Re: [PATCH v8 02/14] rust: hrtimer: introduce hrtimer support

[Andreas Hindborg <a.hindborg@kernel.org>]

"Boqun Feng" <boqun.feng@gmail.com> writes:

> On Fri, Feb 21, 2025 at 09:46:08AM -0500, Tamir Duberstein wrote:
>> On Fri, Feb 21, 2025 at 9:40 AM Boqun Feng <boqun.feng@gmail.com> wrote:
>> >
>> > Hmm... if you mean:
>> >
>> > trait HasHrTimer {
>> >     unsafe fn start(&self, expires: Ktime) {
>> >         ...
>> >     }
>> > }
>> >
>> > Then it'll be problematic because the pointer derived from `&self`
>> > doesn't have write provenance, therefore in a timer callback, the
>> > pointer cannot be used for write, which means for example you cannot
>> > convert the pointer back into a `Pin<Box<HasTimer>>`.
>> >
>> > To answer Tamir's question, pointers are heavily used here because we
>> > need to preserve the provenance.
>>
>> Wouldn't the natural implication be that &mut self is needed? Maybe
>
> For an `Arc<HasTimer>`, you cannot get `&mut self`.
>
>> you can help me understand why pointers can express a contract that
>> references can't?
>
> I assume you already know what a pointer provenance is?
>
> 	http://doc.rust-lang.org/std/ptr/index.html#provenance
>
> Passing a pointer (including offset operation on it) preserves the
> provenance (determined as derive time), however, deriving a pointer from
> a reference gives the pointer a provenance based on the reference type.
> For example, let's say we have an `Arc<i32>` and a clone:
>
> 	let arc = Arc::new(42);
> 	let clone = arc.clone();
>
> you can obviously do a into_raw() + from_raw() pair:
>
> 	let ptr = Arc::into_raw(arc);
> 	let arc = unsafe { Arc::from_raw(arc) };
>
> however, if you create a reference based on `Arc::into_raw()`, and then
> derive a pointer from that, you change the provenance,

In this case, the pointer will have the pointer of `Arc::into_raw()`
will have the provenance of the original reference. When you turn that
pointer back into a reference, won't the reference inherit the
provenance of the pointer, which is the same as the original reference?

As I read the docs, getting a reference to a `Timer` from a reference to
a `<MyType as HasHrTimer>` by converting `&MyType` to a `*const MyType`,
doing a `ptr.cast::<u8>().add(offset).cast::<HrTimer<T>>()` and
converting that pointer to a reference should be fine? The final pointer
before converting back to a reference will still have provenance of the
original reference. Converting to a reference at the end will shrink the
provenance, but it is still fine.

Going from a `&HrTimer<T>` to a `&T` is a problem, because that would
require offset outside spatial permission of pointer provenance, and it
would require increasing the size of the spatial permission.

Is this correctly understood?

> therefore the
> below code would generate UB:
>
> 	// cannot mutably borrow because of clone.
> 	let ptr = unsafe { &*Arc::into_raw(arc) } as *const i32;
>
> 	let arc = unsafe { Arc::from_raw(ptr) };
>
>
> (playground code snippet for this example)
>
> 	https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=15e051db46c3886b29ed02e579562278
>
> As you already know, the whole thing about pointers/references here is
> passing the value to the callback and the callback can "reconstruct" the
> data, in such a case, reborrowing in the middle of the chain into a
> reference is not necessary, and as the above shows, it can be
> problematic.

Thanks for bringing this up, I forgot about it.


Best regards,
Andreas Hindborg