Posted Mar 22, 2022 13:04 UTC (Tue) by immibis (subscriber, #105511) [Link]

Kevin, could you please explain me "restrict" ? I've started to see it a few years ago in includes and man pages, and all info I've read on it were incomprehensible to me. I've always been interested in strong typing (and am using const a lot). I'd like to know if "restrict" may bring me anything at all or if I shouldn't care.

Posted Mar 22, 2022 14:05 UTC (Tue) by farnz (subscriber, #17727) [Link]

"restrict" is a promise from the programmer to the compiler, which is why it's a pain to understand.

Using the following names for exposition:

int foo[16];
int * foo_ptr = &foo[0];
int * restrict foo_restrict = foo;

With foo_ptr, the programmer makes no promises about aliasing. There can be a second pointer to any element of foo, and you can use foo[2] and *(foo_ptr + 2) interchangeably.

"restrict" makes a promise to the compiler about using overlapping names, and hence a promise that no aliasing is used for as long as the "restrict" pointer is alive. For as long as foo_restrict is alive, you promise not to access foo directly, or via foo_ptr, and you promise that if you use *(foo_restrict + 4), you have not accessed foo[4] any other way since foo_restrict was initialized, and that you will not access it any other way (e.g. via foo[4], or *(foo_ptr + 4)) until the lifetime of foo_restrict ends.

The usual concrete example is memcpy versus memmove; the inputs to memcpy are "restrict" pointers, because if you do memcpy(foo, bar, 16 * sizeof(foo[0]));, you promise the compiler that until memcpy returns, *(foo + 0) through *(foo + 15) cannot be accessed via *(bar + offset). memmove, on the other hand, permits that overlap, so its input pointers cannot be marked restrict.

Beingessner: Rust's Unsafe Pointer Types Need An Overhaul

On other platforms, with other compilers, you get what you asked for, not what you expected. Maybe you get lucky and maybe you don't. Maybe if you get unlucky you can write "volatile" in a few extra places and now it works. Voodoo.

Posted Mar 22, 2022 1:47 UTC (Tue) by jlombera (guest, #155698) [Link]

Beingessner: Rust's Unsafe Pointer Types Need An Overhaul

This all pre-dates a formal memory model, but it is promised in POSIX and so you are indeed welcome to rely on it on a POSIX system. Like making errno work the way the standard says it should, on modern systems this involves a considerable amount of extra lifting for your compiler and C library, but that work is done and so yes you might as well rely on it.

There's a lot of low-level code out there actually banging on MMIO far from any POSIX system and MMIO is, in fact by my understanding where volatile starts out (first C compilers are too naive to eliminate duplicate stores/ loads, as the optimiser improves it elides enough apparently useless loads and stores that now the device driver doesn't work, volatile qualifier tells the compiler not to optimise the loads and stores and now the device drivers work properly again), so if I was a betting man I might take the other side of your bet.

Posted Mar 22, 2022 19:01 UTC (Tue) by khim (subscriber, #9252) [Link]

Technically nothing in Rust is Rust innovation and most ideas it uses were already old when it was conceived. Heck, it was presented to the world with words technology from the past come to save the future from itself!

But most compileable “mainstream” language are based on ideas so ancient that even these, pretty old and well-tested ideas are looking like some kind of radical revelation to C/C++/ObjectPascal/etc developers (Swift took some of these ideas, though).

They appear to have plenty about formal properties at https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/ch... , including papers like "Exploring C Semantics and Pointer Provenance" which adds CHERI-like semantics to a subset of C, based on (if I understand it correctly) the Cerberus tool which carefully transforms C programs into a 'Core' language that makes the memory model explicit and has well-defined operational semantics. The Core code can then be analysed for pointer provenance violations etc. And https://www.cl.cam.ac.uk/~pes20/cerberus/ lists many proposals submitted to ISO by that research group. (Of course they're still a long way from a complete semantics for C, despite working on this for well over a decade with many PhDs, so it's far from a solved (or even solvable) problem in general.)

(Hmm, actually Cerberus seems to be somewhat more relaxed than CHERI, because it doesn't require you to use intptr_t. See https://cerberus.cl.cam.ac.uk/?short/2eaa24 , select "Model > Integer provenance (PVI)", "Search > Random", and it complains of undefined behaviour when dereferencing the pointer, because it gets understandably confused about provenance. But comment out lines 9-10 (which are a noop in regular C) and it works okay, because it can still track provenance through the cast to long and back. If you step "Forward" enough times then you can see the allocation number associated with each pointer.)

C could of course as easily add new way to combine a pointer with an address using some other syntax than a method. The problem with this is that it would break existing code (which for Rust somehow seems OK). The other problem is that the in most cases where you need to convert an integer to a pointer you do not have the pointer available, so you simply can not use ptr.with_addr(address). If you had the pointer you could also just to ptr + offset which is the same as ptr + (addr - base_addr), so I do not see how ptr.with_addr(address) solves the same problem.

C has a lot issues, but it also has many advantages: Widely supported, long-term stability, many existing tools, fast compilation, low complexity, emerging formal semantics, etc. And yes, it will take a long time fixing its many issues. It will also take a long time before Rust is ready (the long compile times and lack of stability rule it out for me at this time) and it is already too complex for my taste.

Posted Mar 23, 2022 15:10 UTC (Wed) by farnz (subscriber, #17727) [Link]

There are two important differences between Rust and C that make breaking changes in handling raw pointers more palatable on the Rust side:

1. Use of raw pointers in Rust is already gated behind unsafe, and Rust style says to keep the use of unsafe to a minimum. This allows you to use data in papers like this ACM paper on Unsafe Rust to judge the maximum blast radius of changes - the data supports the idea that at most 25% of Rust code could be affected (as around 75% of published crates contain no Unsafe Rust), and that 3% of Rust code would be a good estimate of the amount of code affected by changes to raw pointers (about 10% of Unsafe Rust deals with raw pointers). In contrast, because of the nature of C, it's harder to tell how much C code is likely to be affected by any given change to pointer semantics.
2. Rust's module system allows you to have maintained legacy code in an older edition and modern Rust in the same binary - I can link Rust 2015 code with Rust 2027 code, and the compiler will give the Rust 2015 code the semantics that went with Rust 2015, while giving me modern semantics for Rust 2027 code. #include in C means that I can't clearly delineate code that has modern semantics from code that doesn't, because some code has to have the "right" semantics whether it's #included into a compilation unit that has C99 semantics or whether it's #included into a compilation unit that has C27 semantics.

Of these, I think the former is the hard one to overcome; fixing the latter is something that can be done by a sufficiently smart C standard committee and compiler implementation team, while the former is about gathering statistics easily on which code might be affected.