Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp2239879rdh; Tue, 26 Sep 2023 17:58:47 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEk9BsADBT0WPc8a9fDUep7wFwz0lnpz7VNkG6fabKgTRdbyrdrx2cDzcQzyxIA9IkDEvUW X-Received: by 2002:a17:90a:5907:b0:274:6cc9:ec6d with SMTP id k7-20020a17090a590700b002746cc9ec6dmr290335pji.44.1695776327381; Tue, 26 Sep 2023 17:58:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695776327; cv=none; d=google.com; s=arc-20160816; b=nTLETWQ/wTZZ09B7K0Uwd139kDIhkBj6waMeh3n45xSLDkQhYgELvEhCQgNsbddIgg ir5elSOt88ikzadJLE9rNoQCfsJQq8re7WsQQvhwtdNvQJV5EhLDktkt/ai3/IrbMcUB MID6cE3z1z0tRhpq5AjgHAHDE2AvO2TAA2QFpKw0/2sjhQXgTY0o2vDct2A0u7iT9z/G SqhtYxpwUpzOrXtChJHIlvAlpWZpItE7N8B444TrQ8V1RXydufdnVUH6HcOOxBG/QJS5 2HT1snBrlNlvNDcyK6BVXWWfHRU4s84kiuHl7gT3uCu0I2kQk8WRe/asd6ItMStdPJ/m yz0g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=61qUDQIUo4t4iOJB48yhTUPDpR6d+0iCSSZ6+kuW/VA=; fh=6npmdinJhEkkpCJ7XCLOy8F/4cHCy/eztGlEDQ99YZ4=; b=zyNA/w9g3DDc7VniloP3LCCz4c7kz0em+XANMDYvAuKBa0FhWwTjPJL6mNaKbQ2I/X 1hXKAD/o3LZ62X3mdcss1K1p6NZ/catUxPDsu+TaQABChy19ATVEg698qNKNn91UuNpb JiBNCfD4k9Tn4h0CAgZuDAygJCihP9O7ZDttUQnnQ/nTBJxTXVAAhGH7L6HBGuANyoxw hSHDcSR9BZVHutO0LEyZZpWCK+5hoiTRLUXZrp628PGgDDMpeAkaaJFbpp1rvlqQeQrq VXj++6TBIJsknIrwHr7mKFI3rdVgYSvD6nPd+Ur0eVlQM9yL1c7tVeqSdFL7u4lXoU+q 38ZQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=NJ+AlP6A; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from howler.vger.email (howler.vger.email. [2620:137:e000::3:4]) by mx.google.com with ESMTPS id pf2-20020a17090b1d8200b0024e47fae466si4400975pjb.180.2023.09.26.17.58.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 26 Sep 2023 17:58:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) client-ip=2620:137:e000::3:4; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=NJ+AlP6A; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id AC9448049057; Tue, 26 Sep 2023 08:41:38 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235095AbjIZPli (ORCPT + 99 others); Tue, 26 Sep 2023 11:41:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48236 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235089AbjIZPlh (ORCPT ); Tue, 26 Sep 2023 11:41:37 -0400 Received: from mail-vk1-xa36.google.com (mail-vk1-xa36.google.com [IPv6:2607:f8b0:4864:20::a36]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B762F120 for ; Tue, 26 Sep 2023 08:41:29 -0700 (PDT) Received: by mail-vk1-xa36.google.com with SMTP id 71dfb90a1353d-495c9eb8911so3304737e0c.2 for ; Tue, 26 Sep 2023 08:41:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1695742889; x=1696347689; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=61qUDQIUo4t4iOJB48yhTUPDpR6d+0iCSSZ6+kuW/VA=; b=NJ+AlP6A4Utyu8vfpKspu5qn2Hx9pdiYnxnUvBYF0AwqrQwfaIIK6vXTyGwSXW7jTS ZSLCQwZde7Cw7eyiLNOTtpXT7zYYoZFWR141LXuv+QlfQPe88rT+lMnxkmtxCa7wF2y4 +t5MlEWEyC0bKVCcW4NUdTEwZeFO2OWDh0ZFWF69SlkXsPeGjHoBcIacnm7KD9BQKtea uRCwVCD1VO3689nEgl2wmvAT9ov3DdLQOs5FESNPNIozrp8TVXwMdEv9meqlKiLghE/8 NL5xvaDqcZVRgBYLKwXa6wy8kQCpeBnMEGuiL7GR7VlrDKBwPhap4mk+B2nvoeMaTxse FuXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695742889; x=1696347689; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=61qUDQIUo4t4iOJB48yhTUPDpR6d+0iCSSZ6+kuW/VA=; b=InG2F+JJxcbj5FH3PQSLoMm8EpGMtLZ91j4nhJL+tlCIXkV0eYwAn09FkXaSxvWGex ewvGoDv2KSC//zf66clocSYMzQwlkbtRMFCeiGOdc5C6OHOle/VjxjQliZIWL+oF0IfX diIFVn6c5QPZ0dGDWOFRZHUv0CG88GEuagSoS/MQbfess07ShznRk3teOCGk9TkLwPP+ RFtLbCtYkx0mIpw0nlR63MUDPJfao1mrUv7ul2+98zzR2lFgMeN9KvpW5mt6/ivnqN+W 8b3+v6vWWmHirBE3kDsQsdBnK683CsCW0MMvu1Ubcv0WkZPDkhDKiII28wFENrgA9i1P Z1Cg== X-Gm-Message-State: AOJu0Ywm0tq1VaF4us98h1DXWdZS/wpSYICyHoc5JlXrc/I2MxT/40bD 6CvHvFcUEEA1bDDBBTCKCVBBgIGOIK68yURNJnkFuQ== X-Received: by 2002:a1f:4a41:0:b0:490:1114:f3ee with SMTP id x62-20020a1f4a41000000b004901114f3eemr6724907vka.8.1695742888603; Tue, 26 Sep 2023 08:41:28 -0700 (PDT) MIME-Version: 1.0 References: <14513589-cc31-8985-8ff6-a97d2882f593@proton.me> <9d6d6c94-5da6-a56d-4e85-fbf8da26a0b0@proton.me> <61ccfb87-54fd-3f1b-105c-253d0350cd56@proton.me> <20230926162659.6555bcdc@gary-lowrisc-laptop> In-Reply-To: From: Alice Ryhl Date: Tue, 26 Sep 2023 17:41:17 +0200 Message-ID: Subject: Re: [PATCH v2 2/2] rust: arc: remove `ArcBorrow` in favour of `WithRef` To: Boqun Feng Cc: Gary Guo , Benno Lossin , Alice Ryhl , Wedson Almeida Filho , rust-for-linux@vger.kernel.org, Miguel Ojeda , Alex Gaynor , =?UTF-8?Q?Bj=C3=B6rn_Roy_Baron?= , Andreas Hindborg , linux-kernel@vger.kernel.org, Wedson Almeida Filho Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Tue, 26 Sep 2023 08:41:38 -0700 (PDT) On Tue, Sep 26, 2023 at 5:24=E2=80=AFPM Boqun Feng w= rote: > > On Tue, Sep 26, 2023 at 04:26:59PM +0800, Gary Guo wrote: > > On Mon, 25 Sep 2023 22:26:56 +0000 > > Benno Lossin wrote: > > > [...] > > > > > > The pointer was originally derived by a call to `into_raw`: > > > ``` > > > pub fn into_raw(self) -> *const T { > > > let ptr =3D self.ptr.as_ptr(); > > > core::mem::forget(self); > > > // SAFETY: The pointer is valid. > > > unsafe { core::ptr::addr_of!((*ptr).data) } > > > } > > > ``` > > > So in this function the origin (also the origin of the provenance) > > > of the pointer is `ptr` which is of type `NonNull>`. > > > Raw pointers do not lose this provenance information when you cast > > > it and when using `addr_of`/`addr_of_mut`. So provenance is something > > > that is not really represented in the type system for raw pointers. > > > > > > When doing a round trip through a reference though, the provenance is > > > newly assigned and thus would only be valid for a `T`: > > > ``` > > > let raw =3D arc.into_raw(); > > > let reference =3D unsafe { &*raw }; > > > let raw: *const T =3D reference; > > > let arc =3D unsafe { Arc::from_raw(raw) }; > > > ``` > > > Miri would complain about the above code. > > > > > > > One thing we can do is to opt from strict provenance, so: > > > > A few questions about strict provenance: > > > ``` > > let raw =3D arc.into_raw(); > > let _ =3D raw as usize; // expose the provenance of raw > > Should this be a expose_addr()? Pointer to integer cast is equivalent to expose_addr. > > let reference =3D unsafe { &*raw }; > > let raw =3D reference as *const T as usize as *const T; > > and this is a from_exposed_addr{_mut}(), right? Integer to pointer cast is equivalent to from_exposed_addr. > > let arc =3D unsafe { Arc::from_raw(raw) }; > > ``` > > > > One step back, If we were to use strict provenance API (i.e. > expose_addr()/from_exposed_addr()), we could use it to "fix" the > original problem? By: > > * expose_addr() in as_with_ref() > * from_exposed_addr() in `impl From<&WithRef> for Arc` > > right? > > More steps back, is the original issue only a real issue under strict > provenance rules? Don't make me wrong, I like the ideas behind strict > provenance, I just want to check, if we don't enable strict provenance > (as a matter of fact, we don't do it today), Outside of miri, strict provenance is not really something you enable. It's a set of rules that are stricter than the real rules, that are designed such that when you follow them, your code will be correct under any conceivable memory model we might end up with. They will never be the rules that the compiler actually uses. I think by "opt out from strict provenance", Gary just meant "use int2ptr and ptr2int casts to reset the provenance". > will the original issue found by Alice be a UB? Yes, it's UB under any ruleset that exists out there. There's no flag to turn it off. > Or is there a way to disable Miri's check on > strict provenance? IIUC, the cause of the original issue is that "you > cannot reborrow a pointer derived from a `&` to get a `&mut`, even when > there is no other alias to the same object". Maybe I'm still missing > something, but without strict provenance, is this a problem? Or is there > a provenance model of Rust without strict provenance? It's a problem under all of the memory models. The rule being violated is exactly the same rule as the one behind this paragraph: > Transmuting an & to &mut is Undefined Behavior. While certain usages may = appear safe, note that the Rust optimizer is free to assume that a shared r= eference won't change through its lifetime and thus such transmutation will= run afoul of those assumptions. So: > > Transmuting an & to &mut is always Undefined Behavior. > No you can't do it. > No you're not special. From: https://doc.rust-lang.org/nomicon/transmutes.html Alice