All of lore.kernel.org
 help / color / mirror / Atom feed
From: Alice Ryhl <aliceryhl@google.com>
To: Gary Guo <gary@garyguo.net>
Cc: "Miguel Ojeda" <miguel.ojeda.sandonis@gmail.com>,
	"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
	"Trevor Gross" <tmgross@umich.edu>,
	"Alexandre Courbot" <acourbot@nvidia.com>,
	"Miguel Ojeda" <ojeda@kernel.org>,
	"kernel test robot" <lkp@intel.com>,
	llvm@lists.linux.dev, oe-kbuild-all@lists.linux.dev,
	"Huacai Chen" <chenhuacai@kernel.org>,
	"WANG Xuerui" <kernel@xen0n.name>
Subject: Re: [linux-next:master 9676/10599] ld.lld: error: undefined symbol: rust_build_error
Date: Fri, 12 Dec 2025 01:04:35 +0000	[thread overview]
Message-ID: <aTtqI7Mu7LYu0fpx@google.com> (raw)
In-Reply-To: <20251124144810.2fb0e99e.gary@garyguo.net>

On Mon, Nov 24, 2025 at 02:48:10PM +0000, Gary Guo wrote:
> On Mon, 24 Nov 2025 10:37:08 +0000
> Alice Ryhl <aliceryhl@google.com> wrote:
> 
> > On Fri, Nov 21, 2025 at 04:53:26PM +0100, Miguel Ojeda wrote:
> > > On Fri, Nov 21, 2025 at 3:44 PM Alice Ryhl <aliceryhl@google.com> wrote:  
> > > >
> > > > You say that this kind of thing would be a compiler bug, but I don't
> > > > think the compiler devs folks would agree with us on that at all. I
> > > > mean, sure, it's a bug in the sense that it's a missed optimization, but
> > > > it's not a correctness bug.  
> > >   
> > > > I'm not advocating for adding unsafe blocks to skip bounds checks.
> > > >
> > > > And, fine, there are probably a few cases where it works reliably and
> > > > has no real replacement. Such as the VTABLE_DEFAULT_ERROR check. But I
> > > > do not think bounds checks are a place where it's a good idea.  
> > > 
> > > There may be no guarantees, but it is a similar situation as for C
> > > compilers in the kernel.  
> > 
> > I don't think it is like that at all. We rely on non-guaranteed behavior
> > for data races because we have no choice and we had extensive discussion
> > about it with the compiler folks who are comfortable with us using that
> > particular exception.
> 
> This is not about LKMM but that BUILD_BUG_ON also relies on compiler
> optimizations and reference undefined symbols if compiler cannot
> optimize them out.
> 
> `build_assert` is just a nicer Rust way of the same trick.

But we're no longer using it in the same way as BUILD_BUG_ON.

> > > Compilers can of course change behavior and have bugs and so on, and
> > > thus avoiding to rely on it as much as possible is a good idea, but I
> > > think it is a good idea to get build asserts reliably working as much
> > > as possible for certain use cases. In particular, I don't see why
> > > simple (local-enough) bounds checks cannot be one of those (it may not
> > > be today, but it could).
> > > 
> > > Of course, the best would be to get the language to a point where it
> > > supports this sort of thing natively. But that is a longer road.
> > > 
> > > And, in some situations, there may be no good alternative (i.e. const
> > > eval / generics / macros may be too painful to apply), and thus people
> > > may end up adding `unsafe` instead, which isn't great.  
> > 
> > The difference is that someone adding unsafe to avoid a bounds check
> > screams to the reviewers that something sketchy is going on. In
> > comparison, drivers calling `Bounded::from_expr(_)` with a non-trivial
> > expression looks like entirely normal code even though it might be
> > relying on the precise and definitely subject-to-change details of when
> > LLVM is choosing to inline various functions.
> > 
> > If const eval / generics / macros are too painful, then perform a
> > runtime bounds check just like everyone who uses Rust outside of the
> > kernel is doing.
> 
> There're 200+ uses of BUILD_BUG_ON in include/. I see this case being
> similar to those usages.

I looked through a lot of the cases where BUILD_BUG_ON is used. All of
them seem to be checking that some constants are equal to something,
different from something, less than something, etc. It compares #defined
constants, and stuff like sizeof(struct) and such. But I could not find
even a single example where BUILD_BUG_ON used for bounds-checking a
runtime value, which is the use-case I think is problematic.

> > > In addition, I think upstream probably wants to know about this sort
> > > of this, i.e. sometimes the changes may be unintended (i.e. if we see
> > > it changing in a new nightly) and they probably like to hear about
> > > "obvious" optimizations not being applied, since they are potential
> > > easy wins for them (or, rather, avoiding regressions), as Gary
> > > mentions. That is also part of the value of building the kernel in
> > > compiler CIs etc.  
> > 
> > I do not at all think it's obvious that upstream would be happy about
> > this, considering it comes with the serious trade-off of us relying on
> > these optimizations happening.
> 
> If the exact use case does not involve a reference, it's exactly same
> as BUILD_BUG_ON, so would be a LLVM bug that equally affect
> clang-built-linux.

If there's no reference, function boundary, or non-constant value, then
I don't think it's problematic. The problem IMO is using build_error for
bounds checking runtime values.

Alice

  reply	other threads:[~2025-12-12  1:04 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-20 16:41 [linux-next:master 9676/10599] ld.lld: error: undefined symbol: rust_build_error kernel test robot
2025-11-21  6:13 ` Alexandre Courbot
2025-11-21  9:08   ` Alice Ryhl
2025-11-21 13:41     ` Alexandre Courbot
2025-11-21 14:10       ` Alice Ryhl
2025-11-21 14:21         ` Miguel Ojeda
2025-11-21 14:30           ` Gary Guo
2025-11-21 14:39             ` Alexandre Courbot
2025-11-21 14:44             ` Alice Ryhl
2025-11-21 15:53               ` Miguel Ojeda
2025-11-24 10:37                 ` Alice Ryhl
2025-11-24 12:09                   ` Alexandre Courbot
2025-11-24 14:48                   ` Gary Guo
2025-12-12  1:04                     ` Alice Ryhl [this message]
2025-12-13  1:50                       ` Nathan Chancellor
2025-12-13  2:51                         ` Miguel Ojeda
2025-11-21 15:27             ` Alexandre Courbot
2025-11-21 15:30               ` Miguel Ojeda
2025-11-22  2:12                 ` Alexandre Courbot
2025-11-21 14:19       ` Miguel Ojeda

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aTtqI7Mu7LYu0fpx@google.com \
    --to=aliceryhl@google.com \
    --cc=acourbot@nvidia.com \
    --cc=bjorn3_gh@protonmail.com \
    --cc=chenhuacai@kernel.org \
    --cc=gary@garyguo.net \
    --cc=kernel@xen0n.name \
    --cc=lkp@intel.com \
    --cc=llvm@lists.linux.dev \
    --cc=miguel.ojeda.sandonis@gmail.com \
    --cc=oe-kbuild-all@lists.linux.dev \
    --cc=ojeda@kernel.org \
    --cc=tmgross@umich.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.