rust: thread: Add Thread wrapper

[fbq]

It's working (on my machine), but sure, a lot to improve.

Updates (v9):

• Fix the potential memory leak found by @wedsonaf .
• Now we have two thread structure: RawThread and Thread<ThreadArg>, each thread struct has its own try_new function. try_new_closure is now kernel::thread::spawn.
• Other minor fixes.

Updates (v8):

• Rebase to the latest rust/rust.

Updates (v7):

• Rebase to the latest rust/rust to adopt sampe code changes.

Updates (v6):

• Fix style and typo as suggestions from @ojeda
• Add the case where a DST is shared between threads in examples, where try_new_closure() is slightly more appropriate than try_new().
• Fix a bug: the ThreadArg parameter of try_new() should have 'static lifetime, because the new thread may live longer.

Updates (v5):

• Make ThreadArg more easily to merge with PointerWrapper
• Take the suggestion from @ojeda on the function names (I still keep the try_ prefixes, as that indicates the return type is KernelResult not Thread
• Add the documentation section of "Memory Cost" for try_new_closure, so that the users will know the current drawbacks.

Updates (v4):

• Don't use macro to generate bridge functions
• Still surface try_new_c_style.

Updates (v3):

• Multiple document and style fixes
• Renames Thread::new to Thread::try_new because as the return type suggests the creation may fail.
• Adds Thread::try_new_c_style to allow people use C function pointer for thread creation.
• Moves the name parameter as the first parameter of Thread::try_new

Update:

• Documentation is added ;-)
• Thread::stop is added, to support waiting for a thread to finish.
• Correctly handle the refcount of the task_struct. during Thread::new and Thread::drop.
• Now Thread::new accepts FnOnce() -> KernelResult<()> as the closure for kernel threads.

[wedsonaf]

This is very cool. Once this is in, we can add better examples for mutex/spinlock/condvar to the examples.

[ojeda]

Thanks a lot for this! Having new contributors is definitely great :)

[ojeda]

I think I'd like to see first workqueues etc. before lower-level APIs, but nevertheless any proof of concept is welcome :)

[wedsonaf]

How hard would it be to have c-style non-allocating version? The thread function would be a static function that doesn't capture any environment and takes a single argument no bigger than the size of a pointer.

[fbq]

You mean something like below, which is basically a wrapper of kthread_create_on_node. And if you want to share data between threads, you still need to do box/Arc dance yourself.

     pub unsafe fn new_unsafe<F>(
         name: CStr,
         f: extern "C" fn(*mut c_types::c_void) -> i32,
         arg: *mut c_types::c_void,
     ) -> KernelResult<Self> {
         let task;
         
         task = bindings::kthread_create_on_node(
                 Some(f),
                 arg,
                 bindings::NUMA_NO_NODE,
                 "%s".as_ptr() as _,
               name.as_ptr(),
             );
     
         let result = ptr_to_result(task);

         if let Err(e) = result {
             Err(e)
         } else {
             Ok(Thread { task: task })
         }
      }

[wedsonaf]

That's very close to what I was suggestion. By c-style I just meant that it should take one pointer-sized argument: it doesn't have to be extern "C", and it can use usize or perhaps some arbitrary type T whose size is less than or equal to size_of(usize) -- perhaps we could enforce this with a static assert.

[fbq]

@wedsonaf Could we do function pointer conversion from Rust to C? If not, what's the function pointer that we are going to pass to kthread_create_on_node?

[ojeda]

What do you mean? Whether it is safe to cast a C function pointer to a Rust function pointer?

[fbq]

And I push the old version, the one with thread creation macro here: https://github.com/fbq/linux-rust/tree/dev/thread-old, for discussion purpose.

[fbq]

@ojeda I upload an updated version:

• take your suggestion on the names, but I still keep the try_ prefixes since the return type is KernelResult. And instead of hiding try_new_closure, I add a "Memory Cost" section in the document. I think the API itself doesn't have problems it's the implementation that we are more worried about, so I keep it public but not recommend it to users unless they are aware of the cost.
• Do some prepare work for the future mergement with PointerWrapper.

[ojeda]

Looks better! Thanks a lot, and sorry again for the delay.

Is there any use case for which try_new() cannot (reasonably easily) cover try_new_closure() that you can think of? If yes, it would be good to put it as an example.

[fbq]

One limitation is that ThreadArg has to be Sized, otherwise we cannot convert it to *const (). So if there is a DST shared between threads, we either use try_new_closure() or do our own double boxing and stay with try_new(). A somewhat pointless example is as follow:

let boxed_slice: Box<[i32]> = Box::try_new([1,2,3,4])?;

Thread::try_new_closure(move || {
    println!("{:?}" boxed_slice);
});

// This will fail to compile
// Thread::try_new::<...>(boxed_slice);

// Do your own double boxing, it will work
Thread::try_new::<...>(Box::try_new(boxed_slice)?);

[ojeda]

I think in that case doing the double boxing "by hand" is fine and it can be explained in try_new's docs.

But I also think showing how closures could be done may be worth it since it is early days. So I think we can keep it, and see what other folks think (and perhaps someone comes up with a way to support closures with a single allocation etc.).

In the end, I suspect only the faster and non-/less-allocating APIs will survive considering this is the kernel, but we will see!

[fbq]

https://github.com/Rust-for-Linux/linux/pull/109/checks?check_run_id=2147388614#step:35:26

Is this a false postive? Because the code is in a unsafe block

5d3fd95#diff-67dbdd410624adbd4c7ff8aac814d8aa148376945f04c4d690b4d947809d17c4R73

Besides the raw pointer is actually not dereferenced in the function

[wedsonaf]

I'm not sure this is a false-positive. What I think it's saying is "you're taking a raw pointer as argument and you're potentially dereferencing it, how can you claim to be safe?" IOW, I think you need to mark it unsafe. You already even have a Safety section where you describe the requirements.

…

________________________________ From: Boqun Feng ***@***.***> Sent: 19 March 2021 10:44 To: Rust-for-Linux/linux ***@***.***> Cc: Wedson Almeida Filho ***@***.***>; Mention ***@***.***> Subject: Re: [Rust-for-Linux/linux] [RFC] rust: thread: Add Thread wrapper (#109) https://github.com/Rust-for-Linux/linux/pull/109/checks?check_run_id=2147388614#step:35:26 Is this a false postive? Because the code is in a unsafe block 5d3fd95#diff-67dbdd410624adbd4c7ff8aac814d8aa148376945f04c4d690b4d947809d17c4R73<5d3fd95#diff-67dbdd410624adbd4c7ff8aac814d8aa148376945f04c4d690b4d947809d17c4R73> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#109 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ABZFV63CK7HSCC33T4SS7TLTEMTJPANCNFSM4ZHA2EGQ>.

[fbq]

@wedsonaf But I don't dereference the pointer in the function. So should the following function be unsafe?

pub fn(ptr: *mut i32) -> i32 {
     ptr as usize as i32
}

[fbq]

And if I assign arg to a local binding, the problem is gone:

--- a/rust/kernel/thread.rs
+++ b/rust/kernel/thread.rs
@@ -62,18 +62,21 @@ impl Thread {
     ) -> KernelResult<Self> {
         let task;

+        // To make clippy happy.
+        let arg_copy = arg;
+
         // SAFETY:
         //
         // - `kthread_create_on_node` won't use `f` or dereference `arg`, if `arg` is an invalid
         // pointer or `f` doesn't handle `arg` as it should, the new thread will case unsafe
         // behaviors.

         // - `kthread_create_on_node` will copy the content of `name`, so we don't need to make the
         // `name` live longer.
         unsafe {
             task = ptr_to_result(bindings::kthread_create_on_node(
                 Some(f),
-                arg,
+                arg_copy,

[wedsonaf]

@wedsonaf But I don't dereference the pointer in the function.

Well, you call an unsafe function defined in another language. The compiler doesn't know what the function does nor what its unsafe requirements are, so it can't convince itself that the pointer is not dereferenced.

So should the following function be unsafe?

No, because the compiler can convince itself that you don't dereference it in this case.

[wedsonaf]

And if I assign arg to a local binding, the problem is gone:

I guess clippy is not smart enough to follow the usage of the copy...

But let's consider why we mark a function unsafe. I see at least two distinct reasons:

1. Because it genuinely does something that violates Rust's safety rules.
2. Because it has extra requirements beyond the ordinary ones on the caller, and we'd like the make the caller aware of these requirements.

I think this function falls in the second category. WDYT?

[fbq]

But let's consider why we mark a function unsafe. I see at least two distinct reasons:

1. Because it genuinely does something that violates Rust's safety rules.
2. Because it has extra requirements beyond the ordinary ones on the caller, and we'd like the make the caller aware of these requirements.

I think this function falls in the second category. WDYT?

I did consider to make it unsafe at first but the function itself doesn't dereference the arg pointer or call the f function, so I made it as safe. But now think about it, it makes more sense to make it unsafe. Let me send an udpated version.

[ojeda]

Nit-review.

To clarify on the whole newline vs. no newline thing around safety comments:

• /// # Safety goes with newlines because it is a Markdown section (#) for an unsafe function/method docs (i.e. 3 slashes: ///). It explains the preconditions the caller must uphold.
• // SAFETY: goes without newlines because it is a code comment (i.e. 2 slashes //, no Markdown section) on the following unsafe block that explains why it is sound.

[ojeda]

Because it has extra requirements beyond the ordinary ones on the caller, and we'd like the make the caller aware of these requirements.

A function should be qualified as unsafe whenever there is a path of execution that triggers UB. If there is no way to trigger UB with it, it shouldn't be marked as unsafe, even if it panics or breaks the logic of the program.

I am not sure we want to mark things as unsafe just to make the caller aware of extra preconditions (the same way, we don't want to mark things as safe just because it is safe "in most cases" or "if you do the right thing").

Some people may want to have an "almost safe" qualifier, though. For instance, when the only real way to break a function is to pass an invalid pointer but otherwise there is no other UB. I mention this and a few other things in N2659 (feedback welcome!), although I only propose [[safe]] for C.

Well, you call an unsafe function defined in another language. The compiler doesn't know what the function does nor what its unsafe requirements are, so it can't convince itself that the pointer is not dereferenced.

FFI is already unsafe: when we call an external function, we are promising that function won't trigger UB in any way with the arguments we are passing. The compiler does not need to know whether it is safe or not: we are stating it is.

In summary: if kthread_create_on_node can trigger UB, and we have no way of preventing that (e.g. by checking arguments before calling it), then try_new_c_style should be qualified as unsafe.

[wedsonaf]

A function should be qualified as unsafe whenever there is a path of execution that triggers UB. If there is no way to trigger UB with it, it shouldn't be marked as unsafe, even if it panics or breaks the logic of the program.

This is not true. A function needs to be marked unsafe even if the function itself cannot lead to UB, but something later on can. An example of this from the standard library is Pin::get_unchecked_mut: the function is trivial and obviously doesn't cause UB, but it has extra safety requirements that are imposed on the caller so as to avoid future UBs.

FFI is already unsafe: when we call an external function, we are promising that function won't trigger UB in any way with the arguments we are passing. The compiler does not need to know whether it is safe or not: we are stating it is.

This is also not true. Our "promise" can be conditional: if we mark the caller as unsafe as well, we're saying that calling an unsafe FFI won't trigger UB as long as the caller of the function also abides by the additional safety requirements.

In summary: if kthread_create_on_node can trigger UB, and we have no way of preventing that (e.g. by checking arguments before calling it), then try_new_c_style should be unsafe.

We are in agreement on this part. :)

[ojeda]

This is not true. A function needs to be marked unsafe even if the function itself cannot lead to UB, but something later on can. An example of this from the standard library is Pin::get_unchecked_mut: the function is trivial and obviously doesn't cause UB, but it has extra safety requirements that are imposed on the caller so as to avoid future UBs.

Yes, by "any path of execution" and "If there is no way to trigger UB with it", I'm including the context, not just the operations inside the function, e.g. if somewhere else you are relying on an invariant to avoid UB and your function may break that invariant, then it is unsafe.

The same thing applies in reverse: a function may contain a fundamentally unsafe operation in it, e.g. a dereference, and yet be marked as safe as long as something else in the program ensures that dereference is always valid (i.e. that there is no path of execution that may arrive at the dereference triggering UB).

This is also not true. Our "promise" can be conditional: if we mark the caller as unsafe as well, we're saying that calling an unsafe FFI won't trigger UB as long as the caller of the function also abides by the additional safety requirements.

Of course, I am talking about the case when the outer function is qualified as safe. If it isn't, the language does not require to use unsafe blocks to begin with (although it is still a good idea).

[ojeda]

Bits here and there.

[fbq]

My thought is that if we don't make try_new_c_style as unsafe, then we need to make wake_up as unsafe, because wake_up is the function that potentially trigger the call of the unsafe C function, and that's undesirable, because wake_up a Thread created by try_new is safe. If you all agree on this, I will add the reasoning to the comments for try_new_c_style, so that the future me (e.g. six months later version) will be grateful ;-)

[fbq]

v9 -> v10:

• Use single boxing implement for closures as thread functions
• Remove ThreadFunctor way of thread creation, since using closures doesn't require double boxing.

[fbq]

Pushing a temporary version to see which commit triggered the "Inconsistent kallsym data", as I failed to reproduce this locally.

[fbq]

Seems like I'm hitting a rarely seen "bug" of scripts/link-vmlinux.sh: currently file sizes are used to decide whether the kallsym results of step 1 and step 2 are different, however, I'm hitting a case where the file sizes are the same but the content is different...

[fbq]

Seems like I'm hitting a rarely seen "bug" of scripts/link-vmlinux.sh: currently file sizes are used to decide whether the kallsym results of step 1 and step 2 are different, however, I'm hitting a case where the file sizes are the same but the content is different...

And the problem is gone, maybe because we update to a new version of toolchain.

[ojeda]

Seems like I'm hitting a rarely seen "bug" of scripts/link-vmlinux.sh: currently file sizes are used to decide whether the kallsym results of step 1 and step 2 are different, however, I'm hitting a case where the file sizes are the same but the content is different...

Hmm... perhaps we should put this in an issue even if it gone.

[fbq]

Seems like I'm hitting a rarely seen "bug" of scripts/link-vmlinux.sh: currently file sizes are used to decide whether the kallsym results of step 1 and step 2 are different, however, I'm hitting a case where the file sizes are the same but the content is different...

Hmm... perhaps we should put this in an issue even if it gone.

Done #502

[wedsonaf]

This is looking really good, thank you Boqun! And apologies for taking so long to get back to this.

[wedsonaf]

Technically, arg could be a pointer-sized integer, couldn't it?

Also, when it actually is a pointer, I think we need to be more explicit about its lifetime requirements: in addition to being valid when the new thread begins to run, it must remain valid for as long as f needs it. (IOW, if f needs it forever, it should stay alive forever.)

[wedsonaf]

nit about wording: I would prefer that we avoid using the imperative mood. So instead of saying "do not call this atomic context", perhaps say something like "Callers must not be in atomic context".

[wedsonaf]

Probably something for another PR, but given we should probably allow callers to specify rust-style formats when calling this function so that they can do something similar to C when choosing names, something like ("my-thread-{}", index), where in C we'd see ("my-thread-%d", index).

[fbq]

Agreed, but that requires the API implemented as a macro, right?

[wedsonaf]

Agreed, but that requires the API implemented as a macro, right?

Maybe not. Instead of taking a &CStr as argument, you'd take a core::fmt::Arguments. Callers would have to use the format_args! macro to create the name, but they already had to use c_str! anyway; if format_args! is too long, perhaps we could define a new one called fmt! that just calls format_args!.

And the implementation would pass c_str!("%pA") as the format, with a pointer to the Arguments arg as the first (and only) format argument.

Perhaps you could do it in this PR if you're so inclined. But I'm fine with deferring it too.

[wedsonaf]

Are there any functions from Task that we don't want exposed by RawThread?

If not, I think we should have RawThread implement Deref<Target = Task> so that we expose all Task methods directly without having to write these helper routines.

[wedsonaf]

One of the selling points of Rust is that we don't mix errors and proper return values. In this instance, it seems like we're violating this by returning an error when the function actually succeeded.

I think we should try to avoid this. Perhaps return Result<bool>: an Err indicates that something went wrong in our attempt to stop the thread; Ok(b) means that we successfully stopped the thread, and b is true if it (the thread) managed to run at some point, false if we stopped it before it ever ran. Of course, I'm not insisting on this solution, but I'd like to clearly separate success and failure cases. WDYT?

[wedsonaf]

Do we actually need this in the sample?

[wedsonaf]

Same question here wrt methods from Task/RawThread -- can we use Deref to avoid having to forward these calls to the wrapped object?

[wedsonaf]

We also have cond_resched in rust/kernel/sync/mod.rs.

I think these two need to be together. I'm trying to think of a good place for them, one thing that comes to mind is Task, so one would call Task::schedule() and Task::cond_reschedule (no self involved here). WDYT?

[wedsonaf]

Looking at this, the following thought came to mind: what if we never call wake_up (either on purpose or by omission, i.e., not having realised that it needs to called)?

The thread and its state would be stuck in no-man's land, right? I think we should make it harder for such a state to be reached; another way to put it: a better design would one in which this no-man's state is reached only when the user explicitly intends it.

Two things come to mind:

1. We should offer a constructor that automatically starts the thread in addition to the one we have now. In fact, I think the try_new one should automatically wake up the thread and the other one could be something like try_new_paused (or something to that effect).

2. Do thread creation in two stages with different types. The first stage is one in which the thread was never started; there are three ways to come out of it (they would all consume this initial type and optionally return a new one): starting the thread (returns the Thread as you have here); stopping the thread (doesn't return anything); upgrading (doesn't start the thread, but returns Thread as you have here). If none of these actions are taken, i.e., we default to stop.

Some examples to illustrate what I mean:

Thread::try_new(...); // automatically runs the closure

Thread::try_new_paused(...).run(); // automatically runs the closure

// Creates the thread but never runs it and automatically cleans
// everything up (no accidental leaks).
Thread::try_new_paused();

// Same as above
Thread::try_new_paused().stop();

// `upgrade` is not the best name, we should think of something better.
//
// creates the thread, never runs it, but don't do cleanups beyond 
// `put_task_struct`, which is basically what we have today but with
// explicit action from the user (calling `upgrade`).
Thread::try_new_paused().upgrade(); 

To implement the above, Thread::try_new_paused would return a different type, something like InitialThread that would have the run, upgrade, stop methods plus a Drop implementations that calls stop (and would be inhibited by the calls to run and upgrade).

WDYT?

[wedsonaf]

Two more examples to make the role of InitialThread clearer:

fn example1() -> Result {
    let t = Thread::try_new_paused(...);
    // Do other stuff. If it fails, and we return, `t` never runs and is cleaned up.
    let t = t.run();
    // Now we can use `t` as a `Thread`.
}

fn example1() -> Result {
    let t = Thread::try_new_paused(...).upgrade();
    // Do other stuff. If it fails, and we return, `t` never runs and leaks memory.
    let t = t.run();
    // Now we can use `t` as a `Thread`.
}

[fbq]

Looking at this, the following thought came to mind: what if we never call wake_up (either on purpose or by omission, i.e., not having realised that it needs to called)?

The Thread::drop will handle it in that case. So if you do

fn do_something() {
    let t = Thread::try_new(...)?;
    // never call t.wake_up();
}

the Thread will be freed when do_something() returns. IOW, the lifetime of a kernel thread is the same as the lifetime of a Thread. For a (kernel) thread that forever runs, kernel must keep a reference to is somewhere, otherwise kernel won't have a way to manipulate it.

The thread and its state would be stuck in no-man's land, right? I think we should make it harder for such a state to be reached; another way to put it: a better design would one in which this no-man's state is reached only when the user explicitly intends it.

The interface that I want to provide to users is that if a Thread is alive, then the thread must be there. And if the users want to keep a thread alive for a long time (maybe forever), they are required to manage the lifetime of Thread.

[wedsonaf]

The Thread::drop will handle it in that case. So if you do

fn do_something() {
    let t = Thread::try_new(...)?;
    // never call t.wake_up();
}

the Thread will be freed when do_something() returns. IOW, the lifetime of a kernel thread is the same as the lifetime of a Thread. For a (kernel) thread that forever runs, kernel must keep a reference to is somewhere, otherwise kernel won't have a way to manipulate it.

If we never call t.wake_up, do_something() will never run and therefore never return, right? (Or am I missing something here?)

IOW, it looks to me that we're leaking by inaction (i.e., not calling t.wake_up). I'm saying that we should design things to avoid accidental leaks like this one. If users actually do want to leak, they should do it explicitly (e.g., by calling some function that will result in the leak).

[fbq]

The Thread::drop will handle it in that case. So if you do

fn do_something() {
    let t = Thread::try_new(...)?;
    // never call t.wake_up();
}

the Thread will be freed when do_something() returns. IOW, the lifetime of a kernel thread is the same as the lifetime of a Thread. For a (kernel) thread that forever runs, kernel must keep a reference to is somewhere, otherwise kernel won't have a way to manipulate it.

If we never call t.wake_up, do_something() will never run and therefore never return, right? (Or am I missing something here?)

No, please see the comments below (I adjust a little on the return type of do_something().

fn do_something() -> Result {
     let t = Thread::try_new(...)?; // create a thread, and thread doesn't start to run
     // if t.wake_up() here, the thread will start running
     return Ok(()); // here `drop(t)` will be called, if `t` hasn't started, `t` will get recycled, otherwise, we wait `t` to finish and then recycle it.
}

IOW, it looks to me that we're leaking by inaction (i.e., not calling t.wake_up). I'm saying that we should design things to avoid accidental leaks like this one. If users actually do want to leak, they should do it explicitly (e.g., by calling some function that will result in the leak).

I don't think we leak anything here, all thread related resources are bound to Thread, and they will get recycled when Thread reach the end of life, that's how I want to design the API.

[fbq]

My point is that even if we call t.wake_up(), we could still "leak" memory,

Sure, but I think that the fact that we may 'leak' later has no bearing on the fact that we definitely leak between try_new and wake_up.

I agree that we should resolve this, but I'm not sure Thread is the proper layer that we resolve it. The current design of Thread is combination of JoinHandle in Rust std and Linux C kernel API, both of which are already known and somehow well-defined, but what's we don't know is the usage pattern that Rust users may choose to manage the kernel threads, for example, will Rust user prefer one-shot threads (only run one time and return) or long-live threads? Given the uncertainness, I'm not sure the best API the users want. The current rule of Thread is easy, if one wants to make sure all the resources of a thread is recycled, one must call stop, otherwise, there is no guarantee. Upon the Thread, we can build other layers to resolve various leaking issues.

It seems to me that part of your argument is that the situation above is unique. So let me show 3 examples from the project that, in my view, show a pattern that I think we should follow here:

1. Reference-counted object:

    let r = UniqueRef::try_new(...)?;
    do_something()?; // <- if this fails, we automatically free the object.
    r.into() // <- converts UniqueRef<T> to Ref<T> -- users may leak this by creating
             // circular references and many other ways, but we still clean up if
             // do_something fails.

2. Red-black tree nodes:

    let r = RBTree::try_reserve_node()?;
    do_something()?; // <- if this fails, we automatically free the node reservation.
    tree.insert(r.into_node()); // <- this converts a reservation into a node and inserts it
                                // into the tree -- users may "leak" it by never removing it from the
                                // tree but we still clean up the reservation if do_something above 
                                // fails. 

3. File descriptor:

    let r = FileDescriptorReservation::new(...)?;
    do_something()?; // <- if this fails, we automatically free the fd reservation.
    r.commit(file); // <- ties this fd reservation to the given file -- users may "leak" the
                    // file descriptors by never closing it, but we still clean up the reservation
                    // if do_something fails.

It makes more sense considering this is a widely used pattern ;-)

So perhaps one way to address your concern wrt to keeping things simple would be something like this: Thread::try_new() creates and automatically runs a thread -- I suspect this would be usual way of doing things, and would be similar to userspace and kthread_run.

I probably name it as Thread::try_run().

For the more unusual scenario where one needs to do some work before letting the thread run, we'd have a type 'PausedThread' (or something similar, but would play the same role as UniqueRef, FdReservation and NodeReservation in the examples above). PausedThread::try_new creates a paused thread that is automatically cleaned up if it goes out of scope. Eventually the users would call paused_thread.into_thread() which would consume the paused thread and turn it into a regular Thread by just waking it up. (We may even avoid the extra reference count increment on the new task if we have PausedThread::wake_up that consumes the PausedThread but doesn't return anything -- we don't need to increment the refcount because we're giving up any pointers to the new task).

So we keep Thread as simple as it gets. The extra 'complexity' only comes in when users want the less common scenarios, and even then it is contained in PausedThread. And we never leak paused threads if an error occurs before they run.

OK, I will update this PR accordingly.

[fbq]

So we keep Thread as simple as it gets. The extra 'complexity' only comes in when users want the less common scenarios, and even then it is contained in PausedThread. And we never leak paused threads if an error occurs before they run.

@wedsonaf there is an interesting limitation: should PausedThread impl Deref<Target=Task>? It makes sense it does, because most of operations between try_new and wake_up are task related: e.g. set nice value. However, this conflicts with having a Task::wake_up(), because directly calling wake_up on PausedThread violates the type invariants. But having a Task::wake_up() is quite natural, which I already did in this PR. Any idea?

[wedsonaf]

That's indeed problematic. I agree that we should have Task::wake_up, especially because it's used/useful in other scenarios, but that seems to prevent us from implementing Deref<Target = Task> for PausedThread. I can think of two ways of going about this, none of them ideal:

1. Simply not implement Deref<Target = Task>, which means that we need to implement a bunch of Task methods in PausedThread and forward them.
2. Implement an unsafe variant of Deref (e.g., an as_task_unsafe() method) with the safety requirement being that the caller must not call wake_up on the returned task.

Or perhaps we can do a combination of both, for example, we only implement the most common Task methods in PausedThread (e.g., nice()). Other users can go the unsafe route of caling as_task_unsafe() or simply adding the method to PauseThread if it is common enough. WDYT?

[fbq]

That's indeed problematic. I agree that we should have Task::wake_up, especially because it's used/useful in other scenarios, but that seems to prevent us from implementing Deref<Target = Task> for PausedThread. I can think of two ways of going about this, none of them ideal:

1. Simply not implement Deref<Target = Task>, which means that we need to implement a bunch of Task methods in PausedThread and forward them.
2. Implement an unsafe variant of Deref (e.g., an as_task_unsafe() method) with the safety requirement being that the caller must not call wake_up on the returned task.

Or perhaps we can do a combination of both, for example, we only implement the most common Task methods in PausedThread (e.g., nice()). Other users can go the unsafe route of caling as_task_unsafe() or simply adding the method to PauseThread if it is common enough. WDYT?

How about a AutoStopThread instead of PausedThread? AutoStopThread impl Deref<Target=Task> and can convert to or from Thread, which means AutoStopThread can represent a thread that is already running, the only difference is that AutoStopThread will call kthread_stop when it goes out of scope (i.e. in AutoStopThread::drop) while Thread::drop is just put_task_struct.

AutoStopThread does the same thing as PausedThread: cleaning up when drop. The only downside is that we need to get_task_struct when we create a new AutoStopThread for the same reason as we do for Thread.

Thoughts?

[wedsonaf]

Oh, I really like this! It also addresses the problem of storing a pointer to the task somewhere else before running the thread (from a cursory look at the uses of kthread_create, it seems to be fairly common).

I'm not too concerned about having to call get_task_struct. Creating a thread is already an expensive operation anyway.