From: Marcelo Moreira <marcelomoreira1905@gmail.com>
To: Benno Lossin <lossin@kernel.org>
Cc: aliceryhl@google.com, dakr@kernel.org, ojeda@kernel.org,
rust-for-linux@vger.kernel.org, skhan@linuxfoundation.org,
linux-kernel-mentees@lists.linuxfoundation.org,
~lkcamp/patches@lists.sr.ht
Subject: Re: [PATCH v7 3/3] rust: revocable: Document RevocableGuard invariants/safety and refine Deref safety
Date: Tue, 22 Jul 2025 18:23:39 -0300 [thread overview]
Message-ID: <CAPZ3m_jepxCD-dr+gyun_=hb-fHX_yxTunsd4JX98nt4XmnEQA@mail.gmail.com> (raw)
In-Reply-To: <DBIIZ28TA8SD.XY1W0S6G280F@kernel.org>
Em ter., 22 de jul. de 2025 às 07:51, Benno Lossin <lossin@kernel.org> escreveu:
>
> On Tue Jul 22, 2025 at 1:01 AM CEST, Marcelo Moreira wrote:
> > Em seg., 21 de jul. de 2025 às 11:21, Benno Lossin <lossin@kernel.org> escreveu:
> >> On Mon Jul 21, 2025 at 3:01 AM CEST, Marcelo Moreira wrote:
> >> > Refinements include:
> >> > - `RevocableGuard`'s invariants are updated to precisely state that
> >> > `data_ref` is valid as long as the RCU read-side lock is held.
> >> > - The `RevocableGuard::new` constructor is made `unsafe`, explicitly
> >> > requiring callers to guarantee the validity of the raw pointer and
> >> > RCU read-side lock lifetime.
> >> > - A new `SAFETY` comment is added to `Revocable::try_access` to
> >> > justify the `unsafe` call to `RevocableGuard::new`, detailing how
> >> > `Self`'s type invariants and the active RCU read-side lock ensure data
> >> > validity for reads.
> >> > - The `Deref` implementation's `SAFETY` comment for `RevocableGuard`
> >> > is refined.
> >> >
> >> > Signed-off-by: Marcelo Moreira <marcelomoreira1905@gmail.com>
> >> > ---
> >> > rust/kernel/revocable.rs | 25 ++++++++++++++++++-------
> >> > 1 file changed, 18 insertions(+), 7 deletions(-)
> >> >
> >> > diff --git a/rust/kernel/revocable.rs b/rust/kernel/revocable.rs
> >> > index 6d8e9237dbdf..0048de23ab44 100644
> >> > --- a/rust/kernel/revocable.rs
> >> > +++ b/rust/kernel/revocable.rs
> >> > @@ -106,9 +106,12 @@ pub fn new(data: impl PinInit<T>) -> impl PinInit<Self> {
> >> > pub fn try_access(&self) -> Option<RevocableGuard<'_, T>> {
> >> > let guard = rcu::read_lock();
> >> > if self.is_available.load(Ordering::Relaxed) {
> >> > - // Since `self.is_available` is true, data is initialised and has to remain valid
> >> > - // because the RCU read side lock prevents it from being dropped.
> >> > - Some(RevocableGuard::new(self.data.get(), guard))
> >> > + // SAFETY:
> >> > + // - `self.data` is valid for reads because of `Self`'s type invariants:
> >> > + // `self.is_available` is true.
> >> > + // - The RCU read-side lock is active via `guard`, preventing `self.data`
> >> > + // from being dropped and ensuring its validity for the guard's lifetime.
> >>
> >> This shouldn't be needed.
> >
> > hmm, about what exactly?
> >
> > Are you suggesting to:
> > 1. Simplify the content of the `SAFETY`, is it too verbose?
>
> It's not too verbose. The requirement of holding the RCU read-side lock
> is not a *safety requirement*. It's already guaranteed by the existence
> of the `rcu::Guard` instance, so we don't need to concern ourselves with
> it in the safety requirements.
>
> Essentially you're just stating a tautology in the safety comment like
> saying "2 + 2 = 4".
Thanks for showing me that Benno.
So we can keep it like this:
// SAFETY: `self.data` is valid for reads because of `Self`'s type invariants:
// `self.is_available` is true.
Sounds good?
--
Cheers,
Marcelo Moreira
next prev parent reply other threads:[~2025-07-22 21:23 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-21 1:01 [PATCH v7 0/3] rust: revocable: Documentation and safety refinements Marcelo Moreira
2025-07-21 1:01 ` [PATCH v7 1/3] rust: revocable: Clarify write invariant and update safety comments Marcelo Moreira
2025-07-21 1:01 ` [PATCH v7 2/3] rust: revocable: Refactor revocation mechanism to remove generic revoke_internal Marcelo Moreira
2025-07-21 1:01 ` [PATCH v7 3/3] rust: revocable: Document RevocableGuard invariants/safety and refine Deref safety Marcelo Moreira
2025-07-21 14:20 ` Benno Lossin
2025-07-21 23:01 ` Marcelo Moreira
2025-07-22 10:51 ` Benno Lossin
2025-07-22 21:23 ` Marcelo Moreira [this message]
2025-07-23 14:22 ` Benno Lossin
2025-07-23 23:49 ` Marcelo Moreira
2025-07-24 10:30 ` Benno Lossin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAPZ3m_jepxCD-dr+gyun_=hb-fHX_yxTunsd4JX98nt4XmnEQA@mail.gmail.com' \
--to=marcelomoreira1905@gmail.com \
--cc=aliceryhl@google.com \
--cc=dakr@kernel.org \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=lossin@kernel.org \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=~lkcamp/patches@lists.sr.ht \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).