Controller Area Network (CAN) Take 4

[timokroeger]

Updated to the latest HAL changes:

• Removed try_ prefix
• Moved non-blocking implementation to nb module
• Removed default blocking implementaions

Usage Example

stm32-fwupdate

Implementations

Updated for this PR:

• pcan-basic on top of an existing software API
• bxcan

Based on the very similar predecessor traits embedded-can v0.3 (diff v0.3 -> this PR)

• candev implementing the traits for linux SocketCAN
• socketcan-isotc

Previous Discussion

• Controller Area Network (CAN) Take 3 #212
• [WIP] CAN Interface take 2 #77
• CAN/CAN-FD API? #21
• added a HAL for CAN interfaces #53

[rust-highfive]

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @therealprof (or someone else) soon.

Please see the contribution instructions for more information.

[adamgreig]

This looks good to me! I have a couple of thoughts but apologies if they've already been discussed in the previous threads...

• Does new_unchecked actually need to be unsafe, i.e. might any memory safety rely on it later?
• For CAN, might it make more sense to call it transmit and receive in both the blocking and nb traits, rather than read and write in blocking?
• I saw you mentioned this on the old PR thread but it does seem like it would be nice to add some error types to Add error traits for communication interfaces #296 for things like invalid ID or data-too-long.
• Could you add a CHANGELOG entry?

[therealprof]

@timokroeger If you could resolve the merge conflict, this seems to be ready to merge to us.

[eldruin]

We agreed this is ready for merge. Could you rebase/resolve the conflict @timokroeger ?

[timokroeger]

Rebased to resolve the changelog conflict. The PR is ready to be merged.

[eldruin]

The MSRV would need to be raised to Rust 1.46.0 in order to keep the StandardId::new as a const function.
Raising the MSRV would be fine with me.

[andresv]

Just in right time. I would like to use it in https://github.com/esp-rs/esp-idf-hal.

[andresv]

Is anybody opposing increasing MSRV to 1.46 to get this over finish line?

[eldruin]

Opinions @therealprof, @ryankurte ?

[Rahix]

Does new_unchecked() actually need to be unsafe, i.e. might any memory safety rely on it later?

I'd actually argue that yes, it must be an unsafe function. Implementations and users of the traits should be able to rely on StandardId/ExtendedId always containing a valid ID. In my opinion, that's the entire point of using such wrapper types in the first place (ref "Parse, don't validate"). "Relying on" should then mean that even writing unsafe code based on this assumption should be possible - without the need for additional validation of the passed IDs.

[andresv]

Hmm, for StandardId it is not marked as unsafe but for ExtendedId it is:

embedded-hal/src/can/id.rs

Lines 62 to 66 in 6b3820e

	/// Creates a new `ExtendedId` without checking if it is inside the valid range.
	#[inline]
	pub const unsafe fn new_unchecked(raw: u32) -> Self {
	Self(raw)
	}

[timokroeger]

The unsafe on ExtendedId was an oversight, pushed a fix.

[timokroeger]

IMO both perspectives on the unsafe are appropriate here. Are there any "unsafe API guidelines" which could help us find a decision?

[Rahix]

My reasoning for functions needing to be unsafe is as follows: As soon as there exists a way to create an instance of StandardId containing an invalid ID from safe Rust, any possible downstream code which wants to rely on it containing a valid ID must add its own validation checks to ensure that it does. The is necessary for logic purposes and UB-purposes alike.

If, however, the API "contract" of the StandardId type is to only ever contain a valid ID and from safe Rust only abiding instances can be created, then downstream code can rely on this guarantee. Again, this is useful for logic reasons and UB avoidance alike.

As an example from the Rust stdlib, from_utf8_unchecked() is also unsafe. The reason is that some code handling strs downstream might want to optimize on the guarantee that str always contains valid UTF-8 data. Analogous, a CAN peripheral driver might want to optimize on the assumption that the u16 representing an ID will only ever have some of its lower 13 bits set. By keeping these functions safe, we're disallowing any such downstream code to be sound without additional code for validation.

---

Asking the other way around: What is gained from making these functions safe in the first place? For statically initializing a variable of type StandardId, it is irrelevant: The check in ::new() will be constant-folded away in probably all conceivable cases. The only place where ::new_unchecked() is really needed is when an ID is dynamically retrieved from elsewhere and you can guarantee that it has already been validated before. And even then, it is only relevant for edge-cases where the last bytes of memory and cycles of CPU time need to be optimized.

[andresv]

I agree with @Rahix. It seems *_unchecked() APIs are typically marked as unsafe in rust std lib and also for example in heapless.

Are those CAN traits going to be in v1.0?

[adamgreig]

I am generally against marking functions as unsafe unless they actually lead to UB, and especially against doing it just because they seem like "scary" functions or some extra care (unrelated to UB) is required. In this case though I think @Rahix is right: the list of Rust UB explicitly includes "Producing an invalid value... The following values are invalid: Invalid values for a type with a custom definition of invalid values".

So, if we do reasonably define this type as only containing valid IDs, then it's right to say producing an invalid valid could cause UB, if some other code later depended on this property in order to be sound. I can't think of any such situations but I guess they could exist.

[andresv]

What if we just remove new_unchecked() for now?

One downside is that using unwrap and expect introduces format bloat and makes binaries bigger and in this case there is also a little performance hit by always checking those values.

let canid = read_can();
let id = ExtendedId::new(canid).expect("always valid");
vs
let id = unsafe { ExtendedId::new_unchecked(canid) };

[ryankurte]

lgtm, MSRV bump seems fine to me, and real excited to try this...

thanks everyone for the huuge effort in prior PRs and to get this over the line!

[eldruin]

@timokroeger Could you also do the following?

• Add a couple of unit tests for the functions that have an implementation.
• Raise the MSRV to 1.46.0

[therealprof]

Looks good to me as well. 👍🏻

[chemicstry]

A bit late, but what about the timestamp API, which was proposed in earlier PR? I would like to use this for UAVCAN, which needs timestamp support.

I guess it can also be added later as a non breaking change to not block this merge with discussions on wether to use embedded-time.

[andresv]

rtic folks found that embedded-time moves too slowly is too complicated and tries to do too much, therefore korken89 created https://github.com/korken89/const-embedded-time which is not yet released.

It would be better if timestamp API is added later. It might take a lot of time to figure out what is the best way for that.

[ryankurte]

I guess it can also be added later as a non breaking change to not block this merge with discussions on wether to use embedded-time.

It would be better if timestamp API is added later. It might take a lot of time to figure out what is the best way for that.

yep, definitely a few other dependencies so we won't include this here. feel free to open a new issue / PR to discuss this ^_^

[eldruin]

Alright, let's get this merged. I will add the couple of unit tests in a separate PR.
Thank you @timokroeger for your work!
Thank you as well to everybody else involved in all the previous PRs and discussions!

bors merge

[bors]

Build succeeded:

• ci-linux (1.46.0, x86_64-unknown-linux-gnu)
• ci-linux (stable, thumbv6m-none-eabi)
• ci-linux (stable, thumbv7m-none-eabi)
• ci-linux (stable, x86_64-unknown-linux-gnu)
• ci-linux-test (1.46.0, x86_64-unknown-linux-gnu)
• ci-linux-test (stable)
• fmt

[burrbull]

Should we backport this to 0.2?

[eldruin]

This could be backported if there is interest. We would need to remove the const in the const fns and see if there are other things that do not build with Rust 1.31.0.

[andresv]

I guess it also depends on when 1.0 is going to be released. If this happens rather quickly then I think it is not needed to backport it. We actually want that 1.0 is adopted and all the stuff is updated from 0.2 to 1.0.
Otherwise we have python 2 vs 3 situation.

[burrbull]

I guess it also depends on when 1.0 is going to be released. If this happens rather quickly then I think it is not needed to backport it. We actually want that 1.0 is adopted and all the stuff is updated from 0.2 to 1.0. Otherwise we have python 2 vs 3 situation.

Sure. But we need several implementations to be sure all work as expected before stabilize in 1.0. I see 0.2 as test playground, not alternative implementaion. Nothing similar to python2/3.