Re: C aggregate passing (Rust kernel policy)
From: Miguel Ojeda
Date: Tue Feb 25 2025 - 19:06:02 EST
On Tue, Feb 25, 2025 at 11:45 PM Miguel Ojeda
<miguel.ojeda.sandonis@xxxxxxxxx> wrote:
>
> Both of them are essentially `restrict`/`noalias`, and thus no load is
> performed, with a constant 42 returned.
I forgot to mention that while having so many `restrict`s around
sounds crazy, the reason why this can even remotely work in practice
without everything blowing up all the time is because, unlike
`restrict` in C, Rust will not allow one to e.g. call
f(&mut a, &mut a)
Complaining with:
error[E0499]: cannot borrow `a` as mutable more than once at a time
  --> <source>:10:19
   |
10 |         f(&mut a, &mut a);
   |         - ------  ^^^^^^ second mutable borrow occurs here
   |         | |
   |         | first mutable borrow occurs here
   |         first borrow later used by call
Even then, when one is around unsafe code, one needs to be very
careful not to introduce UB by e.g. fabricating `&mut`s that actually
alias by mistake, because of course then it all breaks.
And the hard part is designing APIs (like the mentioned `Vec`) that
use unsafe code in the implementation but are able to promise to be
safe without allowing any possible caller to break the castle down
("soundness").
Cheers,
Miguel
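An added example (not part of Miguel's message or of the kernel tree) that shows the two points above in one place: a function with two `&mut` parameters that the optimizer may treat as `noalias`, and a small safe wrapper over unsafe code whose bounds check is what keeps it sound. The names `f`, `split_pair` and `call_on_array` are chosen here; `split_pair` mirrors the idea of the standard library's `split_at_mut` rather than being it.

```rust
// Added example for the thread above; not code from the original message.

/// Two `&mut` parameters are guaranteed disjoint by the borrow checker, so the
/// optimizer may keep `*x` in a register: the store through `*y` cannot change
/// it. This is the `restrict`/`noalias` reasoning that lets the compiler return
/// a constant 42 without reloading `*x`.
pub fn f(x: &mut i32, y: &mut i32) -> i32 {
    *x = 42;
    *y = 0;
    *x
}

// The aliasing call from the message is rejected at compile time:
//     let mut a = 0;
//     f(&mut a, &mut a);
// error[E0499]: cannot borrow `a` as mutable more than once at a time

/// A safe API built on unsafe code ("soundness"): split one slice into two
/// disjoint `&mut` halves. The bounds check is what keeps every caller safe;
/// without it a caller could obtain overlapping `&mut`s and the `noalias`
/// assumption made in `f` would become undefined behaviour.
/// (Hypothetical helper; the same idea as `<[T]>::split_at_mut`.)
pub fn split_pair<T>(s: &mut [T], mid: usize) -> (&mut [T], &mut [T]) {
    let len = s.len();
    assert!(mid <= len, "mid out of bounds");
    let ptr = s.as_mut_ptr();
    // SAFETY: [0, mid) and [mid, len) are disjoint ranges inside `s`, and `s`
    // is uniquely borrowed for the lifetime of the two returned slices.
    unsafe {
        (
            std::slice::from_raw_parts_mut(ptr, mid),
            std::slice::from_raw_parts_mut(ptr.add(mid), len - mid),
        )
    }
}

/// Obtain two distinct `&mut i32` from the same array through the sound split,
/// which the borrow checker accepts, and call `f` on them.
pub fn call_on_array(arr: &mut [i32; 2]) -> i32 {
    let (left, right) = split_pair(arr, 1);
    f(&mut left[0], &mut right[0])
}

fn main() {
    let mut arr = [0, 0];
    let r = call_on_array(&mut arr);
    println!("f returned {r}, array is now {arr:?}");
}
```

Running it prints 42 and `[42, 0]`; the interesting part is what does not compile (the aliasing call in the comment) and the `assert!` in `split_pair`, which is the whole difference between a sound API and one that lets a caller fabricate aliasing `&mut`s.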