03:45 <re_irc> <GrantM11235> henrikssn: I have looked in to this before,and based on my understanding, using "read_volatile" and "write_volatile" like this is technically UB

03:46 <re_irc> > In particular, a race between a read_volatile and any write operation to the same location is undefined behavior.

03:46 <re_irc> <GrantM11235> https://doc.rust-lang.org/core/ptr/fn.read_volatile.html

03:51 <re_irc> <GrantM11235> The only way that I can think of to get around that is to use asm

04:03 <re_irc> <Lachlan> I think you can absolutely use read_volatile/write_volatile here

04:09 <re_irc> <GrantM11235> I think it would probably work fine in this case, but it is still technically UB

04:11 <re_irc> <Lachlan> Why would it be ub?

04:12 <re_irc> <GrantM11235> Because a dma operation could race with the read, which the docs say is UB

04:14 <re_irc> <Lachlan> Ah

04:15 <re_irc> <thalesfragoso> GrantM11235: Well, you just don't touch the buffer until the DMA is done

04:16 <re_irc> <thalesfragoso> And being sure to use fences to avoid having to read_volatile the entire buffer, which is sad

04:16 <re_irc> <GrantM11235> thalesfragoso: Ah, I didn't realize that that was an option. In that case it is fine

04:18 <re_irc> <GrantM11235> When I was looking in to it for my use case, it was to read data from a buffer while a circular dma was writing to it continously

04:18 <re_irc> <thalesfragoso> It's all very finicky though and has to be done with care

04:19 <re_irc> <thalesfragoso> GrantM11235: You can still split that borrow or use an array with two buffers. But it's still hard to ensure that the user is faster than the DMA

04:20 <re_irc> <thalesfragoso> You can panic if you detect a overrun, it's still technically UB if the overrun happens though

04:21 <re_irc> <thalesfragoso> But I don't see how the compiler could exploit that UB in any meaningful way, specially if you panic right away

04:22 <re_irc> <thalesfragoso> But yeah, stick to double buffering DMA if you can, it's more flexible than circular and easy to work with

04:22 <re_irc> <thalesfragoso> * easier

04:23 <re_irc> <Lachlan> Yeah, this is runtime ub which is much better than compile time ub

04:24 <re_irc> <thalesfragoso> Don't quote me on that though, I don't recommend doing it :)

04:26 <re_irc> <GrantM11235> Yeah I really don't like the idea of trying to detect that something went wrong _after_ I hit UB

04:29 <re_irc> <GrantM11235> Even though in my case, I don't think that the Abstract Machine :tm: would have any way of knowing that a "read_volatile" raced with a dma write

04:33 <re_irc> <9names (@9names:matrix.org)> I wonder if the wording there is intensionally incorrect to forcefully dissuade folks from trying to sync cores via volatile accesses

04:35 <re_irc> <GrantM11235> It is definitely possible in general to get some juicy UB if your "read_volatile" races with a write

04:37 <re_irc> <GrantM11235> For example if you have a NonZeroU64 that you try to read while something else is changing it from "0xFFFFFFFF00000000" to "0x00000000FFFFFFFF", you could read a zero, which would be bad

04:38 <re_irc> <Lachlan> Yeah, you’d want to make sure you don’t read larger than the cache size I guess

04:39 <re_irc> <Lachlan> +line

04:41 <re_irc> <GrantM11235> Even if it was just a u8, I don't think there is any guarantee that "x = 0x0F;" is atomic

06:13 <re_irc> <henrikssn> GrantM11235: You can configure the DMA write unit to what you want (so that this case cannot happen). I guess this still makes it UB though

06:15 <re_irc> <henrikssn> thalesfragoso: I don't think I can handle the runtime and memory overhead of having two buffers unfortunately

06:15 <re_irc> <henrikssn> The buffer contains zerocopy types so that I can update them in place without a memcpy

06:17 <re_irc> <henrikssn> It's all really low level but I hoped there were a way to stay in rust (vs doing it in asm) where the compiler isn't gonna screw me over

06:19 <re_irc> <GrantM11235> You don't need very much asm, just a "super_volatile_read" function that can read a "u32" or whatever. Everything else can be in rust

07:37 <re_irc> <henrikssn> Btw, doesn't this also affect soundness of embedded-dma?

07:37 <re_irc> <henrikssn> I.e. that is UB

07:42 <re_irc> fn transfer_dma<BUF: ReadBuffer>(buf: BUF) -> BUF {

07:42 <re_irc> <henrikssn> My understanding is that typical use case looks something like this:

07:42 <re_irc> let (ptr, len) = buf.read_buffer();

07:42 <re_irc> ... long message truncated: https://psion.agg.io/_matrix/media/r0/download/psion.agg.io/cff83743e9ce536a4bd636d60f5002126ba76e38d9fad90db0e53205de97de6d (7 lines)

07:42 <re_irc> start_dma();

07:42 <re_irc> <henrikssn> My understanding is that typical use case looks something like this:

07:42 <re_irc> let (ptr, len) = buf.read_buffer();

07:42 <re_irc> fn transfer_dma<BUF: ReadBuffer>(buf: BUF) -> BUF {

07:42 <re_irc> ... long message truncated: https://psion.agg.io/_matrix/media/r0/download/psion.agg.io/2a8e3a992b4c81605caa5e084abcc54e76f18e6c83f127572b5fb381e45278b2 (8 lines)

07:42 <re_irc> start_dma();

07:43 <re_irc> <henrikssn> the compiler is allowed to insert a spurious read from "buf" between "start_dma" and "wait_for_dma", which makes this UB

07:43 <re_irc> <henrikssn> My understanding is that typical use case looks something like this:

07:43 <re_irc> fn transfer_dma<BUF: ReadBuffer>(buf: BUF) -> BUF {

07:43 <re_irc> start_dma();

07:43 <re_irc> let (ptr, len) = buf.read_buffer();

07:43 <re_irc> ... long message truncated: https://psion.agg.io/_matrix/media/r0/download/psion.agg.io/723a839a5b0595555ec39b0fa609577cfb4ddf4c6be190c567f2a1bcb970fce9 (8 lines)

07:44 <re_irc> <henrikssn> My understanding is that typical use case looks something like this:

07:44 <re_irc> fn transfer_dma<BUF: ReadBuffer>(buf: BUF) -> BUF {

07:44 <re_irc> let (ptr, len) = buf.read_buffer();

07:44 <re_irc> start_dma(ptr, len);

07:44 <re_irc> ... long message truncated: https://psion.agg.io/_matrix/media/r0/download/psion.agg.io/e0b8a4626373c00933d9c1874598c01d43b75d4a36c57764608dcfd44c6b0b33 (8 lines)

07:44 <re_irc> <henrikssn> My understanding is that typical use case looks something like this:

07:44 <re_irc> fn transfer_dma<BUF: WriteBuffer>(buf: BUF) -> BUF {

07:44 <re_irc> let (ptr, len) = buf.write_buffer();

07:44 <re_irc> start_dma(ptr, len);

07:44 <re_irc> ... long message truncated: https://psion.agg.io/_matrix/media/r0/download/psion.agg.io/cf2a0283d57b70b604b358914a1c92af681880bddfb15ef05b80b7cb8bea3b1e (8 lines)

07:45 <re_irc> <GrantM11235> Once you start doing stuff with the raw pointer, rust doesn't make any assumptions about whether the underlying data changes or not

07:45 <re_irc> <MathiasKoch> jamesmunns: Would it be possible/feasible to write a CBOR flavor for postcard? "serde_cbor" is no longer maintained, and it seems like postcard produces much leaner codesizes in general..

07:46 <re_irc> <GrantM11235> It's basically the same rules as when interacting with an FFI

07:50 <re_irc> <henrikssn> GrantM11235: I think the problem here is that the raw pointer breaks aliasing rules afaiu

07:51 <re_irc> <GrantM11235> That's not a problem, that's what raw pointers are for

07:52 <re_irc> <GrantM11235> I'm not sure I can explain it very well, but it has to do with reborrows

07:56 <re_irc> <henrikssn> hmm

07:57 <re_irc> <henrikssn> isn't the compiler allowed to do something like this?

07:57 <re_irc> start_dma(ptr, len);

07:57 <re_irc> let _ = buf; // This is UB

07:57 <re_irc> wait_for_dma();

07:57 <re_irc> <henrikssn> * &buf;

07:57 <re_irc> <GrantM11235> For example, here we have two &muts to the same place, but it is okay because the borrowchecker limits how we can use them https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=f6e414276b6d0fbbd2a77751c6f1eace

07:58 <re_irc> <GrantM11235> With raw pointers, we have to follow some of the same rules, but the borrowchecker doesn't check it for us

07:59 <re_irc> <GrantM11235> This can probably explain the rules better that I can https://plv.mpi-sws.org/rustbelt/stacked-borrows/

08:02 <re_irc> <henrikssn> GrantM11235: I think the point is that in this case it isn't okay, because the borrowchecker assumes that the mutable borrow in "WriteBuffer::write_buffer" respects the aliasing rules, which it doesn't by converting the reference to a raw pointer and handing that to DMA

08:03 <re_irc> <henrikssn> Docs say that:

08:03 <re_irc> > Once this method has been called, it is unsafe to call any &mut self methods, except for write_buffer, on this object as long as the returned value is in use (by DMA).

08:04 <re_irc> <henrikssn> I don't think that can be achieved in safe or unsafe rust because the compiler is free to introduce extra spurious reads even in the presence of compiler fences

08:06 <re_irc> <GrantM11235> It's not allowed to do that because that would invalidate the pointer. Once you cast a reference to a pointer, the compiler won't do anything with the reference until you are done with the pointer. It knows you are done with the pointer when _you_ do something with the reference

08:19 <re_irc> <henrikssn> thanks, I think that made it clear

08:19 <re_irc> <henrikssn> Sorry, I find this to be a really complex subject

08:21 <re_irc> <GrantM11235> Yeah, it's definitely complex. The only reason that I understand any of it at all is because someone on here explained it to me 😁

11:09 <re_irc> <James Munns> MathiasKoch: so, flavors are more for "customizing the postcard protocol", rather than "writing another protocol".

11:09 <re_irc> <James Munns> flavors mostly let you modify the stream of bytes in/out for ser/de, but it doesn't let you do "extra fancy" things per-item.

11:10 <re_irc> <MathiasKoch> makes sense :+1:

11:10 <re_irc> I thought of CBOR as comparable to COBS, but i guess it really isn't?

11:11 <re_irc> <James Munns> COBS is a framing technique

11:12 <re_irc> <James Munns> CBOR is a whole wire protocol :)

11:12 <re_irc> <MathiasKoch> Yeah, that is what i just realized ;)

23:21 <re_irc> <thalesfragoso> henrikssn: I mean, use a DMA that supports double buffering instead of circular mode, there isn't an overhead with that, you don't copy stuff from a buffer to another

23:22 <re_irc> <thalesfragoso> It's the DMA engine that switches its buffer when one is full

23:31 <re_irc> <thalesfragoso> henrikssn: Producing spurious reads between the fences would be the same as moving up an operation from after the fence, which isn't allowed