Content-Length: 14514 | pFad | http://lwn.net/Articles/830162/

Supporting Linux kernel development in Rust [LWN.net]
|
|
Subscribe / Log in / New account

Supporting Linux kernel development in Rust

Supporting Linux kernel development in Rust

Posted Aug 31, 2020 20:15 UTC (Mon) by geofft (subscriber, #59789)
In reply to: Supporting Linux kernel development in Rust by vegard
Parent article: Supporting Linux kernel development in Rust

Yes, you'd want a safe Rust wrapper to define the locking expectations / ownership and deallocation contracts / etc.

That's basically the distinction between the two approaches mentioned in the article. One approach (the one we've been working on) is to pick one area (e.g., filesystems and struct dentry, struct file, etc., or maybe network drivers and struct sk_buff and friends), write and review some bindings, and add a driver that is itself written safe Rust and only relies on unsafe Rust inside reusable abstractions. The other approach is to write unsafe Rust that looks mostly like idiomatic C code, which is a fair bit less work and still provides you with a bit nicer syntax than writing C but won't take advantage of compiler-checked memory safety. (Though you could always convert such drivers to using safe wrappers later, once they exist.)


to post comments

Supporting Linux kernel development in Rust

Posted Sep 4, 2020 7:04 UTC (Fri) by vegard (subscriber, #52330) [Link] (2 responses)

Just thinking about this some more.

What you say sounds "easy" in a way, but is it really possible at all in most cases?

The Linux kernel is notorious for its use of intrusive doubly-linked lists, and Rust is notorious for the difficulty/discouragement of linked lists. Surely if it was just a matter of finding a safe abstraction in Rust (i.e. wrapper around unsafe code), Rust would also have easy-to-use linked lists?

If I remember correctly, whenever you have two pieces of unsafe code that individually present a "safe" interface, there is a possibility of an interaction that makes the combination unsafe, most famously <https://github.com/rust-lang/rust/issues/24292>. A whole bunch of people have worked on proving that all these safe abstractions are safe in the presence of each other (i.e. the RustBelt project). Wouldn't we need a whole bunch of verification work to make this work for the kernel?

Supporting Linux kernel development in Rust

Posted Sep 4, 2020 8:45 UTC (Fri) by farnz (subscriber, #17727) [Link]

Rust has a standard library linked list, and the abstractions for instrusive double-linked list and intrusive single-linked list have been written.

The reason linked lists are discouraged in Rust apply to C and assembly, too - they are fundamentally all about pointer chasing, and that's the hardest thing for a CPU to perform well at; other data structures are normally what you want, but the emphasis on linked lists in formal education (and in languages with "sufficiently smart" compilers like Haskell) means that people reach for them when they're the wrong choice.

Supporting Linux kernel development in Rust

Posted Sep 4, 2020 9:30 UTC (Fri) by roc (subscriber, #30627) [Link]

> whenever you have two pieces of unsafe code that individually present a "safe" interface, there is a possibility of an interaction that makes the combination unsafe

The problem in the issue you linked to was JoinGuard assuming safe Rust doesn't leak. In fact, safe Rust is allowed to leak. So this problem wasn't due to an interaction between unsafe code modules, but because one piece of unsafe code assumed a property of safe Rust code that doesn't necessarily hold.

This was an understandable mistake in 2015 because then there wasn't as clear a picture of what the invariants around safe Rust actually are. The picture is clearer now, although still not fully clear. So maybe in the future some invariants will be clarified that invalidate the assumptions made by some unsafe code --- but even then, there is no general problem of "the possibility of an interaction that makes the combination unsafe".


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds









ApplySandwichStrip

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier!      Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

Fetched URL: http://lwn.net/Articles/830162/

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy