Re: [PATCH V4 4/8] libgpiod: Add rust wrapper crate

From: Kent Gibson <warthog618@gmail.com>
To: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
Cc: "Viresh Kumar" <viresh.kumar@linaro.org>,
	"Linus Walleij" <linus.walleij@linaro.org>,
	"Bartosz Golaszewski" <brgl@bgdev.pl>,
	"Vincent Guittot" <vincent.guittot@linaro.org>,
	"open list:GPIO SUBSYSTEM" <linux-gpio@vger.kernel.org>,
	"Wedson Almeida Filho" <wedsonaf@google.com>,
	"Alex Bennée" <alex.bennee@linaro.org>,
	stratos-dev@op-lists.linaro.org,
	"Gerard Ryan" <g.m0n3y.2503@gmail.com>
Subject: Re: [PATCH V4 4/8] libgpiod: Add rust wrapper crate
Date: Thu, 28 Jul 2022 11:11:04 +0800	[thread overview]
Message-ID: <20220728031104.GB15896@sol> (raw)
In-Reply-To: <CANiq72nGS492exNopKBZnbS72A4jaCYHAV_faSaMDuqE2P23=g@mail.gmail.com>

On Wed, Jul 27, 2022 at 03:02:10PM +0200, Miguel Ojeda wrote:
> On Wed, Jul 27, 2022 at 2:40 PM Kent Gibson <warthog618@gmail.com> wrote:
> >
> > Unfortunately the C header doesn't currently provide any guarantee -
> > except in the cases where it CAN return NULL.
> > But we can fix that.
> 
> Yeah, fixing that is what I was suggesting, since it is a possibility
> here, and would improve things for C users too.
> 
> > Not sure I'm onboard with that.  Unless the API has a contract not to
> > return a NULL then it is free to at a later date. The user should
> > always assume that NULL is a possibility, even if they have never seen
> > one.
> >
> > But in practice you are probably right.
> 
> I definitely agree that a client should aim to avoid assuming anything.
> 
> However, if we are strict, given C pointers are unconstrained, all
> pointers would be useless unless told otherwise, because checking for
> NULL is not a guarantee of validity either.
> 
> Also, if an C API just says "returns the name", for instance, it is
> reasonable to assume it is a valid name because it is not said
> otherwise (e.g. it does not say "returns the name, if available" nor
> "returns an optional name").
> 
> And, of course, eventually consumers will end up relying on your
> particular implementation no matter what, and returning invalid
> pointers where there weren't before is a very dangerous idea for a C
> library.
> 

All true, but practically speaking the only cases we need to be
concerned with here are NULL and valid.  NULL is the only one we can
detect for certain, and we have no alternative but to assume valid if not.

> > I'd be fine with that.
> > I'd also be satisfied with a comment in the Rust that the C guarantees a
> > non-NULL where that is the case.  That would at least demonstrate that the
> > possibility has been duly considered.
> 
> I think the current `SAFETY` comment already intends to imply that,
> but yeah, it could be clarified.
> 

The comment is:

    // SAFETY: The string is guaranteed to be valid here.

and that is whether there a NULL check or not, so it isn't clear what
the source of the guarantee is.
I would prefer:

    // SAFETY: The string is guaranteed to be valid by the C API.

and updating the C header to explicitly state it returns a valid pointer.
It currently says "Pointer to a human-readable string" which could be
taken to mean valid, but making it "Valid pointer to..." would more
clearly place the onus of it actually being valid on the C library.

Cheers,
Kent.

> In any case, I would say it always returns a valid pointer, not
> "non-NULL", since the latter does not really show it is a valid
> pointer (it could point to a non-NULL, bad address).
> 
> Cheers,
> Miguel