From 22bef1fd0a4e8a7c67dc0a89cc238b4acb0ec094 Mon Sep 17 00:00:00 2001
From: enricobuehler
Date: Fri, 26 Jun 2026 06:02:06 +0000
Subject: [PATCH] docs(windows-host): record the Goal-3 unsafe reductions (OwnedHandle rollout + pod_init!)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Scorecard Goal 3 + §4 P2: the OwnedHandle RAII rollout (idd_push 011607e — also a view-leak fix; service child/job 4c95ba7) and the driver pod_init! macro (bf57704, 27→1) landed. Recorded the remaining items (service SCM-handler event smuggling, driver IOCTL-dispatch / KeyedMutexGuard levers, the deferred D1-host lint sweep) and that ThreadBound was skipped as not-a-clean-win.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 docs/windows-host-rewrite.md | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/docs/windows-host-rewrite.md b/docs/windows-host-rewrite.md
index 3876bf1..6de783f 100644
--- a/docs/windows-host-rewrite.md
+++ b/docs/windows-host-rewrite.md
@@ -34,7 +34,7 @@ which kept the live-validated host working at every step. The driver, by contras |---|---|---| | **Goal 1** — clean, layered host architecture | ✅ **DONE** | `config.rs` (`HostConfig`), `session_plan.rs` (`SessionPlan`), `SessionContext`, `windows/`+`linux/` confinement (`38c68c3`), `VirtualDisplayManager` (§2.5), `EncoderCaps` (`0ccd0fe`) | | **Goal 2** — drop every trace of SudoVDA | ✅ **DONE** | reach-in decoupled (F1: `d638a93`/`e60cda3` → `win_adapter`/`win_display`), then the `sudovda.rs` backend + the dual-backend select **deleted** (this branch) — pf-vdisplay is the sole Windows virtual-display backend | -| **Goal 3** — minimize `unsafe` + P0 lints | 🟡 **PARTIAL** | driver `deny(unsafe_op_in_unsafe_fn)` (`a755d6e`); host crate has **no** P0 lints yet; `OwnedHandle` adopted in `manager.rs`/`pf_vdisplay.rs`/`sudovda.rs`, **not** `idd_push.rs` | +| **Goal 3** — minimize `unsafe` + P0 lints | 🟡 **PARTIAL** | driver `deny(unsafe_op_in_unsafe_fn)` (`a755d6e`); **`OwnedHandle` RAII rollout** — `idd_push.rs` (`011607e`, also fixes a view leak) + `service.rs` child/job (`4c95ba7`), on top of `manager.rs`/`pf_vdisplay.rs`; **driver `pod_init!`** (`bf57704`, 27→1). Remaining: host-crate P0 lints (deferred — high churn, low value), the `service.rs` SCM-handler event smuggling, the driver IOCTL-dispatch / `KeyedMutexGuard` levers | | **M0** — proto ABI + driver toolchain + `/INTEGRITYCHECK` + `iddcx` | ✅ **DONE** | `pf-driver-proto`; vendored `windows-drivers-rs` 0.5.1; `clear-force-integrity.ps1`; CI-green | | **M1** — new IddCx driver, first light + HDR | ✅ **DONE (on-glass)** | STEP 0–8 (`d7a9fbf`…`cd59151`); HDR live ("Mac connects WITH HDR", `6399d28`) | | **M2** — IDD-push capture + NVENC, glass-to-glass | ✅ **DONE (on-glass)** | 5120×1440@240 HDR zero-copy; integrated into the host path | 
@@ -226,17 +226,23 @@ These are expensive empirical wins; keep them intact when touching the code: `unsafe fn`s need an inner `unsafe {}`). Stage it **per-module, Linux-first** (item-level `#[deny]` on `linux/zerocopy/cuda.rs`/`egl.rs`, `encode/linux/vaapi.rs` — locally verifiable), then the Windows modules (CI-gated), then promote to crate-level. The driver already has the deny. -5. **D2 — `OwnedHandle` rollout.** Highest-impact first: `windows/service.rs` (the `AtomicIsize` - STOP/SESSION event smuggling + the Job + the `PROCESS_INFORMATION` handles across 5 cleanup arms — deletes - ~15 manual `CloseHandle`), then `capture/windows/idd_push.rs` (`map`/`event`/`dbg_map`), then the gamepad - shm handles. `manager.rs`/`pf_vdisplay.rs` already use `OwnedHandle` (the pattern). RAII close + fixes - leak-on-error. +5. **D2 — `OwnedHandle` rollout.** ✅ **mostly done** — `capture/windows/idd_push.rs` (`011607e`: a + `MappedSection` RAII for the mapping handle **+** the leaked `MapViewOfFile` view, + `OwnedHandle` for the + event / ring-slot shared handles) and `windows/service.rs` (`4c95ba7`: the child process/thread + Job + handles, ~9 `CloseHandle` deleted). **Remaining:** the `service.rs` `AtomicIsize` STOP/SESSION events + (deliberately left — smuggled into the C SCM handler, a separate riskier redesign) and the gamepad shm + handles. `manager.rs`/`pf_vdisplay.rs` already used the pattern. 6. **Driver unsafe levers** (the driver is already `deny`-clean with per-site SAFETY; these *reduce count*): - a `pod_init!` macro for the ~11 `mem::zeroed()` POD inits (Linux-verifiable as a macro), one audited - `ThreadBound`/`SendPtr` replacing the 8 scattered `unsafe impl Send`, a generic IOCTL dispatch - helper in `control.rs`, and a `KeyedMutexGuard`/`AcquiredSurface` RAII for the frame-transport hot loop - (needs an on-glass latency check). ~157 → ~105. -7. 
**M6 scaffolding cleanup** — delete the bring-up diagnostics (`spawn_observer`/`DebugBlock` in + ✅ **`pod_init!` macro done** (`bf57704`, 27 `mem::zeroed` → 1). **Skipped `ThreadBound`** — not a + clean win (each `unsafe impl Send` wraps a distinct type; consolidating churns every access for no real + safety gain over the per-struct `// SAFETY:`). **Remaining:** a generic IOCTL dispatch helper in + `control.rs`, and a `KeyedMutexGuard`/`AcquiredSurface` RAII for the frame-transport hot loop (needs an + on-glass latency check). +7. **D1-host P0 lints — deferred (low value / high churn).** A crate-wide `#![deny(unsafe_op_in_unsafe_fn)]` + produced 100+ FFI-wrap sites across the Linux modules; it *wraps* unsafe (discipline) rather than + reducing it and doesn't improve stability, so it was deprioritized vs the `OwnedHandle`/RAII reductions + above. Revisit as a final discipline pass (staged per-module) if desired. +8. **M6 scaffolding cleanup** — delete the bring-up diagnostics (`spawn_observer`/`DebugBlock` in `idd_push.rs`) and, once full parity is proven on glass, the host monoliths. **Explicitly NOT doing (stability decision): E1 — driver `DeviceContext` ownership + per-`IDDCX_MONITOR`
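Review bot: the Goal 3 row (first hunk) and item 5 (second hunk) disagree on what is still open: the row's **Remaining** list names only the host-crate P0 lints, the `service.rs` SCM-handler event smuggling and the driver IOCTL-dispatch / `KeyedMutexGuard` levers, while item 5 also keeps "the gamepad shm handles" as remaining. Either add the gamepad shm handles to the row's Remaining list or drop them from item 5 so the scorecard summary and the §4 detail say the same thing.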
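Review bot: the second hunk removes the only crate-level unsafe-count target for the driver (`- (needs an on-glass latency check). ~157 → ~105.`) and replaces it with per-lever tallies (`27 mem::zeroed → 1`, `~9 CloseHandle deleted`); for a "minimize `unsafe`" goal the scorecard should still carry a single number, so record the post-`bf57704` driver count next to the remaining IOCTL / `KeyedMutexGuard` levers. New item 7 also marks D1-host as deferred while the unchanged item 4 context just above it ("Stage it **per-module, Linux-first** ...") still reads as the live plan; add a deferred marker to item 4 or point it at item 7 so the two items do not contradict. Finally, renumbering M6 from 7 to 8 should be checked against any cross-references to "item 7" elsewhere in the document.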