lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <7d77b05f-393e-48d9-9f3f-31b80a64ae7a@ralfj.de>
Date: Thu, 27 Feb 2025 19:44:56 +0100
From: Ralf Jung <post@...fj.de>
To: Linus Torvalds <torvalds@...ux-foundation.org>,
 Martin Uecker <uecker@...raz.at>
Cc: "Paul E. McKenney" <paulmck@...nel.org>, Alice Ryhl
 <aliceryhl@...gle.com>, Ventura Jack <venturajack85@...il.com>,
 Kent Overstreet <kent.overstreet@...ux.dev>, Gary Guo <gary@...yguo.net>,
 airlied@...il.com, boqun.feng@...il.com, david.laight.linux@...il.com,
 ej@...i.de, gregkh@...uxfoundation.org, hch@...radead.org, hpa@...or.com,
 ksummit@...ts.linux.dev, linux-kernel@...r.kernel.org,
 miguel.ojeda.sandonis@...il.com, rust-for-linux@...r.kernel.org
Subject: Re: C aggregate passing (Rust kernel policy)

Hi,

> So "safe rust" should generally not be impacted, and you can make the
> very true argument that safe rust can be optimized more aggressively
> and migth be faster than unsafe rust.
> 
> And I think that should be seen as a feature, and as a basic tenet of
> safe vs unsafe. A compiler *should* be able to do better when it
> understands the code fully.

That's not quite how it works in Rust. One basic tenet of unsafe is that unsafe 
does not impact program semantics at all. It would be very surprising to most 
Rust folks if adding or removing or changing the scope of an unsafe block could 
change what my program does (assuming the program still builds and passes the 
usual safety checks).

Now, is there an interesting design space for a language where the programmer 
somehow marks blocks of code where the semantics should be "more careful"? 
Absolutely, I think that is quite interesting. However, it's also not at all 
clear to me how that should actually be done, if you try to get down to it and 
write out the proper precise, ideally even formal, spec. Rust is not exploring 
that design space, at least not thus far. In fact, it is common in Rust to use 
`unsafe` to get better performance (e.g., by using a not-bounds-checked array 
access), and so it would be counter to the goals of those people if we then 
optimized their code less because it uses `unsafe`.

There's also the problem that quite a few optimizations rely on "universal 
properties" -- properties that are true everywhere in the program. If you allow 
even the smallest exception, that reasoning breaks down. Aliasing rules are an 
example of that: there's no point in saying "references are subject to strict 
aliasing requirements in safe code, but in unsafe blocks you are allowed to 
break that". That would be useless, then we might as well remove the aliasing 
requirements entirely (for the optimizer; we'd keep the borrow checker of 
course). The entire point of aliasing requirements is that when I optimize safe 
code with no unsafe code in sight, I can make assumptions about the code in the 
rest of the program. If I cannot make those assumptions any more, because some 
unsafe code somewhere might actually legally break the aliasing rules, then I 
cannot even optimize safe code any more. (I can still do the always-correct 
purely local aliasing analysis you mentioned, of course. But I can no longer use 
the Rust type system to provide any guidance, not even in entirely safe code.)

Kind regards,
Ralf

> 
>> There would certainly be opposition if this fundamentally
>> diverges from C++ because no compiler framework will seriously
>> consider implementing a completely different memory model
>> for C (or for Rust) than for C++.
> 
> Well, if the C++ peoiple end up working on some "safe C" model, I bet
> they'll face the same issues.
> 
>> I could also imagine that the problem here is that it is
>> actually very difficult for compilers to give the guarantess
>> you want, because they evolved from compilers
>> doing optimization for single threads and and one would
>> have to fix a lot of issues in the optimizers.  So the
>> actually problem here might be that nobody wants to pay
>> for fixing the compilers.
> 
> I actually suspect that most of the work has already been done in practice.
> 
> As mentioned, some time ago I checked the whole issue of
> rematerializing loads, and at least gcc doesn't rematerialize loads
> (and I just double-checked: bad_for_rematerialization_p() returns true
> for mem-ops)
> 
> I have this memory that people told me that clang similarly
> 
> And the C standards committee already made widening stores invalid due
> to threading issues.
> 
> Are there other issues? Sure. But remat of memory loads is at least
> one issue, and it's one that has been painful for the kernel - not
> because compilers do it, but because we *fear* compilers doing it so
> much.
> 
>             Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ