From: Gary Guo <gary@garyguo.net>
To: "Paul E. McKenney" <paulmck@kernel.org>
Cc: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>,
Marco Elver <elver@google.com>, Boqun Feng <boqun.feng@gmail.com>,
kasan-dev <kasan-dev@googlegroups.com>,
rust-for-linux <rust-for-linux@vger.kernel.org>
Subject: Re: Can the Kernel Concurrency Sanitizer Own Rust Code?
Date: Fri, 8 Oct 2021 00:59:58 +0100 [thread overview]
Message-ID: <20211008005958.0000125d@garyguo.net> (raw)
In-Reply-To: <20211007234247.GO880162@paulmck-ThinkPad-P17-Gen-1>
On Thu, 7 Oct 2021 16:42:47 -0700
"Paul E. McKenney" <paulmck@kernel.org> wrote:
> > I don't see why LTO is significant in the argument. Doing LTO or not
> > wouldn't change the number of bugs. It could make a bug more or less
> > visible, but buggy code remains buggy and bug-free code remains
> > bug-free.
> >
> > If I have expose a safe `invoke_ub` function in a translation unit
> > that internally causes UB using unsafe code, and have another
> > all-safe-code crate calling it, then the whole program has UB
> > regardless LTO is enabled or not.
>
> Here is the problem we face. The least buggy project I know of was a
> single-threaded safety-critical project that was subjected to
> stringent code-style constraints and heavy-duty formal verification.
> There was also a testing phase at the end of the validation process,
> but any failure detected by the test was considered to be a critical
> bug not only against the software under test, but also against the
> formal verification phase.
>
> The results were impressive, coming in at about 0.04 bugs per thousand
> lines of code (KLoC), that is, about one bug per 25,000 lines of code.
>
> But that is still way more than zero bugs. And I seriously doubt that
> Rust will be anywhere near this level.
>
> A more typical bug rate is about 1-3 bugs per KLoC.
>
> Suppose Rust geometrically splits the difference between the better
> end of typical experience (1 bug per KLoC) and that safety-critical
> project (again, 0.04 bugs per KLoC), that is to say 0.2 bugs per KLoC.
> (The arithmetic mean would give 0.52 bugs per KLoC, so I am being
> Rust-optimistic here.)
>
> In a project the size of the Linux kernel, that still works out to
> some thousands of bugs.
>
> So in the context of the Linux kernel, the propagation of bugs will
> still be important, even if the entire kernel were to be converted to
> Rust.
There is a distinction between what is considered safe in Rust and what
is considered safe in safety-critical systems. Miguel's LPC talk
(https://youtu.be/ORwYx5_zmZo?t=1749) summarizes this really well. A
large Rust program would no doubt contain bugs, but it is quite
possible that it's UB-free.
I should probably say that doing LTO or not wouldn't make a UB-free
program exhibit UB (assuming LLVM doesn't introduce any during LTO).
- Gary
next prev parent reply other threads:[~2021-10-08 0:00 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-07 13:01 Can the Kernel Concurrency Sanitizer Own Rust Code? Marco Elver
2021-10-07 14:15 ` Boqun Feng
2021-10-07 14:22 ` Marco Elver
2021-10-07 14:43 ` Boqun Feng
2021-10-07 17:44 ` Miguel Ojeda
2021-10-07 18:50 ` Paul E. McKenney
2021-10-07 21:42 ` Gary Guo
2021-10-07 22:30 ` Paul E. McKenney
2021-10-07 23:06 ` Gary Guo
2021-10-07 23:42 ` Paul E. McKenney
2021-10-07 23:59 ` Gary Guo [this message]
2021-10-08 0:27 ` comex
2021-10-08 17:40 ` Paul E. McKenney
2021-10-08 21:32 ` Miguel Ojeda
2021-10-09 0:08 ` Paul E. McKenney
2021-10-09 16:31 ` Miguel Ojeda
2021-10-09 23:59 ` Paul E. McKenney
2021-10-11 1:24 ` Miguel Ojeda
2021-10-11 19:01 ` Paul E. McKenney
2021-10-13 11:48 ` Miguel Ojeda
2021-10-13 16:07 ` Paul E. McKenney
2021-10-13 17:50 ` Wedson Almeida Filho
2021-10-14 3:35 ` Paul E. McKenney
2021-10-14 8:03 ` Wedson Almeida Filho
2021-10-14 19:43 ` Paul E. McKenney
2021-10-15 15:06 ` Wedson Almeida Filho
2021-10-15 23:29 ` Paul E. McKenney
2021-10-08 19:53 ` Miguel Ojeda
2021-10-08 23:57 ` Paul E. McKenney
2021-10-09 16:30 ` Miguel Ojeda
2021-10-09 23:48 ` Paul E. McKenney
2021-10-11 0:59 ` Miguel Ojeda
2021-10-11 18:52 ` Paul E. McKenney
2021-10-13 11:47 ` Miguel Ojeda
2021-10-13 23:29 ` Paul E. McKenney
2021-10-22 19:17 ` Miguel Ojeda
2021-10-22 20:34 ` Paul E. McKenney
2021-10-07 16:30 ` Paul E. McKenney
2021-10-07 16:35 ` Marco Elver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211008005958.0000125d@garyguo.net \
--to=gary@garyguo.net \
--cc=boqun.feng@gmail.com \
--cc=elver@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=miguel.ojeda.sandonis@gmail.com \
--cc=paulmck@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).