From: "Benno Lossin" <lossin@kernel.org>
To: "Boqun Feng" <boqun.feng@gmail.com>
Cc: linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org,
lkmm@lists.linux.dev, linux-arch@vger.kernel.org,
"Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Alice Ryhl" <aliceryhl@google.com>,
"Trevor Gross" <tmgross@umich.edu>,
"Danilo Krummrich" <dakr@kernel.org>,
"Will Deacon" <will@kernel.org>,
"Peter Zijlstra" <peterz@infradead.org>,
"Mark Rutland" <mark.rutland@arm.com>,
"Wedson Almeida Filho" <wedsonaf@gmail.com>,
"Viresh Kumar" <viresh.kumar@linaro.org>,
"Lyude Paul" <lyude@redhat.com>, "Ingo Molnar" <mingo@kernel.org>,
"Mitchell Levy" <levymitchell0@gmail.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Alan Stern" <stern@rowland.harvard.edu>
Subject: Re: [PATCH v6 4/9] rust: sync: atomic: Add generic atomics
Date: Fri, 11 Jul 2025 20:34:07 +0200 [thread overview]
Message-ID: <DB9FX5XAK4JJ.3GTCC6Z5EHARV@kernel.org> (raw)
In-Reply-To: <aHEWze8p40qeNBr_@Mac.home>
On Fri Jul 11, 2025 at 3:51 PM CEST, Boqun Feng wrote:
> On Fri, Jul 11, 2025 at 03:34:47PM +0200, Benno Lossin wrote:
>> On Fri Jul 11, 2025 at 3:22 PM CEST, Boqun Feng wrote:
>> > On Fri, Jul 11, 2025 at 10:03:07AM +0200, Benno Lossin wrote:
>> > [...]
>> >> > +
>> >> > + /// Returns a pointer to the underlying atomic variable.
>> >> > + ///
>> >> > + /// Extra safety requirement on using the return pointer: the operations done via the pointer
>> >> > + /// cannot cause data races defined by [`LKMM`].
>> >>
>> >> I don't think this is correct. I could create an atomic and then share
>> >> it with the C side via this function, since I have exclusive access, the
>> >> writes to this pointer don't need to be atomic.
>> >>
>> >
>> > that's why it says "the operations done via the pointer cannot cause
>> > data races .." instead of saying "it must be atomic".
>>
>> Ah right I misread... But then the safety requirement is redundant? Data
>> races are already UB...
>>
>> >> We also don't document additional postconditions like this... If you
>> >
>> > Please see how Rust std document their `as_ptr()`:
>> >
>> > https://doc.rust-lang.org/std/sync/atomic/struct.AtomicI32.html#method.as_ptr
>> >
>> > It mentions that "Doing non-atomic reads and writes on the resulting
>> > integer can be a data race." (although the document is a bit out of
>> > date, since non-atomic read and atomic read are no longer data race now,
>> > see [1])
>>
>> That's very different from the comment you wrote though. It's not an
>> additional safety requirement, but rather a note to users of the API
>> that they should be careful with the returned pointer.
>>
>> > I think we can use the similar document structure here: providing more
>> > safety requirement on the returning pointers, and...
>> >
>> >> really would have to do it like this (which you shouldn't given the
>> >> example above), you would have to make this function `unsafe`, otherwise
>> >> there is no way to ensure that people adhere to it (since it isn't part
>> >> of the safety docs).
>> >>
>> >
>> > ...since dereferencing pointers is always `unsafe`, users need to avoid
>> > data races anyway, hence this is just additional information that helps
>> > reasoning.
>>
>> I disagree.
>>
>> As mentioned above, data races are already forbidden for raw pointers.
>> We should indeed add a note that says that non-atomic operations might
>> result in data races. But that's very different from adding an
>> additional safety requirement for using the pointer.
>>
>> And I don't think that we can add additional safety requirements to
>> dereferencing a raw pointer without an additional `unsafe` block.
>>
>
> So all your disagreement is about the "extra safety requirement" part?
> How about I drop that:
>
> /// Returns a pointer to the underlying atomic `T`.
> pub const fn as_ptr(&self) -> *mut T {
> self.0.get()
> }
Yes that's what I had in mind.
> ? I tried to add something additional information:
>
> /// Note that non-atomic reads and writes via the returned pointer may
> /// cause data races if racing with atomic reads and writes per [LKMM].
>
> but that seems redundant, because as you said, data races are UB anyway.
Yeah... I don't think the stdlib docs are too useful on this function:
Doing non-atomic reads and writes on the resulting integer can be a data
race. This method is mostly useful for FFI, where the function signature
may use *mut i32 instead of &AtomicI32.
Returning an *mut pointer from a shared reference to this atomic is safe
because the atomic types work with interior mutability. All
modifications of an atomic change the value through a shared reference,
and can do so safely as long as they use atomic operations. Any use of
the returned raw pointer requires an unsafe block and still has to
uphold the same restriction: operations on it must be atomic.
You can mention the use of this function for FFI. People might then be
discouraged from using it for other things where it doesn't make sense.
---
Cheers,
Benno
next prev parent reply other threads:[~2025-07-11 18:34 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-10 6:00 [PATCH v6 0/9] LKMM generic atomics in Rust Boqun Feng
2025-07-10 6:00 ` [PATCH v6 1/9] rust: Introduce atomic API helpers Boqun Feng
2025-07-10 6:00 ` [PATCH v6 2/9] rust: sync: Add basic atomic operation mapping framework Boqun Feng
2025-07-10 11:04 ` Benno Lossin
2025-07-10 15:12 ` Boqun Feng
2025-07-10 15:46 ` Benno Lossin
2025-07-10 16:16 ` Boqun Feng
2025-07-10 19:21 ` Benno Lossin
2025-07-10 20:29 ` Boqun Feng
2025-07-11 8:15 ` Benno Lossin
2025-07-10 6:00 ` [PATCH v6 3/9] rust: sync: atomic: Add ordering annotation types Boqun Feng
2025-07-10 11:08 ` Benno Lossin
2025-07-10 12:00 ` Andreas Hindborg
2025-07-10 14:42 ` Boqun Feng
2025-07-10 15:05 ` Benno Lossin
2025-07-10 15:57 ` Boqun Feng
2025-07-10 19:19 ` Benno Lossin
2025-07-10 18:32 ` Miguel Ojeda
2025-07-10 19:06 ` Miguel Ojeda
2025-07-10 6:00 ` [PATCH v6 4/9] rust: sync: atomic: Add generic atomics Boqun Feng
2025-07-11 8:03 ` Benno Lossin
2025-07-11 13:22 ` Boqun Feng
2025-07-11 13:34 ` Benno Lossin
2025-07-11 13:51 ` Boqun Feng
2025-07-11 18:34 ` Benno Lossin [this message]
2025-07-11 21:25 ` Boqun Feng
2025-07-11 13:58 ` Boqun Feng
2025-07-11 18:35 ` Benno Lossin
2025-07-14 7:08 ` Boqun Feng
2025-07-13 19:51 ` Boqun Feng
2025-07-10 6:00 ` [PATCH v6 5/9] rust: sync: atomic: Add atomic {cmp,}xchg operations Boqun Feng
2025-07-11 8:42 ` Benno Lossin
2025-07-10 6:00 ` [PATCH v6 6/9] rust: sync: atomic: Add the framework of arithmetic operations Boqun Feng
2025-07-11 8:53 ` Benno Lossin
2025-07-11 14:39 ` Boqun Feng
2025-07-11 17:41 ` Boqun Feng
2025-07-11 19:07 ` Benno Lossin
2025-07-11 18:55 ` Benno Lossin
2025-07-11 19:51 ` Boqun Feng
2025-07-11 21:03 ` Benno Lossin
2025-07-11 21:22 ` Boqun Feng
2025-07-14 4:20 ` Boqun Feng
2025-07-10 6:00 ` [PATCH v6 7/9] rust: sync: atomic: Add Atomic<u{32,64}> Boqun Feng
2025-07-11 8:54 ` Benno Lossin
2025-07-10 6:00 ` [PATCH v6 8/9] rust: sync: Add memory barriers Boqun Feng
2025-07-11 8:57 ` Benno Lossin
2025-07-11 13:32 ` Boqun Feng
2025-07-11 18:57 ` Benno Lossin
2025-07-11 19:26 ` Boqun Feng
2025-07-11 21:04 ` Benno Lossin
2025-07-11 21:34 ` Boqun Feng
2025-07-11 18:20 ` Boqun Feng
2025-07-14 15:42 ` Ralf Jung
2025-07-15 15:21 ` Boqun Feng
2025-07-15 15:35 ` Ralf Jung
2025-07-15 15:56 ` Boqun Feng
2025-07-16 19:42 ` Ralf Jung
2025-07-10 6:00 ` [PATCH v6 9/9] rust: sync: atomic: Add Atomic<{usize,isize}> Boqun Feng
2025-07-11 9:00 ` Benno Lossin
2025-07-11 13:45 ` Miguel Ojeda
2025-07-11 14:07 ` Boqun Feng
2025-07-11 14:40 ` Miguel Ojeda
2025-07-11 15:46 ` Boqun Feng
2025-07-11 18:35 ` Miguel Ojeda
2025-07-11 19:05 ` Benno Lossin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DB9FX5XAK4JJ.3GTCC6Z5EHARV@kernel.org \
--to=lossin@kernel.org \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=gary@garyguo.net \
--cc=gregkh@linuxfoundation.org \
--cc=levymitchell0@gmail.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lkmm@lists.linux.dev \
--cc=lyude@redhat.com \
--cc=mark.rutland@arm.com \
--cc=mingo@kernel.org \
--cc=ojeda@kernel.org \
--cc=paulmck@kernel.org \
--cc=peterz@infradead.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=tglx@linutronix.de \
--cc=tmgross@umich.edu \
--cc=torvalds@linux-foundation.org \
--cc=viresh.kumar@linaro.org \
--cc=wedsonaf@gmail.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).