05:52 <emmanuelsearch[m> is there already a tentative date/location for the next f2f meeting of the embedded wg similar to what happened at RustWeek?

05:52 <emmanuelsearch[m> Context: we (Ariel OS folks) talk to ST folks later today and would like to suggest they show up next time ;)

05:53 <emmanuelsearch[m> maybe therealprof James Munns adamgreig you have info to share on this?

05:54 <emmanuelsearch[m> * is there already a tentative date/location for the next f2f meeting of the Rust Embedded wg similar to what happened at RustWeek?

05:55 <emmanuelsearch[m> * Context: we (Ariel OS folks) talk to ST folks later today and would like to invite them to show up next time ;)

06:11 <JamesMunns[m]> There's none planned

06:12 <JamesMunns[m]> Probably next rustweek?

07:09 <therealprof[m]> <emmanuelsearch[m> "is there already a tentative..." <- Yeah, sorry, nothing planned at this point.

07:30 <thejpster[m]> How about at Oxidize in Berlin in September?

07:31 <thejpster[m]> If that’s of interest I can ask the right people. Maybe concurrent with the workshops on day 1? Or the day after the conference?

07:33 <thejpster[m]> https://oxidizeconf.com/

10:22 <thejpster[m]> Well I got into an interesting discussion today.... (full message at <https://catircservices.org/_irc/v1/media/download/AXAT_HCZsNcBcotz4Zol6VgZehgmXI1KwiTBB9cRcs59fKBm1AGdFeGxPIc0-qLK3aNEn7ulwBcuThUKVhUAfmS_8AAAAAAAAGNhdGlyY3NlcnZpY2VzLm9yZy9pYUpvZWxGa3pYRkZKWXpxaGVnbHhDUGw>)

10:22 <thejpster[m]> I would point to `&str`, where creating a `&str` from random bytes without checking that they are valid UTF-8 is `unsafe`. But does making an invalid `&str` cause UB, or does it just cause the API to Not Work?

10:26 <dngrs[m]> hmmm, I think there was something written about std::fs and guarantees/checks that Rust cannot make. But where was that...

10:28 <dngrs[m]> "Note that, although read and write methods require a `&mut File`, because of the interfaces for [`Read`] and [`Write`], the holder of a `&File` can still modify the file, either through methods that take `&File` or by retrieving the underlying OS object and modifying the file that way. Additionally, many operating systems allow concurrent modification of files by different processes. Avoid assuming that holding a `&File` means that

10:28 <dngrs[m]> the file will not change." - https://doc.rust-lang.org/std/fs/struct.File.html#examples

10:38 <diondokter[m]> <thejpster[m]> "I would point to `&str`, where..." <- I think it can cause actual UB

10:40 <diondokter[m]> <thejpster[m]> "Well I got into an interesting..." <- > <@thejpster:matrix.org> Well I got into an interesting discussion today.... (full message at <https://catircservices.org/_irc/v1/media/download/AaZM2n9rDMcrPdDHwNNyHQ3fwqToNChE83NrcvQy8xcJN-MPxvNQLVjaWkYqrDVFLdTSaLKQb_EfgJDmLXkZPCi_8AAAAAAAAGNhdGlyY3NlcnZpY2VzLm9yZy9RaUdsenVzZW9WYWdZRnVYR253Zk5Ed1Y>)

10:41 <dngrs[m]> the [nomicon](https://doc.rust-lang.org/nomicon/safe-unsafe-meaning.html) might also be interesting here:

10:41 <dngrs[m]> > The Unsafe Rust code just can't trust the Safe Rust code to be written correctly. That said, BTreeMap will still behave completely erratically if you feed in values that don't have a total ordering. It just won't ever cause Undefined Behavior.

10:41 <dngrs[m]> (also what follows the paragraph I quoted)

10:48 <dngrs[m]> s/also/and/

10:48 <JamesMunns[m]> I agree w/ dion that calling unvalidated utf-8 can cause UB if the bytes are not valid

10:49 <JamesMunns[m]> IMO items like voltage regulator are not `unsafe`, because safety is a *language* construct, and the voltage regulator is part of the "system contract" with the language

10:50 <JamesMunns[m]> if you do something that makes your system invalid or to violate the systemic contract (e.g. unmapping the flash you are executing from), the program is invalid, not just unsafe

10:51 <dngrs[m]> #[deny(holding_it_wrong)]

10:51 <JamesMunns[m]> Violating the unsafe preconditions (in this case: from_utf8_unchecked) IS UB, even if it does not immediately cause a crash, or happens towork

10:52 <thejpster[m]> but why is it UB?

10:56 <thejpster[m]> actually, scratch that. I can dig into it myself.

10:56 <thejpster[m]> <dngrs[m]> "the [nomicon](https://doc.rust-..." <- This is excellent. Thanks!

10:58 <thejpster[m]> ok, so to ask a more pointed question ... why is it unsafe to steal an svd2rust handle to a Peripheral? What UB can you cause by racing on MMIO registers? They are all accessed using volatile loads and stores of CPU register size, which is equivalent to what AtomicU32 does.

11:15 <Kaspar[m]> <thejpster[m]> "ok, so to ask a more pointed..." <- There could be something inside the implementation that assumes unique access, e.g., rmw. So code depends on nothing else modifying e.g., the registers. The type system *can* enforce this, unless bypassed. It might be that bypassing this causes memory safety issues (e.g., concurrent access to DMA peripheral), so it must be prohibited. So bypassing that contract is 'unsafe'.

11:17 <JamesMunns[m]> <thejpster[m]> "ok, so to ask a more pointed..." <- Disagree it is the same as atomic because volatile read/writes don't use ldrex/strex

11:17 <JamesMunns[m]> <thejpster[m]> "ok, so to ask a more pointed..." <- But as for why it is unsafe is mostly "vibes" and because it seemed reasonable at the time

11:18 <JamesMunns[m]> <thejpster[m]> "ok, so to ask a more pointed..." <- (Ah you mean just atomic load/stores, not atomic updates, separate load stores are memory safe but may not be correct)

11:20 <Kaspar[m]> JamesMunns[m]: My understanding was that this is about soundness.

11:20 <JamesMunns[m]> iirc chiptool doesn't make stealing unsafe, but you might get a ptr or something you have to deref? I forget

11:22 <JamesMunns[m]> If you have a moral "&mut" of the peripheral, that can't alias. But if you are clear you only have/need a shared ref to mutate, like atomics, it is morally fine

11:23 <thejpster[m]> To get to the root of the matter:... (full message at <https://catircservices.org/_irc/v1/media/download/AZsrtQr989fVamVno1MR_dCVKy0kQTFfISmhVTPXb5suUbBJWOL_v9uFNyTwPdNUavMV8m0_-aFGjr1Cnw-dB3S_8AAAAAAAAGNhdGlyY3NlcnZpY2VzLm9yZy9JZU9JRHJJb05neWpMdWRpR3d5eWpraFc>)

11:24 <JamesMunns[m]> Yeah, if you accept an arbitrary ptr, definitely unsafe. If a known good pointer for a good location, that's kinda up to you to set the api as safe or not

11:25 <thejpster[m]> > “up to you”

11:25 <thejpster[m]> oh no

11:25 <JamesMunns[m]> By "moral &mut" I specifically mean:

11:25 <JamesMunns[m]> * If you ever make an &mut of struct you are pointing to, or

11:25 <JamesMunns[m]> * you allude to users that they can ASSUME they have exclusive access to the item while they hold an &mut

11:26 <JamesMunns[m]> if you ONLY use ptr methods (not mapped struct references), and ALWAYS tell users that anyone can alias at any time and they might observe tearing/lost writes/etc. and its up to them to CS that, then it's fine

11:26 <JamesMunns[m]> because you are not morally promising exclusivity in your API

11:27 <thejpster[m]> The compromise answer is probably a BSP that uses an atomicbool to let you safely create everything exactly once.

11:27 <JamesMunns[m]> (which I think svd used to do both, may only do the latter now)

11:27 <JamesMunns[m]> I mean that's what svd2rust does?

11:27 <JamesMunns[m]> its a CS bool, but yeah

11:28 <JamesMunns[m]> JamesMunns[m]: re: this: I'm noting the *exclusive* part of &mut is more important here than the *mutable* part.

11:28 <thejpster[m]> This was useful, thanks.

11:28 <JamesMunns[m]> because &mut pointers are both exclusive and mutable, vs & pointers

11:28 <thejpster[m]> A chapter for the embedonomicon perhaps

11:29 <dngrs[m]> mut stands for mutex 🤓

11:31 <JamesMunns[m]> yeah, there's basically three levels of things that operate very differently:... (full message at <https://catircservices.org/_irc/v1/media/download/AT37o1RBZK1TJFrYwMaHcHy3YMNi9MCCMr1_wRP06gSjC7U63INrubaZHbUZW4iUoD4gj1qtVw6sDt3I_9tnIq6_8AAAAAAAAGNhdGlyY3NlcnZpY2VzLm9yZy9zdnF3aWNacHJWbkpWRUtNcEdqUHdYVHI>)

11:32 <thejpster[m]> And Handle(*mut T) should be clear about which of the above it is emulating

11:33 <JamesMunns[m]> Yep, just because it's ACTUALLY a ptr in the struct, doesn't mean that MORALLY it isn't, that's why `PhantomData` exists

11:33 <JamesMunns[m]> * it isn't something else, that's

11:34 <thejpster[m]> I wonder if it’s UB to create a PhantomData<&mut RegisterBlock>

11:34 <JamesMunns[m]> (Box is a good example of this: it's Just a pointer under the hood, but it plays nice with all the kinds of variance)

11:34 <JamesMunns[m]> to create it, afaik, no

11:34 <JamesMunns[m]> to use it as a bounds/guarantee of something, maybe

11:35 <wassasin[m]> thejpster[m]: That is how Embassy manages ownership https://github.com/embassy-rs/embassy/blob/main/embassy-hal-internal/src/peripheral.rs#L21

12:21 <jason-kairos[m]> suppose the map file for your binary shows a bunch of formatting operations related to a panic handler in some third party library

12:21 <jason-kairos[m]> is there some way to reduce the size of those sorts of error handlers?

12:33 <jannic[m]> IMHO unsafe should be used in a way that provides the most value. And therefore there is a large grey area where some judgement is required.... (full message at <https://catircservices.org/_irc/v1/media/download/AQpXaQqQzcYFIDsHa5TekRN4y_fh6bMhA-p2BXyhrAAzI16nvOHfSU0FtFPQ7VLOAkvwyEyQOzZQutVd6wma_kq_8AAAAAAAAGNhdGlyY3NlcnZpY2VzLm9yZy91VFRWS3ZNdnZXRmZJeXFBTnl6RnRvT1Q>)

12:57 <jason-kairos[m]> s/handler//

13:17 <thejpster[m]> I like that! Thanks jannic