"Extra Sections" example is potentially unsound #498
Comments
|
@Dirbaio noted (and I agree) that changing it to: #[link_section=".ccmram.BUFFERS"]
static mut BUF: MaybeUninit<[u8; 1024]> = MaybeUninit::uninit();alleviates the majority of the UB (though, still recommends |
|
Can you soundly perform the initialisation in |
In my opinion, yes.
Assembly has no "abstract machine" requirements - so there isn't any soundness requirement here. I'm not certain we could use inline assembly within a rust edit: I was incorrect that |
|
I've updated the documentation in #525 to specify that you have to use |
In the
cortex-m-rtdocs, the extra sections example shows the definition of a zero-initialized static mut array in a section outside of RAM.I believe this to be unsound, and difficult, if not impossible, to use totally soundly.
The CRT is required to initialize all statics, either to their default value (in
.data), or to zero (in.bss). cortex-m-rt explicitly only performs initialization for data and bss sections in theRAMregion, meaning theCCRAMmust be considered to be uninitialized in the example as currently written.At the very least if we include an example like this, we should discuss this deficiency, and state that
pre_initmust be used to guarantee that the static is initialized at the start of the program.I personally am of the opionion that we cannot soundly perform this initialization in a
pre_initin Rust, as that means that Rust code is running without all statics initialized, which violates the agreement the language makes with the platform environment.This argument is part of why we switched to an assembly CRT, rather than the previously Rust-based init sequence.
The text was updated successfully, but these errors were encountered: