[safety] Weaken lifetime in get_xde_state() #1016

Open
daniel-levin wants to merge 1 commit into master from c3

Conversation

@daniel-levin (Contributor)

The pointer we get back from ddi_get_driver_private assuredly does not have a static lifetime. In practice, this was unlikely to lead to bugs. But, by weakening the promise we make to the compiler, we can prevent unsound optimizations before the compiler makes them, or before we accidentally induce the compiler to make them.

Signed-off-by: Daniel Levin <daniel.levin@oxidecomputer.com>
Comment thread xde/src/xde.rs
}

fn get_xde_state() -> &'static XdeState {
fn get_xde_state<'a>() -> &'a XdeState {
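Review bot: the new `'a` is not constrained by anything in the signature (no argument carries it), so the caller chooses it and `'static` is still accepted; the change records the intent but does not make the borrow checker enforce it. If the goal is to bound the reference by the period in which the module is attached, take an argument that carries the lifetime, for example a borrow of a token that attach creates and detach consumes, `fn get_xde_state<'a>(attached: &'a Attached) -> &'a XdeState` (name hypothetical), so the returned reference cannot outlive that borrow and detach cannot be called while one is held. The conversion from the `ddi_get_driver_private` pointer to a reference should also carry a SAFETY comment stating the invariant it relies on (pointer published by attach, not yet freed by detach).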

@FelixMcFelix (Collaborator), Jul 1, 2026


I agree with this in principle, but I'm not sure that it helps in the worst case? I.e., any caller can still invoke `let state: &'static _ = get_xde_state();` and get a static reference. If the compiler typically picks a narrower `'a` when this isn't specified, that might suffice though.

I'm otherwise not sure what the best way is to encode the idea that this pointer's validity does outlive the scope of almost every method within the module. I.e., when the module is not attached I'd expect everything else to be functionally inert.

@daniel-levin (Contributor, Author), Jul 2, 2026


This is a good point... I think it may be possible to constrain the lifetime to non-static.
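The two points from the thread above, that a lifetime parameter appearing only in the return type is chosen by the caller (so `'static` is still obtainable) and that tying the lifetime to a borrow does bound it, as an added example that is not code from this project or from either commenter. Everything here is a stand-in: `XdeState`'s field, the `Attached` token, `attach`/`detach`, and an `AtomicPtr` global in place of the slot that `ddi_get_driver_private` reads are all assumptions made for the example.

```rust
use std::ptr;
use std::sync::atomic::{AtomicPtr, Ordering};

/// Stand-in for the driver's per-instance state (hypothetical field).
#[derive(Debug)]
pub struct XdeState {
    pub instance: u32,
}

/// Stand-in for the slot that ddi_set_driver_private / ddi_get_driver_private
/// manage. The DDI hands back a raw pointer with no lifetime attached; this
/// example models that with a global AtomicPtr (assumption for the example).
static DRIVER_PRIVATE: AtomicPtr<XdeState> = AtomicPtr::new(ptr::null_mut());

/// Shape of the function after this PR: `'a` occurs only in the return type,
/// so no input constrains it and the caller picks it (inferred from how the
/// result is used). `'static` remains a valid choice; see
/// `caller_can_still_demand_static` below.
pub fn get_xde_state_unbounded<'a>() -> &'a XdeState {
    let p = DRIVER_PRIVATE.load(Ordering::Acquire);
    assert!(!p.is_null(), "get_xde_state called while detached");
    // SAFETY: attach() stored a pointer to a live Box and detach() has not
    // freed it. Nothing in the signature lets the borrow checker enforce
    // this; it is purely a runtime promise.
    unsafe { &*p }
}

/// This compiles: an unconstrained lifetime parameter does not stop a caller
/// from asking for `'static`.
pub fn caller_can_still_demand_static() -> &'static XdeState {
    let state: &'static XdeState = get_xde_state_unbounded();
    state
}

/// Token proving the module is attached. attach() creates it and detach()
/// consumes it. Borrowing it bounds every state reference by the token's
/// lifetime, and the borrow checker refuses detach() while such a borrow
/// is alive. Hypothetical type, not part of the project.
pub struct Attached {
    _priv: (),
}

/// Bounded variant: `'a` is tied to the borrow of the token, so the returned
/// reference cannot outlive the attached period. Writing
/// `let s: &'static XdeState = get_xde_state(&token);` is a compile error
/// unless the caller holds a `&'static Attached`, which attach() never gives out.
pub fn get_xde_state<'a>(_attached: &'a Attached) -> &'a XdeState {
    let p = DRIVER_PRIVATE.load(Ordering::Acquire);
    // SAFETY: the token exists only between attach() and detach(), and
    // detach() cannot run while `_attached` is borrowed.
    unsafe { &*p }
}

/// Models attach: allocate the state, publish its pointer, hand out the token.
pub fn attach(instance: u32) -> Attached {
    let state = Box::new(XdeState { instance });
    DRIVER_PRIVATE.store(Box::into_raw(state), Ordering::Release);
    Attached { _priv: () }
}

/// Models detach: consuming the token by value means any outstanding
/// `&Attached` borrow (and therefore any `&XdeState` derived from it) is a
/// compile-time error at this call site.
pub fn detach(_attached: Attached) {
    let p = DRIVER_PRIVATE.swap(ptr::null_mut(), Ordering::AcqRel);
    if !p.is_null() {
        // SAFETY: p came from Box::into_raw in attach() and is now unreachable.
        unsafe { drop(Box::from_raw(p)) };
    }
}

/// Returns true once detach() has run, i.e. the module is inert.
pub fn is_detached() -> bool {
    DRIVER_PRIVATE.load(Ordering::Acquire).is_null()
}

fn main() {
    let token = attach(7);
    println!("bounded: instance {}", get_xde_state(&token).instance);
    println!("unbounded: instance {}", caller_can_still_demand_static().instance);
    detach(token);
    println!("detached: {}", is_detached());
}
```

The bounded form answers the second comment's concern directly: while the token is borrowed the module cannot be detached, and once `detach` has consumed the token there is no way to call `get_xde_state` at all, so everything that needs the state is inert by construction rather than by convention.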
