Contents
I’d be curious to know how rust deals with undefined arithmetic but it’s simply a fact that they’ll be making trade offs, there’s no free lunch. I have mixed feelings on rust but my big concern is tooling. 5 years ago i tried to install rust on Debian arm-linux-gnueabi, and i met an astonishing array of problems. The parts of the rust community that i was exposed to were already quite arrogant about the fact that rust was already a fully-supported language and the only reason not to use it is a head-in-the-sand kind of intransigency. The community has not changed their tune one bit in the intervening 5 years, so my gut reflex is that the toolchain is still not remotely ready for mass adoption.
To a certain extent, the world has done a great deal of the first option, what with things like safe string and I/O functions that are meant to replace the extremely unsafe C originals, and integer types that have explicit, defined sizes. Because creating a pure Rust kernel would take years, maybe even decades to get close to what the current kernel is – its already got those decades of development and bug fixes. The Rust crowd seems desperate to drive language adoption, and from time to time will ramp up the hype/AstroTurf in an attempt to get devs to care. However, unless people plan to refactor the millions of lines of C into rust, the project vulnerability coverage goal is unfeasible. According to its author Zig 1.0.0 is still at least 2 years away, and there are 130 accepted language change proposals that have not yet been implemented. Rust has a huge development community; Zig has a very small one.
Featured in AI, ML & Data Engineering
Greg Kroah-Hartman asked how subsystem-specific Rust bindings will go upstream; will they go through the Rust tree or via the relevant subsystem maintainers? Ojeda answered that core Rust support will go through the Rust tree, but the rest should go through maintainers. Torvalds answered that it should be up to the maintainers; there is no need for global rules at this point.
That’s simply not possible without a massive performance hit in many cases. USB 2.0 userspace drivers are fine because the performance needs are so low. Now, one can go further and either support branches in the hierarchy, or just handle access rights on a per thread/process basis instead. But both of these adds even more complexities and usually access latency. OK, so someone writes a string cut-paste interface in a text-editer whose clipboard is only 500 characters long… because they forgot to increase the buffer size after a quick test. A grad-student or legal-professional just cut two hundred pages, pasted it elsewhere, and lost all but the last.
At that talk, they presented their work prototyping Rust kernel modules and made the case for adopting Rust in the kernel. They focused on security concerns, citing work showing that around two-thirds of the kernel vulnerabilities that were assigned CVEs in both Android and Ubuntu stem from memory-safety issues. Rust, in principle, can completely avoid this error class via safer APIs enabled by its type system and borrow checker.
- This session built on prior work by many developers, including a talk last year by Alex Gaynor and Geoffrey Thomas at the Linux Security Summit.
- In any case, there are many paths to supporting all the architectures people are willing to support.
- But editions are opt-in rather than opt-out and older editions still get updates, the Linux kernel could simply choose to stay on the 2021 edition of Rust and never lose any of the features that might get removed in the next 3 or 6 years.
- I bet there are people out there trying to make OS kernels directly from python.
It’s specifically for the reason superkuh speculates. People who are using rust are into novelty, and those people are going to be using idioms so close to the bleeding edge that they get cut. This tendency must be overcome to be a stable language for kernel development. But i just can’t resist pointing out, C and unix are almost synonymous. Are any of the above issues likely to be deal breakers? The addition of Rust will change the way kernel development happens a bit, and kernel maintainers will have to brush up on their Rust knowledge.
Rust then
Torvalds repeated that, for now, maintainers will be able to say that they don’t want to deal with Rust. Starovoitov countered, though, that BPF will be affected regardless of what he might decide; developers will need to be able to trace Rust code to debug problems. Everybody will need to know Rust eventually, he added.
Have a look at the “horrible UB” examples in C, and see how many of them are cases of the coder trying to do two things at once for some imaginary gain, at the expense of readability and exposure to language lawyering. If a language has no UB, the compiler has more knowledge and can aggressively optimize your code more. Unlike languages with UB, where it has to be conservative with its optimizations. Another surprising piece of UB is that pointers can only be magnitude-compared when they’re pointing at the same object. Maybe Rust is the way you should go but really C++ is far superior concernig low level programming and error checking. It is well known that Linux is the face of the C language.
Better iOS Projects: Advanced Usages of rbenv
To enable the use of functions and types available in C, Rust for Linux creates bindings, which are a set of Rust declarations translating their C-layer counterparts into Rust. In 1966 Peter Landin followed up his articles using λ-calculus to describe ALGOL with his article The Next 700 Programming Languages. Here he invents functional programming in the form of an invented language called ISWIM , as you can see again with a good dry humour. The language is λ-calculus with “syntactic sugar” on top, so a broad family of languages are possible to create using the framework as a basis. Landin’s article was popular, and people did invent languages. Functional programming languages then, implements lambda calculus.
The parent commenter was talking about keeping an independent compiler up to date with new Rust features, not about keeping Rust code working and relevant. The problem in the issue you linked to was JoinGuard assuming safe Rust doesn’t leak. So this problem wasn’t due to an interaction between unsafe code modules, but because one piece of unsafe code assumed a property of safe Rust code that doesn’t necessarily hold. The session ended without any further specific next steps, but it seems that, overall, there is enthusiasm for eventually supporting Rust modules along with increasing agreement on the broad requirements for that support. The next big step will likely be when someone proposes a real Rust driver for inclusion into the kernel.
The behavior is more complicated than that, but for our example, it is all you need to understand. And to add to the difficulty, not only is the calling convention architecture-dependent, but also the numbering of the syscalls. For instance, write has number 4 on x86, on ARM, it can be 4 or 0x depending on the application binary interface used, 4004 on MIPS32, while having 5001 on MIPS64. And some syscalls only exist on some specific architectures.
In practice, this would mean that tooling, documentation, and example code would be merged into the kernel right away. At some point in the future, one of the interested parties, like Google, would start writing new drivers in Rust. Google seems to be very interested in converting parts of Android to Rust, likely in an attempt to thwart the continued pwnage of their OS from the likes of the NSO group.
High-level languages—such as PHP, Python, or Java—aim to be both easier to read and write and safer to write code in. A large part of the additional safety they offer comes from implicit memory management—the language itself will refuse to allow you to stuff 16K of data into a 2K buffer, thereby avoiding buffer overflows. That said, I think it will take some time for the “less security issues” to really materialize. Sure, Rust prevents a lot of such bugs, but to interface with C you need bindings and Rust abstractions over those bindings. Imperfect abstractions can also be a source of bugs. I think it will take some time to get Rust APIs in the kernel which live up the level of robustness we expect in most userland Rust code.
It digs into issues with CPUs and operating systems, the latter summarizing challenges inherent in making concurrent code work correctly on Linux, macOS, and Windows. I was particularly https://topbitcoinnews.org/ happy to see that Mara illustrates these topics with working Rust code. It wraps up by discussing semaphores, lock-free linked lists, queued locks, sequence locks, and even RCU.
Linux 6.1 Officially Adds Support for Rust in the Kernel
All the flakes who gravitate to the “new hotness” will get bored and move on to something else before actually getting to production quality code. In other words, it has the same vulnerabilities as J2EE, which recently gave us (and in some case is still “giving”) the log4shell bug – trusting 3rd parties for basic functionality. Just like there was never any intention of rewriting Linux in Rust. The aim is to enable the use of Rust in the kernel not to replace C. It’s a huge source tree with massive dependencies. In this year’s Stack Overflow Developer Survey, 86.73% of developers said they love Rust.
Thomas Gleixner said that having the blessed compiler available on kernel.org would be good enough, but Torvalds answered that he would rather get compilers from his distributor if possible. Bottomley asked when Rust would become mandatory to build the kernel; the answer was “when the hardware he has requires it”. Torvalds said that, if and when that point comes, it will be an indication that Rust is a success for kernel development. Paolo Bonzini said that the Rust code implementing abstractions for subsystems is often the most unreadable for developers who are unfamiliar with the language, “but it’s stupid code” that is not doing anything complex. Driver-level Rust code is a lot more straightforward.
There’s also the project culture developed around the language choice. So why exactly are the grey-beards of kernel development even entertaining the idea of adding Rust? To answer in a single line, it’s because C was designed in 1971, to run on the minicomputers at Bell Labs. If you want to shoot yourself in the foot, C will hand you the loaded firearm.
Oh right, no one would care unless their infrastructure already relied on the legacy software. NPMs issues are mostly cultural and Rust has mostly avoided them. That’s why Cargo requires you to specify the exact version of every library you want to pull in. There’s no “npm update” or whatever – Rust programs are reproducible anywhere on earth at any time.
Now a developer has to be an expert in not only C and the compiler’s code generation, but rust as well. The kernel is already got python, bash, make, etc i’m not sure it really needs another language. Particularly rust which is quickly becoming a write only language to work around all the edge cases that crop up. Maybe in another ~10 years when its has a lot more developer support and has a proven track record. For all we know at this point rust is going to be just another ada/etc. Initial Rust support is just the absolute minimum to get Rust code building in the kernel, say Rust for Linux maintainers.
C++ programming language and safety: Here’s where it goes next
Looking ahead, Ojeda wrote, “We will keep upgrading until we do not rely on any unstable features; at which point we may want to start declaring a minimum Rust version is supported like it is done, e.g. GCC and Clang. Financial Innovation and FinTech European Banking Authority However, he added, “The idea that we have a boring and staid development possess doesn’t mean we have a boring and staid project. I’m actively encouraging people to try new things,” as with the Rust initiative.