|
|
Subscribe / Log in / New account

Stabilizing per-VMA locking

Stabilizing per-VMA locking

Posted Jul 14, 2023 6:26 UTC (Fri) by mb (subscriber, #50428)
Parent article: Stabilizing per-VMA locking

> Whether, say, a VMA abstraction written in Rust could truly ensure that accesses use proper
> locking while maintaining performance has not yet been proven in the kernel context, though.

Well, I think that such performance critical paths would either use safe code or they would be marked unsafe {} and use some lockless performance tricks.
The unsafe-block by itself would probably help to raise some eyebrows when doing such fundamental locking changes.

to post comments

Stabilizing per-VMA locking

Posted Jul 14, 2023 7:06 UTC (Fri) by sima (subscriber, #160698) [Link] (2 responses)

I'm not sure rust would have helped here a lot. Rust is really good at enforcing ownership models and pretty flexible at that. But for that to work you need to understand your ownership model clearly, otherwise you can't encode it in the type system. And you need to encode it all yourself for custom data structure protection schemes like this one.

I think in this case here it was more an issue of not clearly understanding the ownership model of vma structs, and not so much a missed case that the compiler could have spotted for you. Where rust might help is that it allows you to roll out the ownership model first (in the type system) without changing the locking, and then once you're fairly confident that you got it right, you flip the switch (and watch things blow up if you missed something).

Stabilizing per-VMA locking

Posted Jul 14, 2023 14:05 UTC (Fri) by mb (subscriber, #50428) [Link]

>But for that to work you need to understand your ownership model clearly,
>otherwise you can't encode it in the type system.

If you don't understand the ownership model, you can't write correct C code either. The resulting code may be correct by luck, at best.

>I think in this case here it was more an issue of not clearly understanding the
>ownership model of vma structs

Exactly.
Because it was not enforced and not even encouraged by the language to think about it.

>not so much a missed case that the compiler could have spotted for you.

I'm not talking about that kind of thing.
I'm talking about Rust encouraging you to think about ownership. This is many levels above a compiler run.
Programming Rust puts your brain into a completely different mode of thinking. And that's what makes the real difference.

Stabilizing per-VMA locking

Posted Jul 20, 2023 14:02 UTC (Thu) by khim (subscriber, #9252) [Link]

>But for that to work you need to understand your ownership model clearly, otherwise you can't encode it in the type system.

And if you couldn't do that then your program can not be compiled and thus wouldn't have any bugs.

The question is not whether Rust may prevent such bugs. It absolutely could do that, it's designed for that and it works well.

The question is whether price is too high and if code which would satisfy Rust compiler would also satisfy performance demands of kernel developers, too.

That is still an open question, that's true.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds