From: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
To: "Paul E. McKenney" <paulmck@kernel.org>
Cc: Gary Guo <gary@garyguo.net>, Marco Elver <elver@google.com>,
Boqun Feng <boqun.feng@gmail.com>,
kasan-dev <kasan-dev@googlegroups.com>,
rust-for-linux <rust-for-linux@vger.kernel.org>
Subject: Re: Can the Kernel Concurrency Sanitizer Own Rust Code?
Date: Fri, 8 Oct 2021 21:53:34 +0200 [thread overview]
Message-ID: <CANiq72nLXmN0SJOQ-aGD4P2dUTs_vXBXMDnr2eWP-+R7H2ecEw@mail.gmail.com> (raw)
In-Reply-To: <20211007234247.GO880162@paulmck-ThinkPad-P17-Gen-1>
On Fri, Oct 8, 2021 at 1:42 AM Paul E. McKenney <paulmck@kernel.org> wrote:
>
> OK, I now have this:
>
> Both the unsafe Rust code and the C code can interfere with Rust
> non-unsafe code, and furthermore safe code can violate unsafe
> code's assumptions as long as it is in the same module. However,
> please note that a Rust module is a syntactic construct vaguely
> resembling a C++ namespace, and has nothing to do with a kernel
> module or a translation unit.
>
> Is that better?
For someone new to Rust, I think the paragraph may be hard to make
sense of, and there are several ways to read it.
For instance, safe code "can" violate unsafe code's assumptions in the
same module, but then it just means the module is buggy/unsound.
But if we are talking about buggy/unsound modules, then even safe code
outside the module may be able to violate the module's assumptions
too.
Instead, it is easier to talk about what Rust aims to guarantee: that
if libraries containing unsafe code are sound, then outside safe code
cannot subvert them to introduce UB.
Thus it is a conditional promise. But it is a powerful one. The point
is not that libraries may be subverted if there is a bug in them, but
that they cannot be subverted if they are correct.
As an example, take `std::vector` from C++. Correct usage of
`std::vector` will not trigger UB (as long as `std::vector` is
non-buggy). Rust aims to guarantee something extra: that even
*incorrect* safe code using `Vec` will not be able to trigger UB (as
long as `Vec` and other abstractions are non-buggy).
As you see, the condition "as long as X is non-buggy" remains. But
that is OK -- it does not mean encapsulation is useless: it still
allows to effectively contain UB.
Put another way, C and C++ APIs are the trivial / reduced case for
what Rust aims to guarantee. For instance, we can think of C++
`std::vector` as a Rust type where every method is marked as `unsafe`.
As such, Rust would be able to provide its guarantee vacuously --
there are no safe APIs to call to begin with.
To be clear, this "incorrect" usage includes maliciously-written safe
code. So it even has some merits as an "extra layer of protection"
against Minnesota-style or "Underhanded C Contest"-style code (at
least regarding vulnerabilities that exploit UB).
Cheers,
Miguel
next prev parent reply other threads:[~2021-10-08 19:53 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-07 13:01 Can the Kernel Concurrency Sanitizer Own Rust Code? Marco Elver
2021-10-07 14:15 ` Boqun Feng
2021-10-07 14:22 ` Marco Elver
2021-10-07 14:43 ` Boqun Feng
2021-10-07 17:44 ` Miguel Ojeda
2021-10-07 18:50 ` Paul E. McKenney
2021-10-07 21:42 ` Gary Guo
2021-10-07 22:30 ` Paul E. McKenney
2021-10-07 23:06 ` Gary Guo
2021-10-07 23:42 ` Paul E. McKenney
2021-10-07 23:59 ` Gary Guo
2021-10-08 0:27 ` comex
2021-10-08 17:40 ` Paul E. McKenney
2021-10-08 21:32 ` Miguel Ojeda
2021-10-09 0:08 ` Paul E. McKenney
2021-10-09 16:31 ` Miguel Ojeda
2021-10-09 23:59 ` Paul E. McKenney
2021-10-11 1:24 ` Miguel Ojeda
2021-10-11 19:01 ` Paul E. McKenney
2021-10-13 11:48 ` Miguel Ojeda
2021-10-13 16:07 ` Paul E. McKenney
2021-10-13 17:50 ` Wedson Almeida Filho
2021-10-14 3:35 ` Paul E. McKenney
2021-10-14 8:03 ` Wedson Almeida Filho
2021-10-14 19:43 ` Paul E. McKenney
2021-10-15 15:06 ` Wedson Almeida Filho
2021-10-15 23:29 ` Paul E. McKenney
2021-10-08 19:53 ` Miguel Ojeda [this message]
2021-10-08 23:57 ` Paul E. McKenney
2021-10-09 16:30 ` Miguel Ojeda
2021-10-09 23:48 ` Paul E. McKenney
2021-10-11 0:59 ` Miguel Ojeda
2021-10-11 18:52 ` Paul E. McKenney
2021-10-13 11:47 ` Miguel Ojeda
2021-10-13 23:29 ` Paul E. McKenney
2021-10-22 19:17 ` Miguel Ojeda
2021-10-22 20:34 ` Paul E. McKenney
2021-10-07 16:30 ` Paul E. McKenney
2021-10-07 16:35 ` Marco Elver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CANiq72nLXmN0SJOQ-aGD4P2dUTs_vXBXMDnr2eWP-+R7H2ecEw@mail.gmail.com \
--to=miguel.ojeda.sandonis@gmail.com \
--cc=boqun.feng@gmail.com \
--cc=elver@google.com \
--cc=gary@garyguo.net \
--cc=kasan-dev@googlegroups.com \
--cc=paulmck@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).