Re: C aggregate passing (Rust kernel policy)

From: Ventura Jack
Date: Sat Feb 22 2025 - 10:06:11 EST

Next message: Andrey Konovalov: "Re: [PATCH v2 01/14] kasan: sw_tags: Use arithmetic shift for shadow computation"
Previous message: Jonathan Cameron: "Re: [PATCH v1 1/1] iio: accel: adxl367: fix setting odr for activity time update"
In reply to: Gary Guo: "Re: C aggregate passing (Rust kernel policy)"
Next in thread: Kent Overstreet: "Re: C aggregate passing (Rust kernel policy)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Feb 22, 2025 at 7:15 AM Gary Guo <gary@xxxxxxxxxxx> wrote:
>
> On Sat, 22 Feb 2025 03:06:44 -0700
> Ventura Jack <venturajack85@xxxxxxxxx> wrote:
>
> > >Gcc used to initialize it all, but as of gcc-15 it apparently says
> > >"Oh, the standard allows this crazy behavior, so we'll do it by
> > default".
> > >
> > >Yeah. People love to talk about "safe C", but compiler people have
> > >actively tried to make C unsafer for decades. The C standards
> > >committee has been complicit. I've ranted about the crazy C alias
> > >rules before.
> >
> > Unsafe Rust actually has way stricter rules for aliasing than C. For
> > you and others who don't like C's aliasing, it may be best to avoid
> > unsafe Rust.
> >
>
> I think the frequently criticized C aliasing rules are *type-based
> aliasing*. Rust does not have type based aliasing restrictions.
>
> It does have mutability based aliasing rules, but that's easier to
> reason about, and we have mechanisms to disable them if needed at much
> finer granularity.
>
> Best,
> Gary

Are you sure that unsafe Rust has easier to reason about aliasing
rules? Last I checked, there are two different models related to
aliasing, tree borrows and stacked borrows, both at an experimental
research stage. And the rules for aliasing in unsafe Rust are not yet
fully defined. https://chadaustin.me/2024/10/intrusive-linked-list-in-rust/
has some commentary on the aliasing rules.

>From the blog post:
>The aliasing rules in Rust are not fully defined.

Other blog posts and videos have likewise described unsafe Rust as
being harder than C to reason about and get correct, explicitly
mentioning the aliasing rules of unsafe Rust as being one reason
unsafe Rust is harder than C.

One trade-off then being that unsafe Rust is not all of Rust, unlike C
that currently has no such UB safe-unsafe split. And so you only need
to understand the unsafe Rust aliasing rules when working with unsafe
Rust. And can ignore them when working with safe Rust.

Best, VJ.

Next message: Andrey Konovalov: "Re: [PATCH v2 01/14] kasan: sw_tags: Use arithmetic shift for shadow computation"
Previous message: Jonathan Cameron: "Re: [PATCH v1 1/1] iio: accel: adxl367: fix setting odr for activity time update"
In reply to: Gary Guo: "Re: C aggregate passing (Rust kernel policy)"
Next in thread: Kent Overstreet: "Re: C aggregate passing (Rust kernel policy)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]