make HAL provenance-friendly
hawkw opened this issue · 8 comments
the Mycelium HAL's address types (and other code that does MMIO) were mostly written before Rust had ways to do int2ptr conversions without totally violating pointer provenance. we should update this code to be less egregiously wrong.
this basically means replacing all the int2ptr casts with ptr::from_exposed_addr and friends.
we might also be better off changing the internal representation of VAddr from VAddr(usize) to VAddr(*const ()) so that when you construct one from a ptr it's "more provenance-preserving", and make the VAddr::from_usize constructor be ptr::from_exposed_addr
...
sure. fwiw the standard library seems to Love storing *mut () instead of *const () for some reason, so if VAddr occasionally allows write permissions it might be worth using that as the storage. idk i'm not a compilers boy. in The Future tm once funty gets cool (and able to provide const fns...) this won't matter, it'll store the Correct pointer always.
anyway yeah i'll poke
yeah, it should probably be *mut () since it will grant write permissions through unsafe code --- that was what i meant.
in an ideal world we would also probably represent physical addresses as *mut () so that they were "more provenance preserving", but...they're probably going to have to stay integers forever because they can sometimes have bit patterns that aren't valid virtual addresses...
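The VAddr(*mut ()) representation discussed above, sketched as an added example that is not Mycelium's code: from_ptr keeps the source pointer's provenance, while from_usize keeps a plain `as` cast (the int2ptr conversion the issue wants replaced) so it compiles on stable toolchains without strict-provenance APIs. Method names other than from_usize are assumptions.

```rust
/// Virtual address stored as a raw pointer rather than a `usize`, the
/// representation proposed in the thread, so that an address built from
/// a real pointer keeps that pointer's provenance.
#[derive(Copy, Clone, Debug, PartialEq, Eq)]
#[repr(transparent)]
pub struct VAddr(*mut ());

impl VAddr {
    /// Provenance-preserving constructor: no int2ptr cast is involved.
    pub fn from_ptr<T>(p: *const T) -> Self {
        VAddr(p as *mut ())
    }

    /// Integer constructor. This `as` cast is the int2ptr conversion the
    /// issue wants to replace with `ptr::from_exposed_addr` (stabilized
    /// later as `ptr::with_exposed_provenance`); the result only carries
    /// provenance if the address was exposed earlier.
    pub fn from_usize(addr: usize) -> Self {
        VAddr(addr as *mut ())
    }

    pub fn as_usize(self) -> usize {
        self.0 as usize
    }

    /// Byte offset that stays on the pointer side, so provenance is kept.
    /// Wrapping arithmetic keeps the call itself safe; dereferencing the
    /// result is still the caller's responsibility.
    pub fn offset(self, bytes: usize) -> Self {
        VAddr((self.0 as *mut u8).wrapping_add(bytes) as *mut ())
    }

    /// View the address as a typed pointer (e.g. an MMIO register).
    pub fn as_ptr<T>(self) -> *mut T {
        self.0 as *mut T
    }

    pub fn is_aligned_to(self, align: usize) -> bool {
        assert!(align.is_power_of_two(), "alignment must be a power of two");
        self.as_usize() & (align - 1) == 0
    }
}

/// Round trip through `VAddr`: derive the address from `buf`, step four
/// bytes, and read back through the typed pointer.
pub fn read_fourth_byte(buf: &[u8; 8]) -> u8 {
    let base = VAddr::from_ptr(buf.as_ptr());
    // SAFETY: `base` is derived from `buf`, so offset 4 is in bounds.
    unsafe { *base.offset(4).as_ptr::<u8>() }
}
```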
also sidenote please feel free to clean up any of the other messy stuff in the address types if you like.
@myrrlyn is this still something you're interested in taking a crack at? i might do it at some point, otherwise.
yes but feel free to beat me to it
i'm probably not going to start any time soon, so, i probably won't. but i figured i'd check.