From: "Benno Lossin" <lossin@kernel.org>
To: "Danilo Krummrich" <dakr@kernel.org>,
"Alice Ryhl" <aliceryhl@google.com>
Cc: "Marcelo Moreira" <marcelomoreira1905@gmail.com>,
<ojeda@kernel.org>, <rust-for-linux@vger.kernel.org>,
<skhan@linuxfoundation.org>,
<linux-kernel-mentees@lists.linuxfoundation.org>,
<~lkcamp/patches@lists.sr.ht>
Subject: Re: [PATCH v4 2/3] rust: revocable: simplify RevocableGuard for internal safety
Date: Sat, 14 Jun 2025 19:00:07 +0200
Message-ID: <DAMF0H159M8X.2NWDQM5KQH4N0@kernel.org>
In-Reply-To: <aEwxgUjYiNaJuzc_@pollux>
On Fri Jun 13, 2025 at 4:11 PM CEST, Danilo Krummrich wrote:
> On Thu, Jun 12, 2025 at 09:28:26AM +0000, Alice Ryhl wrote:
>> I don't think this change is valid. Consider this code:
>>
>>     fn takes_guard(arg: RevocableGuard<'_, i32>) {
>>         drop(arg);
>>         // rcu guard is dropped, so `arg.data` may become dangling now
>>     }
>>
>> This violates the requirement that references that appear in function
>> arguments are valid for the entire function call, see:
>> https://perso.crans.org/vanille/treebor/protectors.html
>>
>> Or the LLVM perspective: When Rust sees a reference in a function
>> argument, it adds the LLVM attribute dereferencable to it, which implies
>> that the pointer must be valid for *the entire function call*. If the
>> memory becomes dangling after the rcu guard is dropped, then this is
>> violated and the compiler could perform optimizations that are not
>> correct.
>
> Interesting, I wasn't aware of that. I wonder, why can't the compiler catch this
> and throw an error?
Because the compiler doesn't know that the reference's validity is tied
to the rcu guard existing.
---
Cheers,
Benno
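Added example, not part of this thread and not the code in the kernel's rust/kernel/revocable.rs: a toy Rust model of the point Alice and Benno make above. The guard stores the payload as a raw `NonNull<T>` rather than `&'a T`, so no `dereferenceable`/protector promise is attached to it for the duration of a call, and the only references ever produced are the ones `Deref` hands out, which borrow the guard and so cannot outlive it. An `RwLock` stands in for RCU: readers take the read side, `revoke()` takes the write side and therefore waits for every outstanding guard, the way `synchronize_rcu()` waits for a grace period. The names `Revocable`, `RevocableGuard`, `takes_guard` and `revoke_waits_for_readers`, and the sample values, are choices made for this example.

```rust
use std::ops::Deref;
use std::ptr::NonNull;
use std::sync::{Arc, RwLock, RwLockReadGuard};
use std::thread;
use std::time::Duration;

/// Toy model of a revocable value (constructed for this example, not the
/// kernel's type). The `RwLock` plays the role of RCU: `revoke()` takes the
/// write side and so cannot finish while any reader guard is alive.
pub struct Revocable<T> {
    inner: RwLock<Option<Box<T>>>,
}

/// Reader guard. `data` is a raw pointer on purpose: a `&'a T` field would
/// let callers pass a reference that the compiler assumes valid for a whole
/// function call, while the data actually lives only as long as `_guard`.
pub struct RevocableGuard<'a, T> {
    data: NonNull<T>,
    _guard: RwLockReadGuard<'a, Option<Box<T>>>,
}

impl<T> Revocable<T> {
    pub fn new(value: T) -> Self {
        Revocable { inner: RwLock::new(Some(Box::new(value))) }
    }

    /// Returns a guard if the value has not been revoked yet.
    pub fn try_access(&self) -> Option<RevocableGuard<'_, T>> {
        let guard = self.inner.read().unwrap();
        // The `Box` allocation does not move when the lock guard moves, so
        // the pointer stays valid for as long as `guard` keeps writers out.
        let data = NonNull::from(guard.as_deref()?);
        Some(RevocableGuard { data, _guard: guard })
    }

    /// Revokes the value: blocks until every outstanding guard is dropped
    /// (the "grace period"), then drops it. Returns `false` if already revoked.
    pub fn revoke(&self) -> bool {
        self.inner.write().unwrap().take().is_some()
    }
}

impl<T> Deref for RevocableGuard<'_, T> {
    type Target = T;

    fn deref(&self) -> &T {
        // SAFETY: `data` pointed to live data when the guard was created and
        // `_guard` blocks `revoke()` for as long as `self` exists. The returned
        // reference borrows `self`, so it cannot outlive the guard.
        unsafe { self.data.as_ref() }
    }
}

/// Alice's `takes_guard`, in a sound form: the value is copied out through
/// `Deref` (a reference borrowing `arg`) before `arg` is dropped, so no
/// reference into the revocable data survives the `drop`.
pub fn takes_guard(arg: RevocableGuard<'_, i32>) -> i32 {
    let value: i32 = *arg;
    drop(arg); // read side released; `value` is a copy, not a reference
    value
}

/// Grace-period behaviour: `revoke()` on another thread cannot complete while
/// a guard is alive, reads through the guard stay valid meanwhile, and once
/// revocation completes no new guard can be obtained.
pub fn revoke_waits_for_readers() -> bool {
    let rev = Arc::new(Revocable::new(7));
    let guard = rev.try_access().unwrap();
    let rev2 = Arc::clone(&rev);
    let revoker = thread::spawn(move || rev2.revoke());
    thread::sleep(Duration::from_millis(50)); // let the revoker block
    let still_live = *guard == 7; // reading via the guard is still fine
    drop(guard); // now the revoker may proceed
    let revoked = revoker.join().unwrap();
    still_live && revoked && rev.try_access().is_none()
}

fn main() {
    let rev = Revocable::new(42);
    println!("takes_guard -> {}", takes_guard(rev.try_access().unwrap()));
    println!("revoke -> {}", rev.revoke());
    println!("access after revoke -> {:?}", rev.try_access().map(|g| *g));
    println!("revoke waits for readers -> {}", revoke_waits_for_readers());
}
```

The design choice worth noting is where the `&T` comes from: only `deref(&self)` ever creates one, and its lifetime is that of the borrow of the guard, so the compiler's assumption that a reference argument is valid for the entire call is never made about memory whose lifetime is really tied to the read-side guard. Had the field been `data: &'a T`, a function taking the guard by value would carry that assumption and `drop(arg)` inside it would break the guarantee, exactly as described above.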