Add `NullTerminatedFormatter`, a formatter that writes a null terminated
string to an array or slice buffer. Because this type needs to manage the
trailing null marker, the existing formatters cannot be used to implement
this type.
Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
---
rust/kernel/str.rs | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs
index b1bc584803b0..c58925438c6e 100644
--- a/rust/kernel/str.rs
+++ b/rust/kernel/str.rs
@@ -838,6 +838,56 @@ fn write_str(&mut self, s: &str) -> fmt::Result {
}
}
+/// A mutable reference to a byte buffer where a string can be written into.
+///
+/// The buffer will be automatically null terminated after the last written character.
+///
+/// # Invariants
+///
+/// `buffer` is always null terminated.
+pub(crate) struct NullTerminatedFormatter<'a> {
+ buffer: &'a mut [u8],
+}
+
+impl<'a> NullTerminatedFormatter<'a> {
+ /// Create a new [`Self`] instance.
+ pub(crate) fn new(buffer: &'a mut [u8]) -> Option<NullTerminatedFormatter<'a>> {
+ *(buffer.first_mut()?) = 0;
+
+ // INVARIANT: We null terminated the buffer above.
+ Some(Self { buffer })
+ }
+
+ #[expect(dead_code)]
+ pub(crate) fn from_array<const N: usize>(
+ buffer: &'a mut [crate::ffi::c_char; N],
+ ) -> Option<NullTerminatedFormatter<'a>> {
+ Self::new(buffer)
+ }
+}
+
+impl Write for NullTerminatedFormatter<'_> {
+ fn write_str(&mut self, s: &str) -> fmt::Result {
+ let bytes = s.as_bytes();
+ let len = bytes.len();
+
+ // We want space for a null terminator. Buffer length is always at least 1, so no overflow.
+ if len > self.buffer.len() - 1 {
+ return Err(fmt::Error);
+ }
+
+ let buffer = core::mem::take(&mut self.buffer);
+ // We break the null termination invariant for a short while.
+ buffer[..len].copy_from_slice(bytes);
+ self.buffer = &mut buffer[len..];
+
+ // INVARIANT: We null terminate the buffer.
+ self.buffer[0] = 0;
+
+ Ok(())
+ }
+}
+
/// An owned string that is guaranteed to have exactly one `NUL` byte, which is at the end.
///
/// Used for interoperability with kernel APIs that take C strings.
--
2.47.2
> On 11 Jul 2025, at 08:43, Andreas Hindborg <a.hindborg@kernel.org> wrote:
>
> Add `NullTerminatedFormatter`, a formatter that writes a null terminated
> string to an array or slice buffer. Because this type needs to manage the
> trailing null marker, the existing formatters cannot be used to implement
> this type.
>
> Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
> ---
> rust/kernel/str.rs | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 50 insertions(+)
>
> diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs
> index b1bc584803b0..c58925438c6e 100644
> --- a/rust/kernel/str.rs
> +++ b/rust/kernel/str.rs
> @@ -838,6 +838,56 @@ fn write_str(&mut self, s: &str) -> fmt::Result {
> }
> }
>
> +/// A mutable reference to a byte buffer where a string can be written into.
> +///
> +/// The buffer will be automatically null terminated after the last written character.
Hmm, I suppose you want this to be the only null? See below.
> +///
> +/// # Invariants
> +///
> +/// `buffer` is always null terminated.
> +pub(crate) struct NullTerminatedFormatter<'a> {
> + buffer: &'a mut [u8],
> +}
> +
> +impl<'a> NullTerminatedFormatter<'a> {
> + /// Create a new [`Self`] instance.
> + pub(crate) fn new(buffer: &'a mut [u8]) -> Option<NullTerminatedFormatter<'a>> {
> + *(buffer.first_mut()?) = 0;
> +
> + // INVARIANT: We null terminated the buffer above.
> + Some(Self { buffer })
> + }
> +
> + #[expect(dead_code)]
> + pub(crate) fn from_array<const N: usize>(
> + buffer: &'a mut [crate::ffi::c_char; N],
> + ) -> Option<NullTerminatedFormatter<'a>> {
> + Self::new(buffer)
> + }
> +}
> +
> +impl Write for NullTerminatedFormatter<'_> {
> + fn write_str(&mut self, s: &str) -> fmt::Result {
> + let bytes = s.as_bytes();
> + let len = bytes.len();
> +
> + // We want space for a null terminator. Buffer length is always at least 1, so no overflow.
Perhaps this should be a type invariant? I know this is a logical conclusion
from saying “buffer is always NULL terminated”, but it’s always
nice to be even more explicit.
> + if len > self.buffer.len() - 1 {
> + return Err(fmt::Error);
> + }
> +
> + let buffer = core::mem::take(&mut self.buffer);
> + // We break the null termination invariant for a short while.
> + buffer[..len].copy_from_slice(bytes);
> + self.buffer = &mut buffer[len..];
As I said in my first comment, if you want this to be the only null, I
don’t think the copy above enforces it?
> +
> + // INVARIANT: We null terminate the buffer.
> + self.buffer[0] = 0;
> +
> + Ok(())
> + }
> +}
> +
> /// An owned string that is guaranteed to have exactly one `NUL` byte, which is at the end.
> ///
> /// Used for interoperability with kernel APIs that take C strings.
>
> --
> 2.47.2
>
>
>
— Daniel
"Daniel Almeida" <daniel.almeida@collabora.com> writes:
>> On 11 Jul 2025, at 08:43, Andreas Hindborg <a.hindborg@kernel.org> wrote:
>>
>> Add `NullTerminatedFormatter`, a formatter that writes a null terminated
>> string to an array or slice buffer. Because this type needs to manage the
>> trailing null marker, the existing formatters cannot be used to implement
>> this type.
>>
>> Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
>> ---
>> rust/kernel/str.rs | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 50 insertions(+)
>>
>> diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs
>> index b1bc584803b0..c58925438c6e 100644
>> --- a/rust/kernel/str.rs
>> +++ b/rust/kernel/str.rs
>> @@ -838,6 +838,56 @@ fn write_str(&mut self, s: &str) -> fmt::Result {
>> }
>> }
>>
>> +/// A mutable reference to a byte buffer where a string can be written into.
>> +///
>> +/// The buffer will be automatically null terminated after the last written character.
>
> Hmm, I suppose you want this to be the only null? See below.
This code went through some iteration. In the original code, I kept a
pointer to the beginning of the buffer and an offset. It made sense to
require the buffer to be null terminated.
In this iteration, I let go of the pointer to the beginning of the
buffer and point to the next writable byte. If this byte is zero, the
original buffer is null terminated. Alice suggested rephrase, and I put
this for the next spin:
/// # Invariants
///
/// * The first byte of `buffer` is always zero.
At any rate, the final string is allowed to have multiple null
characters in it.
>
>> +///
>> +/// # Invariants
>> +///
>> +/// `buffer` is always null terminated.
>> +pub(crate) struct NullTerminatedFormatter<'a> {
>> + buffer: &'a mut [u8],
>> +}
>> +
>> +impl<'a> NullTerminatedFormatter<'a> {
>> + /// Create a new [`Self`] instance.
>> + pub(crate) fn new(buffer: &'a mut [u8]) -> Option<NullTerminatedFormatter<'a>> {
>> + *(buffer.first_mut()?) = 0;
>> +
>> + // INVARIANT: We null terminated the buffer above.
>> + Some(Self { buffer })
>> + }
>> +
>> + #[expect(dead_code)]
>> + pub(crate) fn from_array<const N: usize>(
>> + buffer: &'a mut [crate::ffi::c_char; N],
>> + ) -> Option<NullTerminatedFormatter<'a>> {
>> + Self::new(buffer)
>> + }
>> +}
>> +
>> +impl Write for NullTerminatedFormatter<'_> {
>> + fn write_str(&mut self, s: &str) -> fmt::Result {
>> + let bytes = s.as_bytes();
>> + let len = bytes.len();
>> +
>> + // We want space for a null terminator. Buffer length is always at least 1, so no overflow.
>
> Perhaps this should be a type invariant? I know this is a logical conclusion
> from saying “buffer is always NULL terminated”, but it’s always
> nice to be even more explicit.
I can add a minimum size 1 byte requirement 👍
>
>> + if len > self.buffer.len() - 1 {
>> + return Err(fmt::Error);
>> + }
>> +
>> + let buffer = core::mem::take(&mut self.buffer);
>> + // We break the null termination invariant for a short while.
>> + buffer[..len].copy_from_slice(bytes);
>> + self.buffer = &mut buffer[len..];
>
> As I said in my first comment, if you want this to be the only null, I
> don’t think the copy above enforces it?
It does not need to be the only one, as long as there is a null at the
end of the final string, we are good.
Best regards,
Andreas Hindborg
On Fri, Jul 11, 2025 at 01:43:06PM +0200, Andreas Hindborg wrote:
> Add `NullTerminatedFormatter`, a formatter that writes a null terminated
> string to an array or slice buffer. Because this type needs to manage the
> trailing null marker, the existing formatters cannot be used to implement
> this type.
>
> Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
> ---
> rust/kernel/str.rs | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 50 insertions(+)
>
> diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs
> index b1bc584803b0..c58925438c6e 100644
> --- a/rust/kernel/str.rs
> +++ b/rust/kernel/str.rs
> @@ -838,6 +838,56 @@ fn write_str(&mut self, s: &str) -> fmt::Result {
> }
> }
>
> +/// A mutable reference to a byte buffer where a string can be written into.
> +///
> +/// The buffer will be automatically null terminated after the last written character.
> +///
> +/// # Invariants
> +///
> +/// `buffer` is always null terminated.
Since you modify the buffer range, the actual invariant is that the
first byte of `buffer` is zero.
> +pub(crate) struct NullTerminatedFormatter<'a> {
Isn't it called "nul" rather than "null"? My understanding is that
"null" is for the pointer case, and "nul" is the name of the ascii
character at codepoint zero.
> + buffer: &'a mut [u8],
> +}
> +
> +impl<'a> NullTerminatedFormatter<'a> {
> + /// Create a new [`Self`] instance.
> + pub(crate) fn new(buffer: &'a mut [u8]) -> Option<NullTerminatedFormatter<'a>> {
> + *(buffer.first_mut()?) = 0;
> +
> + // INVARIANT: We null terminated the buffer above.
> + Some(Self { buffer })
> + }
> +
> + #[expect(dead_code)]
> + pub(crate) fn from_array<const N: usize>(
> + buffer: &'a mut [crate::ffi::c_char; N],
> + ) -> Option<NullTerminatedFormatter<'a>> {
Can't you just call `::new` where you use this method?
> + Self::new(buffer)
> + }
> +}
> +
> +impl Write for NullTerminatedFormatter<'_> {
> + fn write_str(&mut self, s: &str) -> fmt::Result {
> + let bytes = s.as_bytes();
> + let len = bytes.len();
> +
> + // We want space for a null terminator. Buffer length is always at least 1, so no overflow.
overflow -> underflow
> + if len > self.buffer.len() - 1 {
this is just `len >= self.buffer.len()`.
> + return Err(fmt::Error);
> + }
> +
> + let buffer = core::mem::take(&mut self.buffer);
> + // We break the null termination invariant for a short while.
> + buffer[..len].copy_from_slice(bytes);
> + self.buffer = &mut buffer[len..];
> +
> + // INVARIANT: We null terminate the buffer.
> + self.buffer[0] = 0;
> +
> + Ok(())
> + }
> +}
> +
> /// An owned string that is guaranteed to have exactly one `NUL` byte, which is at the end.
> ///
> /// Used for interoperability with kernel APIs that take C strings.
>
> --
> 2.47.2
>
>
"Alice Ryhl" <aliceryhl@google.com> writes:
> On Fri, Jul 11, 2025 at 01:43:06PM +0200, Andreas Hindborg wrote:
>> Add `NullTerminatedFormatter`, a formatter that writes a null terminated
>> string to an array or slice buffer. Because this type needs to manage the
>> trailing null marker, the existing formatters cannot be used to implement
>> this type.
>>
>> Signed-off-by: Andreas Hindborg <a.hindborg@kernel.org>
>> ---
>> rust/kernel/str.rs | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 50 insertions(+)
>>
>> diff --git a/rust/kernel/str.rs b/rust/kernel/str.rs
>> index b1bc584803b0..c58925438c6e 100644
>> --- a/rust/kernel/str.rs
>> +++ b/rust/kernel/str.rs
>> @@ -838,6 +838,56 @@ fn write_str(&mut self, s: &str) -> fmt::Result {
>> }
>> }
>>
>> +/// A mutable reference to a byte buffer where a string can be written into.
>> +///
>> +/// The buffer will be automatically null terminated after the last written character.
>> +///
>> +/// # Invariants
>> +///
>> +/// `buffer` is always null terminated.
>
> Since you modify the buffer range, the actual invariant is that the
> first byte of `buffer` is zero.
It is still null terminated, although your suggestion is more precise.
>
>> +pub(crate) struct NullTerminatedFormatter<'a> {
>
> Isn't it called "nul" rather than "null"? My understanding is that
> "null" is for the pointer case, and "nul" is the name of the ascii
> character at codepoint zero.
I don't know. I did a quick internet search but got no definitive
answer. Wikipedia says "Null character" [1].
[1] https://en.wikipedia.org/wiki/Null_character
>
>> + buffer: &'a mut [u8],
>> +}
>> +
>> +impl<'a> NullTerminatedFormatter<'a> {
>> + /// Create a new [`Self`] instance.
>> + pub(crate) fn new(buffer: &'a mut [u8]) -> Option<NullTerminatedFormatter<'a>> {
>> + *(buffer.first_mut()?) = 0;
>> +
>> + // INVARIANT: We null terminated the buffer above.
>> + Some(Self { buffer })
>> + }
>> +
>> + #[expect(dead_code)]
>> + pub(crate) fn from_array<const N: usize>(
>> + buffer: &'a mut [crate::ffi::c_char; N],
>> + ) -> Option<NullTerminatedFormatter<'a>> {
>
> Can't you just call `::new` where you use this method?
Yes, this can be elided, thanks.
>
>> + Self::new(buffer)
>> + }
>> +}
>> +
>> +impl Write for NullTerminatedFormatter<'_> {
>> + fn write_str(&mut self, s: &str) -> fmt::Result {
>> + let bytes = s.as_bytes();
>> + let len = bytes.len();
>> +
>> + // We want space for a null terminator. Buffer length is always at least 1, so no overflow.
>
> overflow -> underflow
Coming from a computer architecture background, these are the same to
me. Also, core has `u16::overflowing_sub` [2].
[2] https://doc.rust-lang.org/stable/core/primitive.u16.html#method.overflowing_sub
>
>> + if len > self.buffer.len() - 1 {
>
> this is just `len >= self.buffer.len()`.
It is, but is it better?
Best regards,
Andreas Hindborg
© 2016 - 2025 Red Hat, Inc.