Alexandre Courbot
2025-Sep-29 14:44 UTC
[PATCH v4 6/6] rust: bitfield: Use 'as' operator for setter type conversion
On Mon Sep 29, 2025 at 10:59 PM JST, Miguel Ojeda wrote:
> On Sat, Sep 20, 2025 at 8:23 PM Joel Fernandes <joelagnelf at nvidia.com> wrote:
>>
>> The bitfield macro's setter currently uses the From trait for type
>> conversion, which is overly restrictive and prevents use cases such as
>> narrowing conversions (e.g., u32 storage size to u8 field size) which
>> aren't supported by From.
>
> Being restrictive is a good thing

On that note, I have been wondering whether we should not push the
restriction up to having bounded primitive types with only a set number
of bits valid, e.g. `bound_u8::<2>` is guaranteed to only contain values
in the range `0..=3`.

Getters and setters would use these types depending on the number of
bits of the field, meaning that a caller would have to validate the
value they want to write if it does not implement e.g.
`Into<bound_u8<2>>`.

A bit radical maybe, but correctness ensues. :)
Joel Fernandes
2025-Sep-30 12:03 UTC
[PATCH v4 6/6] rust: bitfield: Use 'as' operator for setter type conversion
On Mon, Sep 29, 2025 at 11:44:56PM +0900, Alexandre Courbot wrote:
> On Mon Sep 29, 2025 at 10:59 PM JST, Miguel Ojeda wrote:
> > On Sat, Sep 20, 2025 at 8:23 PM Joel Fernandes <joelagnelf at nvidia.com> wrote:
> >>
> >> The bitfield macro's setter currently uses the From trait for type
> >> conversion, which is overly restrictive and prevents use cases such as
> >> narrowing conversions (e.g., u32 storage size to u8 field size) which
> >> aren't supported by From.
> >
> > Being restrictive is a good thing
>
> On that note, I have been wondering whether we should not push the
> restriction up to having bounded primitive types with only a set number
> of bits valid, e.g. `bound_u8::<2>` is guaranteed to only contain values
> in the range `0..=3`.
>
> Getters and setters would use these types depending on the number of
> bits of the field, meaning that a caller would have to validate the
> value they want to write if it does not implement e.g.
> `Into<bound_u8<2>>`.
>
> A bit radical maybe, but correctness ensues. :)

In my v5, I will be rejecting setter inputs that are out of range. Do we
have a use case where we want the inputs to exceed the bit width range?
If not, let us keep the API simple.

I should probably post v5 today so we have a full discussion on the same
and get alignment from everyone.

Thanks
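Added illustration, not code from the patch series or from any reply in this thread: a sketch of how the two designs discussed above could look side by side. The first setter follows the bounded-type idea (a `bound_u8::<N>`-style newtype whose only constructor performs the range check, so the setter signature itself rules out an out-of-range write); the second follows the "reject out-of-range setter inputs" approach by taking the raw integer and returning an error. The names `BoundU8`, `OutOfRange`, `Reg`, `FieldValue` and `set_field_checked`, and the layout of a 2-bit field at bits 4..=5 of a `u32` register, are all assumptions made for this example and are not identifiers from the kernel bitfield macro.

```rust
// Added example, not kernel code: a bounded integer type parameterised by
// its valid bit width, and a register whose field setter only accepts it.
use core::convert::TryFrom;

/// A `u8` that provably holds only values representable in `BITS` bits.
/// Hypothetical name standing in for the `bound_u8::<N>` idea in the thread.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct BoundU8<const BITS: u32>(u8);

/// Error returned when a raw value does not fit the field width.
#[derive(Debug, PartialEq, Eq)]
pub struct OutOfRange {
    pub value: u8,
    pub bits: u32,
}

impl<const BITS: u32> BoundU8<BITS> {
    /// Largest value that fits in `BITS` bits (BITS >= 8 saturates at u8::MAX).
    pub const MAX: u8 = if BITS >= 8 { u8::MAX } else { (1u8 << BITS) - 1 };

    /// The only way to build one from a raw value: the range check happens here.
    pub fn new(value: u8) -> Result<Self, OutOfRange> {
        if value <= Self::MAX {
            Ok(Self(value))
        } else {
            Err(OutOfRange { value, bits: BITS })
        }
    }

    pub fn get(self) -> u8 {
        self.0
    }
}

impl<const BITS: u32> TryFrom<u8> for BoundU8<BITS> {
    type Error = OutOfRange;
    fn try_from(value: u8) -> Result<Self, OutOfRange> {
        Self::new(value)
    }
}

/// Constructed register layout (assumption): a u32 with one 2-bit field at bits 4..=5.
pub struct Reg(pub u32);

/// Type of the field's value; the width is fixed by the bounded type.
pub type FieldValue = BoundU8<2>;

impl Reg {
    const FIELD_SHIFT: u32 = 4;
    const FIELD_MASK: u32 = (FieldValue::MAX as u32) << Self::FIELD_SHIFT;

    /// Getter: the mask guarantees the extracted value is in range, so the
    /// bounded type can be built without a runtime check.
    pub fn field(&self) -> FieldValue {
        let raw = ((self.0 & Self::FIELD_MASK) >> Self::FIELD_SHIFT) as u8;
        BoundU8(raw)
    }

    /// Setter in the bounded-type style: the signature forces the caller to
    /// have produced a `FieldValue` already (via `TryFrom` or `new`), so no
    /// out-of-range value can reach the register write.
    pub fn set_field(&mut self, value: impl Into<FieldValue>) {
        let bits = u32::from(value.into().get()) << Self::FIELD_SHIFT;
        self.0 = (self.0 & !Self::FIELD_MASK) | bits;
    }

    /// Setter in the reject-out-of-range style: takes the raw integer and
    /// returns an error, leaving the register untouched, if it does not fit.
    pub fn set_field_checked(&mut self, raw: u8) -> Result<(), OutOfRange> {
        let value = FieldValue::try_from(raw)?;
        self.set_field(value);
        Ok(())
    }
}

fn main() {
    let mut reg = Reg(0);
    reg.set_field(FieldValue::new(3).unwrap());
    println!("reg = {:#x}, field = {}", reg.0, reg.field().get());
    match reg.set_field_checked(7) {
        Ok(()) => println!("accepted"),
        Err(e) => println!("rejected: {:?}", e),
    }
}
```

With the bounded type, a narrowing conversion such as u32 storage to a u8 field is no longer the setter's problem: the caller has to go through `TryFrom`, and the compiler rejects a bare integer argument. The checked setter gives the same guarantee at runtime with a plainer API, which is the trade-off the thread is weighing.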