Date: Thu, 30 Nov 2023 13:33:39 +0100
From: Christian Brauner
To: Benno Lossin
Cc: Alice Ryhl, a.hindborg@samsung.com, alex.gaynor@gmail.com, arve@android.com, bjorn3_gh@protonmail.com, boqun.feng@gmail.com, cmllamas@google.com, dan.j.williams@intel.com, dxu@dxuuu.xyz, gary@garyguo.net, gregkh@linuxfoundation.org, joel@joelfernandes.org, keescook@chromium.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, maco@android.com, ojeda@kernel.org, peterz@infradead.org, rust-for-linux@vger.kernel.org, surenb@google.com, tglx@linutronix.de, tkjos@android.com, viro@zeniv.linux.org.uk, wedsonaf@gmail.com, willy@infradead.org
Subject: Re: [PATCH 4/7] rust: file: add `FileDescriptorReservation`

On Thu, Nov 30, 2023 at 12:17:14PM +0000, Benno Lossin wrote:
> On 30.11.23 12:54, Alice Ryhl wrote:
> > Christian Brauner writes:
> >> On Thu, Nov 30, 2023 at 09:17:56AM +0000, Alice Ryhl wrote:
> >>> Christian Brauner writes:
> >>>>>>> + /// Prevent values of this type from being moved to a different task.
> >>>>>>> + ///
> >>>>>>> + /// This is necessary because the C FFI calls assume that `current` is set to the task that
> >>>>>>> + /// owns the fd in question.
> >>>>>>> + _not_send_sync: PhantomData<*mut ()>,
> >>>>>>
> >>>>>> I don't fully understand this. Can you explain in a little more detail
> >>>>>> what you mean by this and how this works?
> >>>>>
> >>>>> Yeah, so, this has to do with the Rust trait `Send` that controls
> >>>>> whether it's okay for a value to get moved from one thread to another.
> >>>>> In this case, we don't want it to be `Send` so that it can't be moved to
> >>>>> another thread, since current might be different there.
> >>>>>
> >>>>> The `Send` trait is automatically applied to structs whenever *all*
> >>>>> fields of the struct are `Send`. So to ensure that a struct is not
> >>>>> `Send`, you add a field that is not `Send`.
> >>>>>
> >>>>> The `PhantomData` type used here is a special zero-sized type.
> >>>>> Basically, it says "pretend this struct has a field of type `*mut ()`,
> >>>>> but don't actually add the field". So for the purposes of `Send`, it has
> >>>>> a non-Send field, but since it's wrapped in `PhantomData`, the field is
> >>>>> not there at runtime.
> >>>>
> >>>> This is probably a stupid suggestion, question. But while PhantomData gives
> >>>> the right hint of what is happening I wouldn't mind if that was very
> >>>> explicitly called NoSendTrait or just add the explanatory comment. Yes,
> >>>> that's a lot of verbiage but you'd help us a lot.
> >>>
> >>> I suppose we could add a typedef:
> >>>
> >>>     type NoSendTrait = PhantomData<*mut ()>;
> >>>
> >>> and use that as the field type. The way I did it here is the "standard"
> >>> way of doing it, and if you look at code outside the kernel, you will
> >>> also find them using `PhantomData` like this. However, I don't mind
> >>> adding the typedef if you think it is helpful.
> >>
> >> I'm fine with just a comment as well. I just need to be able to read
> >> this a bit faster. I'm basically losing half a day just dealing with
> >> this patchset and that's not realistic if I want to keep up with other
> >> patches that get sent.
> >>
> >> And if you resend and someone else reviews you might have to answer the
> >> same question again.
> >
> > What do you think about this wording?
> >
> >     /// Prevent values of this type from being moved to a different task.
> >     ///
> >     /// This field has the type `PhantomData<*mut ()>`, which does not
> >     /// implement the Send trait. By adding a field with this property, we
> >     /// ensure that the `FileDescriptorReservation` struct will not
> >     /// implement the Send trait either. This has the consequence that the
> >     /// compiler will prevent you from moving values of type
> >     /// `FileDescriptorReservation` into a different task, which we want
> >     /// because other tasks might have a different value of `current`. We
> >     /// want to avoid that because `fd_install` assumes that the value of
> >     /// `current` is unchanged since the call to `get_unused_fd_flags`.
> >     ///
> >     /// The `PhantomData` type has size zero, so the field does not exist at
> >     /// runtime.
> >
> > Alice
>
> I don't think it is a good idea to add this big comment to every
> `PhantomData` field. I would much rather have a type alias:
>
>     /// Zero-sized type to mark types not [`Send`].
>     ///
>     /// Add this type as a field to your struct if your type should not be sent to a different task.
>     /// Since [`Send`] is an auto trait, adding a single field that is [`!Send`] will ensure that the
>     /// whole type is [`!Send`].
>     ///
>     /// If a type is [`!Send`] it is impossible to give control over an instance of the type to another
>     /// task. This is useful when a type stores task-local information for example file descriptors.
>     pub type NotSend = PhantomData<*mut ()>;
>
> If you have suggestions for improving the doc comment or the name,
> please go ahead.
>
> This doesn't mean that there should be no comment on the `NotSend`
> field of `FileDescriptorReservation`, but I don't want to repeat
> the `Send` stuff all over the place (since it comes up a lot):
>
>     /// Ensure that `FileDescriptorReservation` cannot be sent to a different task, since there the
>     /// value of `current` is different. We want to avoid that because `fd_install` assumes that the
>     /// value of `current` is unchanged since the call to `get_unused_fd_flags`.
>     _not_send: NotSend,

Seems sane to me. But I would suggest to move away from the "send"
terminology?

* CurrentOnly
* AccessCurrentTask vs AccessForeignTask
* NoForeignTaskAccess
* TaskLocalContext
* TaskCurrentAccess

Or some other variant thereof.
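
Review bot: in the quoted hunk, the doc comment on `_not_send_sync` covers only the `Send` side (the value must not move to another task), while the field name and `PhantomData<*mut ()>` also make the struct `!Sync`. The comment should say whether `!Sync` is a requirement or a side effect of the chosen marker, and it should name the C calls that rely on `current` instead of "the C FFI calls", so a reader can check the invariant against them.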
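
The `Send` auto-trait mechanism explained in the quoted discussion, as an added example that is not part of the original thread or the kernel patch. It is userspace Rust using `std`; `NotSend` is the alias proposed in the thread, while `Reservation`, `PlainReservation` and the `Probe` helper are hypothetical names.

```rust
use std::marker::PhantomData;
use std::mem::size_of;

/// Alias as proposed in the thread: zero-sized, neither `Send` nor `Sync`.
pub type NotSend = PhantomData<*mut ()>;

/// Hypothetical type tied to the thread that created it.
pub struct Reservation {
    pub fd: u32,
    _not_send: NotSend,
}

/// Same payload without the marker field, for comparison.
pub struct PlainReservation {
    pub fd: u32,
}

impl Reservation {
    pub fn new(fd: u32) -> Self {
        Reservation { fd, _not_send: PhantomData }
    }
}

// Compile-time probe (hypothetical helper): the inherent const is chosen when
// the bound holds, otherwise lookup falls back to the trait's default `false`.
#[allow(dead_code)]
struct Probe<T>(PhantomData<T>);
trait Fallback {
    const SEND: bool = false;
    const SYNC: bool = false;
}
impl<T> Fallback for Probe<T> {}
impl<T: Send> Probe<T> { const SEND: bool = true; }
impl<T: Sync> Probe<T> { const SYNC: bool = true; }

pub fn reservation_is_send() -> bool { Probe::<Reservation>::SEND }
pub fn reservation_is_sync() -> bool { Probe::<Reservation>::SYNC }
pub fn plain_is_send() -> bool { Probe::<PlainReservation>::SEND }
pub fn marker_size() -> usize { size_of::<NotSend>() }
pub fn sizes_match() -> bool { size_of::<Reservation>() == size_of::<PlainReservation>() }

fn main() {
    let r = Reservation::new(3); // constructed sample value
    println!("fd={} send={} sync={}", r.fd, reservation_is_send(), reservation_is_sync());
    println!("plain send={} marker bytes={} same size={}", plain_is_send(), marker_size(), sizes_match());
    // std::thread::spawn(move || drop(r)); // rejected at compile time: `Reservation` is not `Send`
}
```

The marker also removes `Sync`, so a `&Reservation` cannot be shared across threads either.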