From: "Paul E. McKenney" <paulmck@kernel.org>
To: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
Cc: Gary Guo <gary@garyguo.net>, Marco Elver <elver@google.com>,
Boqun Feng <boqun.feng@gmail.com>,
kasan-dev <kasan-dev@googlegroups.com>,
rust-for-linux <rust-for-linux@vger.kernel.org>
Subject: Re: Can the Kernel Concurrency Sanitizer Own Rust Code?
Date: Fri, 8 Oct 2021 17:08:38 -0700 [thread overview]
Message-ID: <20211009000838.GV880162@paulmck-ThinkPad-P17-Gen-1> (raw)
In-Reply-To: <CANiq72mOWV2SiF24E=NMB-zc2mK_UFH=CvDFxN+vdtyjy-Wm0A@mail.gmail.com>
On Fri, Oct 08, 2021 at 11:32:34PM +0200, Miguel Ojeda wrote:
> On Fri, Oct 8, 2021 at 7:40 PM Paul E. McKenney <paulmck@kernel.org> wrote:
> >
> > Just in case there is lingering confusion, my purpose in providing an
> > example from the field of safety-critical systems was nothing more or
> > less than to derive an extreme lower bound for the expected bug rate in
>
> Yes, safety-critical systems usually have lower rate of bugs, but they
> can actually be very buggy as long as they comply with requirements...
> :P
If it complies with requirements, is it really a bug? And while we are
at it, I need to make an insignificant change to those requirements. ;-)
> > production software. Believe me, there is no way that I am advocating
> > use of Rust as it currently exists for use in safety-critical systems!
> > Not that this will necessarily prevent such use, mind you! ;-)
>
> Well, people are already working on bringing Rust to safety-critical domains! :)
Hey, they have been using C for quite some time! In at least some cases,
with the assistance of formal verification tooling that takes the C code
as input (cbmc, for example).
> In any case, for example, DO-178 describes the software development
> process, but does not require a particular language to be used even if
> a particular project following that standard may do so.
And how many of those boxes are ticked by the usual open-source processes?
Nicholas Mc Guire talks about this from time to time.
One challenge for use of Rust in my previous work with similar standards
would be repeatability. It would be necessary to carefully identify and
archive the Rust compiler.
> > From what I have seen, people prevent unsafe Rust code from introducing
> > UB by adding things, for example assertions and proofs of correctness.
> > Each and every one of those added things have a non-zero probability
> > of themselves containing bugs or mistakes. Therefore, a Rust program
> > containing a sufficiently large quantity of unsafe code will with high
> > probability invoke UB.
> >
> > Hopefully, a much lower UB-invocation probability than a similar quantity
> > of C code, but nevertheless, a decidedly non-zero probability.
> >
> > So what am I missing here?
>
> Rust does not guarantee UB-freedom in an absolute way -- after all,
> there is unsafe code in the standard library, we have unsafe code in
> the kernel abstractions, the compiler may have bugs, the hardware may
> misbehave, there may be a single-event upset, etc.
>
> However, the key is to understand Rust as a way to minimize unsafe
> code, and therefore minimize the chances of UB happening.
>
> Let's take an example: we need to dereference a pointer 10 times in a
> driver. And 10 more times in another driver. We may do it writing
> `unsafe` many times in every driver, and checking that every single
> usage does not trigger UB. This is fine, and we can write Rust code
> like that, but is not buying us much. And, as you say, if we keep
> accumulating those dereferences, the probability of a mistake grows
> and grows.
The real fun in device drivers is the MMIO references, along with the
IOMMU, the occasional cache-incoherent device, and so on.
> Instead, we could write an abstraction that provides a safe way to do
> the same thing. Then we can focus our efforts in checking the
> abstraction, and reuse it everywhere, in all drivers.
>
> That abstraction does not guarantee there is no UB -- after all, it
> may have a bug, or someone else may corrupt our memory, or the
> hardware may have a bug, etc. However, that abstraction is promising
> that, as long as there is no other UB subverting it, then it will not
> allow safe code to create UB.
>
> Therefore, as a driver writer, as long as I keep writing only safe
> code, I do not have to care about introducing UB. As a reviewer, if
> the driver does not contain unsafe code, I don't need to worry about
> any UB either. If UB is actually introduced, then the bug is in the
> abstractions, not the safe driver.
>
> Thus we are reducing the amount of places where we risk using a
> potentially-UB operation.
So Rust is an attempt to let the compiler writers have their UB while
inflicting at least somewhat less inconvenience on those of us poor
fools using the resulting compilers? If so, I predict that the compiler
writers will work hard to exploit additional UB until such time as Rust
is at least as unsound as the C language currently is.
Sorry, but you did leave yourself wide open for that one!!! ;-)
Thanx, Paul
next prev parent reply other threads:[~2021-10-09 0:08 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-07 13:01 Can the Kernel Concurrency Sanitizer Own Rust Code? Marco Elver
2021-10-07 14:15 ` Boqun Feng
2021-10-07 14:22 ` Marco Elver
2021-10-07 14:43 ` Boqun Feng
2021-10-07 17:44 ` Miguel Ojeda
2021-10-07 18:50 ` Paul E. McKenney
2021-10-07 21:42 ` Gary Guo
2021-10-07 22:30 ` Paul E. McKenney
2021-10-07 23:06 ` Gary Guo
2021-10-07 23:42 ` Paul E. McKenney
2021-10-07 23:59 ` Gary Guo
2021-10-08 0:27 ` comex
2021-10-08 17:40 ` Paul E. McKenney
2021-10-08 21:32 ` Miguel Ojeda
2021-10-09 0:08 ` Paul E. McKenney [this message]
2021-10-09 16:31 ` Miguel Ojeda
2021-10-09 23:59 ` Paul E. McKenney
2021-10-11 1:24 ` Miguel Ojeda
2021-10-11 19:01 ` Paul E. McKenney
2021-10-13 11:48 ` Miguel Ojeda
2021-10-13 16:07 ` Paul E. McKenney
2021-10-13 17:50 ` Wedson Almeida Filho
2021-10-14 3:35 ` Paul E. McKenney
2021-10-14 8:03 ` Wedson Almeida Filho
2021-10-14 19:43 ` Paul E. McKenney
2021-10-15 15:06 ` Wedson Almeida Filho
2021-10-15 23:29 ` Paul E. McKenney
2021-10-08 19:53 ` Miguel Ojeda
2021-10-08 23:57 ` Paul E. McKenney
2021-10-09 16:30 ` Miguel Ojeda
2021-10-09 23:48 ` Paul E. McKenney
2021-10-11 0:59 ` Miguel Ojeda
2021-10-11 18:52 ` Paul E. McKenney
2021-10-13 11:47 ` Miguel Ojeda
2021-10-13 23:29 ` Paul E. McKenney
2021-10-22 19:17 ` Miguel Ojeda
2021-10-22 20:34 ` Paul E. McKenney
2021-10-07 16:30 ` Paul E. McKenney
2021-10-07 16:35 ` Marco Elver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211009000838.GV880162@paulmck-ThinkPad-P17-Gen-1 \
--to=paulmck@kernel.org \
--cc=boqun.feng@gmail.com \
--cc=elver@google.com \
--cc=gary@garyguo.net \
--cc=kasan-dev@googlegroups.com \
--cc=miguel.ojeda.sandonis@gmail.com \
--cc=rust-for-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).