Re: [PATCH v2] rust: doc: Clarify safety invariants for Revocable type

rust-for-linux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: "Benno Lossin" <lossin@kernel.org>
To: "Danilo Krummrich" <dakr@kernel.org>
Cc: "Marcelo Moreira" <marcelomoreira1905@gmail.com>,
	<benno.lossin@proton.me>, <ojeda@kernel.org>,
	<rust-for-linux@vger.kernel.org>, <skhan@linuxfoundation.org>,
	<linux-kernel-mentees@lists.linuxfoundation.org>,
	<~lkcamp/patches@lists.sr.ht>
Subject: Re: [PATCH v2] rust: doc: Clarify safety invariants for Revocable type
Date: Mon, 19 May 2025 14:26:05 +0200	[thread overview]
Message-ID: <DA04WHRZBBS0.17WRMWDF0A335@kernel.org> (raw)
In-Reply-To: <aCsX-k0K_jqLvD4e@pollux>

On Mon May 19, 2025 at 1:37 PM CEST, Danilo Krummrich wrote:
> On Mon, May 19, 2025 at 01:10:32PM +0200, Benno Lossin wrote:
>> On Mon May 19, 2025 at 11:55 AM CEST, Danilo Krummrich wrote:
>> > On Mon, May 19, 2025 at 11:18:42AM +0200, Benno Lossin wrote:
>> > Why not? Please show me a case where `is_available` is false, but I can still
>> > technically access data (without violating a safety requirement).
>> 
>>     let r: Arc<Revocable<i32>> = ...;
>>     let guard = r.try_access().unwrap(); // nobody else is holding a reference, so this can't fail
>> 
>>     let r2 = r.clone();
>> 
>>     // I know we don't have threads, but I don't want to have to look up
>>     // how to use the workqueue or something else...
>>     thread::spawn(move || {
>>         r2.revoke();
>>     });
>> 
>>     for _ in 0..10_000_000 {
>>         // do some non-sleeping work that takes a while
>>     }
>> 
>>     // now the thread above has executed `self.is_available.swap(false, Ordering::Relaxed)`
>>     // in `revoke_internal` and is waiting for the `synchronize_rcu` call to return.
>>     // but we can still access `guard`:
>> 
>>     pr_info!("{}", &*guard);
>
> Which is perfectly correct, you're right. I think I was too focused on the
> optimization case. :-)

And I was assuming the example was obvious with just saying "But the
`is_available` atomic *can* be altered during the usage of `data`." :-)

>> > However, this invariant does not need to be fulfilled for access() and
>> 
>> Where is `access()` defined?
>
> https://gitlab.freedesktop.org/drm/nova/-/commit/46f91addfabbd4109fb64876a032ae4a4a924919

"Reviewed-by: Benno Lossin <benno.lossin@proton.me>" huh, I already
forgot about the patch... But that also shouldn't be difficult to
support with the right invariant.

>> > revoke_nosync(), because it would circumvent their purpose, i.e. cases where an
>> > abstraction can prove that there can't be a concurrent user of the data or a
>> > concurrent user revoking the data respectively.
>> 
>> Yes. How about something like "`data` is valid while `is_available` is
>> true. It also is valid if the RCU read-side lock is being held and it
>> was taken while `is_available` was true."?
>> 
>> That should also cover the "nobody else is accessing this" case.
>
> Sounds good to me!

I'm not happy with the sentence structure, so how about:

* `data` is valid for reads in two cases:
    * while `is_available` is true, or
    * while the RCU read-side lock is taken and it was acquired while `is_available` was `true`.
* `data` is valid for writes when `is_available` was atomically changed from `true` to `false`.

The last one is needed in order to call `drop_in_place`.

---
Cheers,
Benno

next prev parent reply	other threads:[~2025-05-19 12:26 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-03 14:53 [PATCH v2] rust: doc: Clarify safety invariants for Revocable type Marcelo Moreira
2025-05-09 10:10 ` Benno Lossin
2025-05-17  0:03   ` Marcelo Moreira
2025-05-17  8:19     ` Benno Lossin
2025-05-17  9:54   ` Danilo Krummrich
2025-05-17 19:09     ` Benno Lossin
2025-05-19  8:50       ` Danilo Krummrich
2025-05-19  9:18         ` Benno Lossin
2025-05-19  9:55           ` Danilo Krummrich
2025-05-19 11:10             ` Benno Lossin
2025-05-19 11:37               ` Danilo Krummrich
2025-05-19 12:26                 ` Benno Lossin [this message]
2025-05-23  0:13                   ` Marcelo Moreira
2025-05-23  8:42                     ` Benno Lossin
2025-05-23  8:55                       ` Danilo Krummrich
2025-05-23 11:53                         ` Benno Lossin
2025-05-26  2:10                           ` Marcelo Moreira
2025-05-23  7:19                   ` Danilo Krummrich
2025-05-23  8:31                     ` Benno Lossin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DA04WHRZBBS0.17WRMWDF0A335@kernel.org \
    --to=lossin@kernel.org \
    --cc=benno.lossin@proton.me \
    --cc=dakr@kernel.org \
    --cc=linux-kernel-mentees@lists.linuxfoundation.org \
    --cc=marcelomoreira1905@gmail.com \
    --cc=ojeda@kernel.org \
    --cc=rust-for-linux@vger.kernel.org \
    --cc=skhan@linuxfoundation.org \
    --cc=~lkcamp/patches@lists.sr.ht \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).