Skip to content

Use const operand for ARM syscall implementation #572

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 13, 2025
Merged

Use const operand for ARM syscall implementation #572

merged 1 commit into from
Jun 13, 2025

Conversation

Ioan-Cristian
Copy link
Contributor

asm_const feature has been stabilized in Rust 1.82. Using const operands for inline assembly eliminates a lot of the duplicated code in the ARM syscall implementation.

This commit has been tested by running a simple application that periodically blinks and writes a message on Raspberry Pi Pico.

@Ioan-Cristian
Use const operand for ARM syscall implementation
4c7eb30 
`asm_const` feature has been stabilized in Rust 1.82. Using const
operands for inline assembly eliminates a lot of the duplicated code in
the ARM syscall implementation.

This commit has been tested by running a simple application that
periodically blinks and writes a message on Raspberry Pi Pico.
@lschuermann
Copy link
Member

The only difference I can see between this and the previous version is that now, you technically can invoke a system call class with a syscallX function that doesn't match its arity whereas previously the CLASS argument would've either been ignored, or an incorrect one would have resulted in an unreachable! panic.

However, these are clearly low-level unsafe primitives that have been intended as "raw" gadgets to issue system calls, and trust their caller's CLASS argument. So this difference seems unproblematic, or even desirable.

@lschuermann lschuermann added this pull request to the merge queue Jun 13, 2025
Merged via the queue into tock:master with commit 5b4d692 Jun 13, 2025
3 checks passed
@Ioan-Cristian
Copy link
Contributor Author

@lschuermann These are unsafe functions and unsafe functions can involve undefined behaviour if not used correctly. As such, it is in the caller's responsability to ensure they are correctly used, as you said.

@lschuermann
Copy link
Member

@Ioan-Cristian While it is true that they are unsafe functions, the story is often more nuanced. If an unsafe function could do arbitrarily bad things, it'd never be safe to call. Therefore, the unsafe function should have a clear and concise contract that details the exact invariants that the caller must uphold for that unsafe function call to be sound.

In fact, these functions do have such a contract specified, namely in raw_syscalls.rs in libtock-platform:

libtock-rs/platform/src/raw_syscalls.rs

Lines 130 to 133 in 5b4d692

/// # Safety
/// This directly makes a system call. It can only be used for Memop calls
/// that accept 1 argument and only overwrite r0 and r1 on return. It is
/// unsafe any time the underlying system call is unsafe.

What I was trying to do with my comment above is reason about this contract (in particular, reasoning through the difference in behavior between the old and new versions), to conclude that these changes have no meaningful implications on existing callers.

In particular, the safety documentation of all syscallX and yieldX functions already contains a clause that implicitly limits the allowed CLASS arguments, which renders this change unproblematic.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alevy alevy alevy approved these changes

@lschuermann lschuermann lschuermann approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Ioan-Cristian @lschuermann @alevy