New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add utilities for allocating dynamic grants. #2053
Add utilities for allocating dynamic grants. #2053
Conversation
This adds two new utilities allocating arbitrary types as grants to kernel::grant::Allocator, and splits the internal `alloc_unowned` method into `alloc_raw` and `alloc_default_unowned` to allow allocating non-`Default` values. The new `alloc` allows allocating values not default-initializable, such as references to AppSlices. I believe this is a reasonable change, as no existing methods use `alloc`, and the new interface more closely matches other Rust allocation interfaces, such as `std::boxed::Box`. The new `alloc_n_with` then allows allocating a runtime-determined number of values. This will be useful if, for example, the size of allocation needed is determined by a variable given by a TockOS app. This is motivated by a use case in the Rubble BLE capsule, storing attributes. The number of attributes is usually known at compile-time for the app, but not for the kernel. If the capsule ends up using an array-like structure, `alloc_n_with` will be useful to allocate app-specific memory meant for dealing with attributes the app provides. If the capsule ends up using a linked-list-like structure, then the new `alloc` will allow allocating list nodes which contain non-Default data, such as `AppSlice`s. We don't necessarily need both interfaces, but I believe that together they form a sane base for everything one might need for dynamic memory allocation. Signed-off-by: David Ross <David.Ross@wdc.com>
I'm dropping a note that @daboross and I discussed this change one-on-one and I believe it is (a) necessary for safety and (b) correct. Because this is a security critical change, we should review this more carefully than normal and probably document it. Currently, I'm looking through this style (importantly, can we reduce the number of types which would help reason about security) as well as convince myself this is indeed correct this time. |
I in general like these changes, but I'm worried they undo #2003 which can cause stack overflows. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks right to me.
Also, otherwise this looks correct me now that I've looked through it more carefully |
This also renames the function, as I think the closure makes it more of a "_with" function than not. Signed-off-by: David Ross <David.Ross@wdc.com>
Ping |
I added the last call label, hopefully someone can merge this soon. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tested with IPC on hail and looks good
bors r+ |
Pull Request Overview
This pull request is intended to expand the basic functionality for dynamically allocating values. It:
alloc
method to accept non-Default
valuesalloc_n_with
, for allocating a runtime-determined number of contiguous valuesalloc_unowned
intoalloc_raw
andalloc_default_unowned
to allow for allocating non-Default
valuesI believe all of these changes will be useful, but the one which motivated this PR was
alloc_n_with
. To support connections in the Rubble BLE capsule, we'll need to support attributes, and the capsule won't know ahead of time how many attributes any given app will want to have in a connection. Attributes are most naturally stored in an array, and since the kernel won't know at compile time how many attributes an app has, we need dynamic allocation. Hence,alloc_n_with
.Note that this PR leaves the usage of
Owned
, which I believe is unsound. Once we re-exportOwned
so that applications can store them, those applications could potentially store them outside of app-specific grant memory, and then access them after the app has been restarted (thus accessing deallocated memory). I have a fix for this, but since the changes are fairly separate, I've submitted it as a separate PR - #2052.If one PR is merged first, the other will need a rebase, but it shouldn't matter which one that is.
CC @alevy
Testing Strategy
I created a temporary test capsule and app which calls
alloc
andalloc_n_with
every other tick until we hitOutOfMemory
, keeps each allocation one tick, and prints the data out after retrieving it.TODO or Help Wanted
While this was manually tested, automated testing would be better. Do we have a place for unit tests for kernel functionality exposed to capsules?
Documentation Updated
/docs
, or no updates are required.Formatting
make prepush
.