| Message ID | 20230517095905.3548100-1-aliceryhl@google.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp1035895vqo;
Wed, 17 May 2023 03:52:38 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ4BM1/umhOZgQLX/3iwMFzUa+3MyYTvzx1CJHpyeID8NxdWczoVFmAFvF+ET81Fv/25sDMq
X-Received: by 2002:a05:6a21:789c:b0:100:607:b986 with SMTP id
bf28-20020a056a21789c00b001000607b986mr44287858pzc.56.1684320757943;
Wed, 17 May 2023 03:52:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1684320757; cv=none;
d=google.com; s=arc-20160816;
b=cwnxvN1u/zzB7zLlyWR6+ckv0rq9kSn2NWpupPvfcLg8MwFz1wbET0FGj/63euCJc9
Raqja1/jMiuf9vtvoJKo+fhxC1Imc00Mr1/5swCirw3I4gzHEM8XV/YUMNeVKXpBzXKf
K4GpCYMKsx07jBrEws6shXqDSexWW8VAsignUaR5dVQ0+KkR5HVNBq7OXhlQ48PDif5b
5gOY+3Hd5zQeWMr0MFm4z3CMVqO2ZHVgj3prunZxwyZHxR8XU84Vk55ACrVy5MCWiZpG
bAtYErnDv17K4CYTDmz9A9iBZWj6NFZyxAhJzyAio0rYKzEtQeXOGY4omXd9Xv+Jk7uk
jD/Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:cc:to:from:subject:message-id:mime-version:date
:dkim-signature;
bh=oVJvngviayRWrsi8hPEk5VyWaF+LdxzTgL6t46JKF4M=;
b=yXBBvQLZ38tcZIH4HCNpZBtpCXDC56JP39HxGJ47Nn/dmDGXxZA1dX5K6pc1kWNLy/
8xHO7MnbZu7eRAWxvbTOigg2LLHNAWPxLeXfNAT37XSnsaG0CqZTvB6qQuDgVBvB8W/K
QUZhoxAto6IY4SQ1xRRBOAwVO0S+WCl3A1pN2TQdWxiXYM8meYGTmzPNJfdEiNCZG6nS
bHWGmj1sDyJ3gefwfKQDb+sxFK/ln54AHAI/mPeaeQ1MAG2Zw4ixLfruYvPUkgNiVmLz
iYt97kh/oCkqjto57GBqbT0QfVsMb4QKwLx5EKPUCBdRBuWkcNIU/GdBzdgku8rgz1YD
eXpg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@google.com header.s=20221208 header.b=KecI38Q9;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
o25-20020a639219000000b0052c842e5185si20914304pgd.96.2023.05.17.03.52.25;
Wed, 17 May 2023 03:52:37 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@google.com header.s=20221208 header.b=KecI38Q9;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S230169AbjEQJ71 (ORCPT <rfc822;pacteraone@gmail.com> + 99 others);
Wed, 17 May 2023 05:59:27 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34796 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230184AbjEQJ7V (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 17 May 2023 05:59:21 -0400
Received: from mail-ej1-x649.google.com (mail-ej1-x649.google.com
[IPv6:2a00:1450:4864:20::649])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 639A95FE2
for <linux-kernel@vger.kernel.org>;
Wed, 17 May 2023 02:59:15 -0700 (PDT)
Received: by mail-ej1-x649.google.com with SMTP id
a640c23a62f3a-94a34d3e5ebso61580766b.3
for <linux-kernel@vger.kernel.org>;
Wed, 17 May 2023 02:59:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20221208; t=1684317554; x=1686909554;
h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject
:date:message-id:reply-to;
bh=oVJvngviayRWrsi8hPEk5VyWaF+LdxzTgL6t46JKF4M=;
b=KecI38Q9xTWAE0PprFQml7YSBfXofANn7rQwnOlqGZQhMFXccrFjTplXYrzs4eN+zL
EOs4w1CsvnWy4Sl7/g2Q04dfjnQcFZ0PU3eNVE3of+GxwjTtqvjXaMMaCLB45mXBvxQ8
XQyUxZ+6WAI4I+ZwpHt8lMyNKBe30GTIDb3KwJZOIP8cWvdLWbRNUfSab3fBbxm/wQU6
4GBbokznler4dGVzWDXLxxPibCJKbrZkNleLTOX149a8i79MvxPSG9vVwxARsKwBi6x8
VL6QSfteq/nEsNQCxnnU6qdc7q9PZquW7l+93/XCP0DeU/rYfLLxKVvpu0Psb7JsdBk5
NELg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20221208; t=1684317554; x=1686909554;
h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state
:from:to:cc:subject:date:message-id:reply-to;
bh=oVJvngviayRWrsi8hPEk5VyWaF+LdxzTgL6t46JKF4M=;
b=L0qmQS9hUmgfJj5rut/zWavK+t7gaB/4jB0FjQy5miJAQXrwaDRaVsDVbk7FuRgPk4
os3NYXWESmeX0hYkNt5bJxvWym1jkFK8cZguJyMkKaWx2TBzZalzqAjfBM+Jrpsq4SIv
It9tj2cXE9HlJikeh9w5BDGdtGIl6Efy4SvnoNF+dSvqt0P4MXxydfVVsU5CaT3GZXMl
l/N2hcDHvstkEs19UqRKAfNHrzZ3fqB+SCVTKvGgBbDh4ApHFVZoXhbnBNZMeje2Oo0S
TNjJ6Yjli5pydyg/2vMRoeSazpAd5ogN5zRFnCPB8csOzYBSC+NwlI8SDS/9QvNV43rJ
5Qng==
X-Gm-Message-State: AC+VfDzQikbXiAeFR4QfO4k/ccYRcn9HljX9XYbV7MicaMKP8fWqAWLa
kf6ObeDAZlNsXUMQe9rRGjtgQQjjXmQ4pYk=
X-Received: from aliceryhl.c.googlers.com
([fda3:e722:ac3:cc00:31:98fb:c0a8:6c8])
(user=aliceryhl job=sendgmr) by 2002:a17:906:9bc2:b0:94f:23d8:839 with SMTP
id de2-20020a1709069bc200b0094f23d80839mr13337271ejc.10.1684317553900; Wed,
17 May 2023 02:59:13 -0700 (PDT)
Date: Wed, 17 May 2023 09:59:04 +0000
Mime-Version: 1.0
X-Mailer: git-send-email 2.40.1.606.ga4b1b128d6-goog
Message-ID: <20230517095905.3548100-1-aliceryhl@google.com>
Subject: [PATCH v1 1/2] rust: specify when `ARef` is thread safe
From: Alice Ryhl <aliceryhl@google.com>
To: Miguel Ojeda <ojeda@kernel.org>,
Wedson Almeida Filho <wedsonaf@gmail.com>,
Alex Gaynor <alex.gaynor@gmail.com>
Cc: Boqun Feng <boqun.feng@gmail.com>, Gary Guo <gary@garyguo.net>, "
=?utf-8?q?Bj=C3=B6rn_Roy_Baron?= " <bjorn3_gh@protonmail.com>,
Benno Lossin <benno.lossin@proton.me>, Alice Ryhl <aliceryhl@google.com>,
Ingo Molnar <mingo@redhat.com>, Peter Zijlstra <peterz@infradead.org>,
Will Deacon <will@kernel.org>, Mark Rutland <mark.rutland@arm.com>,
rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org,
patches@lists.linux.dev
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED,
USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1766138322900208335?=
X-GMAIL-MSGID: =?utf-8?q?1766138322900208335?=
|
| Series |
[v1,1/2] rust: specify when `ARef` is thread safe
|
|
Commit Message
Alice Ryhl
May 17, 2023, 9:59 a.m. UTC
An `ARef` behaves just like the `Arc` when it comes to thread safety, so
we can reuse the thread safety comments from `Arc` here.
This is necessary because without this change, the Rust compiler will
assume that things are not thread safe even though they are.
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
---
rust/kernel/types.rs | 11 +++++++++++
1 file changed, 11 insertions(+)
base-commit: ac9a78681b921877518763ba0e89202254349d1b
Comments
On Wed, May 17, 2023 at 09:59:04AM +0000, Alice Ryhl wrote: > An `ARef` behaves just like the `Arc` when it comes to thread safety, so > we can reuse the thread safety comments from `Arc` here. > > This is necessary because without this change, the Rust compiler will > assume that things are not thread safe even though they are. > > Signed-off-by: Alice Ryhl <aliceryhl@google.com> > --- > rust/kernel/types.rs | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs > index 29db59d6119a..9c8d94c04deb 100644 > --- a/rust/kernel/types.rs > +++ b/rust/kernel/types.rs > @@ -321,6 +321,17 @@ pub struct ARef<T: AlwaysRefCounted> { > _p: PhantomData<T>, > } > > +// SAFETY: It is safe to send `ARef<T>` to another thread when the underlying `T` is `Sync` because > +// it effectively means sharing `&T` (which is safe because `T` is `Sync`); additionally, it needs > +// `T` to be `Send` because any thread that has an `ARef<T>` may ultimately access `T` directly, for Does the "ultimately access `T` directly" here imply mutably or exclusively? If so, it makes sense to me to call it out. I'm trying to make sure we can agree on some "common terminologies" ;-) Regards, Boqun > +// example, when the reference count reaches zero and `T` is dropped. > +unsafe impl<T: AlwaysRefCounted + Sync + Send> Send for ARef<T> {} > + > +// SAFETY: It is safe to send `&ARef<T>` to another thread when the underlying `T` is `Sync` for the > +// same reason as above. `T` needs to be `Send` as well because a thread can clone an `&ARef<T>` > +// into an `ARef<T>`, which may lead to `T` being accessed by the same reasoning as above. > +unsafe impl<T: AlwaysRefCounted + Sync + Send> Sync for ARef<T> {} > + > impl<T: AlwaysRefCounted> ARef<T> { > /// Creates a new instance of [`ARef`]. > /// > > base-commit: ac9a78681b921877518763ba0e89202254349d1b > -- > 2.40.1.606.ga4b1b128d6-goog >
On 5/18/23 23:24, Boqun Feng wrote: > On Wed, May 17, 2023 at 09:59:04AM +0000, Alice Ryhl wrote: >> +// SAFETY: It is safe to send `ARef<T>` to another thread when the underlying `T` is `Sync` because >> +// it effectively means sharing `&T` (which is safe because `T` is `Sync`); additionally, it needs >> +// `T` to be `Send` because any thread that has an `ARef<T>` may ultimately access `T` directly, for > > Does the "ultimately access `T` directly" here imply mutably or > exclusively? If so, it makes sense to me to call it out. I'm trying to > make sure we can agree on some "common terminologies" ;) It means "access using a mutable reference". I agree that "directly" is a bit unclear - I copied it from the safety comment on Arc. Alice
Alice Ryhl <aliceryhl@google.com> writes: > An `ARef` behaves just like the `Arc` when it comes to thread safety, so > we can reuse the thread safety comments from `Arc` here. > > This is necessary because without this change, the Rust compiler will > assume that things are not thread safe even though they are. > > Signed-off-by: Alice Ryhl <aliceryhl@google.com> > --- > rust/kernel/types.rs | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs > index 29db59d6119a..9c8d94c04deb 100644 > --- a/rust/kernel/types.rs > +++ b/rust/kernel/types.rs > @@ -321,6 +321,17 @@ pub struct ARef<T: AlwaysRefCounted> { > _p: PhantomData<T>, > } > > +// SAFETY: It is safe to send `ARef<T>` to another thread when the underlying `T` is `Sync` because > +// it effectively means sharing `&T` (which is safe because `T` is `Sync`); additionally, it needs > +// `T` to be `Send` because any thread that has an `ARef<T>` may ultimately access `T` directly, for > +// example, when the reference count reaches zero and `T` is dropped. > +unsafe impl<T: AlwaysRefCounted + Sync + Send> Send for ARef<T> {} > + > +// SAFETY: It is safe to send `&ARef<T>` to another thread when the underlying `T` is `Sync` for the > +// same reason as above. `T` needs to be `Send` as well because a thread can clone an `&ARef<T>` > +// into an `ARef<T>`, which may lead to `T` being accessed by the same reasoning as above. > +unsafe impl<T: AlwaysRefCounted + Sync + Send> Sync for ARef<T> {} Nit: I would prefer repeating the safety comment details, in case the two drift apart in the future. BR Andreas > + > impl<T: AlwaysRefCounted> ARef<T> { > /// Creates a new instance of [`ARef`]. > /// > > base-commit: ac9a78681b921877518763ba0e89202254349d1b
diff --git a/rust/kernel/types.rs b/rust/kernel/types.rs index 29db59d6119a..9c8d94c04deb 100644 --- a/rust/kernel/types.rs +++ b/rust/kernel/types.rs @@ -321,6 +321,17 @@ pub struct ARef<T: AlwaysRefCounted> { _p: PhantomData<T>, } +// SAFETY: It is safe to send `ARef<T>` to another thread when the underlying `T` is `Sync` because +// it effectively means sharing `&T` (which is safe because `T` is `Sync`); additionally, it needs +// `T` to be `Send` because any thread that has an `ARef<T>` may ultimately access `T` directly, for +// example, when the reference count reaches zero and `T` is dropped. +unsafe impl<T: AlwaysRefCounted + Sync + Send> Send for ARef<T> {} + +// SAFETY: It is safe to send `&ARef<T>` to another thread when the underlying `T` is `Sync` for the +// same reason as above. `T` needs to be `Send` as well because a thread can clone an `&ARef<T>` +// into an `ARef<T>`, which may lead to `T` being accessed by the same reasoning as above. +unsafe impl<T: AlwaysRefCounted + Sync + Send> Sync for ARef<T> {} + impl<T: AlwaysRefCounted> ARef<T> { /// Creates a new instance of [`ARef`]. ///