From 195ff99138621b55c0645930eca28790b4cb738e Mon Sep 17 00:00:00 2001
From: Ruihan Li
Date: Tue, 10 Feb 2026 23:45:43 +0800
Subject: [PATCH] Mark `call_ostd_main` as unsafe
---
 ostd/src/arch/loongarch/boot/mod.rs | 4 +++-
 ostd/src/arch/riscv/boot/mod.rs | 4 +++-
 ostd/src/arch/x86/boot/linux_boot/mod.rs | 5 ++++-
 ostd/src/arch/x86/boot/multiboot/mod.rs | 5 ++++-
 ostd/src/arch/x86/boot/multiboot2/mod.rs | 5 ++++-
 ostd/src/boot/mod.rs | 17 ++++++++++-------
 6 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/ostd/src/arch/loongarch/boot/mod.rs b/ostd/src/arch/loongarch/boot/mod.rs
index 86e06aece..7620b268c 100644
--- a/ostd/src/arch/loongarch/boot/mod.rs
+++ b/ostd/src/arch/loongarch/boot/mod.rs
@@ -136,5 +136,7 @@ unsafe extern "C" fn loongarch_boot(
 memory_regions: parse_memory_regions(),
 });
 
- call_ostd_main();
+ // SAFETY: The safety is guaranteed by the safety preconditions and the fact that we call it
+ // once after setting up necessary resources.
+ unsafe { call_ostd_main() };
 }
diff --git a/ostd/src/arch/riscv/boot/mod.rs b/ostd/src/arch/riscv/boot/mod.rs
index 7a4e8b0f5..7fe2d339c 100644
--- a/ostd/src/arch/riscv/boot/mod.rs
+++ b/ostd/src/arch/riscv/boot/mod.rs
@@ -139,5 +139,7 @@ unsafe extern "C" fn riscv_boot(hart_id: usize, device_tree_paddr: usize) -> ! {
 memory_regions: parse_memory_regions(),
 });
 
- call_ostd_main();
+ // SAFETY: The safety is guaranteed by the safety preconditions and the fact that we call it
+ // once after setting up necessary resources.
+ unsafe { call_ostd_main() };
 }
diff --git a/ostd/src/arch/x86/boot/linux_boot/mod.rs b/ostd/src/arch/x86/boot/linux_boot/mod.rs
index fc7d576d8..9046fa3df 100644
--- a/ostd/src/arch/x86/boot/linux_boot/mod.rs
+++ b/ostd/src/arch/x86/boot/linux_boot/mod.rs
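Review bot: The new `// SAFETY:` comment above `unsafe { call_ostd_main() }` in `loongarch_boot` names neither which "safety preconditions" it relies on nor what the "necessary resources" are, so a reader cannot check it against the `# Safety` section this commit gives `call_ostd_main` (called only once, on the BSP, at the proper time); the identical wording is repeated in `riscv_boot`, `__linux_boot`, `__multiboot_entry` and `__multiboot2_entry`. Tie the justification to the entry point's own safety contract and to the state visible just above the call, e.g. `// SAFETY: This entry point runs exactly once on the BSP (see its own safety contract), and the boot information filled in above has been initialized, so the preconditions of call_ostd_main hold.` The body of `loongarch_boot` begins outside the hunk.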
@@ -198,6 +198,7 @@ fn parse_memory_regions(boot_params: &BootParams) -> MemoryRegionArray {
 ///
 /// - This function must be called only once at a proper timing in the BSP's boot assembly code.
 /// - The caller must follow C calling conventions and put the right arguments in registers.
+/// - If this function is called, entry points of other boot protocols must never be called.
 // SAFETY: The name does not collide with other symbols.
 #[unsafe(no_mangle)]
 unsafe extern "sysv64" fn __linux_boot(params_ptr: *const BootParams) -> ! {
@@ -218,5 +219,7 @@ unsafe extern "sysv64" fn __linux_boot(params_ptr: *const BootParams) -> ! {
 memory_regions: parse_memory_regions(params),
 });
 
- call_ostd_main();
+ // SAFETY: The safety is guaranteed by the safety preconditions and the fact that we call it
+ // once after setting up necessary resources.
+ unsafe { call_ostd_main() };
 }
diff --git a/ostd/src/arch/x86/boot/multiboot/mod.rs b/ostd/src/arch/x86/boot/multiboot/mod.rs
index 83c335a6e..bf650b64e 100644
--- a/ostd/src/arch/x86/boot/multiboot/mod.rs
+++ b/ostd/src/arch/x86/boot/multiboot/mod.rs
@@ -368,6 +368,7 @@ impl Iterator for MemoryEntryIter {
 ///
 /// - This function must be called only once at a proper timing in the BSP's boot assembly code.
 /// - The caller must follow C calling conventions and put the right arguments in registers.
+/// - If this function is called, entry points of other boot protocols must never be called.
 // SAFETY: The name does not collide with other symbols.
 #[unsafe(no_mangle)]
 unsafe extern "sysv64" fn __multiboot_entry(boot_magic: u32, boot_params: u64) -> ! {
@@ -386,5 +387,7 @@ unsafe extern "sysv64" fn __multiboot_entry(boot_magic: u32, boot_params: u64) -
 memory_regions: parse_memory_regions(mb1_info),
 });
 
- call_ostd_main();
+ // SAFETY: The safety is guaranteed by the safety preconditions and the fact that we call it
+ // once after setting up necessary resources.
+ unsafe { call_ostd_main() };
 }
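Review bot: The bullet added to `__linux_boot`'s safety list states the rule but not its reason, so a later reader cannot tell whether it is a hard precondition or merely advice. Since each of the three x86 entry points ends by calling `call_ostd_main`, which this commit documents as a function that must run only once, the bullet would carry its own justification as `/// - If this function is called, entry points of other boot protocols must never be called, because each of them performs the one-shot OSTD initialization via call_ostd_main.` The same applies to the identical bullets added to `__multiboot_entry` and `__multiboot2_entry`. The doc comment of `__linux_boot` begins outside the hunk.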
diff --git a/ostd/src/arch/x86/boot/multiboot2/mod.rs b/ostd/src/arch/x86/boot/multiboot2/mod.rs
index 2be4638a6..6d8f37a6e 100644
--- a/ostd/src/arch/x86/boot/multiboot2/mod.rs
+++ b/ostd/src/arch/x86/boot/multiboot2/mod.rs
@@ -143,6 +143,7 @@ fn parse_memory_regions(mb2_info: &BootInformation) -> MemoryRegionArray {
 ///
 /// - This function must be called only once at a proper timing in the BSP's boot assembly code.
 /// - The caller must follow C calling conventions and put the right arguments in registers.
+/// - If this function is called, entry points of other boot protocols must never be called.
 // SAFETY: The name does not collide with other symbols.
 #[unsafe(no_mangle)]
 unsafe extern "sysv64" fn __multiboot2_entry(boot_magic: u32, boot_params: u64) -> ! {
@@ -161,5 +162,7 @@ unsafe extern "sysv64" fn __multiboot2_entry(boot_magic: u32, boot_params: u64)
 memory_regions: parse_memory_regions(&mb2_info),
 });
 
- call_ostd_main();
+ // SAFETY: The safety is guaranteed by the safety preconditions and the fact that we call it
+ // once after setting up necessary resources.
+ unsafe { call_ostd_main() };
 }
diff --git a/ostd/src/boot/mod.rs b/ostd/src/boot/mod.rs
index 91dd9b81d..0c0b8367c 100644
--- a/ostd/src/boot/mod.rs
+++ b/ostd/src/boot/mod.rs
@@ -113,13 +113,18 @@ pub(crate) fn init_after_heap() {
 });
 }
 
-/// Calls the OSTD-user defined entrypoint of the actual kernel.
+/// Initializes OSTD and then jumps to the `#[ostd::main]` entry point.
 ///
 /// Any kernel that uses the `ostd` crate should define a function marked with
-/// `ostd::main` as the entrypoint.
+/// `#[ostd::main]` as the kernel's entry function.
 ///
-/// This function should be only called from the bootloader-specific module.
-pub(crate) fn call_ostd_main() -> ! {
+/// # Safety
+///
+/// This function must be called only once at a proper timing on the BSP by the
+/// [`arch::boot`] module.
+///
+/// [`arch::boot`]: crate::arch::boot
+pub(crate) unsafe fn call_ostd_main() -> ! {
 // The entry point of kernel code, which should be defined by the package that
 // uses OSTD.
 unsafe extern "Rust" {
@@ -131,7 +136,5 @@ pub(crate) fn call_ostd_main() -> ! {
 
 // SAFETY: This external function is defined by the package that uses OSTD,
 // which should be generated by the `ostd::main` macro. So it is safe.
- unsafe {
- __ostd_main();
- }
+ unsafe { __ostd_main() };
 }
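Review bot: The new `# Safety` section of `call_ostd_main` leaves its central precondition vague: "at a proper timing" does not say what must already be set up before the call, so the call sites in `arch::boot` can only echo that vagueness back in their own `SAFETY` comments. State the requirements a caller can actually verify, e.g. `/// This function must be called exactly once, on the BSP, from the [`arch::boot`]` / `/// module, and only after the early boot information has been initialized; calling it` / `/// a second time, or before that point, is undefined behavior.` In the second hunk, the inner `// SAFETY:` on `__ostd_main()` could likewise note that the user entry point runs only once because this function's own contract now guarantees it. The body of `call_ostd_main` continues between the two hunks.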