From: Boqun Feng <boqun.feng@gmail.com>
To: Benno Lossin <benno.lossin@proton.me>
Cc: "Alice Ryhl" <alice@ryhl.io>, "Alice Ryhl" <aliceryhl@google.com>,
"Wedson Almeida Filho" <wedsonaf@gmail.com>,
rust-for-linux@vger.kernel.org, "Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Andreas Hindborg" <a.hindborg@samsung.com>,
linux-kernel@vger.kernel.org,
"Wedson Almeida Filho" <walmeida@microsoft.com>
Subject: Re: [PATCH v2 2/2] rust: arc: remove `ArcBorrow` in favour of `WithRef`
Date: Mon, 25 Sep 2023 15:34:56 -0700 [thread overview]
Message-ID: <ZRILEIsKW6LsGdfb@boqun-archlinux> (raw)
In-Reply-To: <61ccfb87-54fd-3f1b-105c-253d0350cd56@proton.me>
On Mon, Sep 25, 2023 at 10:26:56PM +0000, Benno Lossin wrote:
> On 26.09.23 00:02, Boqun Feng wrote:
> > On Mon, Sep 25, 2023 at 11:58:46PM +0200, Alice Ryhl wrote:
> >> On 9/25/23 23:55, Boqun Feng wrote:
> >>> On Mon, Sep 25, 2023 at 09:03:52PM +0000, Benno Lossin wrote:
> >>>> On 25.09.23 20:51, Boqun Feng wrote:
> >>>>> On Mon, Sep 25, 2023 at 05:00:45PM +0000, Benno Lossin wrote:
> >>>>>> On 25.09.23 18:16, Boqun Feng wrote:
> >>>>>>> On Mon, Sep 25, 2023 at 03:07:44PM +0000, Benno Lossin wrote:
> >>>>>>>> ```rust
> >>>>>>>> struct MutatingDrop {
> >>>>>>>> value: i32,
> >>>>>>>> }
> >>>>>>>>
> >>>>>>>> impl Drop for MutatingDrop {
> >>>>>>>> fn drop(&mut self) {
> >>>>>>>> self.value = 0;
> >>>>>>>> }
> >>>>>>>> }
> >>>>>>>>
> >>>>>>>> let arc = Arc::new(MutatingDrop { value: 42 });
> >>>>>>>> let wr = arc.as_with_ref(); // this creates a shared `&` reference to the MutatingDrop
> >>>>>>>> let arc2: Arc<MutatingDrop> = wr.into(); // increments the reference count to 2
> >>>>>>>
> >>>>>>> More precisely, here we did a
> >>>>>>>
> >>>>>>> &WithRef<_> -> NonNull<WithRef<_>>
> >>>>>>>
> >>>>>>> conversion, and later on, we may use the `NonNull<WithRef<_>>` in
> >>>>>>> `drop` to get a `Box<WithRef<_>>`.
> >>>>>>
> >>>>>> Indeed.
> >>>>>>
> >>>>>
> >>>>> Can we workaround this issue by (ab)using the `UnsafeCell` inside
> >>>>> `WithRef<T>`?
> >>>>>
> >>>>> impl<T: ?Sized> From<&WithRef<T>> for Arc<T> {
> >>>>> fn from(b: &WithRef<T>) -> Self {
> >>>>> // SAFETY: The existence of the references proves that
> >>>>> // `b.refcount.get()` is a valid pointer to `WithRef<T>`.
> >>>>> let ptr = unsafe { NonNull::new_unchecked(b.refcount.get().cast::<WithRef<T>>()) };
> >>>>>
> >>>>> // SAFETY: see the SAFETY above `let ptr = ..` line.
> >>>>> ManuallyDrop::new(unsafe { Arc::from_inner(ptr) })
> >>>>> .deref()
> >>>>> .clone()
> >>>>> }
> >>>>> }
> >>>>>
> >>>>> This way, the raw pointer in the new Arc no longer derives from the
> >>>>> reference of `WithRef<T>`.
> >>>>
> >>>> No, the code above only obtains a pointer that has provenance valid
> >>>> for a `bindings::refcount_t` (or type with the same layout, such as
> >>>> `Opaque<bindings::refcount_t>`). But not the whole `WithRef<T>`, so accessing
> >>>> it by reading/writing will still be UB.
> >>>>
> >>>
> >>> Hmm... but we do the similar thing in `Arc::from_raw()`, right?
> >>>
> >>> pub unsafe fn from_raw(ptr: *const T) -> Self {
> >>> ..
> >>> }
> >>>
> >>> , what we have is a pointer to T, and we construct a pointer to
> >>> `ArcInner<T>/WithRef<T>`, in that function. Because the `sub` on pointer
> >>> gets away from provenance? If so, we can also do a sub(0) in the above
> >>> code.
> >>
> >> Not sure what you mean. Operations on raw pointers leave provenance
> >> unchanged.
> >
> > Let's look at the function from_raw(), the input is a pointer to T,
> > right? So you only have the provenance to T, but in that function, the
> > pointer is casted to a pointer to WithRef<T>/ArcInner<T>, that means you
> > have the provenance to the whole WithRef<T>/ArcInner<T>, right? My
> > question is: why isn't that a UB?
>
> The pointer was originally derived by a call to `into_raw`:
> ```
> pub fn into_raw(self) -> *const T {
> let ptr = self.ptr.as_ptr();
> core::mem::forget(self);
> // SAFETY: The pointer is valid.
> unsafe { core::ptr::addr_of!((*ptr).data) }
> }
> ```
> So in this function the origin (also the origin of the provenance)
> of the pointer is `ptr` which is of type `NonNull<WithRef<T>>`.
> Raw pointers do not lose this provenance information when you cast
> it and when using `addr_of`/`addr_of_mut`. So provenance is something
> that is not really represented in the type system for raw pointers.
Ah, I see, that's the thing I was missing. Now it makes much sense to
me, thank you both!
>
> When doing a round trip through a reference though, the provenance is
> newly assigned and thus would only be valid for a `T`:
> ```
> let raw = arc.into_raw();
> let reference = unsafe { &*raw };
> let raw: *const T = reference;
> let arc = unsafe { Arc::from_raw(raw) };
> ```
Agreed. This example demonstrates the key point: the provenances of raw
pointers are decided at derive time.
Regards,
Boqun
> Miri would complain about the above code.
>
> --
> Cheers,
> Benno
>
>
next prev parent reply other threads:[~2023-09-25 22:35 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-23 14:49 [PATCH v2 0/2] Remove `ArcBorrow` Wedson Almeida Filho
2023-09-23 14:49 ` [PATCH v2 1/2] rust: arc: rename `ArcInner` to `WithRef` Wedson Almeida Filho
2023-09-23 19:31 ` Martin Rodriguez Reboredo
2023-09-24 11:59 ` Benno Lossin
2023-09-24 13:41 ` Jianguo Bao
2023-09-25 6:21 ` Alice Ryhl
2023-09-23 14:49 ` [PATCH v2 2/2] rust: arc: remove `ArcBorrow` in favour of `WithRef` Wedson Almeida Filho
2023-09-23 19:32 ` Martin Rodriguez Reboredo
2023-09-24 11:59 ` Benno Lossin
2023-09-24 13:36 ` Jianguo Bao
2023-09-25 6:29 ` Alice Ryhl
2023-09-25 9:14 ` Benno Lossin
2023-09-25 14:49 ` Boqun Feng
2023-09-25 15:00 ` Alice Ryhl
2023-09-25 15:17 ` Boqun Feng
2023-09-25 15:30 ` Alice Ryhl
2023-09-25 16:02 ` Boqun Feng
2023-09-25 16:11 ` Benno Lossin
2023-09-25 15:07 ` Benno Lossin
2023-09-25 16:16 ` Boqun Feng
2023-09-25 17:00 ` Benno Lossin
2023-09-25 18:51 ` Boqun Feng
2023-09-25 21:03 ` Benno Lossin
2023-09-25 21:55 ` Boqun Feng
2023-09-25 21:58 ` Alice Ryhl
2023-09-25 22:02 ` Boqun Feng
2023-09-25 22:06 ` Boqun Feng
2023-09-25 22:26 ` Benno Lossin
2023-09-25 22:34 ` Boqun Feng [this message]
2023-09-25 23:24 ` Boqun Feng
2023-09-26 8:26 ` Gary Guo
2023-09-26 15:24 ` Boqun Feng
2023-09-26 15:41 ` Alice Ryhl
2023-09-26 16:35 ` Boqun Feng
2023-09-26 17:15 ` Benno Lossin
2023-09-26 17:43 ` Boqun Feng
2023-09-26 18:26 ` Benno Lossin
2023-09-26 21:31 ` Alice Ryhl
2023-09-26 18:20 ` Boqun Feng
2023-09-26 21:27 ` Alice Ryhl
2023-09-25 15:04 ` Alice Ryhl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZRILEIsKW6LsGdfb@boqun-archlinux \
--to=boqun.feng@gmail.com \
--cc=a.hindborg@samsung.com \
--cc=alex.gaynor@gmail.com \
--cc=alice@ryhl.io \
--cc=aliceryhl@google.com \
--cc=benno.lossin@proton.me \
--cc=bjorn3_gh@protonmail.com \
--cc=gary@garyguo.net \
--cc=linux-kernel@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=walmeida@microsoft.com \
--cc=wedsonaf@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.