From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
Cc: Christoph Hellwig <hch@infradead.org>,
rust-for-linux <rust-for-linux@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Greg KH <gregkh@linuxfoundation.org>,
David Airlie <airlied@gmail.com>,
linux-kernel@vger.kernel.org, ksummit@lists.linux.dev
Subject: Re: Rust kernel policy
Date: Wed, 19 Feb 2025 11:03:28 -0500 [thread overview]
Message-ID: <a627845f73f2f7bedc7a820cfdf476be9993e30f.camel@HansenPartnership.com> (raw)
In-Reply-To: <CANiq72nnnOsGZDrPDm8iWxYn2FL=wJqx-P8aS63dFYez3_FEOg@mail.gmail.com>
On Wed, 2025-02-19 at 16:08 +0100, Miguel ol9 wrote:
> On Wed, Feb 19, 2025 at 3:05 PM James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
> >
> > So here's a proposal to fix this: could we not annotate the C
> > headers with the API information in such a way that a much improved
> > rust bindgen can simply generate the whole cloth API binding from
> > the C code? We would also need an enhanced sparse like tool for C
> > that checked the annotations and made sure they got updated.
> > Something like this wouldn't solve every unintentional rust build
> > break, but it would fix quite a few of them. And more to the
> > point, it would allow non-rust developers to update the kernel API
> > with much less fear of breaking rust.
>
> This has come up a few times, and we indeed would like to have some
> annotations in the C headers so that we can generate more (and to
> keep the information local).
>
> For instance, it would be nice to have bindgen's `__opaque` near the
> C items, or being able to mark functions as `__safe`, or to have
> other `enum`s-related annotations, or even custom attributes, as well
> as "formatted-formally-enough" docs so that can be rendered properly
> on the Rust side, or even references/lifetimes with an eventual "Safe
> C"-like approach, and so on and so forth.
>
> However, even if we automate more and even reach a point where most C
> APIs are e.g. "safe" (which would be great),
I wouldn't say C API safety would be the main goal, although it might
be a nice add on feature.
> it wouldn't prevent breakage -- the C APIs would still need to be
> stable enough so that you don't break callers,
Just so we're on the same page, kernel API stability can't be the goal.
We can debate how valuable the current API instability is, but it's a
fact of life. The point of the proposal is not to stabilise the C API
but to allow the instability to propagate more easily to the rust side.
> including C ones. It would still be great to have that information
> formally expressed, though, of course, and it would help maintain the
> Rust sid
This very much depends on how the callers are coded, I think. When I
looked at Wedson's ideas on this, the C API contracts were encoded in
the headers, so mostly only the headers not the body of the code had to
change (so the headers needed updating when the C API contract
changed). If the enhanced bindgen produces new headers then code like
this will just update without breaking (I admit not all code will work
like that, but it's still a useful property).
> We have also discussed at times is documenting the C side more, e.g.
> the pre/post/invariants we use on the Rust side. That would be useful
> for the C side to know something is being relied upon from Rust (and
> other C callers) and for the Rust side to document why something is
> sound. Of course, it is a lot of work, and the more we can express as
> code instead of as documentation, the better.
So I do think this feeds into the documentation project as well. We've
already decided that the best way to document an API is in the code for
it, so adding annotations that can be checked is better than adding
docbook that not many people check; although hopefully we could still
generate documentation from the annotations.
Regards,
James
next prev parent reply other threads:[~2025-02-19 16:03 UTC|newest]
Thread overview: 183+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-09 20:56 Rust kernel policy Miguel Ojeda
2025-02-18 16:08 ` Christoph Hellwig
2025-02-18 16:35 ` Jarkko Sakkinen
2025-02-18 16:39 ` Jarkko Sakkinen
2025-02-18 18:08 ` Jarkko Sakkinen
2025-02-18 21:22 ` Boqun Feng
2025-02-19 6:20 ` Jarkko Sakkinen
2025-02-19 6:35 ` Dave Airlie
2025-02-19 11:37 ` Jarkko Sakkinen
2025-02-19 13:25 ` Geert Uytterhoeven
2025-02-19 13:40 ` Jarkko Sakkinen
2025-02-19 7:05 ` Boqun Feng
2025-02-19 11:32 ` Jarkko Sakkinen
2025-02-18 17:36 ` Jiri Kosina
2025-02-20 6:33 ` Christoph Hellwig
2025-02-20 18:40 ` Alexei Starovoitov
2025-02-18 18:46 ` Miguel Ojeda
2025-02-18 21:49 ` H. Peter Anvin
2025-02-18 22:38 ` Dave Airlie
2025-02-18 22:54 ` Miguel Ojeda
2025-02-19 0:58 ` H. Peter Anvin
2025-02-19 3:04 ` Boqun Feng
2025-02-19 5:07 ` NeilBrown
2025-02-19 5:39 ` Greg KH
2025-02-19 15:05 ` Laurent Pinchart
2025-02-20 20:49 ` Lyude Paul
2025-02-21 19:24 ` Laurent Pinchart
2025-02-20 7:03 ` Martin Uecker
2025-02-20 7:10 ` Greg KH
2025-02-20 8:57 ` Martin Uecker
2025-02-20 13:46 ` Dan Carpenter
2025-02-20 14:09 ` Martin Uecker
2025-02-20 14:38 ` H. Peter Anvin
2025-02-20 15:25 ` Dan Carpenter
2025-02-20 15:49 ` Willy Tarreau
2025-02-22 15:30 ` Kent Overstreet
2025-02-20 14:53 ` Greg KH
2025-02-20 15:40 ` Martin Uecker
2025-02-21 0:46 ` Miguel Ojeda
2025-02-21 9:48 ` Dan Carpenter
2025-02-21 16:28 ` Martin Uecker
2025-02-21 17:43 ` Steven Rostedt
2025-02-21 18:07 ` Linus Torvalds
2025-02-21 18:19 ` Steven Rostedt
2025-02-21 18:31 ` Martin Uecker
2025-02-21 19:30 ` Linus Torvalds
2025-02-21 19:59 ` Martin Uecker
2025-02-21 20:11 ` Linus Torvalds
2025-02-22 7:20 ` Martin Uecker
2025-02-21 22:24 ` Steven Rostedt
2025-02-21 23:04 ` Linus Torvalds
2025-02-22 17:53 ` Kent Overstreet
2025-02-22 18:44 ` Linus Torvalds
2025-02-23 16:42 ` David Laight
2025-02-22 18:42 ` Linus Torvalds
2025-02-22 9:45 ` Dan Carpenter
2025-02-22 10:25 ` Martin Uecker
2025-02-22 11:07 ` Greg KH
2025-02-21 18:23 ` Martin Uecker
2025-02-21 22:14 ` Steven Rostedt
2025-03-01 13:22 ` Askar Safin
2025-03-01 13:55 ` Martin Uecker
2025-03-02 6:50 ` Kees Cook
2025-02-21 18:11 ` Theodore Ts'o
2025-02-24 8:12 ` Dan Carpenter
2025-02-20 22:08 ` Paul E. McKenney
2025-02-22 23:42 ` Piotr Masłowski
2025-02-23 8:10 ` Martin Uecker
2025-02-23 23:31 ` comex
2025-02-24 9:08 ` Ventura Jack
2025-02-24 18:03 ` Martin Uecker
2025-02-20 12:28 ` Jan Engelhardt
2025-02-20 12:37 ` Greg KH
2025-02-20 13:23 ` H. Peter Anvin
2025-02-20 13:51 ` Willy Tarreau
2025-02-20 15:17 ` C aggregate passing (Rust kernel policy) Jan Engelhardt
2025-02-20 16:46 ` Linus Torvalds
2025-02-20 20:34 ` H. Peter Anvin
2025-02-21 8:31 ` HUANG Zhaobin
2025-02-21 18:34 ` David Laight
2025-02-21 19:12 ` Linus Torvalds
2025-02-21 20:07 ` comex
2025-02-21 21:45 ` David Laight
2025-02-22 6:32 ` Willy Tarreau
2025-02-22 6:37 ` Willy Tarreau
2025-02-22 8:41 ` David Laight
2025-02-22 9:11 ` Willy Tarreau
2025-02-21 20:06 ` Jan Engelhardt
2025-02-21 20:23 ` Laurent Pinchart
2025-02-21 20:24 ` Laurent Pinchart
2025-02-21 22:02 ` David Laight
2025-02-21 22:13 ` Bart Van Assche
2025-02-22 5:56 ` comex
2025-02-21 20:26 ` Linus Torvalds
2025-02-20 22:13 ` Rust kernel policy Paul E. McKenney
2025-02-21 5:19 ` Felipe Contreras
2025-02-21 5:36 ` Boqun Feng
2025-02-21 5:59 ` Felipe Contreras
2025-02-21 7:04 ` Dave Airlie
2025-02-24 20:27 ` Felipe Contreras
2025-02-24 20:37 ` Boqun Feng
2025-02-26 2:42 ` Felipe Contreras
2025-02-22 16:04 ` Kent Overstreet
2025-02-22 17:10 ` Ventura Jack
2025-02-22 17:34 ` Kent Overstreet
2025-02-23 2:08 ` Bart Van Assche
2025-02-19 5:53 ` Alexey Dobriyan
2025-02-19 5:59 ` Dave Airlie
2025-02-22 18:46 ` Kent Overstreet
2025-02-19 12:37 ` Miguel Ojeda
2025-02-20 11:26 ` Askar Safin
2025-02-20 12:33 ` vpotach
2025-02-19 18:52 ` Kees Cook
2025-02-19 19:08 ` Steven Rostedt
2025-02-19 19:17 ` Kees Cook
2025-02-19 20:27 ` Jason Gunthorpe
2025-02-19 20:46 ` Steven Rostedt
2025-02-19 20:52 ` Bart Van Assche
2025-02-19 21:07 ` Steven Rostedt
2025-02-20 16:05 ` Jason Gunthorpe
2025-02-20 8:13 ` Jarkko Sakkinen
2025-02-20 8:16 ` Jarkko Sakkinen
2025-02-20 11:57 ` Fiona Behrens
2025-02-20 14:07 ` Jarkko Sakkinen
2025-02-21 10:19 ` Jarkko Sakkinen
2025-02-22 12:10 ` Miguel Ojeda
2025-03-04 11:17 ` Fiona Behrens
2025-03-04 17:48 ` Jarkko Sakkinen
2025-02-20 9:55 ` Leon Romanovsky
2025-02-19 19:33 ` H. Peter Anvin
2025-02-20 6:32 ` Alexey Dobriyan
2025-02-20 6:53 ` Greg KH
2025-02-20 8:44 ` Alexey Dobriyan
2025-02-20 13:53 ` Willy Tarreau
2025-02-20 16:04 ` Jason Gunthorpe
2025-02-20 12:01 ` H. Peter Anvin
2025-02-20 12:13 ` H. Peter Anvin
2025-02-20 23:42 ` Miguel Ojeda
2025-02-22 15:21 ` Kent Overstreet
2025-02-20 6:42 ` Christoph Hellwig
2025-02-20 23:44 ` Miguel Ojeda
2025-02-21 15:24 ` Simona Vetter
2025-02-22 12:10 ` Miguel Ojeda
2025-02-26 13:17 ` Fiona Behrens
2025-02-21 0:39 ` Linus Torvalds
2025-02-21 12:16 ` Danilo Krummrich
2025-02-21 15:59 ` Steven Rostedt
2025-02-23 18:03 ` Laurent Pinchart
2025-02-23 18:31 ` Linus Torvalds
2025-02-26 16:05 ` Jason Gunthorpe
2025-02-26 19:32 ` Linus Torvalds
2025-02-19 8:05 ` Dan Carpenter
2025-02-19 14:14 ` James Bottomley
2025-02-19 14:30 ` Geert Uytterhoeven
2025-02-19 14:46 ` Martin K. Petersen
2025-02-19 14:51 ` Bartosz Golaszewski
2025-02-19 15:15 ` James Bottomley
2025-02-19 15:33 ` Willy Tarreau
2025-02-19 15:45 ` Laurent Pinchart
2025-02-19 15:46 ` James Bottomley
2025-02-19 15:56 ` Willy Tarreau
2025-02-19 16:07 ` Laurent Pinchart
2025-02-19 16:15 ` Willy Tarreau
2025-02-19 16:32 ` Laurent Pinchart
2025-02-19 16:34 ` Willy Tarreau
2025-02-19 16:33 ` Steven Rostedt
2025-02-19 16:47 ` Andrew Lunn
2025-02-19 18:22 ` Jarkko Sakkinen
2025-02-20 6:26 ` Alexey Dobriyan
2025-02-20 15:37 ` Steven Rostedt
2025-02-19 17:00 ` Martin K. Petersen
2025-02-19 15:13 ` Steven Rostedt
2025-02-19 14:05 ` James Bottomley
2025-02-19 15:08 ` Miguel Ojeda
2025-02-19 16:03 ` James Bottomley [this message]
2025-02-19 16:44 ` Miguel Ojeda
2025-02-19 17:06 ` Theodore Ts'o
2025-02-20 23:40 ` Miguel Ojeda
2025-02-22 15:03 ` Kent Overstreet
2025-02-20 16:03 ` James Bottomley
2025-02-20 23:47 ` Miguel Ojeda
2025-02-20 6:48 ` Christoph Hellwig
2025-02-20 12:56 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a627845f73f2f7bedc7a820cfdf476be9993e30f.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=airlied@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=ksummit@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=miguel.ojeda.sandonis@gmail.com \
--cc=rust-for-linux@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).