Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Avoid creating intermediate Rust references when taking pointers of memory / extern statics #3824

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 20, 2024
Merged

Avoid creating intermediate Rust references when taking pointers of memory / extern statics #3824

merged 1 commit into from
Feb 20, 2024

Conversation

lschuermann
Copy link
Member

@lschuermann lschuermann commented Jan 27, 2024
edited
Loading

Pull Request Overview

Avoid creating intermediate references to extern statics during process loading, setting up the RISC-V PMP, creating non-volatile storage drivers, and when taking the addresses of registers in chips. Extern statics are inaccessible in safe Rust code by default. However, when we perform an operation such as &_sapp as *const u8, we create a Rust reference to the underlying memory that is (a) safely dereferencable, and (b) does not necessarily conform to Rust requirements concerning initialized memory.

This PR switches those occurrences to use core::ptr::addr_of (and its mutable sibling), a macro explicitly designed to return the address of some memory location without creating an intermediate reference.

Suggested-by: Alyssa Haroldsen [email protected] @kupiakos

Testing Strategy

This pull request was tested by compiling.

TODO or Help Wanted

Blocked on #3597. Will need to port those changes to the new Kernel-protection PMP instances as well.

Documentation Updated

  • Updated the relevant files in /docs, or no updates are required.

Formatting

  • Ran make prepush.

@github-actions github-actions bot added the WG-OpenTitan In the purview of the OpenTitan working group. label Jan 27, 2024
bradjc
bradjc previously approved these changes Jan 28, 2024
View reviewed changes
@lschuermann lschuermann added the blocked Waiting on something, like a different PR or a dependency. label Jan 29, 2024
@bradjc bradjc added blocked Waiting on something, like a different PR or a dependency. waiting-on-author and removed blocked Waiting on something, like a different PR or a dependency. labels Jan 30, 2024
@valexandru
Copy link
Contributor

This pull request partially fixes the issue regarding the usage of shared/mutable reference of mutable static is discouraged that I created here when compiling with the latest rust nightly compiler, but maybe it could also solve the remaining issue in the board files such as this one:

warning: mutable reference of mutable static is discouraged
   --> boards/microbit_v2/src/main.rs:773:9
    |
773 |         &mut PROCESSES,
    |         ^^^^^^^^^^^^^^ mutable reference of mutable static
    |
    = note: for more information, see issue #114447 <https://github.com/rust-lang/rust/issues/114447>
    = note: reference of mutable static is a hard error from 2024 edition
    = note: mutable statics can be written to by multiple threads: aliasing violations or data races will cause undefined behavior
help: mutable references are dangerous since if there's any other pointer or reference used for that static while the reference lives, that's UB; use `addr_of_mut!` instead to create a raw pointer
    |
773 |         addr_of_mut!(PROCESSES),
    |         ~~~~~~~~~~~~~~~~~~~~~~~

@bradjc bradjc mentioned this pull request Feb 9, 2024
Open
5 tasks
@kupiakos
Copy link
Contributor

kupiakos commented Feb 9, 2024

Looks great, thank you!

@lschuermann lschuermann force-pushed the dev/process-load-no-ref branch from a1770e0 to 577ef2c Compare February 17, 2024 18:09
@github-actions github-actions bot added kernel chips/sam4l Change pertains to the SAM4L MCU. chips/nrf Change pertains to the nRF5x family of MCUs. chips/stm32 Change pertains to the stm32 family of MCUSs component labels Feb 17, 2024
@lschuermann lschuermann changed the title boards: avoid creating intermediate references to extern statics Avoid creating intermediate references to extern statics Feb 17, 2024
@lschuermann lschuermann force-pushed the dev/process-load-no-ref branch from 577ef2c to 7773377 Compare February 17, 2024 18:11
@lschuermann lschuermann changed the title Avoid creating intermediate references to extern statics Avoid creating intermediate Rust references when taking pointers of memory / extern statics Feb 17, 2024
@lschuermann
Copy link
Member Author

lschuermann commented Feb 17, 2024
edited
Loading

This should be ready now. I changed the newly introduced casts of #3597, as well as new boards added. I further extended this PR to also change all intermediate references which are subsequently converted to pointers across the entire codebase, using the following RegEx to find such usages:

git grep -E '&[a-zA-Z0-9\_\.]* as \*'

We may still be missing some usages that don't match on the above, but this should be a good step toward resolving #3841.

lschuermann
lschuermann commented Feb 17, 2024
View reviewed changes
boards/components/src/process_console.rs
Comment on lines 144 to -147
let kernel_addresses = unsafe {
process_console::KernelAddresses {
stack_start: &_sstack as *const u8,
stack_end: &_estack as *const u8,
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried to remove the unsafe here, but the compiler still insists that this is a usage of an extern static. I think this is due to the implementation of a macro, which uses an experimental syntax that still triggers the safety lint.

@lschuermann
Avoid creating intermediate Rust references for taking pointers
b423469 
Avoid creating intermediate references for taking pointers to
variables or extern statics during process loading, setting up the
RISC-V PMP, creating non-volatile storage drivers, and when taking the
addresses of registers in chips. Extern statics are inaccessible in
safe Rust code by default. However, when we perform an operation such
as `&_sapp as *const u8`, we create a Rust reference to the underlying
memory that is (a) safely dereferencable, and (b) does not necessarily
conform to Rust requirements concerning initialized memory.

This PR switches those occurrences to use `core::ptr::addr_of` (and
its mutable sibling), a macro explicitly designed to return the
address of some memory location without creating an intermediate
reference.

Suggested-by: Alyssa Haroldsen <[email protected]>
@lschuermann lschuermann force-pushed the dev/process-load-no-ref branch from 7773377 to b423469 Compare February 17, 2024 18:18
@bradjc bradjc added the last-call Final review period for a pull request. label Feb 19, 2024
@bradjc
Copy link
Contributor

bradjc commented Feb 20, 2024

Merging this soon if anyone has any comments.

@bradjc bradjc added this pull request to the merge queue Feb 20, 2024
Merged via the queue into tock:master with commit 8203504 Feb 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bradjc bradjc bradjc approved these changes

@alexandruradovici alexandruradovici alexandruradovici approved these changes

Assignees
No one assigned
Labels
chips/nrf Change pertains to the nRF5x family of MCUs. chips/sam4l Change pertains to the SAM4L MCU. chips/stm32 Change pertains to the stm32 family of MCUSs component kernel last-call Final review period for a pull request. WG-OpenTitan In the purview of the OpenTitan working group.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@lschuermann @valexandru @kupiakos @bradjc @alexandruradovici