Received: by 2002:ab2:7041:0:b0:1f4:bcc8:f211 with SMTP id x1csp199888lql;
        Fri, 12 Apr 2024 07:56:53 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCX014C5BP8RiigXZP6VQn6BYRW0wKWLn6tpDhF/k0Nk43TDYG17Eqxm7nzG3Fo8q9xDo5ckhagnTs8c3BAkUzA8QYtmllDVQtmHoj1rQA==
X-Google-Smtp-Source: AGHT+IFYkzRNpXu62oOy6CIuhumbuIu8Y6wfjOF76mSb+zEncip7ewdG7KQhCTUyp64pczaA4OWQ
X-Received: by 2002:a05:6a20:5619:b0:1a9:83f5:2265 with SMTP id ir25-20020a056a20561900b001a983f52265mr2372977pzc.55.1712933812939;
        Fri, 12 Apr 2024 07:56:52 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1712933812; cv=pass;
        d=google.com; s=arc-20160816;
        b=pHGCN03MxrvMo3MrKttRHqZZXXiKHE0SoHbY47w2iVJpS9zEFYaguJCNq/SPvUzAfW
         YdmkDpnaEpDIphCjF6oin5KGP7S4e3vNSdVhRoe+mHrGde0Hjo9Io96yubaqcJ8Uo9f0
         wPDGKEtIzGRBXH6Kb7ljdoPpUfrb9PtfbvUhW1zS8uwFVjFiWJqsb38fqWsMtVba/Yfb
         Y2UBRdmMhwHw4J/6NE3QJrcDzcQOfrjLotAhjqa4DVpmmfPAMpAcV9ctRn64Q44NMTjd
         w4rj7VvpGO29uRTZWEKuTmHXcXkxOa32ntCbs73T9sEZ+gsRwRmWsDXgM2Kr0aqj1lNv
         lKQg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe
         :list-id:precedence:dkim-signature;
        bh=6QFhwob2H+YmXGrRuSyJw5ag+KZ6vVeg830c04nwrNg=;
        fh=aipuGjhnPODHEXt25RSvqimU0qUyvzKCa4gYkdeVBbE=;
        b=wdloT9/mCFnt/Rq1VGSvMqEUg4w7fN2ZLWfPpzUHd3/Xp2YDexYEOv4lCVHQmWl1rh
         n2f6mnb5V++w4B2opo9qxYzBiLE9vlVLhuMvug8fWzAlIvW5mRzzCHFotm5vAswSNvNR
         gc25MKdOtxIv8DLMAB2okAEUO/pj7nZoCfDVTGkRTFwMciphkIvpRJLCq3h6YdQprJkR
         9r/yTddlqsZZDnyTW/FmR7OZFtrT4wOYfCsrHxrS8esAKq15j6rejf1dvU21qDTV8xZw
         WtSBy8VPBaL94aYXrCguDkw/yRE2REXSPhd5FvF/qAguG44mDcj90Ewc9qXmxfjX760n
         Xm/Q==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=CaaXOpS1;
       arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com);
       spf=pass (google.com: domain of linux-kernel+bounces-142862-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-142862-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel+bounces-142862-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161])
        by mx.google.com with ESMTPS id w7-20020a17090a1b8700b002a52fb5d19fsi3439246pjc.186.2024.04.12.07.56.52
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 12 Apr 2024 07:56:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-142862-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=CaaXOpS1;
       arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com);
       spf=pass (google.com: domain of linux-kernel+bounces-142862-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-142862-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id D89C3B25A26
	for <linux.lists.archive@gmail.com>; Fri, 12 Apr 2024 14:42:27 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id DB472142E8B;
	Fri, 12 Apr 2024 14:42:20 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="CaaXOpS1"
Received: from mail-pg1-f178.google.com (mail-pg1-f178.google.com [209.85.215.178])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 955F81422CD;
	Fri, 12 Apr 2024 14:42:18 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.178
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1712932940; cv=none; b=EvzLaYdzbbQ3PHWKU6XdxT5Ns1C1TheRxEBEb/5DT7H36RqUHSghAPfbJlU9EHf338rKDBil/TxUVTvdu6K+w0Oc69DewbY8Wpws7li/T3ROw+NElM3t3kxAJWbOhHwS+DLc+KqkfLOF7DPnxA8ryrKuo3BKPaXQaZA61B5k0Tk=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1712932940; c=relaxed/simple;
	bh=Vx9AcN4PoALM5/qtOiCZ6N7gbWAJhqxvNWL/3pXbHDQ=;
	h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:
	 To:Cc:Content-Type; b=BHsg2jLtYK3MevF4xIMq/eERY82hfIzMD/uN7PzBGArHLZxhbIczOyF80AlItlJUHA4g8ifol6pPMm5C/8AC7pHsTwn3WEw8UrQ3mgGiqYzXk71GH9zjVMuWWOiLVHaqfKnabCdL1aNp3dT0u3mej7zRyRMfuyKT9gIRLwgWG0U=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=CaaXOpS1; arc=none smtp.client-ip=209.85.215.178
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Received: by mail-pg1-f178.google.com with SMTP id 41be03b00d2f7-5dbcfa0eb5dso743415a12.3;
        Fri, 12 Apr 2024 07:42:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1712932938; x=1713537738; darn=vger.kernel.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=6QFhwob2H+YmXGrRuSyJw5ag+KZ6vVeg830c04nwrNg=;
        b=CaaXOpS13Ccuz7QZIsx9i19yM84GIdG0To3bsPxJH6uToHI4HSfVtLKK0KZXFbrvnD
         w8TCaVpZtcllS5EHipk3QyUqLhyGO+BIRdNjWqlQ+aHQJIose6+7m5K0mP/UBLemFkEK
         To9l1NOajPXy8i+OoPl3kUMwvH/Uc27Wr3SNyRL2TpWDh9u8HfGlTk97yZnMKoEXbem6
         v6TXOXdIlmciBVlhkoUsffWVgBXqIxClmNgw7o5KHHiqdFXtSliF4BbQEU5wihpujsar
         ssNyMxeyHu2Krl2acGpNU6Fpodu5Eu07IP+av+9vLumB3rtKQ3d1eiOyQyO99KxO9Upl
         SLbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1712932938; x=1713537738;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=6QFhwob2H+YmXGrRuSyJw5ag+KZ6vVeg830c04nwrNg=;
        b=nXE6KVBUhkMpaJqLL/wj3WmoyE6wDudpqaIkmq8UUiUpRi1/9BsleYBIt3+dSbsyAs
         nJ/0Gt9HDjxFTfrCSUMphf9jAK9PgMaIo4GK1DMxqinFh+/clfcIdvjUrkzM9K+I7W4g
         JfY26b87P1ZFd/y6j/NKn83nDT6SpFLktT/knnuqD3qUjA2oH/A8MnDWYBWDZXT3BRuH
         nmXFye72AR4QSCHPwqMpqFOGwT1+qiTdd8mCWAR6iuDCd8oYRiveZ+5h8VFZeGFd39kn
         9HWBJ5MlL33v7Q7vb9uFHLKwcxRKEGZfXJ3+uhaUAkqnDDU7zBXg4cJBK2WF2H9ReW5c
         jlVg==
X-Forwarded-Encrypted: i=1; AJvYcCVAhV9dQVQHH2JQvpGXZArB9qpW7z7A8h4Sp5Y8a2xAAQqBBv3tKJMeFSZBcUt1W+6LamWjErUm/2JfurIFizrJwdtBvUGQBqzJ4wpxhHDroKJapQ6/QOiIUFRXvysLlZ1MhkcWNXv15EMthUQ=
X-Gm-Message-State: AOJu0Yxx/iOFcNbzs6+iyRswCeqeJvseQvLQZfuDs1KrosNdyzECQ6N9
	izekgh2dFsLhHT3zhExIOKsVjJHOSBbXqXxXrO5Ng1MTTMn8Tu3aLo6I/+38/fcOGOGY6ir6WNL
	zso3sOEt3SDsL7ZbiEygypXITGco=
X-Received: by 2002:a17:90a:8c0e:b0:2a5:d313:4d3f with SMTP id
 a14-20020a17090a8c0e00b002a5d3134d3fmr2963704pjo.34.1712932937744; Fri, 12
 Apr 2024 07:42:17 -0700 (PDT)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
References: <20240411230801.1504496-1-boqun.feng@gmail.com>
 <20240411230801.1504496-3-boqun.feng@gmail.com> <CANiq72nSSAVkynVaAq7bQKoL6N8K2JUXp8AOVvu7vN+siAhk-Q@mail.gmail.com>
 <Zhk4Uqc4LImR2n_r@Boquns-Mac-mini.home>
In-Reply-To: <Zhk4Uqc4LImR2n_r@Boquns-Mac-mini.home>
From: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
Date: Fri, 12 Apr 2024 16:41:26 +0200
Message-ID: <CANiq72ka4UvJzb4dN12fpA1WirgDHXcvPurvc7B9t+iPUfWnew@mail.gmail.com>
Subject: Re: [PATCH 2/2] rust: time: Use wrapping_sub() for Ktime::sub()
To: Boqun Feng <boqun.feng@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>, Miguel Ojeda <ojeda@kernel.org>, 
	John Stultz <jstultz@google.com>, Stephen Boyd <sboyd@kernel.org>, 
	Alex Gaynor <alex.gaynor@gmail.com>, Wedson Almeida Filho <wedsonaf@gmail.com>, Gary Guo <gary@garyguo.net>, 
	bjorn3_gh@protonmail.com, Benno Lossin <benno.lossin@proton.me>, 
	Andreas Hindborg <a.hindborg@samsung.com>, Alice Ryhl <aliceryhl@google.com>, 
	rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, 
	Vegard Nossum <vegard.nossum@oracle.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Fri, Apr 12, 2024 at 3:34=E2=80=AFPM Boqun Feng <boqun.feng@gmail.com> w=
rote:
>
> That works for me, although I would prefer `Ktime::sub()` is wrapping
> sub and we have another function doing a safe version of sub.

Why? It goes against the "normal" case in integers. It is also not
what `ktime_sub()` does, which is the "normal" case here, vs.
`_unsafe()` and `_safe()` ones.

> Exactly, ktime_add_safe() doesn't panic if overflow happens, right?
> I think that's pretty clear on how time subsystem wants to handle
> overflow (saturating it, or zeroing it instead of panicing).

There are three variants in C (for addition) that I can see:

  - No suffix: not supposed to wrap.
  - `_unsafe()`: wraps.
  - `_safe()`: saturates.

The first one, in normal C, would be UB. In kernel C, it wraps but may
be detected by UBSAN (this is what Kees is re-introducing very
recently with 557f8c582a9b ("ubsan: Reintroduce signed overflow
sanitizer")).

So, in Rust terms, the three options above would map to:

  - Raw operators.
  - `wrapping_`.
  - `saturating_`.

Because the raw operators are what we use for arithmetic that is "not
supposed to wrap" too. That is, they wrap, but may be checked by the
Kconfig option. Of course, it may be worth having an intermediate
option that does not actually go for a full-blown Rust-panic for that,
but the point is that the current "not supposed to wrap" methods are
the raw operators.

All three, in fact, are "safe" in Rust terms, since none can actually
trigger UB (in kernel C at least -- it would be different in normal C:
the first one would map to an unsafe Rust method, i.e. `unchecked_`).

Instead, in the C side, `_unsafe()` seems to be used to mean instead
"you should be checking for overflow if needed, because it will never
be reported by UBSAN unlike the raw one". Again, this is based on my
reading of that commit and the docs on `_unsafe()`. It may be wrong,
or maybe the subtraction is supposed to be different. It should
probably be clarified in the C side anyway.

And, relatedly, I see that when the `union` was removed in commit
2456e8553544 ("ktime: Get rid of the union"), `ktime_add_unsafe()`
stopped returning a `ktime_t` even when both inputs are `ktime_t`s
themselves:

    static_assert(_Generic(ktime_add(a, b), ktime_t: true, default:
false)); // OK
    static_assert(_Generic(ktime_add_unsafe(a, b), ktime_t: true,
default: false)); // Bad

It returns an `u64` now, which could surprise users, and probably
should be fixed. The only user just puts the result into a `ktime_t`,
so there is no actual issue today.

> I must defer this to Thomas.

Yeah, the question on the C API was meant for Thomas et al.

> Maybe, however neither of this function probably shouldn't have the
> panic-on-overflow behavior. So I agree that overflow checking is not a
> bad thing, but when to check and how to handle overflow should be
> controlled by the users, and making the default behavior
> panic-on-overflow doesn't look reasonable to me.

Yes, it should be controlled by callers, but the point above is that,
from the looks of it, these interfaces are not meant to overflow to
begin with.

Cheers,
Miguel