Date: Mon, 25 Mar 2024 18:09:19 -0400
From: Kent Overstreet
To: Boqun Feng
Cc: Linus Torvalds, Philipp Stanner, rust-for-linux@vger.kernel.org,
    linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
    llvm@lists.linux.dev, Miguel Ojeda, Alex Gaynor, Wedson Almeida Filho,
    Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, Alice Ryhl,
    Alan Stern, Andrea Parri, Will Deacon, Peter Zijlstra, Nicholas Piggin,
    David Howells, Jade Alglave, Luc Maranget, "Paul E. McKenney",
    Akira Yokosawa, Daniel Lustig, Joel Fernandes, Nathan Chancellor,
    Nick Desaulniers, kent.overstreet@gmail.com, Greg Kroah-Hartman,
    elver@google.com, Mark Rutland, Thomas Gleixner, Ingo Molnar,
    Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin",
    Catalin Marinas, linux-arm-kernel@lists.infradead.org,
    linux-fsdevel@vger.kernel.org
Subject: Re: [WIP 0/3] Memory model and atomic API in Rust

On Mon, Mar 25, 2024 at 02:37:14PM -0700, Boqun Feng wrote:
> On Mon, Mar 25, 2024 at 05:14:41PM -0400, Kent Overstreet wrote:
> > On Mon, Mar 25, 2024 at 12:44:34PM -0700, Linus Torvalds wrote:
> > > On Mon, 25 Mar 2024 at 11:59, Kent Overstreet wrote:
> > > >
> > > > To be fair, "volatile" dates from an era when we didn't have the haziest
> > > > understanding of what a working memory model for C would look like or
> > > > why we'd even want one.
> > >
> > > I don't disagree, but I find it very depressing that now that we *do*
> > > know about memory models etc, the C++ memory model basically doubled
> > > down on the same "object" model.
> > >
> > > > The way the kernel uses volatile in e.g. READ_ONCE() is fully in line
> > > > with modern thinking, just done with the tools available at the time. A
> > > > more modern version would be just
> > > >
> > > >   __atomic_load_n(ptr, __ATOMIC_RELAXED)
>
> Note that Rust does have something similar:
>
>     https://doc.rust-lang.org/std/ptr/fn.read_volatile.html
>
>     pub unsafe fn read_volatile<T>(src: *const T) -> T
>
> (and also write_volatile()). So they made a good design putting the
> volatile on the accesses rather than the type. However, per the current
> Rust memory model these two primitives will be UB when data races happen
> :-(
>
> I mean, sure, if I use read_volatile() on an enum (whose valid values
> are only 0, 1, 2), and I get a value 3, and the compiler says "you have
> a logic bug and I refuse to compile the program correctly", I'm OK. But
> if I use read_volatile() to read something like a u32, and I know it's
> racy so my program actually handles that, I don't know any sane compiler
> would miscompile, so I don't know why that has to be a UB.

Well, if T is too big to read/write atomically then you'll get torn
reads, including potentially a bit representation that is not a valid T.

Which is why the normal read_volatile<> or Volatile<> should disallow
that.

> > where T is any type that fits in a machine word, and the only operations
> > it supports are get(), set(), xchg() and cmpxchg().
> >
> > You DO NOT want it to be possible to transparently use Volatile in
> > place of a regular T - in exactly the same way as an atomic_t can't be
> > used in place of a regular integer.
>
> Yes, this is useful. But no it's not that useful, how could you use that
> to read another CPU's stack during some debug functions in a way you
> know it's racy?

That's a pretty difficult thing to do, because you don't know the
_layout_ of the other CPU's stack, and even if you do it's going to be
changing underneath you without locking.

So the races there are equivalent to a bad mem::transmute(), and that is
very much UB.

For a more typical usage of volatile, consider a ringbuffer with one
thread producing and another thread consuming. Then you've got head and
tail pointers, each written by one thread and read by another.

You don't need any locking, just memory barriers and
READ_ONCE()/WRITE_ONCE() to update the head and tail pointers.

If you were writing this in Rust today the easy way would be an atomic
integer, but that's not really correct - you're not doing atomic
operations (locked arithmetic), just volatile reads and writes.

Volatile would be Send and Sync, just like atomic integers. You don't
need locking if you're just working with single values that are small
enough for the machine to read/write atomically.
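Added example (not part of the email and not kernel code): the single-producer/single-consumer ring described above, written in today's Rust with atomic integers restricted to relaxed loads and stores plus fences, so no locked read-modify-write is involved. `Ring`, `CAP` and `transfer` are hypothetical names, and the READ_ONCE()/WRITE_ONCE()/barrier mapping in the comments is approximate.

```rust
use std::{cell::UnsafeCell, sync::Arc, thread};
use std::sync::atomic::{fence, AtomicUsize, Ordering::{Acquire, Relaxed, Release}};
const CAP: usize = 8; // constructed size; a power of two so wrapped indices stay consistent

/// SPSC ring: `head` is written only by the producer, `tail` only by the consumer.
#[derive(Default)]
pub struct Ring { head: AtomicUsize, tail: AtomicUsize, slots: [UnsafeCell<u32>; CAP] }
// Sound only under the one-producer/one-consumer discipline (assumption of this sketch).
unsafe impl Sync for Ring {}

impl Ring {
    /// Producer side: only plain loads and stores on the indices, no locked RMW.
    pub fn push(&self, v: u32) -> bool {
        let head = self.head.load(Relaxed);
        let tail = self.tail.load(Relaxed); // roughly READ_ONCE(tail)
        if head.wrapping_sub(tail) == CAP { return false; } // full
        fence(Acquire); // the consumer finished reading this slot before we reuse it
        unsafe { *self.slots[head % CAP].get() = v; }
        fence(Release); // roughly smp_wmb(): data is visible before the index
        self.head.store(head.wrapping_add(1), Relaxed); // roughly WRITE_ONCE(head)
        true
    }
    /// Consumer side.
    pub fn pop(&self) -> Option<u32> {
        let tail = self.tail.load(Relaxed);
        let head = self.head.load(Relaxed); // roughly READ_ONCE(head)
        if head == tail { return None; } // empty
        fence(Acquire); // roughly smp_rmb(): index is read before the data
        let v = unsafe { *self.slots[tail % CAP].get() };
        fence(Release); // the slot read completes before the slot is handed back
        self.tail.store(tail.wrapping_add(1), Relaxed);
        Some(v)
    }
}

/// Streams 0..n through the ring across two threads; returns what the consumer saw.
pub fn transfer(n: u32) -> Vec<u32> {
    let ring = Arc::new(Ring::default());
    let r = Arc::clone(&ring);
    let producer = thread::spawn(move || { for i in 0..n { while !r.push(i) { thread::yield_now() } } });
    let mut out = Vec::new();
    while out.len() < n as usize {
        match ring.pop() { Some(v) => out.push(v), None => thread::yield_now() }
    }
    producer.join().unwrap();
    out
}

fn main() { assert_eq!(transfer(1000), (0..1000).collect::<Vec<u32>>()); }
```

The slot type is a `u32`, small enough that the torn-read concern raised earlier in the message does not arise; a `T` wider than a machine word would need a different design.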