Re: [WIP 0/3] Memory model and atomic API in Rust

From: Kent Overstreet
Date: Mon Mar 25 2024 - 17:15:03 EST


On Mon, Mar 25, 2024 at 12:44:34PM -0700, Linus Torvalds wrote:
> On Mon, 25 Mar 2024 at 11:59, Kent Overstreet <kent.overstreet@xxxxxxxxx> wrote:
> >
> > To be fair, "volatile" dates from an era when we didn't have the haziest
> > understanding of what a working memory model for C would look like or
> > why we'd even want one.
>
> I don't disagree, but I find it very depressing that now that we *do*
> know about memory models etc, the C++ memory model basically doubled
> down on the same "object" model.
>
> > The way the kernel uses volatile in e.g. READ_ONCE() is fully in line
> > with modern thinking, just done with the tools available at the time. A
> > more modern version would be just
> >
> > __atomic_load_n(ptr, __ATOMIC_RELAXED)
>
> Yes. Again, that's the *right* model in many ways, where you mark the
> *access*, not the variable. You make it completely and utterly clear
> that this is a very explicit access to memory.
>
> But that's not what C++ actually did. They went down the same old
> "volatile object" road, and instead of marking the access, they mark
> the object, and the way you do the above is
>
> std::atomic_int value;
>
> and then you just access 'value' and magic happens.
>
> EXACTLY the same way that
>
> volatile int value;
>
> works, in other words. With exactly the same downsides.

Yeah that's crap. Unfortunate too, because this does need to be a type
system thing and we have all the tools to do it correctly now.

What we need is for loads and stores to be explicit, and that absolutely
can and should be a type system thing.

In Rust terminology, what we want is

Volatile<T>

where T is any type that fits in a machine word, and the only operations
it supports are get(), set(), xchg() and cmpxchg().

You DO NOT want it to be possible to transparently use Volatile<T> in
place of a regular T - in exactly the same way as an atomic_t can't be
used in place of a regular integer.
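A sketch of what such a type could look like, written as an added example to illustrate the proposal above; it is not Kent's code and not anything from the kernel's Rust tree. It assumes a sealed `Word` trait that maps each machine-word integer onto the matching std atomic, a `Volatile<T>` wrapper exposing only get/set/xchg/cmpxchg, and a hypothetical `concurrent_increment()` helper that exercises the cmpxchg loop across threads. Every access uses Relaxed ordering, i.e. the `__atomic_load_n(ptr, __ATOMIC_RELAXED)` semantics mentioned in the thread.

```rust
use std::sync::atomic::{AtomicI32, AtomicI64, AtomicU32, AtomicU64, AtomicUsize, Ordering};

mod sealed {
    pub trait Sealed {}
}

/// Types allowed behind a `Volatile<T>`: plain integers that fit in a machine
/// word, each backed by the std atomic that does the real work. The trait is
/// sealed so it cannot be implemented for a type that would need a lock.
pub trait Word: Copy + sealed::Sealed {
    type Cell: Sync;
    fn cell(v: Self) -> Self::Cell;
    fn load(c: &Self::Cell) -> Self;
    fn store(c: &Self::Cell, v: Self);
    fn swap(c: &Self::Cell, v: Self) -> Self;
    fn cmpxchg(c: &Self::Cell, old: Self, new: Self) -> Result<Self, Self>;
}

macro_rules! word {
    ($($t:ty => $a:ty),* $(,)?) => {$(
        impl sealed::Sealed for $t {}
        impl Word for $t {
            type Cell = $a;
            fn cell(v: Self) -> $a { <$a>::new(v) }
            // Relaxed: the access itself is atomic (no tearing, no elision,
            // no merging) but it orders nothing else, like READ_ONCE/WRITE_ONCE.
            fn load(c: &$a) -> Self { c.load(Ordering::Relaxed) }
            fn store(c: &$a, v: Self) { c.store(v, Ordering::Relaxed) }
            fn swap(c: &$a, v: Self) -> Self { c.swap(v, Ordering::Relaxed) }
            fn cmpxchg(c: &$a, old: Self, new: Self) -> Result<Self, Self> {
                c.compare_exchange(old, new, Ordering::Relaxed, Ordering::Relaxed)
            }
        }
    )*};
}

word!(u32 => AtomicU32, u64 => AtomicU64, usize => AtomicUsize,
      i32 => AtomicI32, i64 => AtomicI64);

/// The access is marked, not the variable: there is no Deref, no From/Into and
/// no arithmetic on this type, so a `Volatile<u32>` can never be silently used
/// where a `u32` is expected. Every load and store is spelled out at the call site.
pub struct Volatile<T: Word>(T::Cell);

impl<T: Word> Volatile<T> {
    pub fn new(v: T) -> Self { Volatile(T::cell(v)) }
    pub fn get(&self) -> T { T::load(&self.0) }
    pub fn set(&self, v: T) { T::store(&self.0, v) }
    pub fn xchg(&self, v: T) -> T { T::swap(&self.0, v) }
    /// Ok(old) if the swap happened, Err(current) if another writer got there first.
    pub fn cmpxchg(&self, old: T, new: T) -> Result<T, T> { T::cmpxchg(&self.0, old, new) }
}

/// Hypothetical helper: several threads bump one counter through a cmpxchg
/// retry loop. The total is exact because each update is one atomic RMW rather
/// than a torn read/modify/write.
pub fn concurrent_increment(threads: usize, per_thread: u64) -> u64 {
    let counter = Volatile::<u64>::new(0);
    std::thread::scope(|s| {
        for _ in 0..threads {
            s.spawn(|| {
                for _ in 0..per_thread {
                    let mut cur = counter.get();
                    // Retry until our swap lands on the value we actually read.
                    while let Err(seen) = counter.cmpxchg(cur, cur + 1) {
                        cur = seen;
                    }
                }
            });
        }
    });
    counter.get()
}

fn main() {
    let flag = Volatile::<u32>::new(0);
    flag.set(1);                        // explicit store
    println!("flag = {}", flag.get());  // explicit load
    // let n: u32 = flag;   // does not compile: no coercion to a plain u32
    // let m = flag + 1;    // does not compile: no arithmetic on the wrapper
    println!("sum = {}", concurrent_increment(4, 10_000));
}
```

Two caveats worth keeping in mind: Relaxed only guarantees that the access itself is a single, untorn, non-elided instruction; it says nothing about ordering against other memory, so publishing a structure behind such a flag still needs a release/acquire pair or an explicit barrier, which this four-operation API deliberately does not offer. And because the trait is sealed to word-sized integers, `Volatile<[u8; 16]>` is a compile error rather than a hidden lock.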