From: Gary Guo <gary@garyguo.net>
To: "Paul E. McKenney" <paulmck@kernel.org>
Cc: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>,
Marco Elver <elver@google.com>, Boqun Feng <boqun.feng@gmail.com>,
kasan-dev <kasan-dev@googlegroups.com>,
rust-for-linux <rust-for-linux@vger.kernel.org>
Subject: Re: Can the Kernel Concurrency Sanitizer Own Rust Code?
Date: Fri, 8 Oct 2021 00:06:01 +0100 [thread overview]
Message-ID: <20211008000601.00000ba1@garyguo.net> (raw)
In-Reply-To: <20211007223010.GN880162@paulmck-ThinkPad-P17-Gen-1>
On Thu, 7 Oct 2021 15:30:10 -0700
"Paul E. McKenney" <paulmck@kernel.org> wrote:
> For C/C++, I would have written "translation unit". But my guess is
> that "Rust module" would work better.
>
> Thoughts?
Module is not a translation unit in Rust, it is more like C++
namespaces. The translation unit equivalent in Rust is crate.
> And the definition of a module is constrained to be contained within a
> given translation unit, correct?
Correct.
> But what prevents unsafe Rust code in one translation unit from
> violating the assumptions of safe Rust code in another translation
> unit, Rust modules notwithstanding? Especially if that unsafe code
> contains a bug?
Unsafe code obviously can do all sorts of crazy things and hence
they're unsafe :)
However your article is talking about "safe code can violate unsafe
code's assumptions" and this would only apply if they are in the same
Rust module.
When one writes a safe abstraction using unsafe code they need to prove
that the usage is correct. Most properties used to construct such a
proof would be a local type invariant (like `ptr` being a valid,
non-null pointer in `File` example).
Sometimes the code may rely on invariants of a foreign type that it
depends on (e.g. If I have a `ptr: NonNull<bindings::file>` then I
would expect `ptr.as_ptr()` to be non-null, and `as_ptr` is indeed
implemented in Rust's libcore as safe code. But safe code of a
*downstream* crate cannot violate upstream unsafe code's assumption.
>
> Finally, are you arguing that LTO cannot under any circumstances
> inflict a bug in Rust unsafe code on Rust safe code in some other
> translation unit? Or just that if there are no bugs in Rust code
> (either safe or unsafe), that LTO cannot possibly introduce any?
I don't see why LTO is significant in the argument. Doing LTO or not
wouldn't change the number of bugs. It could make a bug more or less
visible, but buggy code remains buggy and bug-free code remains
bug-free.
If I have expose a safe `invoke_ub` function in a translation unit that
internally causes UB using unsafe code, and have another
all-safe-code crate calling it, then the whole program has UB
regardless LTO is enabled or not.
- Gary
next prev parent reply other threads:[~2021-10-07 23:06 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-07 13:01 Can the Kernel Concurrency Sanitizer Own Rust Code? Marco Elver
2021-10-07 14:15 ` Boqun Feng
2021-10-07 14:22 ` Marco Elver
2021-10-07 14:43 ` Boqun Feng
2021-10-07 17:44 ` Miguel Ojeda
2021-10-07 18:50 ` Paul E. McKenney
2021-10-07 21:42 ` Gary Guo
2021-10-07 22:30 ` Paul E. McKenney
2021-10-07 23:06 ` Gary Guo [this message]
2021-10-07 23:42 ` Paul E. McKenney
2021-10-07 23:59 ` Gary Guo
2021-10-08 0:27 ` comex
2021-10-08 17:40 ` Paul E. McKenney
2021-10-08 21:32 ` Miguel Ojeda
2021-10-09 0:08 ` Paul E. McKenney
2021-10-09 16:31 ` Miguel Ojeda
2021-10-09 23:59 ` Paul E. McKenney
2021-10-11 1:24 ` Miguel Ojeda
2021-10-11 19:01 ` Paul E. McKenney
2021-10-13 11:48 ` Miguel Ojeda
2021-10-13 16:07 ` Paul E. McKenney
2021-10-13 17:50 ` Wedson Almeida Filho
2021-10-14 3:35 ` Paul E. McKenney
2021-10-14 8:03 ` Wedson Almeida Filho
2021-10-14 19:43 ` Paul E. McKenney
2021-10-15 15:06 ` Wedson Almeida Filho
2021-10-15 23:29 ` Paul E. McKenney
2021-10-08 19:53 ` Miguel Ojeda
2021-10-08 23:57 ` Paul E. McKenney
2021-10-09 16:30 ` Miguel Ojeda
2021-10-09 23:48 ` Paul E. McKenney
2021-10-11 0:59 ` Miguel Ojeda
2021-10-11 18:52 ` Paul E. McKenney
2021-10-13 11:47 ` Miguel Ojeda
2021-10-13 23:29 ` Paul E. McKenney
2021-10-22 19:17 ` Miguel Ojeda
2021-10-22 20:34 ` Paul E. McKenney
2021-10-07 16:30 ` Paul E. McKenney
2021-10-07 16:35 ` Marco Elver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211008000601.00000ba1@garyguo.net \
--to=gary@garyguo.net \
--cc=boqun.feng@gmail.com \
--cc=elver@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=miguel.ojeda.sandonis@gmail.com \
--cc=paulmck@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.