Re: [PATCH v2 3/4] rust: alloc: refactor `Vec::truncate` using `dec_len`
From: Alice Ryhl
Date: Wed Mar 19 2025 - 05:56:38 EST
On Tue, Mar 18, 2025 at 04:13:55PM -0400, Tamir Duberstein wrote:
> Use `checked_sub` to satisfy the safety requirements of `dec_len` and
> replace nearly the whole body of `truncate` with a call to `dec_len`.
>
> Signed-off-by: Tamir Duberstein <tamird@xxxxxxxxx>
> ---
> rust/kernel/alloc/kvec.rs | 29 +++++++++++------------------
> 1 file changed, 11 insertions(+), 18 deletions(-)
>
> diff --git a/rust/kernel/alloc/kvec.rs b/rust/kernel/alloc/kvec.rs
> index 97cc5ab11e2a..6f4dc89ef7f8 100644
> --- a/rust/kernel/alloc/kvec.rs
> +++ b/rust/kernel/alloc/kvec.rs
> @@ -489,25 +489,18 @@ pub fn reserve(&mut self, additional: usize, flags: Flags) -> Result<(), AllocEr
> /// # Ok::<(), Error>(())
> /// ```
> pub fn truncate(&mut self, len: usize) {
> - if len >= self.len() {
> - return;
> + match self.len().checked_sub(len) {
> + None => {}
> + Some(count) => {
This could be simplified as:
if let Some(count) = self.len().checked_sub(len) {
// logic here
}
or
let Some(count) = self.len().checked_sub(len) else {
return;
}
// logic here
> + // SAFETY: `count` is `self.len() - len` so it is guaranteed to be less than or
> + // equal to `self.len()`.
> + let tail = unsafe { self.dec_len(count) };
> +
> + // SAFETY: the contract of `dec_len` guarantees that the elements in `tail` are
> + // valid elements whose ownership has been transferred to the caller.
> + unsafe { ptr::drop_in_place(ptr) };
We have a mutable reference to these elements until after the
`drop_in_place` call, but the elements are invalidated by that call.
This means that we have a mutable reference to invalid values, which
violates the invariants for mutable references.
Consider converting to a raw pointer when creating `tail` instead to
avoid that:
let tail: *mut [T] = unsafe { self.dec_len(count) };
unsafe { ptr::drop_in_place(ptr) };
Alice