Conversation

Thinking about Rust in the kernel again, does Rust have some kind of generic version of the idea of unsafe/safe code, as an attribute? Often in kernel land you're allowed to call functions only in certain contexts (process, atomic, etc.) and locking has to follow an order.

171

Replying to

It can be represented this in the type system with ownership similar to managing resources, lock scopes, etc. Those functions can require a reference to the type of object representing the required state and then it's not possible to call them outside of the lifetime of it.

Replying to

That's not practical because it would mean *every* function has to take such a reference, since the default is "may sleep". The problem isn't functions requiring a special context, it's functions forbidding *all but* a special context.

Replying to

It's not able to represent the inverse of that. If there's any way to use a function in a type or memory unsafe way it has to be marked unsafe. Safe code doesn't have non-atomic data races, etc. Most of this is already covered by safe vs. unsafe. You have to make safe primitives.

Replying to

and

It's incorrect to use unsafe blocks to make safe functions where there's a way to use them in a way that causes undefined behavior, including via concurrency. Locking has to be properly turned into safe primitives. It has to be done that way or it can't be non-unsafe Rust code.

Replying to

You're confused about what I want. This isn't about memory safety. It's about execution state. You can't call nonatomic functions from atomic context not because they'll corrupt memory, but because they may deadlock.

Replying to

and

For example, safe code will often use mutexes to control access to shared resources, and you are not allowed to lock mutexes in atomic context since that operation may sleep. Obviously we can't mark every function that locks a mutex unsafe. It's a different concept.

Replying to

and

There is a hierarchy of execution contexts you are allowed to be in, that you traverse with locking and IRQ disable operations (plus some special cases). Functions can require a broader context, not a narrower one. That's the opposite of how memory safety / locking works.

Replying to

and

With memory safety you start out with *nothing* allowed, and you can only access objects you own/borrowed, and acquire ownership of or create more as you go. With execution context, you start out with *everything* allowed, and cut that down as you lock deeper.

Daniel Micay

@DanielMicay

Replying to

@marcan42

I do understand what you want which is a generic effects system. Rust used to have a non-generic form of a single class of effect: pure vs. non-pure functions. It was very primitive and was missing the type system tools needed to avoid ruining making APIs with closures/generics.

8:32 AM · May 16, 2022Twitter Web App

Likes

Who can reply?

People @marcan42 follows or mentioned can reply

Replying to

and

Since it doesn't have effects, the best you can do is trying to enforce rules via the ownership system which is often completely impractical. It's also not quite as capable at truly enforcing things as it seems because the chosen trade-off was that safe code can skip destructors.

Replying to

and

Safe code wasn't going to be allowed to create reference cycles but it required crippling Rc<T> and Arc<T> with type bounds preventing cycles. Could have developed something to make that less awful but it was decided it should just be safe with consequences that weren't foreseen.

Show replies