From: Kent Overstreet <kent.overstreet@linux.dev>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alice Ryhl <aliceryhl@google.com>,
Ventura Jack <venturajack85@gmail.com>,
Gary Guo <gary@garyguo.net>,
airlied@gmail.com, boqun.feng@gmail.com,
david.laight.linux@gmail.com, ej@inai.de,
gregkh@linuxfoundation.org, hch@infradead.org, hpa@zytor.com,
ksummit@lists.linux.dev, linux-kernel@vger.kernel.org,
miguel.ojeda.sandonis@gmail.com, rust-for-linux@vger.kernel.org
Subject: Re: C aggregate passing (Rust kernel policy)
Date: Tue, 25 Feb 2025 15:55:06 -0500 [thread overview]
Message-ID: <4l6xl5vnpulcvssfestsgrzoazoveopzupb32z5bv6mk23gazo@qn63k7rgsckv> (raw)
In-Reply-To: <CAHk-=whGY2uYcXog8kmuAAAPJy4R84Jy9rEfXfoHBe-evmuYDQ@mail.gmail.com>
On Tue, Feb 25, 2025 at 12:25:13PM -0800, Linus Torvalds wrote:
> On Tue, 25 Feb 2025 at 11:48, Kent Overstreet <kent.overstreet@linux.dev> wrote:
> >
> > Well, the whole point of unsafe is for the parts where the compiler
> > can't in general check for UB, so there's no avoiding that.
>
> No, that's most definitely NOT the whole point of unsafe.
>
> The point of unsafe is to bypass some rules, and write *SOURCE CODE*
> that does intentionally questionable things.
"Intentionally questionable"?
No, no, no.
That's not a term that has any meaning here; code is either correct or
it's not. We use unsafe when we need to do things that can't be
expressed in the model the compiler checks against - i.e. the model
where we can prove for all inputs that UB is impossible.
That does _not_ mean that there is no specification for what is and
isn't allowed: it just means that there is no way to check for all
inputs, _at compile time_, whether code obeys the spec.
> So if you are implementing the equivalent of malloc/free in unsafe
> rust, you want to be able to do things like arbitrary pointer
> arithmetic, because you are going to do very special things with the
> heap layout, like hiding your allocation metadata based on the
> allocation pointer, and then you want to do all the very crazy random
> arithmetic on pointers that very much do *not* make sense in safe
> code.
Yes, and the borrow checker has to go out the window.
> So unsafe rust is supposed to let the source code bypass those normal
> "this is what you can do to a pointer" rules, and create random new
> pointers that you then access.
>
> But when you then access those pointers, unsafe Rust should *NOT* say
> "oh, I'm now going to change the order of your accesses, because I
> have decided - based on rules that have nothing to do with your source
> code, and because you told me to go unsafe - that your unsafe pointer
> A cannot alias with your unsafe pointer B".
Well, not without sane rules everyone can follow, which _we never had in
C_.
In C, there's simply no model for derived pointers - this is why e.g.
restrict is just laughable. Because it's never just one pointer that
doesn't alias, we're always doing pointer arithmetic and computing new
pointers, so you need to be able to talk about _which_ pointers can't
alias.
This is the work we've been talking about with stacked/tree borrows: now
we do have that model. We can do pointer arithmetic, compute a new
pointer from a previous pointer (e.g. to get to the malloc header), and
yes of _course_ that aliases with the previous pointer - and the
compiler can understand that, and there are rules (that compiler can
even check, I believe) for "I'm doing writes through mutable derived
pointer A', I can't do any through A while A' exist".
See?
The problem isn't that "pointer aliasing is fundamentally unsafe and
dangerous and therefore the compiler just has to stay away from it
completely" - the problem has just been the lack of a workable model.
Much like how we went from "multithreaded programming is crazy and
dangerous", to "memory barriers are something you're just expected to
know how to use correctly".
next prev parent reply other threads:[~2025-02-25 20:55 UTC|newest]
Thread overview: 196+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-22 10:06 Ventura Jack
2025-02-22 14:15 ` Gary Guo
2025-02-22 15:03 ` Ventura Jack
2025-02-22 18:54 ` Kent Overstreet
2025-02-22 19:18 ` Linus Torvalds
2025-02-22 20:00 ` Kent Overstreet
2025-02-22 20:54 ` H. Peter Anvin
2025-02-22 21:22 ` Kent Overstreet
2025-02-22 21:46 ` Linus Torvalds
2025-02-22 22:34 ` Kent Overstreet
2025-02-22 23:56 ` Jan Engelhardt
2025-02-22 22:12 ` David Laight
2025-02-22 22:46 ` Kent Overstreet
2025-02-22 23:50 ` H. Peter Anvin
2025-02-23 0:06 ` Kent Overstreet
2025-02-22 21:22 ` Linus Torvalds
2025-02-23 15:30 ` Ventura Jack
2025-02-23 16:28 ` David Laight
2025-02-24 0:27 ` Gary Guo
2025-02-24 9:57 ` Ventura Jack
2025-02-24 10:31 ` Benno Lossin
2025-02-24 12:21 ` Ventura Jack
2025-02-24 12:47 ` Benno Lossin
2025-02-24 16:57 ` Ventura Jack
2025-02-24 22:03 ` Benno Lossin
2025-02-24 23:04 ` Ventura Jack
2025-02-25 22:38 ` Benno Lossin
2025-02-25 22:47 ` Miguel Ojeda
2025-02-25 23:03 ` Benno Lossin
2025-02-24 12:58 ` Theodore Ts'o
2025-02-24 14:47 ` Miguel Ojeda
2025-02-24 14:54 ` Miguel Ojeda
2025-02-24 16:42 ` Philip Herron
2025-02-25 15:55 ` Ventura Jack
2025-02-25 17:30 ` Arthur Cohen
2025-02-26 11:38 ` Ralf Jung
2025-02-24 15:43 ` Miguel Ojeda
2025-02-24 17:24 ` Kent Overstreet
2025-02-25 16:12 ` Alice Ryhl
2025-02-25 17:21 ` Ventura Jack
2025-02-25 17:36 ` Alice Ryhl
2025-02-25 18:16 ` H. Peter Anvin
2025-02-25 20:21 ` Kent Overstreet
2025-02-25 20:37 ` H. Peter Anvin
2025-02-26 13:03 ` Ventura Jack
2025-02-26 13:53 ` Miguel Ojeda
2025-02-26 14:07 ` Ralf Jung
2025-02-26 14:26 ` James Bottomley
2025-02-26 14:37 ` Ralf Jung
2025-02-26 14:39 ` Greg KH
2025-02-26 14:45 ` James Bottomley
2025-02-26 16:00 ` Steven Rostedt
2025-02-26 16:42 ` James Bottomley
2025-02-26 16:47 ` Kent Overstreet
2025-02-26 16:57 ` Steven Rostedt
2025-02-26 17:41 ` Kent Overstreet
2025-02-26 17:47 ` Steven Rostedt
2025-02-26 22:07 ` Josh Poimboeuf
2025-03-02 12:19 ` David Laight
2025-02-26 17:11 ` Miguel Ojeda
2025-02-26 17:42 ` Kent Overstreet
2025-02-26 12:36 ` Ventura Jack
2025-02-26 13:52 ` Miguel Ojeda
2025-02-26 15:21 ` Ventura Jack
2025-02-26 16:06 ` Ralf Jung
2025-02-26 17:49 ` Miguel Ojeda
2025-02-26 18:36 ` Ventura Jack
2025-02-26 14:14 ` Ralf Jung
2025-02-26 15:40 ` Ventura Jack
2025-02-26 16:10 ` Ralf Jung
2025-02-26 16:50 ` Ventura Jack
2025-02-26 21:39 ` Ralf Jung
2025-02-27 15:11 ` Ventura Jack
2025-02-27 15:32 ` Ralf Jung
2025-02-25 18:54 ` Linus Torvalds
2025-02-25 19:47 ` Kent Overstreet
2025-02-25 20:25 ` Linus Torvalds
2025-02-25 20:55 ` Kent Overstreet [this message]
2025-02-25 21:24 ` Linus Torvalds
2025-02-25 23:34 ` Kent Overstreet
2025-02-26 11:57 ` Gary Guo
2025-02-27 14:43 ` Ventura Jack
2025-02-26 14:26 ` Ventura Jack
2025-02-25 22:45 ` Miguel Ojeda
2025-02-26 0:05 ` Miguel Ojeda
2025-02-25 22:42 ` Miguel Ojeda
2025-02-26 14:01 ` Ralf Jung
2025-02-26 13:54 ` Ralf Jung
2025-02-26 17:59 ` Linus Torvalds
2025-02-26 19:01 ` Paul E. McKenney
2025-02-26 20:00 ` Martin Uecker
2025-02-26 21:14 ` Linus Torvalds
2025-02-26 21:21 ` Linus Torvalds
2025-02-26 22:54 ` David Laight
2025-02-27 0:35 ` Paul E. McKenney
2025-02-26 21:26 ` Steven Rostedt
2025-02-26 21:37 ` Steven Rostedt
2025-02-26 21:42 ` Linus Torvalds
2025-02-26 21:56 ` Steven Rostedt
2025-02-26 22:13 ` Steven Rostedt
2025-02-26 22:22 ` Linus Torvalds
2025-02-26 22:35 ` Steven Rostedt
2025-02-26 23:18 ` Linus Torvalds
2025-02-26 23:28 ` Steven Rostedt
2025-02-27 0:04 ` Linus Torvalds
2025-02-27 20:47 ` David Laight
2025-02-27 21:33 ` Steven Rostedt
2025-02-28 21:29 ` Paul E. McKenney
2025-02-27 21:41 ` Paul E. McKenney
2025-02-27 22:20 ` David Laight
2025-02-27 22:40 ` Paul E. McKenney
2025-02-28 7:44 ` Ralf Jung
2025-02-28 15:41 ` Kent Overstreet
2025-02-28 15:46 ` Boqun Feng
2025-02-28 16:04 ` Kent Overstreet
2025-02-28 16:13 ` Boqun Feng
2025-02-28 16:21 ` Kent Overstreet
2025-02-28 16:40 ` Boqun Feng
2025-03-04 18:12 ` Ralf Jung
2025-02-26 22:27 ` Kent Overstreet
2025-02-26 23:16 ` Linus Torvalds
2025-02-27 0:17 ` Kent Overstreet
2025-02-27 0:26 ` comex
2025-02-27 18:33 ` Ralf Jung
2025-02-27 19:15 ` Linus Torvalds
2025-02-27 19:55 ` Kent Overstreet
2025-02-27 20:28 ` Linus Torvalds
2025-02-28 7:53 ` Ralf Jung
2025-03-06 19:16 ` Ventura Jack
2025-02-27 4:18 ` Martin Uecker
2025-02-27 5:52 ` Linus Torvalds
2025-02-27 6:56 ` Martin Uecker
2025-02-27 14:29 ` Steven Rostedt
2025-02-27 17:35 ` Paul E. McKenney
2025-02-27 18:13 ` Kent Overstreet
2025-02-27 19:10 ` Paul E. McKenney
2025-02-27 18:00 ` Ventura Jack
2025-02-27 18:44 ` Ralf Jung
2025-02-27 14:21 ` Ventura Jack
2025-02-27 15:27 ` H. Peter Anvin
2025-02-28 8:08 ` Ralf Jung
2025-02-28 8:32 ` Martin Uecker
2025-02-26 20:25 ` Kent Overstreet
2025-02-26 20:34 ` Andy Lutomirski
2025-02-26 22:45 ` David Laight
2025-02-22 19:41 ` Miguel Ojeda
2025-02-22 20:49 ` Kent Overstreet
2025-02-26 11:34 ` Ralf Jung
2025-02-26 14:57 ` Ventura Jack
2025-02-26 16:32 ` Ralf Jung
2025-02-26 18:09 ` Ventura Jack
2025-02-26 22:28 ` Ralf Jung
2025-02-26 23:08 ` David Laight
2025-02-27 13:55 ` Ralf Jung
2025-02-27 17:33 ` Ventura Jack
2025-02-27 17:58 ` Ralf Jung
2025-02-27 19:06 ` Ventura Jack
2025-02-27 19:45 ` Ralf Jung
2025-02-27 20:22 ` Kent Overstreet
2025-02-27 22:18 ` David Laight
2025-02-27 23:18 ` Kent Overstreet
2025-02-28 7:38 ` Ralf Jung
2025-02-28 20:48 ` Ventura Jack
2025-02-28 20:41 ` Ventura Jack
2025-02-28 22:13 ` Geoffrey Thomas
2025-03-01 14:19 ` Ventura Jack
2025-03-04 18:24 ` Ralf Jung
2025-03-06 18:49 ` Ventura Jack
2025-02-27 17:58 ` Miguel Ojeda
2025-02-27 19:25 ` Ventura Jack
2025-02-26 19:07 ` Martin Uecker
2025-02-26 19:23 ` Ralf Jung
2025-02-26 20:22 ` Martin Uecker
[not found] <CAFJgqgRZ1w0ONj2wbcczx2=boXYHoLOd=-ke7tHGBAcifSfPUw@mail.gmail.com>
2025-02-25 15:42 ` H. Peter Anvin
2025-02-25 16:45 ` Ventura Jack
[not found] <CANiq72m-R0tOakf=j7BZ78jDHdy=9-fvZbAT8j91Je2Bxy0sFg@mail.gmail.com>
2025-02-18 16:08 ` Rust kernel policy Christoph Hellwig
2025-02-18 18:46 ` Miguel Ojeda
2025-02-18 21:49 ` H. Peter Anvin
2025-02-18 22:54 ` Miguel Ojeda
2025-02-19 0:58 ` H. Peter Anvin
2025-02-19 3:04 ` Boqun Feng
2025-02-19 5:39 ` Greg KH
2025-02-20 12:28 ` Jan Engelhardt
2025-02-20 12:37 ` Greg KH
2025-02-20 13:23 ` H. Peter Anvin
2025-02-20 15:17 ` C aggregate passing (Rust kernel policy) Jan Engelhardt
2025-02-20 16:46 ` Linus Torvalds
2025-02-20 20:34 ` H. Peter Anvin
2025-02-21 8:31 ` HUANG Zhaobin
2025-02-21 18:34 ` David Laight
2025-02-21 19:12 ` Linus Torvalds
2025-02-21 20:07 ` comex
2025-02-21 21:45 ` David Laight
2025-02-22 6:32 ` Willy Tarreau
2025-02-22 6:37 ` Willy Tarreau
2025-02-22 8:41 ` David Laight
2025-02-22 9:11 ` Willy Tarreau
2025-02-21 20:06 ` Jan Engelhardt
2025-02-21 20:23 ` Laurent Pinchart
2025-02-21 20:24 ` Laurent Pinchart
2025-02-21 22:02 ` David Laight
2025-02-21 22:13 ` Bart Van Assche
2025-02-22 5:56 ` comex
2025-02-21 20:26 ` Linus Torvalds
2025-02-21 22:19 ` henrychurchill
2025-02-21 22:52 ` henrychurchill
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4l6xl5vnpulcvssfestsgrzoazoveopzupb32z5bv6mk23gazo@qn63k7rgsckv \
--to=kent.overstreet@linux.dev \
--cc=airlied@gmail.com \
--cc=aliceryhl@google.com \
--cc=boqun.feng@gmail.com \
--cc=david.laight.linux@gmail.com \
--cc=ej@inai.de \
--cc=gary@garyguo.net \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=hpa@zytor.com \
--cc=ksummit@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=miguel.ojeda.sandonis@gmail.com \
--cc=rust-for-linux@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=venturajack85@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox