

Conversation

hudson-ayers
Contributor

@hudson-ayers hudson-ayers commented Sep 21, 2022

Pull Request Overview

This pull request builds on top of #3219 , with some additional optimizations for size to reduce the overhead introduced in #3219. This PR removes StaticUninitializedBuffer and UninitializedBuffer, since I believe they now offer very little over MaybeUninit today (other than a slightly nicer name for initialize() vs write()).

This combination of changes makes it no longer unsafe to call static_init!() or static_buf!(). A logical followup change is to remove unsafe from static_buf!() and make Component::finalize() safe. This change should allow us to remove >90% of the unsafe code in main.rs, a big jump forward for validating memory safety in Tock.

On Imix, this brings the overhead of #3219 down to 1104 bytes. Notably, once Brad finishes porting uses of static_init_half!() to static_buf!(), this overhead will increase.

Apologies for the weird commit ordering, where #3219 comes after my changes -- I implemented my changes first and then pulled in the #3219 changes in a squashed commit. Ultimately I think that #3219 should just be closed in favor of this PR.

This PR also defines the expected process for a component: all statically declared memory is created in a macro and passed in to finalize(). That macro has a naming convention of [name]_component_static!(). No memory is statically allocated in finalize() (i.e. no static_init! or static_buf! in the finalize function). That macro only statically declares memory.

Testing Strategy

This pull request was tested by compiling.

TODO or Help Wanted

After this PR is merged, Brad's various component PRs will need to be rebased to use MaybeUninit as the StaticInput to components.

Documentation Updated

  • Updated.

Formatting

  • Ran make prepush.

bradjc
bradjc previously approved these changes Sep 21, 2022
Contributor

@bradjc bradjc left a comment


I think this is a major step forward for components. The singleton-without-enforcement property of components has long been a pain point for Tock, and this is a step towards eliminating that rough edge.

@bradjc bradjc changed the title static_buf!(): Remove StaticUninitializedBuffer and UninitializedBuffer in favor of MaybeUninit static_buf!(): Remove StaticUninitializedBuffer and UninitializedBuffer in favor of MaybeUninit, update component conventions to match Sep 22, 2022
bradjc
bradjc previously approved these changes Sep 22, 2022
@github-actions github-actions bot added the WG-OpenTitan In the purview of the OpenTitan working group. label Sep 22, 2022
@bradjc bradjc force-pushed the all-static-init-changes branch from 4a70cf7 to ab89f67 Compare September 22, 2022 14:04
let hmac = &perf.hmac;

let callback = unsafe { static_init_test_cb() };
let callback = unsafe { static_init_test_cb!() };
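Review bot: the `unsafe { ... }` wrapper around `static_init_test_cb!()` on the second line is unnecessary if the macro is now safe to call, as the PR description says static_init!()/static_buf!() are after this change; drop it so the line reads `let callback = static_init_test_cb!();` and the `unsafe` that remains in this test marks only real obligations. Do not rely on the `unused_unsafe` lint to flag it: if the macro's expansion contains its own `unsafe` block, the compiler may not warn about the redundant outer one, which matches the observation in the comment below that no warning was emitted.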
Contributor Author


I am surprised you don't get warnings that this unsafe is not needed

bradjc
bradjc previously approved these changes Sep 22, 2022
hudson-ayers and others added 4 commits September 23, 2022 09:16
That is, `static_buf!()` will now panic if the same static buffer is
used multiple times. This happens if the same `static_buf!()` expansion
is run multiple times, such as if `static_buf!()` is in a function which
is called multiple times. Since doing this causes memory to be aliased,
which is bad, we panic to let the board author know this needs to be
fixed.

Also: doc: update soundness with new static_init impl
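The following is an added example, not Tock's code, written to illustrate two things described on this page: the component convention from the PR description (a `[name]_component_static!()` macro that only declares memory, handed to a `finalize()` that does no static allocation itself and initializes a `MaybeUninit` with the safe `write()`), and the behaviour from the commit message above (panicking when the same static-buffer expansion is executed twice, since that would alias the static). Every name here (`checked_static_buf!`, `Component`, `Counter`, `counter_component_static!`, `board_setup`) is a hypothetical stand-in; Tock's real macros and `Component` trait differ in detail, and this version uses `std` so it runs on a host.

```rust
// Added example (not Tock's code). Hypothetical stand-ins for the PR's
// static_buf!() and [name]_component_static!() conventions.
use std::mem::MaybeUninit;

/// Stand-in for `static_buf!()`: each expansion owns exactly one static
/// `MaybeUninit<T>` and one used-flag. Executing the same expansion a second
/// time would hand out a second `&'static mut` to the same memory, so it
/// panics instead of aliasing (the behaviour the commit message describes).
macro_rules! checked_static_buf {
    ($T:ty) => {{
        static mut BUF: std::mem::MaybeUninit<$T> = std::mem::MaybeUninit::uninit();
        static USED: std::sync::atomic::AtomicBool =
            std::sync::atomic::AtomicBool::new(false);
        if USED.swap(true, std::sync::atomic::Ordering::SeqCst) {
            panic!("static buffer expansion executed twice: would alias static memory");
        }
        // SAFETY: the flag guarantees this is the only `&mut` to BUF ever
        // created, so the returned reference is unique for 'static.
        unsafe { &mut *std::ptr::addr_of_mut!(BUF) }
    }};
}

/// Minimal stand-in for the shape of a component: static memory comes in,
/// an initialized capsule reference comes out.
trait Component {
    type StaticInput;
    type Output;
    fn finalize(self, static_memory: Self::StaticInput) -> Self::Output;
}

/// Toy "capsule" standing in for a real driver object.
struct Counter {
    key: [u8; 4],
    count: u32,
}

impl Counter {
    fn tick(&mut self) -> u32 {
        self.count += 1;
        self.count
    }
    fn key(&self) -> [u8; 4] {
        self.key
    }
}

struct CounterComponent {
    key: [u8; 4],
}

impl Component for CounterComponent {
    type StaticInput = &'static mut MaybeUninit<Counter>;
    type Output = &'static mut Counter;

    // No static allocation in here: the memory arrives from the caller.
    // `MaybeUninit::write` is a safe method returning `&mut T` tied to the
    // input borrow, so initializing needs no `unsafe` at all.
    fn finalize(self, slot: Self::StaticInput) -> Self::Output {
        slot.write(Counter { key: self.key, count: 0 })
    }
}

/// Convention from the PR: `[name]_component_static!()` only declares the
/// component's static memory and returns it uninitialized.
macro_rules! counter_component_static {
    () => {
        checked_static_buf!(Counter)
    };
}

/// Board-level wiring. Calling this a second time re-executes the same
/// `checked_static_buf!` expansion and therefore panics.
fn board_setup() -> &'static mut Counter {
    let slot = counter_component_static!();
    CounterComponent { key: [0xde, 0xad, 0xbe, 0xef] }.finalize(slot)
}

fn main() {
    let counter = board_setup();
    println!("first tick = {}", counter.tick());
    let second = std::panic::catch_unwind(|| {
        let _ = board_setup();
    });
    println!("second board_setup() panicked: {}", second.is_err());
}
```

The check costs one static flag per expansion plus a swap at initialization, which is the "dynamic check" the discussion below weighs against a zero-cost variant; the trade is that a board that accidentally wires the same component twice fails loudly at boot instead of silently creating two `&'static mut` to one buffer.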
bradjc
bradjc previously approved these changes Sep 23, 2022
@bradjc bradjc force-pushed the all-static-init-changes branch from 8fad119 to def33a3 Compare September 23, 2022 17:18
@alevy
Member

alevy commented Sep 23, 2022

The most recent version of this PR (which @bradjc just updated) requires unsafe to use static_.

@alevy
Member

alevy commented Sep 23, 2022

There was some discussion outside GitHub about the desire for a zero-cost variant that doesn't dynamically check if a value has already been initialized, though the uses of this would likely be only out-of-tree (at least for now).

I think this is pretty simple to implement, but would vote for leaving this either out-of-tree for now or doing it in a separate pull request.

Member

@ppannuto ppannuto left a comment


Got a chance to actually read this over now, sorry I wasn't so engaged earlier today. I agree this is better than what we have, and we should make the stepwise improvement here.

@alevy
Member

alevy commented Sep 25, 2022

bors r+

@bors
Contributor

bors bot commented Sep 25, 2022

@bors bors bot merged commit 0f1d9ba into tock:master Sep 25, 2022
bors bot added a commit that referenced this pull request Sep 27, 2022
3245: boards/opentitan/tests: fixup macro syntax r=ppannuto a=twilfredo

### Pull Request Overview

The following changes address the compiler warning generated [1] when building tests:

Since: #3239

[1]: `warning: trailing semicolon in macro used in expression position`

The exact warning: 
```
warning: trailing semicolon in macro used in expression position
   --> boards/opentitan/earlgrey-cw310/src/tests/flash_ctrl.rs:92:6
    |
92  |     };};
    |      ^
...
104 |     let cb = unsafe { static_init_test!() };
    |                       ------------------- in this macro invocation
    |
    = note: `#[warn(semicolon_in_expressions_from_macros)]` on by default
    = warning: this was previously accepted by the compiler but is being phased out; it will become a hard error in a future release!
    = note: for more information, see issue #79813 <rust-lang/rust#79813>
    = note: macro invocations at the end of a block are treated as expressions
    = note: to ignore the value produced by the macro, add a semicolon after the invocation of `static_init_test`
    = note: this warning originates in the macro `static_init_test` (in Nightly builds, run with -Z macro-backtrace for more info)
```

### Testing Strategy

Compiling and testing on Verilator

### TODO or Help Wanted

N/A


### Documentation Updated

- [x] Updated the relevant files in `/docs`, or no updates are required.

### Formatting

- [x] Ran `make prepush`.


Co-authored-by: Wilfred Mallawa <[email protected]>
Labels
kernel WG-OpenTitan In the purview of the OpenTitan working group.

5 participants