Re: [PATCH v2 1/6] rust: io: turn IoCapable into a functional trait
From: Alexandre Courbot
Date: Mon Feb 16 2026 - 06:51:36 EST
On Thu Feb 12, 2026 at 11:52 PM JST, Danilo Krummrich wrote:
> On Thu Feb 12, 2026 at 3:11 PM CET, Gary Guo wrote:
>> They can, but the `Io` trait just passes the wrong address to the `IoCapable`
>> trait, and nothing horrible can happen without doing things unsafely inside
>> `IoCapable` impl, which is controlled by the user who implements `Io`. It looks
>> to me that unsafe code is still needed to do bogus things.
>
> I think what you mean is that the invariant of `addr` and `maxsize` being valid
> is on the implementing type of `Io`, e.g. `MmioRaw` and `Mmio`. The same applies
> to IoKnownSize::MIN_SIZE.
>
> To me this seems like a valid way of arguing.
But still, using only safe code an implementor of `Io` can lie about
this safety statement:
// SAFETY: `address` has been validated by `io_addr`.
Ok(unsafe { self.io_read(address) })
Granted, the same person will likely have written the `IoCapable`
implementations, but its safety requirements cannot be fulfilled unless
the caller also guarantees that the offsets it passes are valid, which
the type system alone cannot guarantee - thus the need to make `Io` and
`IoKnownSize` unsafe IMHO.
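As an added illustration of the layering this thread argues about (constructed here, not code from the patch series): a hypothetical `IoCapable`/`Io` pair where `Io` is an `unsafe trait`, so the implementor rather than the type system carries the obligation that `io_addr` only returns addresses valid for the raw read. `FakeMmio`, `io_read8`, `read8`, `OutOfBounds` and the `addr`/`maxsize` accessors are assumptions made for this sketch.

```rust
/// Error for offsets that do not fit inside the I/O window.
#[derive(Debug, PartialEq)]
pub struct OutOfBounds;

/// Raw accessor; hypothetical stand-in for the series' `IoCapable`.
pub trait IoCapable {
    /// # Safety
    /// `addr` must be an in-bounds address of this device's window.
    unsafe fn io_read8(&self, addr: usize) -> u8;
}

/// High-level accessor; hypothetical stand-in for the series' `Io`.
///
/// # Safety
/// Implementors must guarantee `addr()..addr()+maxsize()` is a readable window,
/// so every address `io_addr` returns meets `io_read8`'s contract. As a safe
/// trait, a safe impl could return bogus values here: the gap in the thread.
pub unsafe trait Io: IoCapable {
    fn addr(&self) -> usize;
    fn maxsize(&self) -> usize;

    /// Offset to absolute address, rejecting anything not fully in the window.
    fn io_addr(&self, offset: usize, len: usize) -> Result<usize, OutOfBounds> {
        let end = offset.checked_add(len).ok_or(OutOfBounds)?;
        if end > self.maxsize() { return Err(OutOfBounds); }
        self.addr().checked_add(offset).ok_or(OutOfBounds)
    }

    fn read8(&self, offset: usize) -> Result<u8, OutOfBounds> {
        let address = self.io_addr(offset, 1)?;
        // SAFETY: `address` has been validated by `io_addr`; the unsafe impl
        // contract makes the implementor answerable for that validation.
        Ok(unsafe { self.io_read8(address) })
    }
}

/// Constructed MMIO stand-in: a heap buffer standing in for a mapped window.
pub struct FakeMmio { pub buf: Vec<u8> }

impl IoCapable for FakeMmio {
    unsafe fn io_read8(&self, addr: usize) -> u8 {
        // Caller guarantees `addr` lies inside `buf`.
        unsafe { core::ptr::read_volatile(addr as *const u8) }
    }
}

// SAFETY: `addr` and `maxsize` describe exactly the live allocation `buf`.
unsafe impl Io for FakeMmio {
    fn addr(&self) -> usize { self.buf.as_ptr() as usize }
    fn maxsize(&self) -> usize { self.buf.len() }
}
```

With a safe `trait Io`, nothing would stop a safe `impl Io for FakeMmio` from returning `usize::MAX` for `maxsize`, at which point the `// SAFETY` comment in `read8` would be false without any `unsafe` written by the implementor.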