Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp2345770rwb; Sun, 2 Oct 2022 21:50:21 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5fe0FUfeIew/HwN9ZbLT2tz8maBzArxKI/pUBF58/m+sxBwF4XP+mlWFlwaJjjnkmIvvKD X-Received: by 2002:a65:6708:0:b0:450:72a7:e32d with SMTP id u8-20020a656708000000b0045072a7e32dmr1635292pgf.354.1664772621285; Sun, 02 Oct 2022 21:50:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1664772621; cv=none; d=google.com; s=arc-20160816; b=tr1aR2oc3ItTxhiehHds/BwuZz/QpcFW4fUzLLJjdsfU6ovD61NKNR+ipTGvCKQ9Tb Ubf0pNP1fIc+gaPkFWj+3vLVg3oiNaXhHsOXTsv9kduLGhKga5qOPQbVx366+yxjiZde ZVVBGkC6BwmpmpYaQVrJjfJHq32Bo68ziftFMCl/TushGvx5E218cIiv/Qj4ygbZly7g c+LS3leFwBO+gGQODjtlwpacOmX2szRJasOgEHp+VYAcjpVOHFwcmwGhMT3F3eNwlaDs L2bsyEdReZtgEwZ4eEBMjtX2KxoMKvs+eLeqQomV8UoD/62c2YqTU5ifzjiIiBzulEqX KlwA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=9ksXVMaoyiezvzOT4T4fypchzJ4+YFvVGZ+lnFeb2aw=; b=bS5IR6wAJY7teFpIoliHLiyhJD2xh87SQZ47cZRpTHTRBdAqxw2D/pHJRFXi4MRJ9q KHktrNiXxeOCi9iraPL9aAWcMJsa3KHBjTjmKDFWbI0aJQOluklsJJeOLqoOYGpjonmQ +78GYIbkv/ohvjSKd66FpD3WIVociWFdzMTM+1LPfcQtr/RFsH3SeBZvO0n7sVjn/JxP f/OATT6D7kkzqcHTmuPYGXwb6IPV44cmTmaiHjRvzyWplWxzlUIIR4/cfHwtrToDQidt fn+0ZskfOFhY8nrwqoXTHerMGHearodQAF3N4lzXKhEZaeK6s8Fr1mdUJeJHYSJJVJmh W+9A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=PmCcPLFj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id r15-20020a63514f000000b0043961d06e6bsi9099701pgl.787.2022.10.02.21.49.59; Sun, 02 Oct 2022 21:50:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=PmCcPLFj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229544AbiJCER2 (ORCPT + 99 others); Mon, 3 Oct 2022 00:17:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52434 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229511AbiJCER0 (ORCPT ); Mon, 3 Oct 2022 00:17:26 -0400 Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B514F2F036; Sun, 2 Oct 2022 21:17:25 -0700 (PDT) Received: by mail-ej1-x62d.google.com with SMTP id fj18so1113174ejc.10; Sun, 02 Oct 2022 21:17:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=9ksXVMaoyiezvzOT4T4fypchzJ4+YFvVGZ+lnFeb2aw=; b=PmCcPLFjvenmI+fhAgzbecuICa+ogZ6PoCekZGUDFtxsTMtlUe1IQcEpjv+eJNUrTv 01Krqp8RPW56WQvJ0a+WN0uM0/ED6/U8cQuKFLtLHpe3DfWS00jq7q0l0oEbriwseYT9 5lh+K4TjZtGgZnJ1UDQMyUjzQHCoXlz1DGxNfLM4K9fyRbwdsrOOsamNeS3m0V5n3b2v L3tBTF6XW5d/kJeONeDt2NGLtQ/nry1+LzizOR26iYSlPamJbMyFb4db7SnBTqkgp/lx fDbKOLxyaJM1x5hMFzFuxyx0I9GSbYzj5h2kQERuiB5P4gjeVfCWtrtkciRnQ8uDQ3D/ lWfw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=9ksXVMaoyiezvzOT4T4fypchzJ4+YFvVGZ+lnFeb2aw=; b=ESefkQrrTdpFspnXlJ8DGzUz5AXaLJT1UOPnC1H5UEYFa2wMlRe2L8mbi2fpU2s6+u 6YDBFnGx5yBw1ONeH/Htwr1KD5O1CTsxwYPnjcNephDi9AMflvTr8LpPTW4fTQVTaH61 G//nPSa65sTrWIMrIOq8MC+aJpmfkG1uPRnr2dJVQrIWn3oa66LueYmF7DTg7rsJxUUD J4pl/ovV83ijHHN5WdWn3lsPrhQCr6mIjhRJT7UpsUta6zYHGIl/W/wLLDsrxgGbzmEc TFbmGj8wItVNAGKMMATxFqLzzr1bn0UkZ8ImYLTPagw7gwoXrFKGblaOqmp1vdZAIyhJ boIA== X-Gm-Message-State: ACrzQf3kEHp/CyZ4qNNQYPB0zaail5OxSSozoX7SqANUkwo33pJO/IuI UX5GkspK+fVnoiSs9SOPS1Gn8N/MM0+9FbQbNRc= X-Received: by 2002:a17:907:1c24:b0:78a:3d92:7701 with SMTP id nc36-20020a1709071c2400b0078a3d927701mr4516406ejc.131.1664770644115; Sun, 02 Oct 2022 21:17:24 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Kyle Strand Date: Sun, 2 Oct 2022 22:17:10 -0600 Message-ID: Subject: Re: [PATCH v9 12/27] rust: add `kernel` crate To: Boqun Feng Cc: Linus Torvalds , Alex Gaynor , Wedson Almeida Filho , Matthew Wilcox , Kees Cook , Miguel Ojeda , Konstantin Shelekhin , ojeda@kernel.org, ark.email@gmail.com, bjorn3_gh@protonmail.com, bobo1239@web.de, bonifaido@gmail.com, davidgow@google.com, dev@niklasmohrin.de, dsosnowski@dsosnowski.pl, foxhlchen@gmail.com, gary@garyguo.net, geofft@ldpreload.com, gregkh@linuxfoundation.org, jarkko@kernel.org, john.m.baublitz@gmail.com, leseulartichaut@gmail.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, m.falkowski@samsung.com, me@kloenk.de, milan@mdaverde.com, mjmouse9999@gmail.com, patches@lists.linux.dev, rust-for-linux@vger.kernel.org, thesven73@gmail.com, viktor@v-gar.de, Andreas Hindborg Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org I don't know if there was ever a direct answer to this question; I was hoping someone with more involvement in the project would jump in. > In this early experiment stage, if something is unsafe per Rust safety > requirements, maybe we should mark it as "unsafe"? Not because Rust > safety needs trump kernel needs, but because we need showcases to the > Rust langauge people the things that are not working very well in Rust > today. > > I definitely agree that we CANNOT change kernel behaviors to solely > fulfil Rust safety requirements, we (Rust-for-Linux people) should > either find a way to check in compiler time or just mark it as "unsafe". From the perspective of a Linux outsider, marking huge swaths of Rust code "unsafe" doesn't actually sound incorrect to me. If a function may exhibit undefined behavior, it's unsafe; thus, it should be marked as such. True, you lose some of Rust's guarantees within the code marked "unsafe", but this is what permits Rust to enforce those guarantees elsewhere. Having lots of uses of "unsafe" in kernel code is probably to be expected, and (in my opinion) not actually a sign that things "are not working very well in Rust." It's not even particularly verbose, if the callers of unsafe functions are generally also marked "unsafe"; in these cases, only the signatures are affected. The last sentence of Boqun's quote above captures the intent of "unsafe" perfectly: it simply indicates that code cannot be proven at compile time not to exhibit undefined behavior. It's important for systems languages to enable such code to be written, which is precisely why Rust has the "unsafe" keyword. On Mon, Sep 19, 2022 at 6:45 PM Boqun Feng wrote: > > On Mon, Sep 19, 2022 at 04:58:06PM -0700, Linus Torvalds wrote: > > On Mon, Sep 19, 2022 at 4:50 PM Alex Gaynor wrote: > > > > > > Rust's rules are that a function that's safe must not exhibit UB, no > > > matter what arguments they're called with. This can be done with > > > static checking or dynamic checking, with obvious trade offs between > > > the two. > > > > I think you are missing just how many things are "unsafe" in certain > > contexts and *cannot* be validated. > > > > This is not some kind of "a few special things". > > > > This is things like absolutely _anything_ that allocates memory, or > > takes a lock, or does a number of other things. > > > > Those things are simply not "safe" if you hold a spinlock, or if you > > are in a RCU read-locked region. > > > > And there is literally no way to check for it in certain configurations. None. > > > > So are you going to mark every single function that takes a mutex as > > being "unsafe"? > > > > In this early experiment stage, if something is unsafe per Rust safety > requirements, maybe we should mark it as "unsafe"? Not because Rust > safety needs trump kernel needs, but because we need showcases to the > Rust langauge people the things that are not working very well in Rust > today. > > I definitely agree that we CANNOT change kernel behaviors to solely > fulfil Rust safety requirements, we (Rust-for-Linux people) should > either find a way to check in compiler time or just mark it as "unsafe". > > Maybe I'm naive ;-) But keeping Rust safety requirements as they are > helps communication with the people on the other side (Rust > langauge/compiler): "Hey, I did everything per your safety requirements, > and it ends like this, I'm not happy about it, could you figure out > something helpful? After all, Rust is a *system programming" language, > it should be able to handle things like these". > > Or we want to say "kernel is special, so please give me a option so that > I don't need to worry about these UBs and deal with my real problems"? > I don't have the first hand experience, but seems this is what we have > been doing with C for many years. Do we want to try a new strategy? ;-) > But perhaps it's not new, maybe it's done a few times already but didn't > end well.. > > Anyway, if I really want to teach Rust language/compiler people "I know > what I'm doing, the problem is that the language is not ready". What > should I do? > > Regards, > Boqun > > > Or are you just going to accept and understand that "hey, exactly like > > with integer overflows, sometimes it will be checked, and sometimes it > > just won't be". > > > > Because that is literally the reality of the kernel. Sometimes you > > WILL NOT have the checks, and you literally CANNOT have the checks. > > > > This is just how reality is. You don't get to choose the universe you live in. > > > > Linus