Re: [WIP 0/3] Memory model and atomic API in Rust

[Boqun Feng <boqun.feng@gmail.com>]

On Mon, Mar 25, 2024 at 05:14:41PM -0400, Kent Overstreet wrote:
> On Mon, Mar 25, 2024 at 12:44:34PM -0700, Linus Torvalds wrote:
> > On Mon, 25 Mar 2024 at 11:59, Kent Overstreet <kent.overstreet@linux.dev> wrote:
> > >
> > > To be fair, "volatile" dates from an era when we didn't have the haziest
> > > understanding of what a working memory model for C would look like or
> > > why we'd even want one.
> > 
> > I don't disagree, but I find it very depressing that now that we *do*
> > know about memory models etc, the C++ memory model basically doubled
> > down on the same "object" model.
> > 
> > > The way the kernel uses volatile in e.g. READ_ONCE() is fully in line
> > > with modern thinking, just done with the tools available at the time. A
> > > more modern version would be just
> > >
> > > __atomic_load_n(ptr, __ATOMIC_RELAXED)

Note that Rust does have something similiar:

	https://doc.rust-lang.org/std/ptr/fn.read_volatile.html

	pub unsafe fn read_volatile<T>(src: *const T) -> T

(and also write_volatile()). So they made a good design putting the
volatile on the accesses rather than the type. However, per the current
Rust memory model these two primitives will be UB when data races happen
:-(

I mean, sure, if I use read_volatile() on an enum (whose valid values
are only 0, 1, 2), and I get a value 3, and the compiler says "you have
a logic bug and I refuse to compile the program correctly", I'm OK. But
if I use read_volatile() to read something like a u32, and I know it's
racy so my program actually handle that, I don't know any sane compiler
would miss-compile, so I don't know why that has to be a UB.

> > 
> > Yes. Again, that's the *right* model in many ways, where you mark the
> > *access*, not the variable. You make it completely and utterly clear
> > that this is a very explicit access to memory.
> > 
> > But that's not what C++ actually did. They went down the same old
> > "volatile object" road, and instead of marking the access, they mark
> > the object, and the way you do the above is
> > 
> >     std::atomic_int value;
> > 
> > and then you just access 'value' and magic happens.
> > 
> > EXACTLY the same way that
> > 
> >    volatile int value;
> > 
> > works, in other words. With exactly the same downsides.
> 
> Yeah that's crap. Unfortunate too, because this does need to be a type
> system thing and we have all the tools to do it correctly now.
> 
> What we need is for loads and stores to be explict, and that absolutely
> can and should be a type system thing.
> 
> In Rust terminology, what we want is
> 
>   Volatile<T>
> 
> where T is any type that fits in a machine word, and the only operations
> it supports are get(), set(), xchg() and cmpxchG().
> 
> You DO NOT want it to be possible to transparantly use Volatile<T> in
> place of a regular T - in exactly the same way as an atomic_t can't be
> used in place of a regular integer.

Yes, this is useful. But no it's not that useful, how could you use that
to read another CPU's stack during some debug functions in a way you
know it's racy?

Regards,
Boqun