rust-embedded / riscv

Low level access to RISC-V processors

`riscv`: All the CSR write operations should be unsafe by default #209

Open jsgf opened 3 months ago

jsgf commented 3 months ago

In general we should assume that writing to CSRs could do something that potentially violates the Rust abstract model.

Macros like `write_csr_as` and `write_csr_as_usize` should at least default to unsafe, and maybe have an option to make a safe variant on a CSR-by-CSR basis.

romancardenas commented 3 months ago

As I always do, I checked the cortex-m crate and... they use the same fashion you propose 😁

In other words, I am in favor of your proposal.

alistair23 commented 2 months ago

I agree. Writing to RISC-V CSRs can cause all sorts of unsafe behaviour. There are a few that probably aren't unsafe, but they need some reasoning about why they aren't. Unsafe by default is the way to go.
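A sketch of the scheme discussed in this thread, added here as an example and not taken from the `riscv` crate: the generated writer is `unsafe` unless the CSR definition opts in with `safe:` and records the reasoning. The `csr_writer!` macro, `raw_write`, the host-side `CSRS` array and the choice of `mscratch` as the safe CSR are all assumptions made for illustration.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};

// Host-side stand-in for the CSR file so the example runs anywhere; on a
// RISC-V target `raw_write` would be a single `csrw` instruction instead.
const ZERO: AtomicUsize = AtomicUsize::new(0);
static CSRS: [AtomicUsize; 4096] = [ZERO; 4096];

fn raw_write(addr: usize, bits: usize) { CSRS[addr].store(bits, Ordering::SeqCst); }
pub fn read(addr: usize) -> usize { CSRS[addr].load(Ordering::SeqCst) }

// Hypothetical macro: a safe writer exists only when the definition says
// `safe:` and carries a written justification; everything else is `unsafe`.
macro_rules! csr_writer {
    ($name:ident, $addr:expr, safe: $why:literal) => {
        pub mod $name {
            /// Why this CSR write cannot break Rust's guarantees.
            pub const SAFETY_ARGUMENT: &str = $why;
            pub fn write(bits: usize) { super::raw_write($addr, bits) }
        }
    };
    ($name:ident, $addr:expr) => {
        pub mod $name {
            /// # Safety
            /// The caller must uphold the hardware invariants of this CSR.
            pub unsafe fn write(bits: usize) { super::raw_write($addr, bits) }
        }
    };
}

// mtvec (0x305) redirects every trap, so it keeps the unsafe default.
csr_writer!(mtvec, 0x305);
// mscratch (0x340) is opted in; the justification is an assumption of this example.
csr_writer!(mscratch, 0x340, safe: "scratch word; no trap handler in this program reads it");

pub fn demo() -> (usize, usize) {
    mscratch::write(0xdead); // compiles without `unsafe`
    // SAFETY: simulated register file; on hardware the value must be the
    // address of a valid, correctly aligned trap handler.
    unsafe { mtvec::write(0x8000_0000) };
    (read(0x340), read(0x305))
}

fn main() {
    println!("{:x?}", demo());
}
```

Removing the `unsafe` block around `mtvec::write` makes the build fail with error E0133, which is the compile-time check the unsafe default buys.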

romancardenas commented 2 months ago

We commented on this issue in yesterday's meeting and the general impression is that we should: