Safety in an unsafe world

In practice that's not the main concern: usually, in such cases, you have fixed (and not large) number of cases that you need to support. Much bigger issues is the fact that with some allocations you just simply couldn't support some cases (but would happily support others) and, even more importantly, the set of operations that you want to handle differently (or, maybe, not handle at all) is the most fluid part of the whole story.

I may need/want special case because Intel decided that saturated operations should be provided for bytes and 16bit words, but not for doublewords or quadwords, or you may special-case some algorithm because it doesn't work with too small precision of fp16 or, in kernel, you may support some operations with a filesystem in one context (because they are needed to support swap file), but not in the other context (because these would require swappin)… and bam:

fn foo001(alloc: & impl Derived) { ... } // etc.
fn foo999(alloc: & impl Derived) {

Suddenly internal details and limitations of my very lowest level functions are plastered all over the whole stack between foo001 and food999.

It's like hated Java checked exceptions, only in reverse! And yes, the whole point of the excercise, the whole issue that I complain about is that same need to plaster all these tiny details in all intermediate steps! I know that impl is a generic in a disguise, thank you very much, my point is that I could't keep internal details of that type hidden from the intermediate layers (without certain tricks, at least).

I couldn't just simply doing small alterations somewhere down below and see if that would be enough to connect on the top, even the tiny, minor changes require massive code rewrites.

How can you sat that “traits are not viral” if any simple tiny change in low-level have to propagate through the whole stack from the bottom to the very top?

Type erasure would defeat the point of the whole exercise: you couldn't have dyn Trait half-implemented. You could have impl Trait half-implemented by calling __this_code_shouldnt_be_used__ function (that would cause link-time error), but because link-time error is happening too late to be supported well by IDEs you need another thing that would stop you… const check works fine.

You just create trait MyCleverType, add hundreds of functions to it (everything you can switch on at the very bottom, essentially), give them the default implementation that calls __this_code_shouldnt_be_used__ and a constant that notifies the user about actual availability of function, then add some macros on top of that… and voila: you have very-very rough and limited approximation of what literally all modern languages (C++, Go, Java, Python, whatever) have “out of the box”.

Oh, absolutely. Here I agree 100%. You couldn't really support open-ended, unbounded, set of limitations and complicated rules which would determine which combinations are allowed and which are disallowed. Usually it's properties that lead to 2-3-4 choices and not more… but then you also have combinations of these properties – and that either leads to traits which have hundreds of possibilities or, alternatively, you end up with hundreds of traits that are attached to all your types and your code is filling with annotations that are entirely irrelevant on that level of abstraction.

Or, as I have said: you just [ab]use traits and const expressions to provide something that all other modern language give you without any heroic efforts. Sure, only C++ and Zig give you the ability to do compile-time checks, most language make reflection a runtime event and I'm glad that Rust at least gives you enough kludges to create similar system, but still… I couldn't look on all that and just wonder: why? Just, really, why do I have to have all that complexity to combat system that was supposed to “simplify” things?

P.S. I understand perfectly why Rust designers have started with assumption that everything in the world is total and fully additive: dealing with such world of types is easy. But I just hate that when they faced reality and have found out that this imaginary unicorn-style world just simply doesn't work even for standard library… they just added some few opt-out features that made it possible to solve issues they had… and then ignored the fact that the ability to avoid couple of allocations in some cases is not the worst case of non-totality that one may face in software design. Our programs are full of non-total implementations of things and the language that doesn't handle that would just simple be unusable… thankfully, today, after some pushing, Rust have gotten enough kludges to handle that limitation of it's design in not entirely insane fashion… but still I'm not sure if that was good thing to fight for or not: on the other hand the fact that you need to just throught so many hoops to implement non-total things means that people are at least thinking about how they could approach the problem by simply using total functions and not leaving landmines in their design everywhere… on the other hand this made so many things so complicated… ugh.

I think we have the different meanings of what “chance” means here. My take on that “chance” is very similar to mb's take on this (we differ about feasibility of compile-time detection of the problem, but the core idea is the same): for me “chance” only have a meaning if the code that I actually have for the full program may deadlock.

I don't particularly care about what happens to the code that “shizophrenic monkey” would achieve if it would start randomly shuffling code while ignoring the purpose of the code and would only follow the type traits written in the function declarations as a guidance (I call that “shizophrenic monkey” because normal monkey would just randomly shuffle code without looking on trait declarations and wouldn't be able to produce anything compileable… we need pretty advanced money that would look on the traits in function definitions – yet would ignore semantic of the code).

If code, according to the traits visible in declarations, may deadlock, but compiler wouldn't allow me to actually cause a deadlock… I'm happy. I have an idea about what I'm doing, I have an idea about what I'm calling, I don't need these breadcrumbs to understand what I'm doing. I only need to ensure that compiler (or, in case of mb, runtime checker) would catch me if I would do a mistake that may lead to the problems for the actual user of my program. Spare me that lecture about “potential deadlocks“: if something in my code ensures that they would never become an “actual deadlocks”… then I don't particularly care about who or what would prevent it. Even if they work correctly by accident – I'm still happy.

I only start to care when something in my code start leading to the harmful, deadlockable program, not when there some “code smells” in my code.

I'm sick and tired of code written with “best practices” in mind without any regard to whether these “best practices” are solving any real problems or not.

In fact in my life I have spent more time ripping out “best practices” code that is solving imaginary problems that may never happen in real life then I spent time writing code that solves real problems.

Because almost every time I try to use something in non-trivial way… I find out that it's impossible – but not because something in real world prevents my design from being workable, but simply because someone added crazy arbitrary “best practices” constraints.

Sometimes I rip them out, sometimes I give up and built the usual Babylonian tower with 100 layers that redo things that are already done on the other layers because “best practice” isolates me from results of that work… but it's always the same: people try to “protect me from myself”… and they successfully protect me from my desire to do job quickly and efficiently.

Can we, please stop protecting me from myself? Catch my mistakes, if you can, I would be glad, don't stop me from doing things simply because “you know better”. No, you “don't know better”, otherwise you would have been able to explain how and why my code would break.

Gold standard is something that is perceived to work and also something that is used in a project that produced code used by billions of people with hundred of billions devices.

People, naturally, are very reluctant to switch to something more intrusive unless it can be shown that it's really needed.

Attempt to bring Rust in kernel wouldn't have been possible if not for showing (with fuzzers) how many Rust-preventable bugs are there in kernel. It was adopted not because someone wanted to adopt it but because kernel needed some answer to the endless stream of security holes discovered semi-automatically. Time will tell if Rust will help to mitigate them, but pain was acute enough to try.

Similarly lockdep would stop being “gold standard” not because someone would continue to scream about “impossible preconditions”, but if it would be shown that it's not efficient and produces product of unacceptable quality – or if something that's equally easy to use may produce better results.

That's very tall bar, because deadlocks are usually not a security issue, just a nuisance, thus they have to happen often enough in real use but not often enough in the run with lockdep on a developer workstation for lockdep to stop being “gold standard”.

That's a very tall order thus approach that proposes to replace lockdep with something better have to ensure it would be easier to use. And mechanism used by netstack3… nope, doesn't look like it's easier to use, to me.

If you would propose C++-style approach without extra annotations and associated churn (only possible in Rust with the use of const AFAIK) then it may be argued that it would be comparable to lockdep and more robust. You sometimes need to do manual rearranging of locks in the “lock registry” or build and run code in special mode that would rearrange their priorities for you, but you have to run code in a special mode with lockdep, too. This leaves us with pretty simple and mechanical additions of ctx: impl Context in a few places vs the need to run code with decent enough coverage… I would prefer to add ctx: impl Context, mb would prefer to organize coverage… we may agree to disagree, but at least we are comparing different sorts of banana fruits.

Trait-based enforcement is entirely different beast, more like baobab, than banana fruit, it imposes much more on the developer without any clear benefits, that's why I'm surprised it was picked.

The running hypotheses is that the reason that was done because someone had no idea const checking happens after monomorphisation (like in C++) and/or just mechanically adopted scheme that would have worked great in C++ or Zig, but it insanely unwieldy in Rust.

I did. In the very first message, in fact. Strange that you are discussing everything except actual code. Maybe that was a mistake because discussion quickly degenerated to the questions about how to assign priorities… but apparently traits-based checking doesn't work without some well-defined lock ordering, too, thus it's not an advantage of that method.

Sure, one may need/want to play with some macros to make it more understandable, but I'm not sure Fuschia code wasn't written in 20 minutes, either.

On the contrary: it's so trivial that doesn't even need much explanation. You have generic TakenLockPriority type that includes priority of last taken lock in it's type and reference to all previously taken locks. When you take a lock you specify priority of that process and get new TakenLockPriority that contains phantom, zero-sized reference to previous TakenLockPriority and that priority inside.

And since constructor for a lock has two priorities it just compares them like this to detect rules violations:

        const {
            if PREVIOUS_PRIORITY >= PRIORITY {
                panic!("Improper use of lock is detetected")
            }
        }

And that's it! Like: literally, that's the whole scheme! Just try to play with priorities on Godbolt (again, link was in the very first message).

Maybe you haven't realized that panic! in the code above produced compiler-time error and not runtime error? That's how Rust works. There were talks about adding actual static_assert, but that haven't happened so far. Instead of that you can use assert! or panic! in a const context to generate compile-time error.

And now you say that I haven't shown you any code. Have you looked on the presented code or not? And as for “can't explain it to me clearly”… That's not fair. I wrote the code because it I prefer to discuss things that way: code doesn't lie, while “clear explanations” might. But if you need an explanation then it can be summed in just three sentences:

1. You pass zero-sized context everywhere that contains zero-sized unique references to all taken locks and their priorities.
2. You pass that zero-sized context to the locking functions and that locking functions compares priorities of two locks: last takes and new one. And generates the compiler-time assertion in the way that Rust supports.
3. Three? There is no step three™.

That's it, what can be easier to explain and understand?

Yes, my solution is also kinda-sorta viral, because you would have that zero-sized ctx: impl LockOrdering everywhere, but because that's one trait implemented for one (albeit genetic) type… essentially you are just marking functions that deal with locks, which is mandatory for any compile-time scheme – and even if you make a mistake and they don't take any locks… this doesn't affect anyone!

Even better: all that compiler checking, of course, takes time – but you may easily turn TakenLockPriority into () and totally disable that compile-time checking during development, most of the time. Just run the full thingie on CI and it would tell you whether there are violations or not.