Received: by 2002:ab2:6857:0:b0:1ef:ffd0:ce49 with SMTP id l23csp3079199lqp; Mon, 25 Mar 2024 20:29:03 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUQn2gb2/Ci55jD90Dt3e8Qom4lyM/RtPYoUYELxfSW/DoY+F+Wnn196By7Lj4cDUc7GIpvg9oLbttG2sT2XGI52x3zq+vq+O114IpybQ== X-Google-Smtp-Source: AGHT+IFb7ZT7a+Hp7nMpoivyWOnWJ9RjS4hSMGdjyyxZIxH5gCOSjod/XpnIm7uGqg3RiOxesknK X-Received: by 2002:a2e:350a:0:b0:2d4:7a3:67a7 with SMTP id z10-20020a2e350a000000b002d407a367a7mr35497ljz.22.1711423743597; Mon, 25 Mar 2024 20:29:03 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711423743; cv=pass; d=google.com; s=arc-20160816; b=f9bVHMqd/xznLPoVkxTkBoU6tbXiHehXy6eRFDLUq7UaErWfU01qayQRo7g8nnEGit 1GrEZ+o3HzhSwVoz8PMdTXzqefpidHaP8AWkwBrFJReS4Uijfz/uZZz6b9dQx3BZ7wNL H8iLxapaesjSSyXTkVvb5nm3ILI7QpEuOfTqus/gNAEz2YWa5H1/e2mXmlIAx//Dd9C2 AA6BtIKoOk11oX3VhOfdkn2cbKGZI9P2zauim6EYRAOChDFLIffI26UctxwETb/eKB1k UJ0ruc+3sfudBppXJuh/aYPqpDqhxSKFUYk7iBU/1dflggTNh+P1S5KP4uvl7ub1Tt+v 7HLA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:dkim-signature:date; bh=zbz8JSdX4HImrXyDSvkZNWHjmt/U+lnpC2qNDFF4hDk=; fh=MxrPzrf2Tab41glFGFL5GWHQ6T02Lt7HSPTzMyRVZmA=; b=K5WJ+1nJaS3coGO3u1rSCWvQI5BwrqrdM2GcoDPBTNTOhcGFbP+6Qk4MI4s4hqnVrk qU9zQOp7gukm/QN0hIMqWR1UieFeBuRSQhExH2Whl/sf+DZQND6eEdxZnRvPVg5o+yLo o1a272NcrRMhOGrlNKMALBKd3js2nL04z7VNZ4ElegpwReDPU8sWV13gs1zrVGGQ17FS QTJGxDiDjhrrPFCp+JGNaim+mDr4XHp2NoWzHPYPRVyTjnw2T9S0G62HhCYnWjlsGQad 6MLxIeuwNeT1QEqlmr5lGWa0yYeYLoGdOG/1m3fMxhNIqfTJvSRnxdiCPqub/MHh2Bjk J7uQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=iPRgLzgy; arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev); spf=pass (google.com: domain of linux-kernel+bounces-118334-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-118334-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id w8-20020a056402128800b0056bf4989638si3051161edv.669.2024.03.25.20.29.03 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 25 Mar 2024 20:29:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-118334-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=iPRgLzgy; arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev); spf=pass (google.com: domain of linux-kernel+bounces-118334-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-118334-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 135AE1F3EF6B for ; Tue, 26 Mar 2024 03:29:03 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 2E87A129A83; Tue, 26 Mar 2024 03:28:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="iPRgLzgy" Received: from out-182.mta1.migadu.com (out-182.mta1.migadu.com [95.215.58.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 517461292D0 for ; Tue, 26 Mar 2024 03:28:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.182 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711423730; cv=none; b=oBeQZ7ai7gnIzDsBdFqgVkHK4iDWbtNuz2CDUvH2zmf37+E0Ftl7sz1YzyzjvBCZAwR7MsD37XVRdTDBW1ZrRX8FE+gQhbIRtWXZIELfXOkHytoNGaXie05DjbKrP0mqRTnDrzmGD2UBVuouZ+hiQOch9FQAfdzCYm4cW4GeFJg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711423730; c=relaxed/simple; bh=zbz8JSdX4HImrXyDSvkZNWHjmt/U+lnpC2qNDFF4hDk=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=d22Necv/EMbCiC2O78+/kDp2kos5IQJpAAnVe9JrkCDlb7wRm2fP3RWkruaObTB/pETgCuvDGsQ/5cmHuvVqSzfGw6LPubQe0tYcc7XGF+xcBRlry0p4pQ5moonuN7C+H93juMnyPsjKfUGUMndYdnJr5dhl4Tw3/N+c//Aq3gE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=iPRgLzgy; arc=none smtp.client-ip=95.215.58.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Date: Mon, 25 Mar 2024 23:28:38 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1711423726; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=zbz8JSdX4HImrXyDSvkZNWHjmt/U+lnpC2qNDFF4hDk=; b=iPRgLzgyqe8KY1dSoWPYlt/aLh26NUBnBpny3uA+K8hQM6biRkS8YxVymU+AB0tgmAfTHH VbEu5miz1s3JErGsWakBsX2Unnpvso/q0bxFyUZTzY70FSuse4dOSVWy2xyabsWKBeP95k xdeHD23g82UYYfGhnWk/GMILpw/WhTE= X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Kent Overstreet To: "Dr. David Alan Gilbert" Cc: Linus Torvalds , Philipp Stanner , Boqun Feng , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, llvm@lists.linux.dev, Miguel Ojeda , Alex Gaynor , Wedson Almeida Filho , Gary Guo , =?utf-8?B?QmrDtnJu?= Roy Baron , Benno Lossin , Andreas Hindborg , Alice Ryhl , Alan Stern , Andrea Parri , Will Deacon , Peter Zijlstra , Nicholas Piggin , David Howells , Jade Alglave , Luc Maranget , "Paul E. McKenney" , Akira Yokosawa , Daniel Lustig , Joel Fernandes , Nathan Chancellor , Nick Desaulniers , kent.overstreet@gmail.com, Greg Kroah-Hartman , elver@google.com, Mark Rutland , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Catalin Marinas , linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org Subject: Re: [WIP 0/3] Memory model and atomic API in Rust Message-ID: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Migadu-Flow: FLOW_OUT On Tue, Mar 26, 2024 at 01:35:46AM +0000, Dr. David Alan Gilbert wrote: > OK, so that's essentially the opposite worry of what I was saying; I was > worrying about people forgetting to use an atomic access to a shared > variable; I think you're worrying about people forgetting to mark > a variable shared and since the accesses are the same nothing shouts? In biological evolution, novel useful traits are generally not accessible via a single mutation; many neutral mutations are required first. Evolution is able to proceed quickly because there are a great many neutral mutations (that is, evolution quickly searches all possible paths to find accessible positive mutations), and because negative mutations are culled quickly - often before the first cell division. (The most common mutation being the addition or deletion of a base pair; but amino acids are coded for by groups of three base pairs, so that shifts everything on the chromosone after the mutation so that it codes for completely different amino acids. That cell won't live to divide again). Actual genetic diseases that significantly impair fitness are quite rare, and if they weren't we'd have a major problem. Programming at scale is million monkeys stuff - we're all hammering on our keyboards at random, the good programs survive and the bad programs are forgotten. Similarly to biological evolution, we want most edits to a program to result in a program that either still works, or fails immediately - fails to compile, or is caught immediately by basic testing. If edits can result in latent undefined behaviour or programs that _mostly_ work, and then explode in unpredictable ways weeks/months/years later - that's a huge problem. In the worst case, those bugs/negative mutations accumulate faster than they can be culled. Thank god we have source control. Places where we're working with extremely loose synchronization - no locking, raw memory barriers - are the worst kind of hand grenade, they result in bugs that are impossible to cull quickly. In kernel programming, we're always walking around with live hand grenades. So what do we do? We slow down, we take every step slowly and intentionally while telling everyone not to bump us because we're holding a live hand grenade - raw atomics, raw unlocked variables, memory barriers, they all get special care and extra comments. And we all have fuck-tons of code we need to be able to understand, review, debug and maintain, so we always try to write our code in a style where the if it's wrong, we'll see that _locally_, without having to go through and remember how _everything_ out of the possibly thousands of relevant lines work. I'm personally responsible for over 100k LOC of highly intricate code with high consequences for failure, and regularly have to debug issues arising somewhere in north of a million LOC - and when something goes wrong I have to be able to fully debug it _quickly_. What C++ does is like taking those hand grenades, with the pin already out - and leaving one under the couch cushions, another in the silverware drawer, another in the laundry basket - and expecting you to remember where you put them. Going back to the C++ example, the really fatal thing with how they do it is how a change in one line of code can completely change the semantics of a bunch of different code, and no human reviewer can be expected to catch bugs that might introduce and the compiler certainly won't. Now imagine multiple people working on the same code, at different times. Now imagine patches getting mixed up, reordered, one of them getting lost, merge conflicts - i.e. shit that happens all the time, and what happens if you're using C++ style atomics. Terrifying stuff.