Use zero-cost method to construct Errors
#335
Conversation
This comment has been minimized.
This comment has been minimized.
TheSven73
force-pushed
the
rust-for-linux-error-invariant
branch
from
4f424b2 to
c23f634
Compare
This comment has been minimized.
This comment has been minimized.
TheSven73
force-pushed
the
rust-for-linux-error-invariant
branch
from
c23f634 to
2f2c5ef
Compare
This comment has been minimized.
This comment has been minimized.
|
The first two commits have the same title and mostly the same message, which is a bit confusing: perhaps: "rust: introduce zero-cost from_kernel_int_result_uint" or something like that to see the difference between them? (I noted to add a @ksquirrel check for this) |
|
The third commit is related to #324 (comment) and #283 -- so not sure what to do. Also, I think @foxhlchen was going to send a PR to discuss moving it to return I think this is a good candidate for discussion this Saturday (and likely also in a technical meeting next week or so). |
Perhaps we can bypass this whole discussion by not removing the runtime check function? That will of course generate a warning, as the function is now unused. I can add a dead-code marker. How does that sound? |
rust/kernel/error.rs
Outdated
| match retval { | ||
| success if success >= 0 => Ok(()), | ||
| // SAFETY: Safety above and match arm guarantee that `errno` is a valid negative `errno`. | ||
| errno => Err(Error::from_kernel_errno_unchecked(errno)), | ||
| } |
There was a problem hiding this comment.
match statements are great, but I think for cases like this where it reduces to a single condition it looks easier to read:
| match retval { | |
| success if success >= 0 => Ok(()), | |
| // SAFETY: Safety above and match arm guarantee that `errno` is a valid negative `errno`. | |
| errno => Err(Error::from_kernel_errno_unchecked(errno)), | |
| } | |
| if retval < 0 { | |
| // SAFETY: Safety above and match arm guarantee that `errno` is a valid negative `errno`. | |
| return Err(Error::from_kernel_errno_unchecked(errno)); | |
| } | |
| Ok(()) |
rust/kernel/error.rs
Outdated
| pub(crate) unsafe fn from_kernel_int_result(retval: c_types::c_int) -> Result { | ||
| match retval { | ||
| success if success >= 0 => Ok(()), | ||
| // SAFETY: Safety above and match arm guarantee that `errno` is a valid negative `errno`. |
There was a problem hiding this comment.
For the comment, perhaps:
| // SAFETY: Safety above and match arm guarantee that `errno` is a valid negative `errno`. | |
| // SAFETY: This condition together with the function precondition guarantee | |
| // `errno` is a valid negative `errno`. |
Sure, feel free to split the PR. |
In a previous PR, the type invariant for `Error` is enforced using a runtime check. This is non-zero cost. However we may decide to trust the return value of certain kernel C functions. In such cases, no runtime check is required to enforce the type invariant. So we can return to zero-cost. This patch removes invariant checks from kernel C functions that return 0 on success, or a non-zero errno on failure. Signed-off-by: Sven Van Asbroeck <[email protected]>
In a previous PR, the type invariant for `Error` is enforced using a runtime check. This is non-zero cost. However we may decide to trust the return value of certain kernel C functions. In such cases, no runtime check is required to enforce the type invariant. So we can return to zero-cost. This patch removes invariant checks from kernel C functions that return a positive value on success, or a non-zero errno on failure. Signed-off-by: Sven Van Asbroeck <[email protected]>
It turns out that we don't need an `Error` constructor that
checks the `errno` invariant at runtime. This is because we
trust return values originating from kernel C. And any return
values originating from Rust code can be constucted using
`Error::` constants, which also do not need a runtime check:
```rust
return Err(Error::EBUSY);
```
However, there is still ongoing discussion about the merits and
purpose of this function. To facilitate this discussion, keep the
function for the time being, and remove the "dead code" warning.
Signed-off-by: Sven Van Asbroeck <[email protected]>
TheSven73
force-pushed
the
rust-for-linux-error-invariant
branch
from
2f2c5ef to
ec1faf3
Compare
v1 -> v2:ojeda:
|
You have a call on Saturday?? Can you send me an invitation?? |
|
Of course! We have informal calls every first Saturday of a month. I will send a remainder to the mailing list. |
Great, Thank you! |
|
@ojeda How can I assign a "Prio: low" label to this PR? |
When constructing an
Error, avoid the runtime check which verifies theerrnoinvariant, by:constErrors if an error return is needed in Rust code.For the time being, no explicit
Errorinvariant runtime checks are used or required anywhere, so we can eliminate the function which carries out the check.