Re: [PATCH 2/2] rust: alloc: add `Vec::dec_len`

From: Tamir Duberstein
Date: Mon Mar 17 2025 - 11:38:17 EST

Next message: Thomas Richard: "[PATCH RFC v2 1/6] gpiolib: add gpiochip_add_pin_range_sparse() function"
Previous message: Simon Horman: "Re: [PATCH net-next v3 1/7] net: usb: lan78xx: Convert to PHYlink for improved PHY and MAC management"
In reply to: Benno Lossin: "Re: [PATCH 2/2] rust: alloc: add `Vec::dec_len`"
Next in thread: Miguel Ojeda: "Re: [PATCH 2/2] rust: alloc: add `Vec::dec_len`"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Mar 17, 2025 at 10:39 AM Benno Lossin <benno.lossin@xxxxxxxxx> wrote:
>
> On Mon Mar 17, 2025 at 12:34 PM CET, Tamir Duberstein wrote:
> > On Mon, Mar 17, 2025 at 6:04 AM Benno Lossin <benno.lossin@xxxxxxxxx> wrote:
> >>
> >> On Sun Mar 16, 2025 at 11:32 PM CET, Tamir Duberstein wrote:
> >> > Add `Vec::dec_len` that reduces the length of the receiver. This method
> >> > is intended to be used from methods that remove elements from `Vec` such
> >> > as `truncate`, `pop`, `remove`, and others. This method is intentionally
> >> > not `pub`.
> >>
> >> I think it should be `pub`. Otherwise we're loosing functionality
> >> compared to now. If one decides to give the raw pointer to some C API
> >> that takes ownership of the pointer, then I want them to be able to call
> >> `dec_len` manually.
> >
> > This is premature. It is trivial to make this function pub when the need arises.
>
> And it's trivial to do it now. If it's private now, someone will have to
> change this in some random patch and it's annoying.

It is my understanding that the kernel's policy is in general not to
add API surface that doesn't have users. Rust-for-Linux of course
often doesn't honor this by necessity, since many abstractions are
needed before users (drivers) can be upstream. But in this case we
can't even mention a specific use case - so as I mentioned on the
previous reply, I am not comfortable putting my name on such an API.

> >> > + ///
> >> > + /// # Safety
> >> > + ///
> >> > + /// - `count` must be less than or equal to `self.len`.
> >>
> >> I also think that we should use saturating_sub instead and then not have
> >> to worry about this. (It should still be documented in the function
> >> though). That way this can also be a safe function.
> >
> > This doesn't seem better to me. I'd prefer to have more rather than
> > fewer guardrails on such low-level operations.
>
> Your second sentence seems like an argument for making it safe? I think
> it's a lot better as a safe function.

The guardrail I was referring to is the requirement that the caller
write a safety comment.

Next message: Thomas Richard: "[PATCH RFC v2 1/6] gpiolib: add gpiochip_add_pin_range_sparse() function"
Previous message: Simon Horman: "Re: [PATCH net-next v3 1/7] net: usb: lan78xx: Convert to PHYlink for improved PHY and MAC management"
In reply to: Benno Lossin: "Re: [PATCH 2/2] rust: alloc: add `Vec::dec_len`"
Next in thread: Miguel Ojeda: "Re: [PATCH 2/2] rust: alloc: add `Vec::dec_len`"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]