On Thu Mar 26, 2026 at 6:43 AM CET, Alexandre Courbot wrote:
> + // - Since `data` was created from a valid pointer, both
> `tail_slice` and `wrap_slice` are
> + // pointers to valid arrays.
> + // - The area starting at `tx` and ending at `rx - 2` modulo
> `MSGQ_NUM_PAGES`,
> + // inclusive, belongs to the driver for writing and is not
> accessed concurrently by
> + // the GSP.
> + // - The caller holds a reference to `self` for as long as the
> returned slices are live,
> + // meaning the CPU write pointer cannot be advanced and thus that
> the returned area
> + // remains exclusive to the CPU for the duration of the slices.
> + (unsafe { &mut *tail_slice }, unsafe { &mut *wrap_slice })
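Review bot: the SAFETY comment above `(unsafe { &mut *tail_slice }, unsafe { &mut *wrap_slice })` covers pointer validity, CPU ownership of the `tx ..= rx - 2` region and the lifetime of the borrows, but it never states that the two `&mut` references are to disjoint memory, and both are derived from the same `data`. Add a bullet saying that `tail_slice` and `wrap_slice` cover non-overlapping sub-ranges of `data` in every branch (the wrapped part ends strictly before `tx`, or one of the two slices is empty); without it, the comment does not rule out the two `&mut` aliasing, which is the actual soundness requirement for handing out both at once.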
I think this does miss the justification for tail_slice and wrap_slice to not
overlap, i.e. don't we need something like:
- `tail_slice` and `wrap_slice` point to non-overlapping sub-ranges of `data` in all
  branches (in the `rx <= tx` case, `wrap_slice` ends at `rx - 1`, which is strictly
  less than `tx` where `tail_slice` starts; in the other cases one of the slices is
  empty), so creating two `&mut` references from them does not violate aliasing rules.
With this considered,
Reviewed-by: Danilo Krummrich <[email protected]>
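To make the non-overlap argument concrete, here is an added example in safe Rust; it is not code from the nova driver or from the patch under review. It models a ring of `MSGQ_NUM_PAGES` pages (8 is an assumed value) with a CPU write pointer `tx` and a GSP read pointer `rx`, and carves the writable region `tx ..= rx - 2 (mod MSGQ_NUM_PAGES)` into the same two pieces, a tail slice running to the end of the buffer and a wrap slice starting at index 0. The function names `writable_slices`, `expected_pages` and `check_all` are mine, and the explicit `rx == 0` branch is my own handling of the modular end point. Because the slices are produced with `split_at_mut` rather than raw pointers, the borrow checker enforces the disjointness that the driver's SAFETY comment has to argue by hand; `check_all` then verifies, for every `(tx, rx)` pair, that the two slices together cover exactly the expected pages with no duplicate, which is only possible if they do not overlap.

```rust
/// Assumed ring size for this example; the driver's real constant is not shown on the page.
pub const MSGQ_NUM_PAGES: usize = 8;

/// Split the region the CPU may write (`tx ..= rx - 2` modulo `data.len()`)
/// into `(tail_slice, wrap_slice)`: the part from `tx` up to the end of the
/// buffer and the part that wraps around to index 0. One page is always left
/// unused so that "empty" (`rx == tx`) and "full" (`rx == tx + 1`) differ.
pub fn writable_slices<T>(data: &mut [T], tx: usize, rx: usize) -> (&mut [T], &mut [T]) {
    let n = data.len();
    assert!(tx < n && rx < n, "pointers must be in-range page indices");

    if rx > tx {
        // No wrap: writable pages are tx ..= rx - 2, i.e. data[tx .. rx - 1].
        let (head, rest) = data.split_at_mut(tx);
        let (tail, _) = rest.split_at_mut(rx - 1 - tx);
        (tail, &mut head[..0]) // wrap slice is empty
    } else if rx == 0 {
        // rx - 2 modulo n is n - 2: writable pages are tx ..= n - 2, no wrap.
        let (head, rest) = data.split_at_mut(tx);
        let (tail, _) = rest.split_at_mut(n - 1 - tx);
        (tail, &mut head[..0]) // wrap slice is empty
    } else {
        // 0 < rx <= tx: tail is tx ..= n - 1, wrap is 0 ..= rx - 2 (data[0 .. rx - 1]).
        // `rx - 1 <= tx - 1 < tx`, so the wrap slice ends strictly before the tail starts.
        let (head, tail) = data.split_at_mut(tx);
        let (wrap, _) = head.split_at_mut(rx - 1);
        (tail, wrap)
    }
}

/// Oracle: the page indices tx, tx + 1, ..., rx - 2 modulo `n`, in write order.
/// The count is (rx - 1 - tx) mod n, which is 0 when the ring is full and
/// n - 1 when it is empty.
pub fn expected_pages(n: usize, tx: usize, rx: usize) -> Vec<usize> {
    let count = (rx + n - 1 - tx) % n;
    (0..count).map(|k| (tx + k) % n).collect()
}

/// Exhaustively check every (tx, rx) pair on a ring of `n` pages. Each page
/// holds its own index, so the concatenation tail ++ wrap must equal the
/// oracle exactly; any overlap between the two slices would show up as a
/// duplicated index and fail the comparison.
pub fn check_all(n: usize) -> bool {
    for tx in 0..n {
        for rx in 0..n {
            let mut data: Vec<usize> = (0..n).collect();
            let (tail, wrap) = writable_slices(&mut data, tx, rx);
            let got: Vec<usize> = tail.iter().chain(wrap.iter()).copied().collect();
            if got != expected_pages(n, tx, rx) {
                return false;
            }
        }
    }
    true
}

fn main() {
    let mut data: Vec<usize> = (0..MSGQ_NUM_PAGES).collect();
    for (tx, rx) in [(5, 3), (2, 6), (4, 0), (3, 4)] {
        let (tail, wrap) = writable_slices(&mut data, tx, rx);
        println!("tx={tx} rx={rx}: tail={:?} wrap={:?}", tail, wrap);
    }
    println!("all pairs consistent: {}", check_all(MSGQ_NUM_PAGES));
}
```

The interesting branch is the last one: `head` and `tail` are disjoint by construction of `split_at_mut`, and `wrap` is a prefix of `head`, so the compiler itself proves the two returned `&mut` never alias. The driver obtains the same two slices from raw pointers, which is why its SAFETY comment must state the disjointness argument explicitly instead of relying on the type system.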