Received: by 2002:ab2:6991:0:b0:1f2:fff1:ace7 with SMTP id v17csp154269lqo; Wed, 27 Mar 2024 09:16:59 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXunUPbDvYhv7+/e8JshIepvGKhhA4Gso+RLN44cDayeI2Xq6qbamNAdhMMe6h2npwedJcY9EQcr0jmmbscA/18Xf9H20zgpv/zmvRbNQ== X-Google-Smtp-Source: AGHT+IFMiztCcw8fH7FtEGPWU5w2CHBYZRkzcp5yaL/7SV3ke0FIvKqcyoYd8kThrK4PDTo77Qt0 X-Received: by 2002:a05:6a00:4648:b0:6ea:acbe:5186 with SMTP id kp8-20020a056a00464800b006eaacbe5186mr344175pfb.18.1711556219235; Wed, 27 Mar 2024 09:16:59 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711556219; cv=pass; d=google.com; s=arc-20160816; b=LspEFTNZiJD72SRdAzsV6OQ9BoOQanN3vJ5kxlKdTevnsWbIAoxohUCWKlOVWzzUV7 mO7luwhltqDuJcZmdmAZtYguyCmPgUcv4RujrM1GlKx7BVmmstdn/8gZtGcs+dmDEEL+ /uaK4MZAaJgoV359TuoN4+28T9H9At9IHff4zrnNT/41ZQnhzYn9Za0lzELMZBige0gw wDDDDv60gEC3MkgTQPPpF1zI77uATszVJhhufo5Sh+xVvGDC3DlH0J9CyrFrIEi0/4lD /eFxB4Wuxzi3ps0FP/Ohsa+5V58nhbEdEY5uEUA5kyY+Qj6BndbuS/KmyqUY3pN8+U+Q 4LEQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:dkim-signature; bh=OSCcPL9ReYBC3ieN7sRSJkCjHUDGGaoDNVjenjFddiw=; fh=Mb0yRiOwh2CgRSX0s01XgVm44bUxjvWlvEKn6xuZj9A=; b=gT1UYWtqHStupmjkdvK+JOOZMARQ5/2Uo73MMgZktS+xfNgn9/5TEgEiuKVPle8x0/ Oi4HRzaHW6LFQxilOml4lNrqEGJklhov2tp7VLr+4OqqLEUkGOfn46ZbL0dVfxQD61s5 LXe0FMSqbIv2Ce3dhL8Z4DN/JPpiqrHGvWDgwrQuTaC5ezLEWIQJMOJoOgZO7bTmvfl6 nPskP+iuPswK0EKLImfU9uzWOqfEpuQ1/n1oQX5o9QlmqyzdUuFglnxB7UAD7JVrQDxv HwqakNVu8hhtrsTIYTvZ5PMOrAwR+7Q2c03/Ifs3Gr/iN6gPC3OVzcG6GHKgsUobyi7R iJBA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=IO2SVDZj; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-121617-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-121617-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id h7-20020aa79f47000000b006e742e4e0fdsi1535963pfr.65.2024.03.27.09.16.58 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 27 Mar 2024 09:16:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-121617-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=IO2SVDZj; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-121617-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-121617-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id B1D4C29E6A1 for ; Wed, 27 Mar 2024 16:16:58 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 9940C129E9A; Wed, 27 Mar 2024 16:16:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="IO2SVDZj" Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com [209.85.216.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F030E42A91; Wed, 27 Mar 2024 16:16:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.49 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711556189; cv=none; b=Enf+hE9SyppGxdoU5Sn7sgcIPyDrBnDoiEE4dO4RUVrVw5ZTLybAtVQDmOhW3mVwBa1hj6rZfwzcw87RzoQgeklrmTurnStQSJ242PYPcxsahz21ma23vbtKWjC1VzdRbbXgQurbQGt1NuPN4S94K9n72oK0Eq2GCPjHFVKULCE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711556189; c=relaxed/simple; bh=kfVdwdCf7B9X7O5+oO8Vigvx4JOZ1iSnjiYAU8Orp7A=; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc: Message-Id:References:To; b=pwqYQHSTqQ6DO2bcHJWmOJqr5jJ9+wNTAqAs5pdIO6ubGs/23T2pbtY2laZzbs9ML5YOvxjgtSoGDwgebgZRBWKjuLQbAssAaUzqMGY6k8n17wc9ND9Tso9HOJmA5tm1tHdCL1R+vqUMo9TjagU9NFEzybgKLJy5pbzY6g39+yE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=IO2SVDZj; arc=none smtp.client-ip=209.85.216.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pj1-f49.google.com with SMTP id 98e67ed59e1d1-29e0229d6b5so21801a91.3; Wed, 27 Mar 2024 09:16:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711556186; x=1712160986; darn=vger.kernel.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=OSCcPL9ReYBC3ieN7sRSJkCjHUDGGaoDNVjenjFddiw=; b=IO2SVDZjHjZPW2836N0zwP40dW7kQoErJc3ls12qCB3GBLL/+cruxnGBWIqWI55W+/ rTAeZE/xIG/NdLRCfK923/dVb4ywqgrX36Nf41UNDY4mYqaWpJXe9kQkbcOGN2XMYmqo 33n80Vko3quEny4XazHjxUtQwDeFUJI9S3MyQNR1EAB28D/cFgAW9MeqU8kXxKHa5uYF vefr5H27YGxpRGTYk4Ps13181tXpfpahUTy7rnWVlwqZqcgw7U9nEm2BYllgo3SIvzN0 gBg3/Z8Ux/0GYKeEaX/9v9nBs0+OIqbt6JPoOyTJUXlXMBkouO7sSnpj6QAS4J2PiquO Xi6A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711556186; x=1712160986; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=OSCcPL9ReYBC3ieN7sRSJkCjHUDGGaoDNVjenjFddiw=; b=t6TWzwP3nMhkl9lWbplncD69DNy6Z9TIfmtUWuM/Knj0TsaXMYJeu37kXUc5UAZZD+ Q0CfvL9ASMuVsg5yxkCJeXEbBYEBAesjQHvVWV1XMpBtrljOX4pnHo1lrhUKhOCwOrI4 F+ZP6PS3ZVlRE3bGHEAzsrOn8+jh8t7yogmNyTZluE/SGE+uvbhLek8CDG+Guikrf7yn /YGkLCrtfEela3Qw9u8wcDaQ2pGmX2VXLgv9eXpMxBOSk9fbhewKPmAf0blVbWQYh+nJ HeYzW6PJEDEs/xg7nXICdfa82I4+mT/KzNAfn0R+8TWQ4yVIUR7ZAo8QAjUXHLn2lpVS YMRg== X-Forwarded-Encrypted: i=1; AJvYcCWtrL4rJRo2yOOVLMBANZSBx+7aw8MQceJGU4uUHHGlaogTXXasEn9nQNEjgrQ1aXH8T4t9a99X/yad+USad44ml+2LTMnphYL/8SaRdY+/MyXhA+ie1xmPBHros/x3YdUR0DebC+OpNYuHpUn0m9gkdMDNMYNg8zFbi5GZ4SpvBkVWNCPRuTqr1sOcmUZmmLsXPkhNxQlln0XDJyww7762UuWyVFIZSA== X-Gm-Message-State: AOJu0YyifwLiRD4W03sQ3W17YXXXjUlkxxDQQpGK6mC+TMFLvYOKOVqp 1UuHQER9BFEkBZ7HK22Q9ZJ/D5K4w9hsBLOt0//dv74xniapJuHV X-Received: by 2002:a17:90b:4a44:b0:29c:7845:cba with SMTP id lb4-20020a17090b4a4400b0029c78450cbamr100758pjb.36.1711556186202; Wed, 27 Mar 2024 09:16:26 -0700 (PDT) Received: from smtpclient.apple ([2601:647:4d7e:dba0:5840:a196:2bf3:3600]) by smtp.gmail.com with ESMTPSA id sl13-20020a17090b2e0d00b0029951d04dc4sm1903536pjb.54.2024.03.27.09.16.21 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 27 Mar 2024 09:16:25 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.500.171.1.1\)) Subject: Re: [WIP 0/3] Memory model and atomic API in Rust From: comex In-Reply-To: Date: Wed, 27 Mar 2024 09:16:09 -0700 Cc: "Dr. David Alan Gilbert" , Kent Overstreet , Philipp Stanner , Boqun Feng , rust-for-linux , linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, llvm@lists.linux.dev, Miguel Ojeda , Alex Gaynor , Wedson Almeida Filho , Gary Guo , =?utf-8?Q?Bj=C3=B6rn_Roy_Baron?= , Benno Lossin , Andreas Hindborg , Alice Ryhl , Alan Stern , Andrea Parri , Will Deacon , Peter Zijlstra , Nicholas Piggin , David Howells , Jade Alglave , Luc Maranget , "Paul E. McKenney" , Akira Yokosawa , Daniel Lustig , Joel Fernandes , Nathan Chancellor , Nick Desaulniers , kent.overstreet@gmail.com, Greg Kroah-Hartman , Marco Elver , Mark Rutland , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , Catalin Marinas , linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Message-Id: <160DB953-1588-418E-A490-381009CD8DE0@gmail.com> References: <20240322233838.868874-1-boqun.feng@gmail.com> To: Linus Torvalds X-Mailer: Apple Mail (2.3774.500.171.1.1) On Mar 25, 2024, at 8:49=E2=80=AFPM, Linus Torvalds = wrote: > But you should _start_ the design of your language memory model around > the unsafe "raw atomic access operations" model. >=20 > Then you can use those strictly more powerful operations, and you > create an object model *around* it. To some extent Rust does this already, unlike C++. C++ allows atomics to be implemented using locks. Partly for this = reason, `std::atomic` is documented as not necessarily having the same representation as `T` [1]. C++ also has strict aliasing, so even if = those types do have the same representation, you still can't cast `T *` to `std::atomic *`. But Rust atomics are lower-level. First, they are guaranteed lock-free = [2]. Second, they are documented as having "the same in-memory representation = as the underlying" type [3]. (They also usually have the same alignment, = except on x86 where u64 is only 4-byte aligned but AtomicU64 of course needs to be = 8-byte aligned.) Meanwhile, Rust intentionally lacks strict aliasing. Combined, this means it's perfectly legal in Rust to cast e.g. `&mut = u32` to `&AtomicU32` and perform atomic accesses on it. Or the same with = u64/AtomicU64 if you know the pointer is validly aligned. This is by design; the = Atomic types' methods are considered the official way to perform atomic = operations on arbitrary memory, making it unnecessary to also stabilize 'lower-level' intrinsics. That said, there *are* currently some holes in Rust's atomics model, = based on the fact that it's mostly inherited from C++. =46rom the documentation: > Since C++ does not support mixing atomic and non-atomic accesses, or > non-synchronized different-sized accesses to the same data, Rust does = not > support those operations either. Note that both of those restrictions = only > apply if the accesses are non-synchronized. https://doc.rust-lang.org/std/sync/atomic/index.html There are some open issues around this: - "How can we allow read-read races between atomic and non-atomic = accesses?" https://github.com/rust-lang/unsafe-code-guidelines/issues/483 > [..] I do think we should allow such code. However, then we have to = change > the way we document our atomics [..] - "What about: mixed-size atomic accesses" https://github.com/rust-lang/unsafe-code-guidelines/issues/345" > Apparently the x86 manual says you "should" not do this [..] It is = unclear > what "should" means (or what anything else here really means, = operationally > speaking...) [1] https://eel.is/c++draft/atomics#types.generic.general-3 [2] https://doc.rust-lang.org/std/sync/atomic/index.html#portability [3] = https://doc.rust-lang.org/nightly/std/sync/atomic/struct.AtomicU64.html