Date: Mon, 25 Mar 2024 17:14:41 -0400
From: Kent Overstreet <kent.overstreet@...ux.dev>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Philipp Stanner <pstanner@...hat.com>, 
	Boqun Feng <boqun.feng@...il.com>, rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org, 
	linux-arch@...r.kernel.org, llvm@...ts.linux.dev, Miguel Ojeda <ojeda@...nel.org>, 
	Alex Gaynor <alex.gaynor@...il.com>, Wedson Almeida Filho <wedsonaf@...il.com>, 
	Gary Guo <gary@...yguo.net>, Björn Roy Baron <bjorn3_gh@...tonmail.com>, 
	Benno Lossin <benno.lossin@...ton.me>, Andreas Hindborg <a.hindborg@...sung.com>, 
	Alice Ryhl <aliceryhl@...gle.com>, Alan Stern <stern@...land.harvard.edu>, 
	Andrea Parri <parri.andrea@...il.com>, Will Deacon <will@...nel.org>, 
	Peter Zijlstra <peterz@...radead.org>, Nicholas Piggin <npiggin@...il.com>, 
	David Howells <dhowells@...hat.com>, Jade Alglave <j.alglave@....ac.uk>, 
	Luc Maranget <luc.maranget@...ia.fr>, "Paul E. McKenney" <paulmck@...nel.org>, 
	Akira Yokosawa <akiyks@...il.com>, Daniel Lustig <dlustig@...dia.com>, 
	Joel Fernandes <joel@...lfernandes.org>, Nathan Chancellor <nathan@...nel.org>, 
	Nick Desaulniers <ndesaulniers@...gle.com>, kent.overstreet@...il.com, 
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>, elver@...gle.com, Mark Rutland <mark.rutland@....com>, 
	Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, 
	Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>, 
	Catalin Marinas <catalin.marinas@....com>, linux-arm-kernel@...ts.infradead.org, 
	linux-fsdevel@...r.kernel.org
Subject: Re: [WIP 0/3] Memory model and atomic API in Rust

On Mon, Mar 25, 2024 at 12:44:34PM -0700, Linus Torvalds wrote:
> On Mon, 25 Mar 2024 at 11:59, Kent Overstreet <kent.overstreet@...ux.dev> wrote:
> >
> > To be fair, "volatile" dates from an era when we didn't have the haziest
> > understanding of what a working memory model for C would look like or
> > why we'd even want one.
> 
> I don't disagree, but I find it very depressing that now that we *do*
> know about memory models etc, the C++ memory model basically doubled
> down on the same "object" model.
> 
> > The way the kernel uses volatile in e.g. READ_ONCE() is fully in line
> > with modern thinking, just done with the tools available at the time. A
> > more modern version would be just
> >
> > __atomic_load_n(ptr, __ATOMIC_RELAXED)
> 
> Yes. Again, that's the *right* model in many ways, where you mark the
> *access*, not the variable. You make it completely and utterly clear
> that this is a very explicit access to memory.
> 
> But that's not what C++ actually did. They went down the same old
> "volatile object" road, and instead of marking the access, they mark
> the object, and the way you do the above is
> 
>     std::atomic_int value;
> 
> and then you just access 'value' and magic happens.
> 
> EXACTLY the same way that
> 
>    volatile int value;
> 
> works, in other words. With exactly the same downsides.

Yeah that's crap. Unfortunate too, because this does need to be a type
system thing and we have all the tools to do it correctly now.

What we need is for loads and stores to be explicit, and that absolutely
can and should be a type system thing.

In Rust terminology, what we want is

  Volatile<T>

where T is any type that fits in a machine word, and the only operations
it supports are get(), set(), xchg() and cmpxchg().

You DO NOT want it to be possible to transparently use Volatile<T> in
place of a regular T - in exactly the same way as an atomic_t can't be
used in place of a regular integer.
