Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp442580pxb; Fri, 16 Apr 2021 09:15:37 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxvhfp/mSj6II1EySlFR0ubo7sn63tS596EatDetDNmjIUtemQfyT07htnUIfIcDv20IJrW X-Received: by 2002:a17:906:7257:: with SMTP id n23mr9237313ejk.412.1618589737095; Fri, 16 Apr 2021 09:15:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618589737; cv=none; d=google.com; s=arc-20160816; b=UYooi7rCPbZVpueNzyuGqKNxuapQHzA/lney0GZQONJCYmZl3j2NwJGrgP5ywRzPED teYj8BAHG7KJKyWalIvZQ0JLISgiBg/rEYX+uh6UKHhU8utrU03PmaBzEhpZ53CkBFGa jC4j9xTwqjpYid9BsEc6NQJoOxhlbNQzo86tkpLA5V4mZgq5CZ3Slbnar62Lwg5yiSTV LeGyFValSAEPcfBx8pCaJ3m9XveIPwok0WT68Gk6Hu6AestuYpI1gQcNoGqknkOvG4o5 Y1x5ZsXgmvii0tNDR9cZqMKkiYxz+3W9RST9KX9T5wq80Mh9lCK1B545wLDW/7mLcOFY 6U3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=ytm6x2vLN84smHgW7vb9p/KsJj33G3R6bvIaflLv16E=; b=ZUSqSKaUbMrcAUfmczFnLQgoGTtc7K3PxMIa+aiOkp0scFhF9mf9Zi+oLnohGOnVV5 czcMFEKn1VP/+2aYKDRE7YsEmIfxIK510IPt65TIkPf39bg3XCvKbGxRIPE3jHiPsPtP fb8OtmUe0ZC5ci1wZMOXbfy8nZ+QXJcIBuI/LqUcQgBJT7W/DtCYSWVqVTYlRA5JMh0Z /75oDS8cUS0rH72bdmS4n6tCDPtQHFBONc3A04+LTva9tRHW0MsPO29oCOxKGLUCvYGa duVtR3fArrdvKd5DOvBGjQrimEAGruPuhowf2NKac/SDRJbHIR23Is3FdHAZ5VK8u7/q 5kWg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=hJXWLfp4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id nd11si4963218ejc.470.2021.04.16.09.15.14; Fri, 16 Apr 2021 09:15:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=hJXWLfp4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243326AbhDPPeX (ORCPT + 99 others); Fri, 16 Apr 2021 11:34:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58318 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234887AbhDPPeW (ORCPT ); Fri, 16 Apr 2021 11:34:22 -0400 Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C053FC061756 for ; Fri, 16 Apr 2021 08:33:57 -0700 (PDT) Received: by mail-wm1-x32d.google.com with SMTP id n127so2757653wmb.5 for ; Fri, 16 Apr 2021 08:33:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=ytm6x2vLN84smHgW7vb9p/KsJj33G3R6bvIaflLv16E=; b=hJXWLfp4f8CDzTqfIgdSOObQIM1FLOSrZ2p0XRVjGVtTQi4L+zsddWxRrhd4kWa7n5 X3ydnDUq9ENQeqWuhpQ390B65NX0dxsqk6MoVuNK6IeWQF4VkNmJu5a8gd9aHQosmUs6 nWtcutBvfOyzxz9QkWvxlEJXnplGbhvOLECd7FYnvdJZX5h/Z+uHG/BaXbS7yCJPnodK Dz1jB/kk7PsZZ3I0jmXb3sx5LkoXoLCIKAmb6JdAl+DBvXK0XW7zQ7+maLVlgz3K/H4e aEYAoCCpW1z6qx9z0St9cTzk6VsvofHR9i5pU84J7acECE0VRI6BCXYPFAcCGgbrFNa4 oRIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=ytm6x2vLN84smHgW7vb9p/KsJj33G3R6bvIaflLv16E=; b=S7RMyFiYbzw3x0fVwKhQLbgY935qzjHo5S/jxi5q5eact5ccg2ATAl99GtpHFvzG7h BetuzWxOodwVqaUGDIe/kxA8JM7CyZkaWbzPtD1XwsRU0pV09E+RvRTBfpJmOLhcAS2y 9gDEn2sbTlOPFuSw8JxxevIYR6V5IdkvoWWNgHFg3/dxTNBz2G6B9IUDBzKBeaZs0OTO PWPw6jFtixHojSK5B+mnz++effhngG0aWmirAUr3DPBY2MQXJbIr9tuYJeQweNuIkqVk DbL4XsBZvlFspiq3dykyFeOwSg6J7fU0C+u0mecEW/SIytqIYvMhw3EbSnU5r5QakYcy BCuA== X-Gm-Message-State: AOAM530a7Qy6Ot8AJNGBmPgWS9S4pGfYJQiHQMwR3Vyb7ksZ3LXFIvCQ h7zZdqUnSL6/lJ6NK5oQDPfz X-Received: by 2002:a1c:6646:: with SMTP id a67mr8967894wmc.86.1618587236337; Fri, 16 Apr 2021 08:33:56 -0700 (PDT) Received: from google.com ([2a00:79e0:d:209:51db:fb7a:d252:e3c1]) by smtp.gmail.com with ESMTPSA id h17sm11209854wru.67.2021.04.16.08.33.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Apr 2021 08:33:56 -0700 (PDT) Date: Fri, 16 Apr 2021 16:33:51 +0100 From: Wedson Almeida Filho To: Peter Zijlstra Cc: ojeda@kernel.org, Linus Torvalds , Greg Kroah-Hartman , rust-for-linux@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 00/13] [RFC] Rust support Message-ID: References: <20210414184604.23473-1-ojeda@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Apr 16, 2021 at 04:19:07PM +0200, Peter Zijlstra wrote: > Does this also not prohibit constructs where modification must be done > while holding two locks, but reading can be done while holding either > lock? I don't believe it does. Remember that we have full control of the abstractions, so we can (and will when the need arises) build an abstraction that provides the functionality you describe. For the read path, we can have functions that return a read-only guard (which is the gateway to the data in Rust) when locking either of the locks, or when showing evidence that either lock is already locked (i.e., by temporarily transferring ownership of another guard). Note that this is another area where Rust offers advantages: read-only guards (in C, if you take a read lock, nothing prevents you from making changes to fields you should only be allowed to read); and the ability to take temporary ownership, giving it back even within the same function. Similarly, to access a mutable guard, you'd have to show evidence that both locks are held. > That's a semi common scheme in the kernel, but not something that's > expressible by, for example, the Java sync keyword. > > It also very much doesn't work for RCU, where modification must be done > under a lock, but access is done essentially lockless. Why not? RCU is a lock -- it may have zero cost in most (all?) architectures on the read path, but it is a lock. We can model access to variables/fields protected by it just like any other lock, with the implementation of lock/unlock optimizing to no-ops on the read path where possible. In fact, this is also an advantage of Rust. It would *force* developers to lock/unlock the RCU lock before they can access the protected data. > I would much rather have a language extention where we can associate > custom assertions with variable access, sorta like a sanitizer: > > static inline void assert_foo_bar(struct foo *f) > { > lockdep_assert_held(&f->lock); > } > > struct foo { > spinlock_t lock; > int bar __assert__(assert_foo_bar); > }; > > Such things can be optional and only enabled for debug builds on new > compilers. These would be great, but would still fall short of the compile-time guaranteed safety that Rust offers in these cases. > C does indeed not have the concept of ownership, unlike modern C++ I > think. But I would much rather see a C language extention for that than > go Rust. > > This would mean a far more agressive push for newer C compilers than > we've ever done before, but at least it would all still be a single > language. Convertion to the new stuff can be done gradually and where > it makes sense and new extentions can be evaluated on performance impact > etc. I encourage you to pursue this. We'd all benefit from better C. I'd be happy to review and provide feedback on proposed extensions that are deemed equivalent/better than what Rust offers. My background is also in C. I'm no Rust fanboy, I'm just taking what I think is a pragmatic view of the available options.