On Thu, Sep 26, 2024 at 01:00:58PM +0000, Benno Lossin wrote:
> On 12.09.24 00:52, Danilo Krummrich wrote:
> > +/// # Invariants
> > +///
> > +/// One of the following `krealloc`, `vrealloc`, `kvrealloc`.
> > +struct ReallocFunc(
> > + unsafe extern "C" fn(*const core::ffi::c_void, usize, u32) -> *mut core::ffi::c_void,
> > +);
> > +
> > +impl ReallocFunc {
> > + // INVARIANT: `krealloc` satisfies the type invariants.
> > + const KREALLOC: Self = Self(bindings::krealloc);
> > +
> > + /// # Safety
> > + ///
> > + /// This method has the same safety requirements as [`Allocator::realloc`].
> > + ///
> > + /// # Guarantees
> > + ///
> > + /// This method has the same guarantees as `Allocator::realloc`. Additionally
> > + /// - it accepts any pointer to a valid memory allocation allocated by this function.
> > + /// - memory allocated by this function remains valid until it is passed to this function.
> > + unsafe fn call(
> > + &self,
> > + ptr: Option<NonNull<u8>>,
> > + layout: Layout,
> > + flags: Flags,
> > + ) -> Result<NonNull<[u8]>, AllocError> {
> > + let size = aligned_size(layout);
> > + let ptr = match ptr {
> > + Some(ptr) => ptr.as_ptr(),
> > + None => ptr::null(),
> > + };
> > +
> > + // SAFETY:
> > + // - `self.0` is one of `krealloc`, `vrealloc`, `kvrealloc` and thus only requires that
> > + // `ptr` is NULL or valid.
> > + // - `ptr` is either NULL or valid by the safety requirements of this function.
> > + //
> > + // GUARANTEE:
> > + // - `self.0` is one of `krealloc`, `vrealloc`, `kvrealloc`.
> > + // - Those functions provide the guarantees of this function.
> > + let raw_ptr = unsafe {
> > + // If `size == 0` and `ptr != NULL` the memory behind the pointer is freed.
> > + self.0(ptr.cast(), size, flags.0).cast()
> > + };
> > +
> > + let ptr = if size == 0 {
> > + NonNull::dangling()
> > + } else {
> > + NonNull::new(raw_ptr).ok_or(AllocError)?
> > + };
> > +
> > + Ok(NonNull::slice_from_raw_parts(ptr, size))
> > + }
> > +}
>
> I remember asking you to split this into a different commit. I think you
> argued that it would be better to keep it in the same commit when
> bisecting. I don't think that applies in this case, are there any other
> disadvantages?
I don't really like the intermediate `#[expect(dead_code)]`, plus it's
additional work you didn't really give me a motivation for, i.e. you did not
mention what would be the advantage.
But sure, I will change it for the next version.
>
> ---
> Cheers,
> Benno
>
> > +
> > +// SAFETY: `realloc` delegates to `ReallocFunc::call`, which guarantees that
> > +// - memory remains valid until it is explicitly freed,
> > +// - passing a pointer to a valid memory allocation is OK,
> > +// - `realloc` satisfies the guarantees, since `ReallocFunc::call` has the same.
> > +unsafe impl Allocator for Kmalloc {
> > + #[inline]
> > + unsafe fn realloc(
> > + ptr: Option<NonNull<u8>>,
> > + layout: Layout,
> > + flags: Flags,
> > + ) -> Result<NonNull<[u8]>, AllocError> {
> > + // SAFETY: `ReallocFunc::call` has the same safety requirements as `Allocator::realloc`.
> > + unsafe { ReallocFunc::KREALLOC.call(ptr, layout, flags) }
> > + }
> > +}
>
>
> > +
> > unsafe impl GlobalAlloc for Kmalloc {
> > unsafe fn alloc(&self, layout: Layout) -> *mut u8 {
> > // SAFETY: `ptr::null_mut()` is null and `layout` has a non-zero size by the function safety
> > --
> > 2.46.0
> >
>
