From: Danilo Krummrich <dakr@kernel.org>
To: Benno Lossin <benno.lossin@proton.me>
Cc: Tamir Duberstein <tamird@gmail.com>,
ojeda@kernel.org, alex.gaynor@gmail.com, boqun.feng@gmail.com,
gary@garyguo.net, bjorn3_gh@protonmail.com,
a.hindborg@kernel.org, aliceryhl@google.com, tmgross@umich.edu,
andrewjballance@gmail.com, rust-for-linux@vger.kernel.org
Subject: Re: [PATCH 1/2] rust: alloc: extend safety requirements of Vec::set_len()
Date: Mon, 17 Mar 2025 19:28:07 +0100 [thread overview]
Message-ID: <Z9hpt_al01uNCZz-@cassiopeiae> (raw)
In-Reply-To: <D8IPZQHSFFUP.KRO1145IG1RQ@proton.me>
On Mon, Mar 17, 2025 at 05:33:51PM +0000, Benno Lossin wrote:
> On Mon Mar 17, 2025 at 4:57 PM CET, Danilo Krummrich wrote:
> > On Mon, Mar 17, 2025 at 02:57:51PM +0000, Benno Lossin wrote:
> >> On Mon Mar 17, 2025 at 12:12 PM CET, Danilo Krummrich wrote:
> >> > On Mon, Mar 17, 2025 at 09:52:07AM +0000, Benno Lossin wrote:
> >> >> On Sun Mar 16, 2025 at 8:09 PM CET, Danilo Krummrich wrote:
> >> >> > On Sun, Mar 16, 2025 at 07:59:34PM +0100, Danilo Krummrich wrote:
> >> >> >> But let's define it then; what about:
> >> >> >>
> >> >> >> "[`Vec::set_len`] takes (or kepps) ownership of all elements within the range
> >> >> >> [0; `new_len`] and abandons ownership of all values outside of this range, if
> >> >> >> any."
> >> >> >>
> >> >> >> The caller may take ownership of the abandoned elements."
> >> >> >>
> >> >> >> I'd argue that giving up ownership, while offering someone else to take it means
> >> >> >> that it implies that otherwise we'll just end up forgetting about the value.
> >> >> >
> >> >> > Btw. I'd still prefer if we could enforce that the caller has to document what
> >> >> > should happen to the abandoned value. But I acknowledge that the safety comment
> >> >> > isn't the scope for it.
> >> >> >
> >> >> > It'd be great if e.g. clippy would give us a tool to do something analogous to
> >> >> > safety comments.
> >> >> >
> >> >> > It think it would be useful to enfoce some additional safety documentation. For
> >> >> > instance, I think the kernel would much benefit if we could enforce that
> >> >> > mem::forget() must be justified with a comment, since as mentioned ina previous
> >> >> > mail, it can cause fatal bugs, for instance when used on lock guards.
> >> >>
> >> >> I get where you're coming from, but this probably will very quickly get
> >> >> out of hand.
> >> >>
> >> >> For example, I can define `forget` safely:
> >> >>
> >> >> fn forget<T>(value: T) {
> >> >> struct Cycle<T> {
> >> >> this: RefCell<Option<Arc<Self>>>,
> >> >> value: T,
> >> >> }
> >> >> let cycle = Arc::new(Cycle { this: RefCell::new(None), value });
> >> >> *cycle.this.borrow_mut() = Some(cycle.clone());
> >> >> }
> >> >>
> >> >> How would you ensure that this kind of pattern doesn't get written
> >> >> accidentally (or with many indirections)?
> >> >
> >> > I don't think that the possibility of writing safe (but yet buggy) code is an
> >> > argument against having the possibility of enforcing that a caller must write a
> >> > comment for justification on certain things, such as mem::forget().
> >>
> >> My argument is that the problem of forgetting a value is not
> >> self-contained like `unsafe` code is. Even if we were to document all
> >> `forget` or `ManuallyDrop::new` invocations (which we definitely should)
> >> we wouldn't get the security that one can't accidentally forget a lock
> >> guard. I'm totally in favor of mandating an explaining comment above
> >> `forget` calls (but not as a `SAFETY` comment).
> >
> > Oh, I see where the misunderstanding might lie.
> >
> > Let's take a look at FileDescriptorReservation::fd_install(). My proposal is to
> > have something like:
> >
> > // SANITY: `fd_install` consumed file descriptor
> > core::mem::forget(self);
> > // SANITY: `fd_install` consumed file reference
> > core::mem::forget(file);
> >
> > Where we have e.g. clippy to complain if there is no "SANITY" (or whatever we
> > call it) comment for mem::forget().
> >
> > I'm not proposing a SAFETY comment.
>
> Ok, that's good :)
>
> As for having a dedicated `SANITY` comment, I'm not sold yet. I'll think
> a bit more.
>
> >> > But there's another reason I think having something like this could be
> >> > problematic: It might set the wrong incentive, as in "hey, I can just use a
> >> > "sanity requirement" in my function rather figuring out how to ensure it through
> >> > the type system, etc.".
> >>
> >> I don't understand your point here, can you explain it more?
> >
> > Does the explanation above make this concern clear for you?
>
> Do you mean having sanity requirements would lead to people putting less
> effort into designing a type system solution?
That'd be one concern, yes.
next prev parent reply other threads:[~2025-03-17 18:28 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-15 15:43 [PATCH 1/2] rust: alloc: extend safety requirements of Vec::set_len() Danilo Krummrich
2025-03-15 15:43 ` [PATCH 2/2] rust: alloc: add missing invariant in Vec::set_len() Danilo Krummrich
2025-03-15 15:52 ` Danilo Krummrich
2025-03-15 17:44 ` Benno Lossin
2025-04-07 12:10 ` Danilo Krummrich
2025-03-15 16:06 ` [PATCH 1/2] rust: alloc: extend safety requirements of Vec::set_len() Tamir Duberstein
2025-03-15 17:44 ` Benno Lossin
2025-03-15 18:36 ` Danilo Krummrich
2025-03-16 0:33 ` Tamir Duberstein
2025-03-16 9:38 ` Benno Lossin
2025-03-16 12:31 ` Danilo Krummrich
2025-03-16 12:42 ` Tamir Duberstein
2025-03-16 13:01 ` Danilo Krummrich
2025-03-16 13:13 ` Tamir Duberstein
2025-03-16 13:46 ` Danilo Krummrich
2025-03-16 17:40 ` Benno Lossin
2025-03-16 18:59 ` Danilo Krummrich
2025-03-16 19:09 ` Danilo Krummrich
2025-03-16 19:30 ` Tamir Duberstein
2025-03-16 20:54 ` Danilo Krummrich
2025-03-16 21:10 ` Tamir Duberstein
2025-03-16 21:17 ` Danilo Krummrich
2025-03-16 21:20 ` Tamir Duberstein
2025-03-16 21:52 ` Tamir Duberstein
2025-03-16 21:59 ` Danilo Krummrich
2025-03-17 9:52 ` Benno Lossin
2025-03-17 11:12 ` Danilo Krummrich
2025-03-17 14:57 ` Benno Lossin
2025-03-17 15:57 ` Danilo Krummrich
2025-03-17 16:03 ` Miguel Ojeda
2025-03-17 17:33 ` Benno Lossin
2025-03-17 18:28 ` Danilo Krummrich [this message]
2025-03-16 12:08 ` Danilo Krummrich
2025-03-17 10:36 ` Alice Ryhl
-- strict thread matches above, loose matches on Subject: below --
2025-03-17 9:46 Benno Lossin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z9hpt_al01uNCZz-@cassiopeiae \
--to=dakr@kernel.org \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=andrewjballance@gmail.com \
--cc=benno.lossin@proton.me \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=gary@garyguo.net \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tamird@gmail.com \
--cc=tmgross@umich.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).