atomics: allow atomic and non-atomic reads to race #128778
Conversation
|
rustbot has assigned @Mark-Simulacrum. Use |
rustbot
added
S-waiting-on-review
RalfJung
force-pushed
the
atomic-read-read-races
branch
from
4c2bc31
to
24c19b8
Compare
|
The Miri subtree was changed cc @rust-lang/miri |
RalfJung
force-pushed
the
atomic-read-read-races
branch
2 times, most recently
from
e5b0694
to
eae3ecc
Compare
This comment has been minimized.
This comment has been minimized.
RalfJung
force-pushed
the
atomic-read-read-races
branch
4 times, most recently
from
4382807
to
e219737
Compare
library/core/src/sync/atomic.rs
Outdated
| //! Undefined Behavior unless both accesses are atomic. Here, accesses are *conflicting* if they | ||
| //! affect overlapping regions of memory and at least one of them is a write. They are | ||
| //! *non-synchronized* if neither of them *happens-before* the other, according to the | ||
| //! happens-before order of the memory model. |
There was a problem hiding this comment.
Previously in this documentation we used the term "non-synchronized" for accesses which are not happens-before ordered. I wonder if "unordered" would be a better term?
The C++ memory model does not define a term for this, they just spell out "not happens-before ordered".
There was a problem hiding this comment.
"unordered" sounds better to me, but 🤷🏻
There was a problem hiding this comment.
@rust-lang/opsem @rust-lang/lang any opinion on this -- should we rename "non-synchronized" to "unordered"?
RalfJung
force-pushed
the
atomic-read-read-races
branch
from
e219737
to
5eeb272
Compare
RalfJung
added
the
I-lang-nominated
|
Nominating for t-lang to get their take on this, and to ask them who should be included in the FCP -- just t-opsem, or also t-lang? |
RalfJung
added
T-lang
RalfJung
force-pushed
the
atomic-read-read-races
branch
from
9a0aa41
to
3af35af
Compare
|
@rfcbot fcp merge We discussed this in triage today. This sounded right to us. We'll do this via FCP with T-opsem. |
|
Team member @traviscross has proposed to merge this. The next step is review by the rest of the tagged team members:
No concerns currently listed. Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! cc @rust-lang/lang-advisors: FCP proposed for lang, please feel free to register concerns. |
rfcbot
added
proposed-final-comment-period
|
I find the argument that it should always be ok to make a non-atomic read into an atomic read persuasive, so it sounds good from an intent perspective. So as long as the experts agree with how we're formally saying that, sounds good. @rfcbot reviewed (I wonder if it's possible to write a codegen test that would have a reasonable chance of noticing LLVM deciding to turn such a read-race into |
|
LLVM doesn't have a notion of "atomic object", their entire memory model is access-based, so I can't imagine they'd ever make this UB. I also don't think LLVM turns any obvious data races into |
rfcbot
added
final-comment-period
|
🔔 This is now entering its final comment period, as per the review above. 🔔 |
|
@rfcbot reviewed |
RalfJung
force-pushed
the
atomic-read-read-races
branch
from
6877b1d
to
2d592a9
Compare
|
@Mark-Simulacrum is this ready to land from your side, assuming FCP will pass uneventful? |
|
☔ The latest upstream changes (presumably #130483) made this pull request unmergeable. Please resolve the merge conflicts. |
|
Yeah, r=me |
rfcbot
added
finished-final-comment-period
|
The final comment period, with a disposition to merge, as per the review above, is now complete. As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed. This will be merged soon. |
- UnsafeCell: mention the term "data race", and reference the data race definition - atomic: failing RMWs are just reads, reorder and reword docs
RalfJung
force-pushed
the
atomic-read-read-races
branch
from
2d592a9
to
96be76b
Compare
|
@bors r=Mark-Simulacrum |
bors
added
S-waiting-on-bors
…iaskrgr Rollup of 5 pull requests Successful merges: - rust-lang#128778 (atomics: allow atomic and non-atomic reads to race) - rust-lang#130918 (simplify LLVM submodule handling) - rust-lang#130960 (Only add an automatic SONAME for Rust dylibs) - rust-lang#130973 (compiletest: rename "runtest/crash.rs" to "runtest/crashes.rs" to be in line with the test directory) - rust-lang#130976 (remove couple redundant clones) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#128778 - RalfJung:atomic-read-read-races, r=Mark-Simulacrum atomics: allow atomic and non-atomic reads to race We currently define our atomics in terms of C++ `atomic_ref`. That has the unfortunate side-effect of making it UB for an atomic and a non-atomic read to race (concretely, [this code](https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=d1a743774e60923db33def7fe314d754) has UB). There's really no good reason for this, all the academic models of the C++ memory model I am aware of allow this -- C++ just disallows this because of their insistence on an "object model" with typed memory, where `atomic_ref` temporarily creates an "atomic object" that may not be accesses via regular non-atomic operations. So instead of tying our operations to `atomic_ref`, let us tie them directly to the underlying C++ memory model. I am not sure what is the best way to phrase this, so here's a first attempt. We also carve out an exception from the "no mixed-size atomic accesses" rule to permit mixed-size atomic reads -- given that we permit mixed-size non-atomic reads, it seems odd that this would be disallowed for atomic reads. However, when an atomic write races with any other atomic operation, they must use the same size. With this change, it is finally the case that every non-atomic access can be replaced by an atomic access without introducing UB. Cc `@rust-lang/opsem` `@chorman0773` `@m-ou-se` `@WaffleLapkin` `@Amanieu` Fixes rust-lang/unsafe-code-guidelines#483
We currently define our atomics in terms of C++
atomic_ref. That has the unfortunate side-effect of making it UB for an atomic and a non-atomic read to race (concretely, this code has UB). There's really no good reason for this, all the academic models of the C++ memory model I am aware of allow this -- C++ just disallows this because of their insistence on an "object model" with typed memory, whereatomic_reftemporarily creates an "atomic object" that may not be accesses via regular non-atomic operations.So instead of tying our operations to
atomic_ref, let us tie them directly to the underlying C++ memory model. I am not sure what is the best way to phrase this, so here's a first attempt.We also carve out an exception from the "no mixed-size atomic accesses" rule to permit mixed-size atomic reads -- given that we permit mixed-size non-atomic reads, it seems odd that this would be disallowed for atomic reads. However, when an atomic write races with any other atomic operation, they must use the same size.
With this change, it is finally the case that every non-atomic access can be replaced by an atomic access without introducing UB.
Cc @rust-lang/opsem @chorman0773 @m-ou-se @WaffleLapkin @Amanieu
Fixes rust-lang/unsafe-code-guidelines#483