[WIP 0/3] Memory model and atomic API in Rust

Kent Overstreet kent.overstreet at linux.dev
Wed Mar 27 14:49:41 PDT 2024


On Wed, Mar 27, 2024 at 02:21:03PM -0700, Boqun Feng wrote:
> On Wed, Mar 27, 2024 at 03:41:16PM -0400, Kent Overstreet wrote:
> > On Wed, Mar 27, 2024 at 12:07:26PM -0700, Linus Torvalds wrote:
> > > On Wed, 27 Mar 2024 at 11:51, Kent Overstreet <kent.overstreet at linux.dev> wrote:
> > > >
> > > > On Wed, Mar 27, 2024 at 09:16:09AM -0700, comex wrote:
> > > > > Meanwhile, Rust intentionally lacks strict aliasing.
> > > >
> > > > I wasn't aware of this. Given that unrestricted pointers are a real
> > > > impediment to compiler optimization, I thought that with Rust we were
> > > > finally starting to nail down a concrete enough memory model to tackle
> > > > this safely. But I guess not?
> > > 
> > > Strict aliasing is a *horrible* mistake.
> > > 
> > > It's not even *remotely* "tackle this safely". It's the exact
> > > opposite. It's completely broken.
> > > 
> > > Anybody who thinks strict aliasing is a good idea either
> > > 
> > >  (a) doesn't understand what it means
> > > 
> > >  (b) has been brainwashed by incompetent compiler people.
> > > 
> > > it's a horrendous crock that was introduced by people who thought it
> > > was too complicated to write out "restrict" keywords, and that thought
> > > that "let's break old working programs and make it harder to write new
> > > programs" was a good idea.
> > 
> > Strict aliasing is crap in C and C++ because we started out with
> > unrestricted pointers, and it just doesn't work in C and C++ with the
> > realities of the kind of code we have to write, and we never got any
> > kind of a model that would have made it workable. Never mind trying to
> > graft that onto existing codebases...
> > 
> > (Restrict was crap too... no scoping, nothing but a single f*cking
> > keyword? Who ever thought _that_ was going to work?)
> > 
> > _But_: the lack of any aliasing guarantees means that writing through
> > any pointer can invalidate practically anything, and this is a real
> 
> I don't know whether I'm 100% correct on this, but Rust has references,
> so things like "you have a unique reference to a part of memory, no one
> would touch it in the meanwhile" are represented by `&mut`, to get a
> `&mut` from a raw pointer, you need unsafe, where programmers can
> provide the reasoning of the safety of the accesses. More like "pointers
> can alias anyone but references cannot" to me.

That's not really a workable rule because in practice every data
structure has unsafe Rust underneath. Strict aliasing would mean that
unsafe Rust very much has to follow the aliasing rules too.
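The rule Boqun describes above, shown as an added example in runnable Rust (not code from this thread): raw pointers to one cell may alias freely, whereas a `&mut` minted from a raw pointer in `unsafe` code must be the only live access to that cell for as long as it exists, which is exactly the obligation that unsafe code underneath a data structure has to uphold. All function names here are hypothetical.

```rust
// Added example; not from the mailing-list thread.
use std::ptr;

/// Raw pointers carry no uniqueness claim, so two of them may alias the
/// same cell and be used interchangeably. This is sound because no `&`
/// or `&mut` to `cell` is live while the raw accesses happen.
pub fn raw_pointers_may_alias() -> i32 {
    let mut cell = 1i32;
    let p: *mut i32 = &mut cell;
    let q: *mut i32 = p; // `q` aliases `p`; the compiler assumes nothing here
    // SAFETY: both pointers are valid and aligned, and no reference to
    // `cell` exists for the duration of these accesses.
    unsafe {
        ptr::write(p, 10);
        ptr::write(q, ptr::read(p) + 5); // write through one, read via the other
        ptr::read(p) // observes the write made through `q`
    }
}

/// Turning a raw pointer into `&mut` is the `unsafe` step: while `r` is
/// live, nothing else may touch the pointee (not even through `p`), so the
/// reference is confined to a block that ends before `p` is used again.
///
/// # Safety
/// `p` must be valid for reads and writes, and the caller must not access
/// the pointee by any other path for the duration of this call.
pub unsafe fn scoped_mut_ref(p: *mut i32) -> i32 {
    {
        // SAFETY: guaranteed by this function's contract; `r` is the only
        // access to the pointee and is dropped at the end of this block.
        let r: &mut i32 = unsafe { &mut *p };
        *r *= 2;
    }
    // SAFETY: `p` is still valid and `r` is no longer live, so going back
    // to raw accesses does not violate the uniqueness `r` claimed.
    unsafe { ptr::read(p) }
}

/// Driver showing the two results on a constructed input: the raw-pointer
/// round trip yields 15, and doubling 4 through a scoped `&mut` yields 8
/// both as the returned value and as the cell's final contents.
pub fn demo() -> (i32, i32, i32) {
    let aliased = raw_pointers_may_alias();
    let mut cell = 4i32;
    // SAFETY: `cell` is a live local and nothing else accesses it during the call.
    let doubled = unsafe { scoped_mut_ref(&mut cell) };
    (aliased, doubled, cell)
}
```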



More information about the linux-arm-kernel mailing list