References to MMIO space are (probably?) UB

[thejpster]

I was looking at tock-registers in detail for the first time today, and I think you have the same soundness issue that we fell over in the svd2rust generated output.

As far as we (me, and others in the Embedded Devices WG) can tell, it is UB to have a reference which points to MMIO address space. I believe tock-registers generates such MMIO references.

The UB comes about because references in Rust are marked as dereferencable when handed to LLVM, and that means LLVM is allowed to read from them whenever it likes. This would be incorrect for a reference to MMIO space, because the read may have side-effects. I think currently LLVM does not actually do any unexpected dereferencing, but it remains allowable.

I believe the only correct approach is to only ever construct pointers to MMIO space, and not references, and be very careful to never accidentally conjure up a reference. This is the approach taken by safe-mmio and derive-mmio, and is what svd2rust is working towards.

[thejpster]

I think rust-embedded/wg#791 has most of the details, and links to bits of history.

[brghena]

Thanks!! I believe we're aware of this issue, although revising the implementation of tock-registers has become a rather long-term endeavor. It's the first item @jrvanwhy notes in the draft he made discussing how to start revising tock-registers, which is still over on the main Tock repo: tock/tock#4001

More references to the issue and pointers to community solutions to it is super helpful though.

[jrvanwhy]

Yes, this is the soundness issue I've been wanting to fix for years, and yes tock/tock#4001 is the most recent attempt to alleviate it.

One thing that is delaying the fix is that I'm trying to fix a second design issue at the same time: the fact that tock-registers does nothing to make code that uses it unit-testable. I'm trying to fix both in a big monolithic redesign, and that is quite a bit of effort. To my knowledge, the only Rust registers library that is unit testable is Caliptra's ureg... maybe. I haven't fully figured out how it works to confirm that it is easy to unit test drivers built on ureg. Even if ureg does support that, we'll almost certainly implement our own because the APIs are too different (we have enough code that it is easier to redesign tock-registers than to migrate to a drastically-different API).

I've recently (as of 4 days ago!) resumed working on the redesign. My past attempt petered out as a result of team changes/reprioritization at my previous employer; I have solid reason to believe that this time will be different and we'll be able to get the fix/redesign across the finish line.

[thejpster]

Great. Thanks for the links.

derive-mmio has unit tests, but obviously your tests cannot build handles to MMIO space and must alias local objects instead.