Received: by 2002:ab2:6857:0:b0:1ef:ffd0:ce49 with SMTP id l23csp3374439lqp; Tue, 26 Mar 2024 07:35:42 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUWN59UuDFz+pG6t2Vrh7cWFArsPHYwkUwhtJ2JMqLxfqPVbfW6bC2P2qTaQBU69UTi24VeAhdWaMN47jP+D2MXt06f1IgtlSZjBrFt3A== X-Google-Smtp-Source: AGHT+IGhJ66sUMkH3VZKHI/M35L906lMhjxESOX7G/ILcWnSSaKULzFxUlPAg+Q4dt3BjEyWk14s X-Received: by 2002:a05:620a:13d0:b0:789:ec76:d350 with SMTP id g16-20020a05620a13d000b00789ec76d350mr2864491qkl.33.1711463742455; Tue, 26 Mar 2024 07:35:42 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711463742; cv=pass; d=google.com; s=arc-20160816; b=YNeMlyy5k/wr9vF3kZ7cC1YhES/PqOr5IFgmiXIR6ou4627ZkeXLoz+xNyRx5vQhaV zi3Uz6LCpe6O1UqaN9oXULBusRH62GmtikUDWD5OzIK5C2GSgNcanEfcGADKYm9YnMRj ilFWafI6n2NMhVqoHHbVyvvbhUt1z4YNp5yin5KTbk2i0EODcFZxH1bFvDwlA858tzir ugL6kXjY2pjg8J/Znvnx4aNFgZooTDTYfCroeObuyNxukaBjPkhtK7iwvf7JBsoqhuue utJWpfm62cpZdQXevHIGkOE4hOFYCdM2sw+tzNgdwFzlR+ghrOaGIa8CJoO4sxMuYaSW JuqQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=user-agent:in-reply-to:content-disposition:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:references :message-id:subject:cc:to:from:date:dkim-signature; bh=2SVrI5jZNwjEti7fw19FvDvELk09Rp4DU6fIvhzRuqc=; fh=viOGMbF9TBa5UDdifilfsulvNDMr22UZPA75r55Xcr0=; b=HglJYs5ao/phu5qFqu9p2HQP6T3404HmZFZRe2M58DfO14fQglOMgT7agY6+2FOId+ dfqI4Ff4PTAF6wgGCTqguGOxdeSJ3Xwq/mPRn1FQWR9VGtX/5uQCcAoBVBjXteanZxgT wyBmMPgGqJDRVyKt9PN+ovXor5kHe+55YJyWa9ejNmzYKJAd2lCZnedNHOSjBvx8LR3S 8hhosA8fujPwSn5HUE84kDNplrM3kZXkgbVNJB68kB+9EPq7U3YVR70ivHNAiGDnGchT EvN9j6+EQnQXvllxbffUIPShCz0N49t3jdA4vgKyzED9F4hTLUUOuPK/roZfk1I20mWW hSXg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=fail header.i=@treblig.org header.s=bytemarkmx header.b=DeikNxfH; arc=pass (i=1 spf=pass spfdomain=treblig.org dkim=pass dkdomain=treblig.org dmarc=pass fromdomain=treblig.org); spf=pass (google.com: domain of linux-kernel+bounces-119186-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-119186-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=treblig.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id f26-20020a05620a20da00b00789f691a17bsi7466704qka.12.2024.03.26.07.35.42 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 26 Mar 2024 07:35:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-119186-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=fail header.i=@treblig.org header.s=bytemarkmx header.b=DeikNxfH; arc=pass (i=1 spf=pass spfdomain=treblig.org dkim=pass dkdomain=treblig.org dmarc=pass fromdomain=treblig.org); spf=pass (google.com: domain of linux-kernel+bounces-119186-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-119186-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=treblig.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 24E5D1C626E3 for ; Tue, 26 Mar 2024 14:35:42 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B1B2013C3EB; Tue, 26 Mar 2024 14:35:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=treblig.org header.i=@treblig.org header.b="DeikNxfH" Received: from mx.treblig.org (mx.treblig.org [46.235.229.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D8B8180C12; Tue, 26 Mar 2024 14:35:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=46.235.229.95 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711463728; cv=none; b=aaD5Z8BgM3g97IsHi3P16od05bB90Ip9N3IjpBkoYzulv+Q2NCtHgtRYEue2Hww7yG5CzLjHzonREIZXebCC2TNCVlix0gNBO0N5DvF9J2+kezIVu3AnZfBZY85SlKkQtYRARNZzsZUs0vn533OdF8NWq7ySWFob+oSgQSFRJ14= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711463728; c=relaxed/simple; bh=G4VayLkDEdgGiDy8YMVdGzeBmWHF8revmHJsqsrO5+0=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=kEDv20bmLDybonU8p/kRc+Fzj1tVqrlrhmNyPlh8EjOu1wS5lPZGHONwwvWt4VOrmf0vrUVXi1N2XvresZwMRuWR4y86FE2g1/CRtju9De320p4CbVMsbSBPdA5kc3PP6T76PZnzrZ7gH1NL/Ls9R8yP9ls8dhIKF1MUXSC5Qts= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=treblig.org; spf=pass smtp.mailfrom=treblig.org; dkim=pass (2048-bit key) header.d=treblig.org header.i=@treblig.org header.b=DeikNxfH; arc=none smtp.client-ip=46.235.229.95 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=treblig.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=treblig.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=treblig.org ; s=bytemarkmx; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID :Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=2SVrI5jZNwjEti7fw19FvDvELk09Rp4DU6fIvhzRuqc=; b=DeikNxfHevZv6bG0ypUdd4QEVo I334M9MJfjVTwzjB5W/+c8j7w0EXJWHbvBnR4M20jaWqZAGybfZZCFgT41Ffgi4rE6fDMgxy4pov2 LTAXZCe3z1bBvFXmG4S3F2nIl28mm8ITnduc1F7kNlDOjYFAc0kgEVsbXraPezLVrZilvOqjMhGAP +Ofb+xNOnl+1AF6+UgXzjpQ8YWdVRntupIBjCQkRFTFjLjifbKiCi2OXspZoPcxQ3whohfO+C+D1h IFiRwDWQshQKeJ9vRvWYkBSkfLy563bks+Lvx1ePOQI7jtOHk1VpPB+LDkTqHgVyWEM4X3xievIHh 3DIV/WNA==; Received: from dg by mx.treblig.org with local (Exim 4.96) (envelope-from ) id 1rp7tX-00Ew6P-2G; Tue, 26 Mar 2024 14:35:19 +0000 Date: Tue, 26 Mar 2024 14:35:19 +0000 From: "Dr. David Alan Gilbert" To: Linus Torvalds Cc: Kent Overstreet , Philipp Stanner , Boqun Feng , rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, llvm@lists.linux.dev, Miguel Ojeda , Alex Gaynor , Wedson Almeida Filho , Gary Guo , =?iso-8859-1?Q?Bj=F6rn?= Roy Baron , Benno Lossin , Andreas Hindborg , Alice Ryhl , Alan Stern , Andrea Parri , Will Deacon , Peter Zijlstra , Nicholas Piggin , David Howells , Jade Alglave , Luc Maranget , "Paul E. McKenney" , Akira Yokosawa , Daniel Lustig , Joel Fernandes , Nathan Chancellor , Nick Desaulniers , kent.overstreet@gmail.com, Greg Kroah-Hartman , elver@google.com, Mark Rutland , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Catalin Marinas , linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org Subject: Re: [WIP 0/3] Memory model and atomic API in Rust Message-ID: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline In-Reply-To: X-Chocolate: 70 percent or better cocoa solids preferably X-Operating-System: Linux/6.1.0-17-amd64 (x86_64) X-Uptime: 14:11:37 up 83 days, 17:01, 1 user, load average: 0.15, 0.06, 0.01 User-Agent: Mutt/2.2.12 (2023-09-09) * Linus Torvalds (torvalds@linux-foundation.org) wrote: > On Mon, 25 Mar 2024 at 17:05, Dr. David Alan Gilbert wrote: > > > > Isn't one of the aims of the Rust/C++ idea that you can't forget to access > > a shared piece of data atomically? > > If that is an aim, it's a really *bad* one. > > Really. > > It very much should never have been an aim, and I hope it wasn't. I > think, and hope, that the source of the C++ and Rust bad decisions is > cluelessness, not active malice. Oh that hit a nerve :-) > Take Rust - one big point of Rust is the whole "safe" thing, but it's > very much not a straightjacket like Pascal was. There's a "safe" part > to Rust, but equally importantly, there's also the "unsafe" part to > Rust. > > The safe part is the one that most programmers are supposed to use. > It's the one that allows you to not have to worry too much about > things. It's the part that makes it much harder to screw up. > > But the *unsafe* part is what makes Rust powerful. It's the part that > works behind the curtain. It's the part that may be needed to make the > safe parts *work*. > > And yes, an application programmer might never actually need to use > it, and in fact in many projects the rule might be that unsafe Rust is > simply never even an option - but that doesn't mean that the unsafe > parts don't exist. > > Because those unsafe parts are needed to make it all work in reality. > > And you should never EVER base your whole design around the "safe" > part. Then you get a language that is a straight-jacket. > > So I'd very strongly argue that the core atomics should be done the > "unsafe" way - allow people to specify exactly when they want exactly > what access. Allow people to mix and match and have overlapping > partial aliases, because if you implement things like locking, you > *need* those partially aliasing accesses, and you need to make > overlapping atomics where sometimes you access only one part of the > field. > > And yes, that will be unsafe, and it might even be unportable, but > it's exactly the kind of thing you need in order to avoid having to > use assembly language to do your locking. > > And by all means, you should relegate that to the "unsafe corner" of > the language. And maybe don't talk about the unsafe sharp edges in the > first chapter of the book about the language. > > But you should _start_ the design of your language memory model around > the unsafe "raw atomic access operations" model. > > Then you can use those strictly more powerful operations, and you > create an object model *around* it. > > So you create safe objects like just an atomic counter. In *that* > corner of the language, you have the "safe atomics" - they aren't the > fundamental implementation, but they are the safe wrappers *around* > the more powerful (but unsafe) core. > > With that "atomic counter" you cannot forget to do atomic accesses, > because that safe corner of the world doesn't _have_ anything but the > safe atomic accesses for every time you use the object. > > See? Having the capability to do powerful and maybe unsafe things does > not force people to expose and use all that power. You can - and > should - wrap the powerful model with safer and simpler interfaces. I'd agree it's important to get the primitives right; but I'd argue that from a design point of view it's probably better to keep both in mind from early on; you need to create a safe interface which people can actually use most of the time, otherwise you're not getting any benefit; so yes get the bases right, but just keep a feel for how they'll get encapsulated so most of the more boring code can be safe. > This isn't something specific to atomics. Not even remotely. This is > quite fundamental. You often literally _cannot_ do interesting things > using only safe interfaces. You want safe memory allocations - but to > actually write the allocator itself, you want to have all those unsafe > escape methods - all those raw pointers with arbitrary arithmetic etc. > > And if you don't have unsafe escapes, you end up doing what so many > languages did: the libraries are written in something more powerful > like C, because C literally can do things that other languages > *cannot* do. Yeh that's fine, I'm not at all arguing against that; but it doesn't mean you shouldn't keep an eye on how the safe side should look; even in the kernel. Get it right and those unsafe escapes shouldn't be needed too commonly; get it wrong and you'll either have painful abstractions or end up with unsafes shotgunned all over the place. > Don't let people fool you with talk about Turing machines and similar > smoke-and-mirror garbage. It's a bedtime story for first-year CS > students. It's not true. My infinitely long tape is still on back order. Dave > things. If your language doesn't have those unsafe escapes, your > language is inherently weaker, and inherently worse for it. > > Linus > -- -----Open up your eyes, open up your mind, open up your code ------- / Dr. David Alan Gilbert | Running GNU/Linux | Happy \ \ dave @ treblig.org | | In Hex / \ _________________________|_____ http://www.treblig.org |_______/