Commit graph

286 commits

Author SHA1 Message Date
Jorge Aparicio
4742da94e7 changelog: note that new syntax is documented in the book 2019-02-12 17:28:16 +01:00
bors[bot]
ed6460f6dc Merge #140
140: fix soundness issue: forbid early returns in init r=japaric a=japaric

TL;DR

1. v0.4.1 will be published once this PR lands

2. v0.4.0 will be yanked once v0.4.1 is out

3. v0.4.1 will reject code that contains early returns in `init` *and* contains
   late resources. Yes, this is a breaking change but such code is unsound /
   has undefined behavior.

4. as of v0.4.1 users are encouraged to use `fn init() -> init::LateResources`
   instead of `fn init()` when they make use of late resources.

---

This PR fixes a soundness issue reported by @RalfJung. Basically, early
returning from `init` leaves *late resources* (runtime initialized statics)
uninitialized, and this produces undefined behavior as tasks rely on those
statics being initialized. The example below showcases a program that runs into
this soundness issue.

``` rust
#[rtfm::app(device = lm3s6965)]
const APP: () = {
    // this is actually `static mut UNINITIALIZED: MaybeUninit<bool> = ..`
    static mut UNINITIALIZED: bool = ();

    #[init]
    fn init() {
        // early return
        return;

        // this is translated into `UNINITIALIZED.set(true)`
        UNINITIALIZED = true; // the DSL forces you to write this at the end
    }

    #[interrupt(resources = [UNINITIALIZED])]
    fn UART0() {
        // `resources.UNINITIALIZED` is basically `UNINITIALIZED.get_mut()`

        if resources.UNINITIALIZED {
            // undefined behavior
        }
    }
};
```

The fix consists of two parts. The first part is producing a compiler error
whenever the `app` procedural macro finds a `return` expression in `init`. This
covers most cases, except for macros (e.g. `ret!()` expands into `return`) which
cannot be introspected by procedural macros. This fix is technically a
breaking change (though unlikely to affect real code out there) but as per our
SemVer policy (which follows rust-lang/rust's) we are allowed to make breaking
changes to fix soundness bugs.

The second part of the fix consists of extending the `init` syntax to let the
user return the initial values of late resources in a struct. Namely, `fn() ->
init::LateResources` will become a valid signature for `init` (we allowed this
signature back in v0.3.x). Thus the problematic code shown above can be
rewritten as:

``` rust
#[rtfm::app(device = lm3s6965)]
const APP: () = {
    static mut UNINITIALIZED: bool = ();

    #[init]
    fn init() -> init::LateResources {
        // rejected by the compiler
        // return; //~ ERROR expected `init::LateResources`, found `()`

        // initialize late resources
        init::LateResources {
            UNINITIALIZED: true,
        }
    }

    #[interrupt(resources = [UNINITIALIZED])]
    fn UART0() {
        if resources.UNINITIALIZED {
            // OK
        }
    }
};
```

Attempting to early return without giving the initial values for late resources
will produce a compiler error.

~~Additionally, we'll emit warnings if the `init: fn()` signature is used to
encourage users to switch to the alternative `init: fn() -> init::LateResources`
signature.~~ Turns out we can't do this on stable. Bummer.

The book and examples have been updated to make use of `init::LateResources`.

In the next minor version release we'll reject `fn init()` if late resources
are declared. `fn init() -> init::LateResources` will become the only way to
initialize late resources.

This PR also prepares release v0.4.1. Once that version is published the unsound
version v0.4.0 will be yanked.


Co-authored-by: Jorge Aparicio <jorge@japaric.io>
2019-02-12 14:28:42 +00:00
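The following is an added host-side model of the late-resource pattern described in #140; it is not code from the cortex-m-rtfm crate or from the PR. It assumes a single-threaded runtime, models the `static mut X: T = ();` lowering as a `MaybeUninit<bool>` static, and uses a constructed `early_exit` parameter to exercise the early-return path. The point it shows is the second part of the fix: once `init` must return a `LateResources` value, every exit path has to supply initial values, so a bare `return;` no longer compiles and the static is always written before a task can read it.

```rust
use core::mem::MaybeUninit;
use core::ptr::{addr_of, addr_of_mut};

// Constructed model of what the `app` macro generates for a late resource
// declared as `static mut UNINITIALIZED: bool = ();` (not the crate's own code).
static mut UNINITIALIZED: MaybeUninit<bool> = MaybeUninit::uninit();

// One field per late resource; `init` has to hand back a complete value.
#[allow(non_snake_case)]
pub struct LateResources {
    pub UNINITIALIZED: bool,
}

// User-written `init`. Because the return type is `LateResources`, every exit
// path must produce initial values: a bare `return;` is a type error
// ("expected `LateResources`, found `()`"), which closes the early-return hole.
// `early_exit` is a constructed knob used only to exercise the early path.
pub fn init(early_exit: bool) -> LateResources {
    if early_exit {
        // Leaving early is still allowed, but only with a full set of values.
        return LateResources { UNINITIALIZED: false };
    }
    LateResources { UNINITIALIZED: true }
}

// Constructed model of the generated glue between `init` and the first task:
// store every late resource, then let tasks run.
pub fn run(early_exit: bool) -> bool {
    let late = init(early_exit);
    // SAFETY: single-threaded model; no task reads the static before this write.
    unsafe { addr_of_mut!(UNINITIALIZED).cast::<bool>().write(late.UNINITIALIZED) };
    uart0()
}

// Task body reading the late resource; sound only because `run` wrote it first.
pub fn uart0() -> bool {
    // SAFETY: `run` initialised the static before dispatching this task.
    unsafe { addr_of!(UNINITIALIZED).cast::<bool>().read() }
}

fn main() {
    println!("normal init -> {}", run(false)); // true
    println!("early exit  -> {}", run(true)); // false
}
```

With the old `fn init()` shape the equivalent body (`return;` followed by the trailing assignment) compiles with only an unreachable-code warning, and the task then reads memory that was never written; with the struct-returning signature the same mistake is rejected at compile time rather than detected by inspecting the body, which is why it also covers `return` expressions hidden inside macros that the procedural macro cannot see.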
Jorge Aparicio
519d7ca056 update CHANGELOG with alt init syntax 2019-02-12 15:27:08 +01:00
Jorge Aparicio
1e9058cab2 (en) update the text related to late resources
cc @burrbull
2019-02-12 15:13:41 +01:00
Jorge Aparicio
89c922079e update examples and tests 2019-02-12 15:08:46 +01:00
Jorge Aparicio
88599780e0 accept init: fn() -> init::LateResources 2019-02-12 14:53:49 +01:00
Jorge Aparicio
8890f10e1c v0.4.1 2019-02-12 11:28:34 +01:00
Jorge Aparicio
1ba03b9f00 document MSRV and SemVer policy 2019-02-12 11:08:39 +01:00
Jorge Aparicio
557a51ede1 forbid early returns in init 2019-02-12 11:07:15 +01:00
Jorge Aparicio
91962d21fe (ru) fix includes in the preface 2019-02-12 11:04:54 +01:00
Jorge Aparicio
26e0054419 fix ci/after-success.sh 2019-02-11 22:07:15 +01:00
bors[bot]
672886a67a Merge #139
139: russian translation r=japaric a=japaric



Co-authored-by: Jorge Aparicio <jorge@japaric.io>
Co-authored-by: Andrey Zgarbul <zgarbul.andrey@gmail.com>
2019-02-11 20:41:49 +00:00
Jorge Aparicio
0007a35a27 change layout of books 2019-02-11 21:40:53 +01:00
Andrey Zgarbul
68a937a72a (ru) not a beta 2019-02-10 14:40:40 +03:00
Andrey Zgarbul
0fcc31f58e (ru) changes according review 2019-02-09 08:48:12 +03:00
Andrey Zgarbul
5ef1f2088a russian translation 2019-02-08 23:18:51 +03:00
Jorge Aparicio
45659fdbbc skeleton for the Russian translation of the book 2019-02-08 19:58:55 +01:00
bors[bot]
1d52964df7 Merge #137
137: impl Default for Duration r=japaric a=japaric

closes #134

Co-authored-by: Jorge Aparicio <jorge@japaric.io>
2019-02-08 10:55:45 +00:00
Jorge Aparicio
e7586f4a8a impl Default for Duration 2019-02-08 11:54:41 +01:00
bors[bot]
60478f3623 Merge #133
133: Fix build on recent nightlies. r=japaric a=hugwijst



Co-authored-by: Hugo van der Wijst <hvanderwijst@tesla.com>
2019-01-22 09:00:02 +00:00
Hugo van der Wijst
45e98afbc1 Fix build on recent nightlies. 2019-01-17 10:55:21 -08:00
Jorge Aparicio
438a6207fb
Merge pull request #125 from eddyp/master
Absolute link to the book so it works on crates.io
2019-01-09 01:01:34 +01:00
Eddy Petrișor
8ac179d8ee Absolute link to the book so it works on crates.io
Signed-off-by: Eddy Petrișor <eddy.petrisor@gmail.com>
2019-01-09 01:56:21 +02:00
Jorge Aparicio
44ee464cd1
Merge pull request #120 from kraai/patch-2
Fix grammar
2019-01-03 16:28:37 +01:00
Matt Kraai
17459b8f7d
Fix grammar 2018-12-21 12:52:57 -08:00
Jorge Aparicio
0d2d0e1e1c
Merge pull request #119 from kraai/patch-1
Fix misspelling of "capacity"
2018-12-21 19:18:50 +01:00
Matt Kraai
c61eb46149
Fix misspelling of "capacity" 2018-12-21 09:15:16 -08:00
bors[bot]
61bb830285 Merge #118
118: a few doc tweaks r=japaric a=japaric



Co-authored-by: Jorge Aparicio <jorge@japaric.io>
2018-12-19 00:51:36 +00:00
Jorge Aparicio
7de9687dfa note that entering / leaving a critical section is always constant time 2018-12-17 01:43:12 +01:00
Jorge Aparicio
313a2074d7 make docs.rs build docs with +timer-queue 2018-12-17 01:42:53 +01:00
bors[bot]
3511e915b5 Merge #116
116: v0.4.0 r=japaric a=japaric



Co-authored-by: Jorge Aparicio <jorge@japaric.io>
2018-12-16 21:05:56 +00:00
Jorge Aparicio
22140fbc49 don't pin to an older nightly 2018-12-16 22:05:32 +01:00
Jorge Aparicio
1643dd0a57 actually, don't check the output of the cfg example 2018-12-16 22:02:06 +01:00
Jorge Aparicio
5b032243e6 book: add some notes about the timer queue 2018-12-16 21:24:10 +01:00
Jorge Aparicio
d98f6c9a61 v0.4.0 2018-12-16 21:19:19 +01:00
Jorge Aparicio
34e74f4bb3 book: add an example of conditional compilation of resources and tasks 2018-12-16 20:57:04 +01:00
Jorge Aparicio
06c1e2f9b4 note that the timer queue is not supported on ARMv6-M 2018-12-16 19:38:22 +01:00
bors[bot]
c2fbb28488 Merge #114
114: properly handle conditional compilation r=japaric a=japaric

of resources and tasks

Co-authored-by: Jorge Aparicio <jorge@japaric.io>
2018-12-16 18:18:17 +00:00
Jorge Aparicio
d35f5bc0b0 use edition idioms in the top crate 2018-12-16 19:16:19 +01:00
Jorge Aparicio
56d09a12dd move macros crate to the 2018 edition 2018-12-16 19:14:58 +01:00
Jorge Aparicio
8e9a91d0b0 properly handle #[cfg] (conditional compilation) on tasks 2018-12-16 19:10:36 +01:00
Jorge Aparicio
4345c10596 properly handle #[cfg] (conditional compilation) on resources 2018-12-16 18:37:36 +01:00
bors[bot]
5c458fc115 Merge #113
113: use the single core variant of spsc::Queue r=japaric a=japaric



Co-authored-by: Jorge Aparicio <jorge@japaric.io>
2018-12-16 00:12:43 +00:00
Jorge Aparicio
9757c33b00 use the single core variant of spsc::Queue 2018-12-16 01:11:54 +01:00
Jorge Aparicio
8ac60ce369 bump cortex-m-rt dep 2018-12-15 22:40:45 +01:00
bors[bot]
c4b7fbeb02 Merge #112
112: codegen/statics: forward #[cfg] attributes r=japaric a=japaric

fixes #110

Co-authored-by: Jorge Aparicio <jorge@japaric.io>
2018-12-15 21:05:34 +00:00
Jorge Aparicio
4f00d8bd78 codegen/statics: forward #[cfg] attributes
fixes #110
2018-12-15 22:04:30 +01:00
bors[bot]
eba691a5f2 Merge #111
111: some refactors r=japaric a=japaric



Co-authored-by: Jorge Aparicio <jorge@japaric.io>
2018-12-15 20:18:11 +00:00
Jorge Aparicio
e03c09874f ci: switch to an older nightly
to work around rust-lang/rust#56814
2018-12-15 21:17:14 +01:00
Jorge Aparicio
d14e25d72d move some interrupt configuration to pre_init 2018-12-15 20:35:00 +01:00