-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove panic opportunities #1661
Comments
validate_cast_and_convert_metadata
, use post-monomorphization error to ban ZSTs instead of panicking
|
Once our MSRV is high enough, maybe we can pass the |
Hello! I am hoping you can help me on this topic. ProblemI'm working on migrating from zerocopy v0.6.6 to v0.8.6. This is an embedded RISCV codebase, that is strictly no-panic but I see the same behavior on my x86_64 Linux workstation. I am blocked on I'm hoping you might have some suggestions on how to tackle this. ExamplesHere is a stripped down example of my code. This will introduce use core::mem::size_of;
use zerocopy::FromBytes;
fn main() {
let q = [0x1, 0x1, 0x1, 0x1, 0x2, 0x2, 0x2, 0x2, 0xA];
let count = q.len() / size_of::<u32>();
let (word_buf, _suffix) = <[u32]>::ref_from_prefix_with_elems(&q, count).unwrap();
let mut p = [0x1, 0x1, 0x1, 0x1, 0x2, 0x2, 0x2, 0x2, 0xA];
let p_count = p.len() / size_of::<u32>();
let (mut writeable_word_buf, _suffix) = <[u32]>::mut_from_prefix_with_elems(&mut p, p_count).unwrap();
} This example will optimize use core::mem::size_of;
use zerocopy::FromBytes;
fn main() {
let q = [0x1, 0x1, 0x1, 0x1, 0x2, 0x2, 0x2, 0x2, 0xA];
let count = q.len() / size_of::<u32>();
let (word_buf, _suffix) = <[u32]>::ref_from_prefix_with_elems(&q, count).unwrap();
} Here are the profile options:
WorkaroundsSo far I have identified two workarounds with significant drawbacks. Deserialize one u32 at a time for the immutable code pathI can deserialize one u32 at a time using This has two major drawbacks:
Only use the mutable APII can refactor the code to only use the mutable The major drawback here is that byte slices that were once immutable are now mutable across several layers of code, which could lead to future bugs. I don't think this workaround will get much buy in. SourcesI've posted an example repo on my GitHub profile. You can compile with Additionally I can share the production changes, since it's an open source project. |
This patch proposed by @jhand2 solves my problem. clundin25@1068bb7 I'm going to spend some more time to verify it, but I wanted to share it to get your thoughts on this. Would you consider adding this patch to 0.8? |
#1997 Resolves the issue I was facing. |
These are the result of auditing (as of 0003184) for panic opportunities. Some have been left off which are either unavoidable, in progress of being removed (#1658), or downstream of ones listed here (namely, downstream of
is_bit_valid
).validate_cast_and_convert_metadata
zerocopy/src/layout.rs
Lines 444 to 445 in 0003184
We should be able to make this work via a post-monomorphization error instead, and thus avoid a panic opportunity.
PointerMetadata::size_for_metadata
zerocopy/src/lib.rs
Lines 719 to 721 in 0003184
TryFromBytes::is_bit_valid
zerocopy/src/lib.rs
Lines 1243 to 1251 in 0003184
Now that const eval semantics are more nailed down, we can probably stop hedging that this might panic and just guarantee a post-monomorphization error.
Note that many panics are downstream of
is_bit_valid
. If we tackle this, we should make sure to remove panic documentation from all downstream functions.round_down_to_next_multiple_of_alignment
zerocopy/src/util/mod.rs
Lines 623 to 624 in 0003184
We could benefit from a power-of-two witness type.
The text was updated successfully, but these errors were encountered: