Skip to content

AK+Kernel+Userland: Don't allow AK::{Byte,}String and Vector::append() in the kernel #26406

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Nov 17, 2025
Merged

AK+Kernel+Userland: Don't allow AK::{Byte,}String and Vector::append() in the kernel #26406

merged 5 commits into from
Nov 17, 2025
+151 −119

Conversation

@spholz
Copy link
Member

@spholz spholz commented Nov 16, 2025

Kernel code should use KString instead of AK::{Byte,}String. Enforce this by making it a compile-time error to include <AK/String.h> or <AK/ByteString.h>.

Additional, make it not as easy to forget to handle OOMs by only allowing Vector::try_append() in the kernel.
(Not all Vector::append() overloads were guarded behind a #ifndef KERNEL before)

@spholz
AK+Kernel: Don't allow AK::String in the kernel
1c7c4d7 
Kernel code should use KString instead. Compared to AK::String, KString
is a very simple string class that just wraps a char array and doesn't
have any fancy features such as reference counting.
@github-actions github-actions bot added the 👀 pr-needs-review PR needs review from a maintainer or community member label Nov 16, 2025
spholz
spholz commented Nov 16, 2025
View reviewed changes
AK/StringView.cpp
Vector<StringView> parts;
for_each_split_view(separator, split_behavior, [&](StringView view) {
parts.append(view);
parts.try_append(view).release_value_but_fixme_should_propagate_errors();
Copy link
Member Author

@spholz spholz Nov 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not really sure if this is the right solution. Maybe we should instead not allow split_view() in the kernel at all. Directly using for_each_split_view() should be enough for most use cases in the kernel, otherwise we could maybe add try_split_view().

Copy link
Contributor

@nico nico Nov 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can always think about that in a follow-up 🙂

@nico
Copy link
Contributor

nico commented Nov 16, 2025

(a bit surprising match() isn't allowed; I'm guessing it internally allocates)

Hendiadyoin1
Hendiadyoin1 reviewed Nov 16, 2025
View reviewed changes
@Hendiadyoin1
Copy link
Contributor

Hendiadyoin1 commented Nov 16, 2025
edited
Loading

Would be nice if we could make this a decorator or the like,
which seems to be feasible with an

#ifdef KERNEL
#define NOKERNEL [[error("Implicit allocation is disallowed in the Kernel")]]
#else
#define NOKERNEL
#endif

decorator

diagnose_if may also work, less if-def

@spholz
Copy link
Member Author

spholz commented Nov 16, 2025

Would be nice if we could make this a decorator or the like

Yeah the current #ifdef zoo isn't nice and I thought of maybe reorganizing some of these functions to only have one big #ifndef KERNEL block of functions that aren't allowed in the kernel.

which seems to be feasible with an

#ifdef KERNEL
#define NOKERNEL [[error("Implicit allocation is disallowed in the Kernel")]]
#else
#define NOKERNEL
#endif

decorator

diagnose_if may also work, less if-def

For some things I may want to include an additional message with what to use instead like:

#ifndef KERNEL
Vector(const&) = delete("use .clone() instead");
#endif

With that NOKERNEL approach we would need an overload with a message, but macros don't support overloading, so we would need a second version of that macro.

@spholz spholz force-pushed the kernel-dont-allow-some-ak-stuff branch from ea70035 to 31269f4 Compare November 16, 2025 18:51
@spholz
Copy link
Member Author

spholz commented Nov 16, 2025

I think I'm going to keep using #ifndef KERNEL for now, as that is what we currently use in other places as well. If you want to change that, feel free to do so in another PR!

@spholz
AK: Don't allow AK::ByteString in the kernel
7775ba8 
Kernel code should use KString instead. Compared to AK::ByteString,
KString is a very simple string class that just wraps a char array and
doesn't have any fancy features such as reference counting.

Additionally, AK::ByteString isn't OOM-safe at all currently.
@spholz spholz force-pushed the kernel-dont-allow-some-ak-stuff branch from 31269f4 to 14f5b8e Compare November 16, 2025 18:59
@spholz
Kernel: Propagate errors in USBManagement::register_driver()
160800c 
We currently don't support loadable modules, so all callers of this
function use `MUST()` on the result for now.
@spholz
AK: Guard some APIs that use Vector::append() behind #ifndef KERNEL
3bb80b0 
Vector::append() will be disallowed in the kernel by the next commit.
@spholz
AK+Kernel+Userland: Don't allow Vector::append() in the kernel
5bd4d9b 
This makes it not as easy to forgot to handle OOMs in the kernel.

This commit replaces most usages of this function with
`try_append(...).release_value_but_fixme_should_propagate_errors()`.
But in some cases, using the `TRY` macro or `unchecked_append()` is
already possible.

In places where allocations should not fail or an OOM would be fatal
anyways, `MUST(try_append(...))` should be used explicitly.
@spholz spholz force-pushed the kernel-dont-allow-some-ak-stuff branch from 14f5b8e to 5bd4d9b Compare November 16, 2025 19:00
@spholz spholz merged commit e8d9734 into SerenityOS:master Nov 17, 2025
12 checks passed
@spholz spholz deleted the kernel-dont-allow-some-ak-stuff branch November 17, 2025 10:08
@github-actions github-actions bot removed the 👀 pr-needs-review PR needs review from a maintainer or community member label Nov 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nico nico nico approved these changes

+1 more reviewer

@Hendiadyoin1 Hendiadyoin1 Hendiadyoin1 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@spholz @nico @Hendiadyoin1