-
Notifications
You must be signed in to change notification settings - Fork 12.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
clarify how Rust atomics correspond to C++ atomics #97516
Conversation
Hey! It looks like you've submitted a new PR for the library teams! If this PR contains changes to any Examples of
|
r? @kennytm (rust-highfive has picked a reviewer for you, use r? to override) |
My comment with more context: rust-lang/miri#1963 (comment) I think this formulation is pretty clever, and I can't think of an edge case where it wouldn't work. This doesn't answer how things should behave with |
There are no atomic accesses on
I would assume this is allowed by C++? |
If calling atomic methods on the same thread don't count as atomic - they don't exhibit any weak behaviours anyway - then yes.
You can definitely express it in normal C++. You can also reuse a location used by an One thing is different though in C++: I've been told on the mailing list that there is no way to get two |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a neat formulation, and does seem to correspond to how I believed things work. I'll give it a day or so for other people to weigh in, in case they disagree, but otherwise r=me.
CC @Amanieu, @m-ou-se, @talchas, @chorman0773
I think one open question is whether or not this should go somewhere in the reference instead. As it is, it might be a bit confusing to people not familiar with C++, or who don't need to know the formal model's details. |
One issue:
Might save it, but that means that the following is definately undefined behaviour (and the safety comment is wrong): let x = AtomicI32::new(0);
let y = &x;
let p = x.as_mut_ptr();
// SAFETY: The following line is safe because the current thread is the only one with access to `x`, so no data race occurs
unsafe{p.write(1);}
`` |
No, it's just not possible. All atomic operations take
Ah, fair. OTOH
Yeah, I would say that is ruled out by the current safety comment. (FWIW I think we should allow such code eventually, but that needs a more careful survey of the memory model literature.) |
I like this pr. |
Well, it's more because we say "The rust model is equivalent to the C++ model" (or however we phrase it), but then the rust model, on its face, seems like it provides capabilities that are inaccessible to the C++ model, and this elaborates on how that is not the case, explaining what it means exactly that we follow the C++20 memory model. If it were just explaining the equivalent of the Rust construct to C++ programmers, I'd say this would be too niche. |
Actually, this is really documenting something about the language, and while it's essentially already true, it probably still needs sign-off from someone other than me, I think t-lang (probably FCP too). Does this work? r? rust-lang/lang |
Well, currently we say "the |
It is not clear to me that this is a consequence of the C++ spec, but I think we should also explicitly say that racey (ie not otherwise synchronized) overlapping atomic accesses that do not use the same size and "base address" are generally UB. This means users can't be doing If this turns out to be controversial, I can open a UCG issue to discuss (I found some examples of misusing such accesses that turn out to be problematic). |
It's hard for me to imagine we can really support mixed size access as not UB when the x86 manual literally says not to do it, but at the same time it might be needed for various use cases we don't want to completely forbid. (Specifically to provide access to the "sub-basement" mentioned in https://gankra.github.io/blah/tower-of-weakenings/ :p) But perhaps it's worth discussing more separately? I think that's at least a little bit more controversial than these changes, and would hate to block it on that. |
Actually, one another thing I'm unsure about. When you take a Two possible options:
|
I can do the same in C++ by creating an atomic_ref to some regular data, using it atomically, destroying the atomic_ref, creating a new atomic_ref, and using that atomically. If the C++ spec fails to say what happens in that case, that is a C++ spec bug. |
Yes, you can. I did explicitly mention that I don't believe that it does
|
Okay, then I don't think that affects this PR. We're not going to start fixing C++ spec bugs here. :) (FWIW I think the modification order has to persist for this to make any sense.) |
One reason I'm concerned about this is that if its the former, then the rules in [intro.races] seem to imply the following result which does not make intuitive sense: _Alignas(std::atomic_ref<int>::required_alignment) int atomic;
std::atomic_ref ref{atomic};
ref.store(1,std::memory_order::relaxed);
ref->~std::atomic_ref(); // ends the lifetime of ref
atomic = 2;
::new(&ref) std::atomic_ref{atomic}; // creates a new one in-place. This is basically equivalent to dropping the first reference, and replacing it with a new one
int val = ref->fetch_add(1, std::memory_order::relaxed); // val is 1, since [atomics.order] requires that a read-modify-write operation reads the last value written in modification order before the corresponding write. This happens because the value stored in the The corresponding rust is: let mut atomic = AtomicI32::new(0); // value in new isn't required, since `atomic` was default-init in C++
atomic.store(1,Ordering::Relaxed);
atomic = AtomicI32::new(2); // or `*atomic.get_mut() = 2;`
let val = atomic.fetch_add(1, Ordering::Relaxed); // reads the 1 stored 2 lines above |
Whatever it is makes equally little sense in C++ and Rust though. So it doesn't affect this PR. (IMO the entire notion of 'atomic object' makes no sense, so I am not surprised there are problems. So one day I hope we can have our own memory model that avoids such notions, but still interoperate with C++. But for now I fail to see how your comments are not entirely off-topic for this particular clarification I am proposing.) |
I do agree, it seems as though
I do also agree that |
Is there any concrete change you are proposing for this PR? If not, I suggest to stop this off-topic discussion. I don't think we should start listing C++ atomics errata in our library docs. Feel free to open a PR against the reference if you think this needs to be carefully spelled out there. |
I'm not sure there's an easy change here, without ripping up the whole MT Model, and substituting something else (which is fun to say the least). It's more of something that should be considered. C++ isn't sure how this functions, and given that it can be observed in safe code, it's a potential problem (either has suprising results for both users and implementors, or is a potential footgun when combined with sequential-consistency or release-acquire synchronization) either way. It might be better to leave this unspecified until this is resolved. |
@chorman0773 if you want to discuss further about C++ atomic_ref issues you could use this mailing list thread https://lists.isocpp.org/std-discussion/2022/05/1662.php |
Added one suggestion to leave the door open for future improvements in this area; otherwise, happy to merge this. |
Co-authored-by: Josh Triplett <josh@joshtriplett.org>
@bors r=joshtriplett |
📌 Commit 4768bfc has been approved by |
@bors rollup=always |
clarify how Rust atomics correspond to C++ atomics `@cbeuw` noted in rust-lang/miri#1963 that the correspondence between C++ atomics and Rust atomics is not quite as obvious as one might think, since in Rust I can use `get_mut` to treat previously non-atomic data as atomic. However, I think using C++20 `atomic_ref`, we can establish a suitable relation between the two -- or do you see problems with that `@cbeuw?` (I recall you said there was some issue, but it was deep inside that PR and Github makes it impossible to find...) Cc `@thomcc;` not sure whom else to ping for atomic memory model things.
Rollup of 10 pull requests Successful merges: - rust-lang#95446 (update CPU usage script) - rust-lang#96768 (Use futex based thread parker on Fuchsia.) - rust-lang#97454 (Add release notes for 1.62) - rust-lang#97516 (clarify how Rust atomics correspond to C++ atomics) - rust-lang#97818 (Point at return expression for RPIT-related error) - rust-lang#97895 (Simplify `likely!` and `unlikely!` macro) - rust-lang#98005 (Add some tests for impossible bounds) - rust-lang#98226 (Document unstable `--extern` options) - rust-lang#98356 (Add missing period) - rust-lang#98363 (remove use of &Alloc in btree tests) Failed merges: r? `@ghost` `@rustbot` modify labels: rollup
@cbeuw noted in rust-lang/miri#1963 that the correspondence between C++ atomics and Rust atomics is not quite as obvious as one might think, since in Rust I can use
get_mut
to treat previously non-atomic data as atomic. However, I think using C++20atomic_ref
, we can establish a suitable relation between the two -- or do you see problems with that @cbeuw? (I recall you said there was some issue, but it was deep inside that PR and Github makes it impossible to find...)Cc @thomcc; not sure whom else to ping for atomic memory model things.