Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp2299797rdh; Tue, 26 Sep 2023 20:39:00 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFcVBS66waaKBXwURtJjhqMR/FT6izvM4xJMDfFjM8Mz97JmxV8dch1lysOw5H++vTN1VpJ X-Received: by 2002:a17:902:c412:b0:1c3:b0c7:38bf with SMTP id k18-20020a170902c41200b001c3b0c738bfmr8248826plk.12.1695785939623; Tue, 26 Sep 2023 20:38:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695785939; cv=none; d=google.com; s=arc-20160816; b=blmmJSl9OmhzGAcw0d61xPyoZ4D/CWyL1HVrwI8Szk0pHsGdIzvNyTWtQ5yw9tRKtC EHofMUdFaY8C7xGC+5s0eNn1VQyxHSN3vQA+Q5m7VxL4b7g0Sy5e1YHQQhHk/t8Cb74c tQyMLdQgPul8JIwv4QKY5fMBRhsKsadh2samwlR/NeQqqGsuCNJGpufHsvkJsgMABCnt EDISN89+2+dR5njYn+qTbPIlp6sTRls6CFMIGq/xLpvWjSkmDkO0oFPLfY0uMLFznpep yg9qNCJIDH4/utgAmWAXb9m5oWZmipwtRh01/LdAPhI0A9VDcwv87Lzbk9IOpVhbS6qO ueBg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:feedback-id:dkim-signature; bh=u/0G7UZtp532WD4U9IqAMOL98DSIgotyWvhe40XiMkg=; fh=ZghOmOrlEMw62Z9AKvM/K7B9BuWiCL8YtmV3OEZoi5o=; b=wLMw7+0JzSaZD2RsBk85n/tZF0UWD88HE/KZ0Qsvtb9ZyLh/hc4v3YxHl4Fx9u98Ka 26lMuKzaQP11A4BjOY7708KIYoyT4SZ3Z6C6xoto0DHNmneYl51GvQjg5gi2Jb69xAuh uLGrM3NGiRDc+cruqj58IEUK9/O3j5UmpHd3J73kudTfsl+SHtOmlWAXucPUEcb8UIkp TyBcX+gFSOvR+9ZO30TAi4Xtavpz5e4TqGI6nCtfJZvS/CSy6mNooYgrE5xnTVLxZnNb Xq8vvW80J8rnVQVjc5uNfKHP2eLjo9r3kjowSk+GM3QwpPCDgKhHIVjLAFfKsO+Ggn0E /jNQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b="gMPJp9/s"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from groat.vger.email (groat.vger.email. [2620:137:e000::3:5]) by mx.google.com with ESMTPS id d8-20020a170903230800b001b7f4696a2csi15625859plh.347.2023.09.26.20.38.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 26 Sep 2023 20:38:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) client-ip=2620:137:e000::3:5; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b="gMPJp9/s"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id C2E5380BE0BC; Tue, 26 Sep 2023 10:44:11 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234339AbjIZRoK (ORCPT + 99 others); Tue, 26 Sep 2023 13:44:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49268 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229678AbjIZRoJ (ORCPT ); Tue, 26 Sep 2023 13:44:09 -0400 Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 395C59F; Tue, 26 Sep 2023 10:44:01 -0700 (PDT) Received: by mail-lf1-x12a.google.com with SMTP id 2adb3069b0e04-5033918c09eso15000362e87.2; Tue, 26 Sep 2023 10:44:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1695750239; x=1696355039; darn=vger.kernel.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :feedback-id:from:to:cc:subject:date:message-id:reply-to; bh=u/0G7UZtp532WD4U9IqAMOL98DSIgotyWvhe40XiMkg=; b=gMPJp9/s9SgjrOgSzz0ta4gA2skueshXH2kRgPvt7uVJYX374OBl3hJafPT3uWeJVb DaLY5zZzGZKv2Ys3JGnpm6cAi4No3lSidclL1LK8X/vRgZRlWTs/6za3b644xdnAGC/R MgM056r4EYsfrFe0yEiBAcNHQfEqGb7SM4yh2dX88tNqqnL2DIPsRov6IuYkdKW6pOfY ZnV9Fe9MUS799nL44IAh3vb0G7W0hn4SIRU68D/15GXl5Ph0/sRpCWPMbrB4zn+SP0zB 8LwSVFnXMDQu5m7CveOCkUulh5cX0omFiwK2ZDV0n1j3quo9fUSb6ChfBA+4dPXfA+ro K/KQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695750239; x=1696355039; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :feedback-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=u/0G7UZtp532WD4U9IqAMOL98DSIgotyWvhe40XiMkg=; b=PrYwP+5f1FoxjFrK0MUorEjH3GGQwL9g/dcg9pwDXnvwAe2Rllar6Pn2CiL+Wi4vsG 75M64pLd8+DthZ068JJQAeRa21Iu7uNAZZAeyJeX39vYvyogUmjMopoH7Fh/ecdw7CaW QkA97MBDOlB3QjlZTBBNTHF/nkmnZvVqCzWkhhAu6nASHnbA5PQxZA7oalZleFBTTdd9 SB3B425bYu1Ddo9I/KMpI4MDEn5dBLKVwm/wc+KOHnpRjasJozbJsTLiHaBCgKOMjUJC GqABzX2QfMJvpuGeVGnOKZE2HfcL15oohA2dJ1wCS56mObXM0/ncZLnycqQ8JaiGLlsZ FavQ== X-Gm-Message-State: AOJu0YwPJ7HaM8w/Zgec1ZBrnfScyBQvOBVZYZNU+eBiU1580U5zuhXo 5/p0EKxlKEKmHDwCRpXht4M= X-Received: by 2002:ac2:5e85:0:b0:502:a4f4:ced9 with SMTP id b5-20020ac25e85000000b00502a4f4ced9mr8301552lfq.62.1695750238924; Tue, 26 Sep 2023 10:43:58 -0700 (PDT) Received: from auth2-smtp.messagingengine.com (auth2-smtp.messagingengine.com. [66.111.4.228]) by smtp.gmail.com with ESMTPSA id s13-20020a056402520d00b0053450b064e2sm1533521edd.3.2023.09.26.10.43.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 26 Sep 2023 10:43:58 -0700 (PDT) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailauth.nyi.internal (Postfix) with ESMTP id 0CFEE27C0054; Tue, 26 Sep 2023 13:43:56 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Tue, 26 Sep 2023 13:43:56 -0400 X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvjedrtddtgdekiecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpeffhffvvefukfhfgggtugfgjgesthekredttddtjeenucfhrhhomhepuehoqhhu nhcuhfgvnhhguceosghoqhhunhdrfhgvnhhgsehgmhgrihhlrdgtohhmqeenucggtffrrg htthgvrhhnpedtgeehvefghfegtdektdegtdfggfeitefgffetteetieeihfdtkeffieel vdeigfenucffohhmrghinhepphhtrhdrrghspdhruhhsthdqlhgrnhhgrdhorhhgnecuve hluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepsghoqhhunhdo mhgvshhmthhprghuthhhphgvrhhsohhnrghlihhthidqieelvdeghedtieegqddujeejke ehheehvddqsghoqhhunhdrfhgvnhhgpeepghhmrghilhdrtghomhesfhhigihmvgdrnhgr mhgv X-ME-Proxy: Feedback-ID: iad51458e:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 26 Sep 2023 13:43:54 -0400 (EDT) Date: Tue, 26 Sep 2023 10:43:21 -0700 From: Boqun Feng To: Benno Lossin Cc: Alice Ryhl , Gary Guo , Alice Ryhl , Wedson Almeida Filho , rust-for-linux@vger.kernel.org, Miguel Ojeda , Alex Gaynor , =?iso-8859-1?Q?Bj=F6rn?= Roy Baron , Andreas Hindborg , linux-kernel@vger.kernel.org, Wedson Almeida Filho Subject: Re: [PATCH v2 2/2] rust: arc: remove `ArcBorrow` in favour of `WithRef` Message-ID: References: <9d6d6c94-5da6-a56d-4e85-fbf8da26a0b0@proton.me> <61ccfb87-54fd-3f1b-105c-253d0350cd56@proton.me> <20230926162659.6555bcdc@gary-lowrisc-laptop> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Tue, 26 Sep 2023 10:44:11 -0700 (PDT) On Tue, Sep 26, 2023 at 05:15:52PM +0000, Benno Lossin wrote: > On 26.09.23 18:35, Boqun Feng wrote: > > On Tue, Sep 26, 2023 at 05:41:17PM +0200, Alice Ryhl wrote: > >> On Tue, Sep 26, 2023 at 5:24 PM Boqun Feng wrote: > >>> > >>> On Tue, Sep 26, 2023 at 04:26:59PM +0800, Gary Guo wrote: > >>>> On Mon, 25 Sep 2023 22:26:56 +0000 > >>>> Benno Lossin wrote: > >>>> > >>> [...] > >>>>> > >>>>> The pointer was originally derived by a call to `into_raw`: > >>>>> ``` > >>>>> pub fn into_raw(self) -> *const T { > >>>>> let ptr = self.ptr.as_ptr(); > >>>>> core::mem::forget(self); > >>>>> // SAFETY: The pointer is valid. > >>>>> unsafe { core::ptr::addr_of!((*ptr).data) } > >>>>> } > >>>>> ``` > >>>>> So in this function the origin (also the origin of the provenance) > >>>>> of the pointer is `ptr` which is of type `NonNull>`. > >>>>> Raw pointers do not lose this provenance information when you cast > >>>>> it and when using `addr_of`/`addr_of_mut`. So provenance is something > >>>>> that is not really represented in the type system for raw pointers. > >>>>> > >>>>> When doing a round trip through a reference though, the provenance is > >>>>> newly assigned and thus would only be valid for a `T`: > >>>>> ``` > >>>>> let raw = arc.into_raw(); > >>>>> let reference = unsafe { &*raw }; > >>>>> let raw: *const T = reference; > >>>>> let arc = unsafe { Arc::from_raw(raw) }; > >>>>> ``` > >>>>> Miri would complain about the above code. > >>>>> > >>>> > >>>> One thing we can do is to opt from strict provenance, so: > >>>> > >>> > >>> A few questions about strict provenance: > >>> > >>>> ``` > >>>> let raw = arc.into_raw(); > >>>> let _ = raw as usize; // expose the provenance of raw > >>> > >>> Should this be a expose_addr()? > >> > >> Pointer to integer cast is equivalent to expose_addr. > >> > >>>> let reference = unsafe { &*raw }; > >>>> let raw = reference as *const T as usize as *const T; > >>> > >>> and this is a from_exposed_addr{_mut}(), right? > >> > >> Integer to pointer cast is equivalent to from_exposed_addr. > >> > > > > Got it, thanks! > > > >>>> let arc = unsafe { Arc::from_raw(raw) }; > >>>> ``` > >>>> > >>> > >>> One step back, If we were to use strict provenance API (i.e. > >>> expose_addr()/from_exposed_addr()), we could use it to "fix" the > >>> original problem? By: > >>> > >>> * expose_addr() in as_with_ref() > >>> * from_exposed_addr() in `impl From<&WithRef> for Arc` > >>> > >>> right? > >>> > >>> More steps back, is the original issue only a real issue under strict > >>> provenance rules? Don't make me wrong, I like the ideas behind strict > >>> provenance, I just want to check, if we don't enable strict provenance > >>> (as a matter of fact, we don't do it today), > >> > >> Outside of miri, strict provenance is not really something you enable. > >> It's a set of rules that are stricter than the real rules, that are > >> designed such that when you follow them, your code will be correct > >> under any conceivable memory model we might end up with. They will > >> never be the rules that the compiler actually uses. > >> > >> I think by "opt out from strict provenance", Gary just meant "use > >> int2ptr and ptr2int casts to reset the provenance". > >> > >>> will the original issue found by Alice be a UB? > >> > >> Yes, it's UB under any ruleset that exists out there. There's no flag > >> to turn it off. > >> > >>> Or is there a way to disable Miri's check on > >>> strict provenance? IIUC, the cause of the original issue is that "you > >>> cannot reborrow a pointer derived from a `&` to get a `&mut`, even when > >>> there is no other alias to the same object". Maybe I'm still missing > >>> something, but without strict provenance, is this a problem? Or is there > >>> a provenance model of Rust without strict provenance? > >> > >> It's a problem under all of the memory models. The rule being violated > >> is exactly the same rule as the one behind this paragraph: > >> > >>> Transmuting an & to &mut is Undefined Behavior. While certain usages may appear safe, note that the Rust optimizer is free to assume that a shared reference won't change through its lifetime and thus such transmutation will run afoul of those assumptions. So: > >>> > >>> Transmuting an & to &mut is always Undefined Behavior. > >>> No you can't do it. > >>> No you're not special. > >> From: https://doc.rust-lang.org/nomicon/transmutes.html > > > > But here the difference it that we only derive a `*mut` from a `&`, > > rather than transmute to a `&mut`, right? We only use `&` to get a > > pointer value (a usize), so I don't think that rule applies here? Or in > > other words, does the following implemenation look good to you? > > > > impl Arc { > > pub fn as_with_ref(&self) -> &WithRef { > > // expose > > let _ = self.ptr.as_ptr() as usize; > > unsafe { self.ptr.as_ref() } > > } > > } > > > > impl From<&WithRef> for Arc { > > fn from(b: &WithRef) -> Self { > > // from exposed > > let ptr = unsafe { NonNull::new_unchecked(b as *const _ as usize as *mut _) }; > > // SAFETY: The existence of `b` guarantees that the refcount is non-zero. `ManuallyDrop` > > // guarantees that `drop` isn't called, so it's ok that the temporary `Arc` doesn't own the > > // increment. > > ManuallyDrop::new(unsafe { Arc::from_inner(ptr) }) > > .deref() > > .clone() > > } > > } > > > > > > An equivalent code snippet is as below (in case anyone wants to try it > > in miri): > > ```rust > > let raw = Box::into_raw(arc); > > > > // as_with_ref() > > let _ = raw as usize; > > let reference = unsafe { &*raw }; > > > > // from() > > let raw: *mut T = reference as *const _ as usize as *mut _ ; > > > > // drop() > > let arc = unsafe { Box::from_raw(raw) }; > > ``` > > I don't understand why we are trying to use ptr2int to fix this. > Simply wrapping the `T` field inside `WithRef` with `UnsafeCell` > should be enough. > To me (and maybe the same for Wedson), it's actually Ok that we don't do the change (i.e. the ArcBorrow -> &WithRef) at all. It's more a code/concept simplification. Fixing with an `UnsafeCell` seems more like a workaround to me, because there is no interior mutable requirement here, so I just don't want to patch something unnecessary here just to make things work. Put it in another way, if `UnsafeCell` can fix this and no interior mutability is needed, we probably can fix this with another way or there is an API like `UnsafeCell` is missing here. Sorry for being stubborn here ;-) But I really want to find a better solution for the similar problems. What's the shortcoming of ptr2int? Regards, Boqun > -- > Cheers, > Benno > >