Re: [PATCH v8 02/14] rust: hrtimer: introduce hrtimer support

[Boqun Feng <boqun.feng@gmail.com>]

On Fri, Feb 21, 2025 at 08:08:09PM -0500, Tamir Duberstein wrote:
> On Fri, Feb 21, 2025 at 5:37 PM Boqun Feng <boqun.feng@gmail.com> wrote:
> >
> > On Fri, Feb 21, 2025 at 02:46:07PM -0500, Tamir Duberstein wrote:
> > > On Fri, Feb 21, 2025 at 10:19 AM Boqun Feng <boqun.feng@gmail.com> wrote:
> > > >
> > > > On Fri, Feb 21, 2025 at 09:46:08AM -0500, Tamir Duberstein wrote:
> > > > > On Fri, Feb 21, 2025 at 9:40 AM Boqun Feng <boqun.feng@gmail.com> wrote:
> > > > > >
> > > > > > Hmm... if you mean:
> > > > > >
> > > > > > trait HasHrTimer {
> > > > > >     unsafe fn start(&self, expires: Ktime) {
> > > > > >         ...
> > > > > >     }
> > > > > > }
> > > > > >
> > > > > > Then it'll be problematic because the pointer derived from `&self`
> > > > > > doesn't have write provenance, therefore in a timer callback, the
> > > > > > pointer cannot be used for write, which means for example you cannot
> > > > > > convert the pointer back into a `Pin<Box<HasTimer>>`.
> > > > > >
> > > > > > To answer Tamir's question, pointers are heavily used here because we
> > > > > > need to preserve the provenance.
> > > > >
> > > > > Wouldn't the natural implication be that &mut self is needed? Maybe
> > > >
> > > > For an `Arc<HasTimer>`, you cannot get `&mut self`.
> > > >
> > > > > you can help me understand why pointers can express a contract that
> > > > > references can't?
> > > >
> > > > I assume you already know what a pointer provenance is?
> > > >
> > > >         http://doc.rust-lang.org/std/ptr/index.html#provenance
> > > >
> > > > Passing a pointer (including offset operation on it) preserves the
> > > > provenance (determined as derive time), however, deriving a pointer from
> > > > a reference gives the pointer a provenance based on the reference type.
> > > > For example, let's say we have an `Arc<i32>` and a clone:
> > > >
> > > >         let arc = Arc::new(42);
> > > >         let clone = arc.clone();
> > > >
> > > > you can obviously do a into_raw() + from_raw() pair:
> > > >
> > > >         let ptr = Arc::into_raw(arc);
> > > >         let arc = unsafe { Arc::from_raw(arc) };
> > > >
> > > > however, if you create a reference based on `Arc::into_raw()`, and then
> > > > derive a pointer from that, you change the provenance, therefore the
> > > > below code would generate UB:
> > > >
> > > >         // cannot mutably borrow because of clone.
> > > >         let ptr = unsafe { &*Arc::into_raw(arc) } as *const i32;
> > > >
> > > >         let arc = unsafe { Arc::from_raw(ptr) };
> > > >
> > > >
> > > > (playground code snippet for this example)
> > > >
> > > >         https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=15e051db46c3886b29ed02e579562278
> > > >
> > > > As you already know, the whole thing about pointers/references here is
> > > > passing the value to the callback and the callback can "reconstruct" the
> > > > data, in such a case, reborrowing in the middle of the chain into a
> > > > reference is not necessary, and as the above shows, it can be
> > > > problematic.
> > > >
> > > > Hope this could be helpful.
> > > >
> > > > Regards,
> > > > Boqun
> > >
> > > Thanks for the explanation. I think where I'm still confused is that
> > > provenance is to pointers as the type system is to references. In
> > > other words, it's not clear to me how using pointers solves the
> > > problem of wanting to write through an Arc. Is the idea that the
> > > pointer inside the Arc has write provenance, and that by doing pointer
> > > offsets instead of going through references we get to break rules
> > > about mutability?
> >
> > Sort of, but we don't actually break any rule here, because pointer are
> > supposed to be unsafe to dereference ;-)
> >
> > Regards,
> > Boqun
> 
> Doesn't this mean that any holder of Arc<HasHrTimer> can obtain a
> pointer to the timer, and interact with it concurrently with other
> holders? Isn't this a problem?

If so, do you have a case in mind? I.e. could you show two concurrent
user of `Arc<HasHrTimer>` end up racing with each other? Note that
hrtimer function on C side usually provides some locking mechanism
therefore concurrently calling won't cause a problem.

Regards,
Boqun