Uplift the invalid_atomic_ordering lint from clippy to rustc #390

Closed
@thomcc

Proposal

Move the invalid_atomic_ordering lint from clippy into the compiler. The lint would be deny by default, and fire when using an invalid ordering for the given atomic operation.

For example, an incomplete set of the functionality it covers is shown below:

// Bad: `Release` cannot be used for `load`.
some_atomic.load(Release);
// Bad: `Acquire` cannot be used for `store`.
some_atomic.store(_, Acquire);
// Bad: `Relaxed` cannot be used as a fence's ordering.
core::sync::atomic::fence(Relaxed);
// Bad: `Release` cannot be used as the failure ordering
some_atomic.compare_exchange(_, _, SeqCst, Release);
// Bad: The failure ordering cannot be stronger than the success ordering
some_atomic.compare_exchange(_, _, Relaxed, SeqCst);

Using the wrong atomic ordering causes a panic at runtime, and for a long time people have mentioned that it's unfortunate that using legal orderings is not enforced in the type system.

Regardless of whether or not that eventually happens (I think it sounds hard, especially for cases like compare_exchange), the current APIs will not go away, and so this lint that prevents misuse would be valuable.

The lint has no false positives, and, so long as the orderings are specified directly in the call, covers the whole set of stable[0] functions which take ordering arguments that I'm aware of.

[0]: (It doesn't cover the unstable cmpxchg16b intrinsic in core::arch::{x86, x86_64} but this could easily be supported in the future via the same code path that handles the compare_exchange and compare_exchange_weak functions).

Mentors or Reviewers

I have no idea. I'm just planning on winging it based on other similar lint uplifts, and hoping the review robot picks someone acceptable 😅. (Open to suggestions as that seems non-ideal)

Process

The main points of the Major Change Process are as follows:

  • File an issue describing the proposal.
  • A compiler team member or contributor who is knowledgeable in the area can second by writing @rustbot second.
    • Finding a "second" suffices for internal changes. If however you are proposing a new public-facing feature, such as a -C flag, then full team check-off is required.
    • Compiler team members can initiate a check-off via @rfcbot fcp merge on either the MCP or the PR.
  • Once an MCP is seconded, the Final Comment Period begins. If no objections are raised after 10 days, the MCP is considered approved.

You can read more about Major Change Proposals on forge.

Comments

This issue is not meant to be used for technical discussion. There is a Zulip stream for that. Use this issue to leave procedural comments, such as volunteering to review, indicating that you second the proposal (or third, etc), or raising a concern that you would like to be addressed.
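
The proposal says invalid orderings panic at runtime and that the lint covers calls where the ordering is specified directly in the call. The following is an added example, not code from the issue, clippy or rustc: the `*_with` helpers, `panics` and `rejected_at_runtime` are hypothetical names. It passes the ordering through a function parameter, so no ordering appears at the atomic call site and the runtime panic is the only remaining check, shown for four of the cases listed in the proposal.

```rust
use std::panic::{catch_unwind, UnwindSafe};
use std::sync::atomic::{fence, AtomicUsize, Ordering};

// Hypothetical wrappers: the ordering is a parameter, so the atomic call
// itself never names an `Ordering` variant for a call-site lint to inspect.
fn load_with(a: &AtomicUsize, order: Ordering) -> usize {
    a.load(order)
}

fn store_with(a: &AtomicUsize, value: usize, order: Ordering) {
    a.store(value, order)
}

fn fence_with(order: Ordering) {
    fence(order)
}

fn cas_with(a: &AtomicUsize, success: Ordering, failure: Ordering) -> bool {
    a.compare_exchange(0, 1, success, failure).is_ok()
}

/// True if `f` panicked, i.e. the standard library rejected the ordering at runtime.
fn panics(f: impl FnOnce() + UnwindSafe) -> bool {
    catch_unwind(f).is_err()
}

/// Runs four of the invalid combinations from the proposal through the wrappers.
/// Order: Release load, Acquire store, Relaxed fence, Release failure ordering.
pub fn rejected_at_runtime() -> [bool; 4] {
    [
        panics(|| { load_with(&AtomicUsize::new(0), Ordering::Release); }),
        panics(|| store_with(&AtomicUsize::new(0), 1, Ordering::Acquire)),
        panics(|| fence_with(Ordering::Relaxed)),
        panics(|| { cas_with(&AtomicUsize::new(0), Ordering::SeqCst, Ordering::Release); }),
    ]
}

fn main() {
    // Each entry is true when the call panicked instead of being caught at compile time.
    println!("panicked at runtime: {:?}", rejected_at_runtime());
    // Control: valid orderings go through the same wrappers without panicking.
    let a = AtomicUsize::new(0);
    println!("valid cas succeeded: {}", cas_with(&a, Ordering::SeqCst, Ordering::Relaxed));
    println!("valid load: {}", load_with(&a, Ordering::Acquire));
}
```

Wrappers like these are where a review or a test with each accepted ordering is still needed, since the panic message is printed only when the bad path actually executes.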

Labels

  • T-compiler: Add this label so rfcbot knows to poll the compiler team
  • major-change: A proposal to make a major change to rustc
  • major-change-accepted: A major change proposal that was accepted
