From: Danilo Krummrich <dakr@kernel.org>
To: Benno Lossin <benno.lossin@proton.me>
Cc: Tamir Duberstein <tamird@gmail.com>,
ojeda@kernel.org, alex.gaynor@gmail.com, boqun.feng@gmail.com,
gary@garyguo.net, bjorn3_gh@protonmail.com,
a.hindborg@kernel.org, aliceryhl@google.com, tmgross@umich.edu,
andrewjballance@gmail.com, rust-for-linux@vger.kernel.org
Subject: Re: [PATCH 1/2] rust: alloc: extend safety requirements of Vec::set_len()
Date: Mon, 17 Mar 2025 19:28:07 +0100 [thread overview]
Message-ID: <Z9hpt_al01uNCZz-@cassiopeiae> (raw)
In-Reply-To: <D8IPZQHSFFUP.KRO1145IG1RQ@proton.me>
On Mon, Mar 17, 2025 at 05:33:51PM +0000, Benno Lossin wrote:
> On Mon Mar 17, 2025 at 4:57 PM CET, Danilo Krummrich wrote:
> > On Mon, Mar 17, 2025 at 02:57:51PM +0000, Benno Lossin wrote:
> >> On Mon Mar 17, 2025 at 12:12 PM CET, Danilo Krummrich wrote:
> >> > On Mon, Mar 17, 2025 at 09:52:07AM +0000, Benno Lossin wrote:
> >> >> On Sun Mar 16, 2025 at 8:09 PM CET, Danilo Krummrich wrote:
> >> >> > On Sun, Mar 16, 2025 at 07:59:34PM +0100, Danilo Krummrich wrote:
> >> >> >> But let's define it then; what about:
> >> >> >>
> >> >> >> "[`Vec::set_len`] takes (or kepps) ownership of all elements within the range
> >> >> >> [0; `new_len`] and abandons ownership of all values outside of this range, if
> >> >> >> any."
> >> >> >>
> >> >> >> The caller may take ownership of the abandoned elements."
> >> >> >>
> >> >> >> I'd argue that giving up ownership, while offering someone else to take it means
> >> >> >> that it implies that otherwise we'll just end up forgetting about the value.
> >> >> >
> >> >> > Btw. I'd still prefer if we could enforce that the caller has to document what
> >> >> > should happen to the abandoned value. But I acknowledge that the safety comment
> >> >> > isn't the scope for it.
> >> >> >
> >> >> > It'd be great if e.g. clippy would give us a tool to do something analogous to
> >> >> > safety comments.
> >> >> >
> >> >> > It think it would be useful to enfoce some additional safety documentation. For
> >> >> > instance, I think the kernel would much benefit if we could enforce that
> >> >> > mem::forget() must be justified with a comment, since as mentioned ina previous
> >> >> > mail, it can cause fatal bugs, for instance when used on lock guards.
> >> >>
> >> >> I get where you're coming from, but this probably will very quickly get
> >> >> out of hand.
> >> >>
> >> >> For example, I can define `forget` safely:
> >> >>
> >> >> fn forget<T>(value: T) {
> >> >> struct Cycle<T> {
> >> >> this: RefCell<Option<Arc<Self>>>,
> >> >> value: T,
> >> >> }
> >> >> let cycle = Arc::new(Cycle { this: RefCell::new(None), value });
> >> >> *cycle.this.borrow_mut() = Some(cycle.clone());
> >> >> }
> >> >>
> >> >> How would you ensure that this kind of pattern doesn't get written
> >> >> accidentally (or with many indirections)?
> >> >
> >> > I don't think that the possibility of writing safe (but yet buggy) code is an
> >> > argument against having the possibility of enforcing that a caller must write a
> >> > comment for justification on certain things, such as mem::forget().
> >>
> >> My argument is that the problem of forgetting a value is not
> >> self-contained like `unsafe` code is. Even if we were to document all
> >> `forget` or `ManuallyDrop::new` invocations (which we definitely should)
> >> we wouldn't get the security that one can't accidentally forget a lock
> >> guard. I'm totally in favor of mandating an explaining comment above
> >> `forget` calls (but not as a `SAFETY` comment).
> >
> > Oh, I see where the misunderstanding might lie.
> >
> > Let's take a look at FileDescriptorReservation::fd_install(). My proposal is to
> > have something like:
> >
> > // SANITY: `fd_install` consumed file descriptor
> > core::mem::forget(self);
> > // SANITY: `fd_install` consumed file reference
> > core::mem::forget(file);
> >
> > Where we have e.g. clippy to complain if there is no "SANITY" (or whatever we
> > call it) comment for mem::forget().
> >
> > I'm not proposing a SAFETY comment.
>
> Ok, that's good :)
>
> As for having a dedicated `SANITY` comment, I'm not sold yet. I'll think
> a bit more.
>
> >> > But there's another reason I think having something like this could be
> >> > problematic: It might set the wrong incentive, as in "hey, I can just use a
> >> > "sanity requirement" in my function rather figuring out how to ensure it through
> >> > the type system, etc.".
> >>
> >> I don't understand your point here, can you explain it more?
> >
> > Does the explanation above make this concern clear for you?
>
> Do you mean having sanity requirements would lead to people putting less
> effort into designing a type system solution?
That'd be one concern, yes.
next prev parent reply other threads:[~2025-03-17 18:28 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-15 15:43 [PATCH 1/2] rust: alloc: extend safety requirements of Vec::set_len() Danilo Krummrich
2025-03-15 15:43 ` [PATCH 2/2] rust: alloc: add missing invariant in Vec::set_len() Danilo Krummrich
2025-03-15 15:52 ` Danilo Krummrich
2025-03-15 17:44 ` Benno Lossin
2025-04-07 12:10 ` Danilo Krummrich
2025-03-15 16:06 ` [PATCH 1/2] rust: alloc: extend safety requirements of Vec::set_len() Tamir Duberstein
2025-03-15 17:44 ` Benno Lossin
2025-03-15 18:36 ` Danilo Krummrich
2025-03-16 0:33 ` Tamir Duberstein
2025-03-16 9:38 ` Benno Lossin
2025-03-16 12:31 ` Danilo Krummrich
2025-03-16 12:42 ` Tamir Duberstein
2025-03-16 13:01 ` Danilo Krummrich
2025-03-16 13:13 ` Tamir Duberstein
2025-03-16 13:46 ` Danilo Krummrich
2025-03-16 17:40 ` Benno Lossin
2025-03-16 18:59 ` Danilo Krummrich
2025-03-16 19:09 ` Danilo Krummrich
2025-03-16 19:30 ` Tamir Duberstein
2025-03-16 20:54 ` Danilo Krummrich
2025-03-16 21:10 ` Tamir Duberstein
2025-03-16 21:17 ` Danilo Krummrich
2025-03-16 21:20 ` Tamir Duberstein
2025-03-16 21:52 ` Tamir Duberstein
2025-03-16 21:59 ` Danilo Krummrich
2025-03-17 9:52 ` Benno Lossin
2025-03-17 11:12 ` Danilo Krummrich
2025-03-17 14:57 ` Benno Lossin
2025-03-17 15:57 ` Danilo Krummrich
2025-03-17 16:03 ` Miguel Ojeda
2025-03-17 17:33 ` Benno Lossin
2025-03-17 18:28 ` Danilo Krummrich [this message]
2025-03-16 12:08 ` Danilo Krummrich
2025-03-17 10:36 ` Alice Ryhl
-- strict thread matches above, loose matches on Subject: below --
2025-03-17 9:46 Benno Lossin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z9hpt_al01uNCZz-@cassiopeiae \
--to=dakr@kernel.org \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=andrewjballance@gmail.com \
--cc=benno.lossin@proton.me \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=gary@garyguo.net \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tamird@gmail.com \
--cc=tmgross@umich.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.