Conversation

Thinking about Rust in the kernel again, does Rust have some kind of generic version of the idea of unsafe/safe code, as an attribute? Often in kernel land you're allowed to call functions only in certain contexts (process, atomic, etc.) and locking has to follow an order.

171

Replying to

It can be represented this in the type system with ownership similar to managing resources, lock scopes, etc. Those functions can require a reference to the type of object representing the required state and then it's not possible to call them outside of the lifetime of it.

Replying to

That's not practical because it would mean *every* function has to take such a reference, since the default is "may sleep". The problem isn't functions requiring a special context, it's functions forbidding *all but* a special context.

Daniel Micay

@DanielMicay

Replying to

@marcan42

It's not able to represent the inverse of that. If there's any way to use a function in a type or memory unsafe way it has to be marked unsafe. Safe code doesn't have non-atomic data races, etc. Most of this is already covered by safe vs. unsafe. You have to make safe primitives.

8:11 AM · May 16, 2022Twitter Web App

Who can reply?

People @marcan42 follows or mentioned can reply

Replying to

and

It's incorrect to use unsafe blocks to make safe functions where there's a way to use them in a way that causes undefined behavior, including via concurrency. Locking has to be properly turned into safe primitives. It has to be done that way or it can't be non-unsafe Rust code.

Replying to

You're confused about what I want. This isn't about memory safety. It's about execution state. You can't call nonatomic functions from atomic context not because they'll corrupt memory, but because they may deadlock.

Show replies