Re: [PATCH v2] rust: doc: Clarify safety invariants for Revocable type

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Benno Lossin" <lossin@kernel.org>
To: "Danilo Krummrich" <dakr@kernel.org>
Cc: "Marcelo Moreira" <marcelomoreira1905@gmail.com>,
	<benno.lossin@proton.me>, <ojeda@kernel.org>,
	<rust-for-linux@vger.kernel.org>, <skhan@linuxfoundation.org>,
	<linux-kernel-mentees@lists.linuxfoundation.org>,
	<~lkcamp/patches@lists.sr.ht>
Subject: Re: [PATCH v2] rust: doc: Clarify safety invariants for Revocable type
Date: Mon, 19 May 2025 14:26:05 +0200	[thread overview]
Message-ID: <DA04WHRZBBS0.17WRMWDF0A335@kernel.org> (raw)
In-Reply-To: <aCsX-k0K_jqLvD4e@pollux>

On Mon May 19, 2025 at 1:37 PM CEST, Danilo Krummrich wrote:
> On Mon, May 19, 2025 at 01:10:32PM +0200, Benno Lossin wrote:
>> On Mon May 19, 2025 at 11:55 AM CEST, Danilo Krummrich wrote:
>> > On Mon, May 19, 2025 at 11:18:42AM +0200, Benno Lossin wrote:
>> > Why not? Please show me a case where `is_available` is false, but I can still
>> > technically access data (without violating a safety requirement).
>> 
>>     let r: Arc<Revocable<i32>> = ...;
>>     let guard = r.try_access().unwrap(); // nobody else is holding a reference, so this can't fail
>> 
>>     let r2 = r.clone();
>> 
>>     // I know we don't have threads, but I don't want to have to look up
>>     // how to use the workqueue or something else...
>>     thread::spawn(move || {
>>         r2.revoke();
>>     });
>> 
>>     for _ in 0..10_000_000 {
>>         // do some non-sleeping work that takes a while
>>     }
>> 
>>     // now the thread above has executed `self.is_available.swap(false, Ordering::Relaxed)`
>>     // in `revoke_internal` and is waiting for the `synchronize_rcu` call to return.
>>     // but we can still access `guard`:
>> 
>>     pr_info!("{}", &*guard);
>
> Which is perfectly correct, you're right. I think I was too focused on the
> optimization case. :-)

And I was assuming the example was obvious with just saying "But the
`is_available` atomic *can* be altered during the usage of `data`." :-)

>> > However, this invariant does not need to be fulfilled for access() and
>> 
>> Where is `access()` defined?
>
> https://gitlab.freedesktop.org/drm/nova/-/commit/46f91addfabbd4109fb64876a032ae4a4a924919

"Reviewed-by: Benno Lossin <benno.lossin@proton.me>" huh, I already
forgot about the patch... But that also shouldn't be difficult to
support with the right invariant.

>> > revoke_nosync(), because it would circumvent their purpose, i.e. cases where an
>> > abstraction can prove that there can't be a concurrent user of the data or a
>> > concurrent user revoking the data respectively.
>> 
>> Yes. How about something like "`data` is valid while `is_available` is
>> true. It also is valid if the RCU read-side lock is being held and it
>> was taken while `is_available` was true."?
>> 
>> That should also cover the "nobody else is accessing this" case.
>
> Sounds good to me!

I'm not happy with the sentence structure, so how about:

* `data` is valid for reads in two cases:
    * while `is_available` is true, or
    * while the RCU read-side lock is taken and it was acquired while `is_available` was `true`.
* `data` is valid for writes when `is_available` was atomically changed from `true` to `false`.

The last one is needed in order to call `drop_in_place`.

---
Cheers,
Benno

next prev parent reply	other threads:[~2025-05-19 12:26 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-03 14:53 [PATCH v2] rust: doc: Clarify safety invariants for Revocable type Marcelo Moreira
2025-05-09 10:10 ` Benno Lossin
2025-05-17  0:03   ` Marcelo Moreira
2025-05-17  8:19     ` Benno Lossin
2025-05-17  9:54   ` Danilo Krummrich
2025-05-17 19:09     ` Benno Lossin
2025-05-19  8:50       ` Danilo Krummrich
2025-05-19  9:18         ` Benno Lossin
2025-05-19  9:55           ` Danilo Krummrich
2025-05-19 11:10             ` Benno Lossin
2025-05-19 11:37               ` Danilo Krummrich
2025-05-19 12:26                 ` Benno Lossin [this message]
2025-05-23  0:13                   ` Marcelo Moreira
2025-05-23  8:42                     ` Benno Lossin
2025-05-23  8:55                       ` Danilo Krummrich
2025-05-23 11:53                         ` Benno Lossin
2025-05-26  2:10                           ` Marcelo Moreira
2025-05-23  7:19                   ` Danilo Krummrich
2025-05-23  8:31                     ` Benno Lossin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DA04WHRZBBS0.17WRMWDF0A335@kernel.org \
    --to=lossin@kernel.org \
    --cc=benno.lossin@proton.me \
    --cc=dakr@kernel.org \
    --cc=linux-kernel-mentees@lists.linuxfoundation.org \
    --cc=marcelomoreira1905@gmail.com \
    --cc=ojeda@kernel.org \
    --cc=rust-for-linux@vger.kernel.org \
    --cc=skhan@linuxfoundation.org \
    --cc=~lkcamp/patches@lists.sr.ht \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.