Date: Mon, 25 Sep 2023 22:26:56 +0000
To: Boqun Feng, Alice Ryhl
From: Benno Lossin
Cc: Alice Ryhl, Wedson Almeida Filho, rust-for-linux@vger.kernel.org, Miguel Ojeda, Alex Gaynor, Gary Guo, Björn Roy Baron, Andreas Hindborg, linux-kernel@vger.kernel.org, Wedson Almeida Filho
Subject: Re: [PATCH v2 2/2] rust: arc: remove `ArcBorrow` in favour of `WithRef`
Message-ID: <61ccfb87-54fd-3f1b-105c-253d0350cd56@proton.me>

On 26.09.23 00:02, Boqun Feng wrote:
> On Mon, Sep 25, 2023 at 11:58:46PM +0200, Alice Ryhl wrote:
>> On 9/25/23 23:55, Boqun Feng wrote:
>>> On Mon, Sep 25, 2023 at 09:03:52PM +0000, Benno Lossin wrote:
>>>> On 25.09.23 20:51, Boqun Feng wrote:
>>>>> On Mon, Sep 25, 2023 at 05:00:45PM +0000, Benno Lossin wrote:
>>>>>> On 25.09.23 18:16, Boqun Feng wrote:
>>>>>>> On Mon, Sep 25, 2023 at 03:07:44PM +0000, Benno Lossin wrote:
>>>>>>>> ```rust
>>>>>>>> struct MutatingDrop {
>>>>>>>>     value: i32,
>>>>>>>> }
>>>>>>>>
>>>>>>>> impl Drop for MutatingDrop {
>>>>>>>>     fn drop(&mut self) {
>>>>>>>>         self.value = 0;
>>>>>>>>     }
>>>>>>>> }
>>>>>>>>
>>>>>>>> let arc = Arc::new(MutatingDrop { value: 42 });
>>>>>>>> let wr = arc.as_with_ref(); // this creates a shared `&` reference to the MutatingDrop
>>>>>>>> let arc2: Arc<MutatingDrop> = wr.into(); // increments the reference count to 2
>>>>>>>
>>>>>>> More precisely, here we did a
>>>>>>>
>>>>>>>     &WithRef<_> -> NonNull<WithRef<_>>
>>>>>>>
>>>>>>> conversion, and later on, we may use the `NonNull<WithRef<_>>` in
>>>>>>> `drop` to get a `Box<WithRef<_>>`.
>>>>>>
>>>>>> Indeed.
>>>>>>
>>>>>
>>>>> Can we work around this issue by (ab)using the `UnsafeCell` inside
>>>>> `WithRef`?
>>>>>
>>>>> impl<T> From<&WithRef<T>> for Arc<T> {
>>>>>     fn from(b: &WithRef<T>) -> Self {
>>>>>         // SAFETY: The existence of the references proves that
>>>>>         // `b.refcount.get()` is a valid pointer to `WithRef<T>`.
>>>>>         let ptr = unsafe { NonNull::new_unchecked(b.refcount.get().cast::<WithRef<T>>()) };
>>>>>
>>>>>         // SAFETY: see the SAFETY above `let ptr = ..` line.
>>>>>         ManuallyDrop::new(unsafe { Arc::from_inner(ptr) })
>>>>>             .deref()
>>>>>             .clone()
>>>>>     }
>>>>> }
>>>>>
>>>>> This way, the raw pointer in the new Arc no longer derives from the
>>>>> reference of `WithRef`.
>>>>
>>>> No, the code above only obtains a pointer that has provenance valid
>>>> for a `bindings::refcount_t` (or type with the same layout, such as
>>>> `Opaque`). But not the whole `WithRef`, so accessing
>>>> it by reading/writing will still be UB.
>>>>
>>>
>>> Hmm... but we do the similar thing in `Arc::from_raw()`, right?
>>>
>>>     pub unsafe fn from_raw(ptr: *const T) -> Self {
>>>         ..
>>>     }
>>>
>>> , what we have is a pointer to T, and we construct a pointer to
>>> `ArcInner/WithRef`, in that function. Because the `sub` on pointer
>>> gets away from provenance? If so, we can also do a sub(0) in the above
>>> code.
>>
>> Not sure what you mean. Operations on raw pointers leave provenance
>> unchanged.
>
> Let's look at the function from_raw(), the input is a pointer to T,
> right? So you only have the provenance to T, but in that function, the
> pointer is cast to a pointer to WithRef/ArcInner, that means you
> have the provenance to the whole WithRef/ArcInner, right? My
> question is: why isn't that a UB?

The pointer was originally derived by a call to `into_raw`:
```
pub fn into_raw(self) -> *const T {
    let ptr = self.ptr.as_ptr();
    core::mem::forget(self);
    // SAFETY: The pointer is valid.
    unsafe { core::ptr::addr_of!((*ptr).data) }
}
```
So in this function the origin (also the origin of the provenance)
of the pointer is `ptr` which is of type `NonNull<WithRef<T>>`.
Raw pointers do not lose this provenance information when you cast
them and when using `addr_of`/`addr_of_mut`. So provenance is something
that is not really represented in the type system for raw pointers.

When doing a round trip through a reference though, the provenance is
newly assigned and thus would only be valid for a `T`:
```
let raw = arc.into_raw();
let reference = unsafe { &*raw };
let raw: *const T = reference;
let arc = unsafe { Arc::from_raw(raw) };
```
Miri would complain about the above code.

-- 
Cheers,
Benno
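
An added example, not code from this thread or from the kernel tree: a minimal single-owner `Arc`-like type showing the `into_raw`/`from_raw` round trip described above, where the pointer keeps provenance over the whole allocation because it is only cast and offset, never re-derived from a `&T`. `MiniArc`, `Inner` and `sound_round_trip` are hypothetical names, and computing the field offset with `Layout::extend` is this example's own choice.

```rust
use std::alloc::Layout;
use std::ptr::{addr_of, NonNull};

// Hypothetical stand-in for the `WithRef<T>`/`ArcInner<T>` discussed in the thread.
#[repr(C)]
struct Inner<T> { refcount: usize, data: T }

// Hypothetical single-owner `Arc` without `Clone` (constructed for this example).
pub struct MiniArc<T>(NonNull<Inner<T>>);
impl<T> MiniArc<T> {
    pub fn new(data: T) -> Self {
        // `Box::into_raw` yields a pointer with provenance over all of `Inner<T>`.
        let inner = Box::into_raw(Box::new(Inner { refcount: 1, data }));
        MiniArc(NonNull::new(inner).unwrap())
    }
    pub fn into_raw(self) -> *const T {
        let ptr = self.0.as_ptr();
        std::mem::forget(self);
        // SAFETY: `ptr` is valid; `addr_of!` makes no reference, so provenance is kept.
        unsafe { addr_of!((*ptr).data) }
    }
    /// # Safety: `ptr` must come from `into_raw` and never have been re-derived from a `&T`.
    pub unsafe fn from_raw(ptr: *const T) -> Self {
        let offset = Layout::new::<usize>().extend(Layout::new::<T>()).unwrap().1;
        // Casts and pointer arithmetic leave provenance unchanged.
        let inner = unsafe { ptr.cast::<u8>().sub(offset) }.cast::<Inner<T>>();
        MiniArc(unsafe { NonNull::new_unchecked(inner.cast_mut()) })
    }
    pub fn get(&self) -> &T {
        unsafe { &(*self.0.as_ptr()).data }
    }
}

impl<T> Drop for MiniArc<T> {
    fn drop(&mut self) {
        // SAFETY: sole owner; freeing needs a pointer valid for the whole `Inner<T>`.
        debug_assert_eq!(unsafe { (*self.0.as_ptr()).refcount }, 1);
        drop(unsafe { Box::from_raw(self.0.as_ptr()) });
    }
}

pub fn sound_round_trip(v: i32) -> i32 {
    let raw = MiniArc::new(v).into_raw();
    // SAFETY: `raw` comes straight from `into_raw`, never via `&*raw`.
    let arc = unsafe { MiniArc::from_raw(raw) };
    *arc.get()
}

fn main() { assert_eq!(sound_round_trip(42), 42); }
```

Passing `from_raw` a pointer re-derived from `&*raw`, as in the last snippet of the message, is the case the message says Miri would complain about: `drop` would then free an `Inner<T>` through a pointer valid only for the `T`.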