rust-lang / lang-team

Home of the Rust lang team
http://lang-team.rust-lang.org/
Apache License 2.0
203 stars 48 forks source link

Should we have provenance? #171

Closed JakobDegen closed 2 years ago

JakobDegen commented 2 years ago

Summary

The goal of this meeting is to lay out the arguments for and against the existence of pointer provenance, and hopefully arrive at a place where we can decide whether Rust should or should not have it. It is explicitly not the goal of this meeting to discuss what kind of provenance we should have if we do have it.

Time allowing, if people generally come to the conclusion that we should have provenance, we can additionally start some discussion as to whether or not we should stabilize (possibly a subset of) the strict provenance APIs. This is not the core goal of the meeting though.

Background reading

I plan on putting together a write-up for the meeting presenting the reasons for and against provenance. Strictly speaking, the intent is that it will be self-contained. That being said, some familiarity with the surroundings is probably good to have for any attendees that are entirely new to the concept of provenance; a good starting point here is Ralf's article on the need for pointer provenance or the section on this topic in the standard library documentation.

About this issue

This issue corresponds to a lang-team design meeting proposal. It corresponds to a possible topic of discussion that may be scheduled for deeper discussion during one of our design meetings.

joshtriplett commented 2 years ago

It is explicitly not the goal of this meeting to discuss what kind of provenance we should have if we do have it.

I think it would be appropriate to also present one of the (current) leading models, namely the looser provenance model that includes expose_addr and from_exposed_addr and similar. At the very least, I found it helpful to have that model in mind as contrasted with the strict provenance model.

RalfJung commented 2 years ago

MiniRust already specifies a model of provenance that supports expose_addr and from_exposed_addr. So it might be useful to look over the relevant parts of the code, maybe that can help clarify some lingering questions:

RalfJung commented 2 years ago

a good starting point here is Ralf's article on the need for pointer provenance or the section on this topic in the standard library documentation.

That blog-post has some follow-up posts:

eddyb commented 2 years ago

I still stand by my "you can't really avoid provenance" (https://github.com/rust-lang/rust/issues/95228#issuecomment-1084028786) reasoning, but to account for certain things @RalfJung brought up at the time I need to add some extra caveats:

RalfJung commented 2 years ago

I don't know which "specific example" you mean. I think there is an interesting experiment to be made for how far one can get with just allocator non-determinism, but certainly this will not give us anything like noalias or Stacked Borrows. If we want optimizations based on aliasing rules for references, we need provenance.

DavidVonDerau commented 2 years ago

My 2 cents as a bystander:

I think strict provenance is probably one of the most important developments I've seen in Rust's design, as it pertains to safety and correctness. I am incredibly excited for it!

I also think that the "tower of weakenings" concept is a brilliant escape hatch for the debates I've seen thus far -- teach strict provenance, provide the APIs for it, check it with Miri and/or the compiler, and we all accept that there's a weaker memory model that people can fall back to when they need to commit some crimes with pointers, e.g. due to an FFI boundary or some memory-mapped I/O at an absolute address on an embedded platform.

alercah commented 2 years ago

I got here while trying to catch up on Zulip and while I eventually gave up trying to read the whole thhead, I think there was far more ink spilled than necessary on things like LLVM, optimizations, C/C++, etc. when there is already aliasing rules in Rust that very heavily constrain our ability to do anything other than provenance. I'm not sure you really need to talk about anything else in the conversation.

saethlin commented 2 years ago

when there is already aliasing rules in Rust

What aliasing rules are you referring to?

nikomatsakis commented 2 years ago

Meeting minutes

and Zulip discussion