Linus Torvalds weighs in on Rust language in the Linux kernel

This was an understandable mistake in 2015 because then there wasn’t as clear a picture of what the invariants around safe Rust actually are. The picture is clearer now, although still not fully clear. So maybe in the future some invariants will be clarified that invalidate the assumptions made by some unsafe code — but even then, there is no general problem of “the possibility of an interaction that makes the combination unsafe”. Similarly, the lock method on a Mutex object takes a shared reference to a Mutex, and returns a scoped guard which provides a unique, mutable reference to the data inside. If the code to implement the lock is sound, the compiler can then guarantee that nobody using that function is accessing locked data without holding the lock. If the safety rationale makes a claim that is false, that’s a problem.

Decades after C arrived on the scene, memory errors with C programs appear to be the most common of all coding security mistakes. In 2019, Microsoft confessed that 70% of its Common Vulnerabilities and Exposures security problems had been caused by developers making memory corruption mistakes in their C and C++ code. Why it’s all happening for the Rust programming language, how it made it into the Linux kernel, and where it will go from here.

rust takes toward linux kernel

Why do you think python has become an illusion replacement for c/c++? They’re the ones causing all the bugs and memory leaks in “C”. Realy, it has been years since C++ proposal for the kernel has been issued with a negative feed back. I’ve used Rust a little, though mostly at the “Hello, World! “Torvalds seems to have accepted the idea” is the one thing here that surprises me. Linus has always struck me as quite resistant to change.

He mentioned that introducing Rust software into Debian helped to motivate enthusiasts and users of niche architectures to improve Rust support, and he expected that adding support to the kernel would have a similar effect. In particular, he was confident that any architecture with an LLVM backend would quickly be supported in rustc. Rust has good support for interoperating with C code, including support for both calling functions using the C ABI and for defining functions with C-compatible ABIs that can be called from C. Furthermore, the bindgen tool is capable of parsing C header files to produce the appropriate Rust declarations, so that Rust does not need to duplicate definitions from C, which also provides a measure of cross-language type checking. Fortunately, people who are not profoundly stupid are busy designing and using programming languages that have the same power and access to the machine as C but with automated safety mechanisms that only dishonest imbeciles call “babysitting”.

Software

And the assembly part is rather messy, I might not have thought of every possible case. And to be completely honest, I have no idea if this way of doing introduces security breaches, even if I think not, given that C syscalls use pointers to userspace all the time. And I don’t know either whether my code is thread-safe or not. There is currently an ongoing effort to write a specification for Rust for safety-critical systems that will lead to a standard-like document. At the moment, though, Ojeda said, the developers of the GCC-based gccrs Rust compiler are finding the current documentation to be vague at times. Often, behavior is specified as “whatever the rustc compiler does”.

  • Rust’s forward compatibility guarantees only apply to stable features.
  • These constraints have posed, and will continue to pose, a major challenge for Rust in Linux, but on the whole, I think that it will be able to rise to meet them, though perhaps not with as much grace as I would like.
  • At the machine-level, it’s still running machine-code , so no matter what language you use, the machine code has access to memory-locations that aren’t in the scope of the variables defined in whatever higher-level language.
  • Well, he’s right in that UB can sometimes allow more optimisations.

In other words, an enum is a type that can have multiple forms, each form being able to contain almost anything, as long as this anything remains the same. Here, our enum only has one variant, but we could imagine to port both the write() and exit() syscalls , and here is what it would look like. If Rust’s “edge cases” bother you then C++ must be completely off the table. There’s no requirement for doing the same with Linux. Programs written against stable Rust ~never need changes due to new Rust releases. The fact that they release frequently does not mean that they break compatibility often.

Rust for Linux is coming, and what that means for us ?

Sure, for things like typos, whitespace changes, and other changes on a similar level. The scheduler, mm, and vfs subsystems being in C doesn’t help me making any kind of substantial change. If you want to avoid these kinds of things, keep a Cargo.lock and you’ll stick with versions that continue to work. Very rarely things do get removed in Rust updates, but these are typically soundness issues that can cause problems if they are used improperly. Luckily crater can be used to fix it across the ecosystem pretty easily.

It’s not likely to happen as long as Linus is in charge. He has been very negative about C++ for a long time, and there’s no indication that’s going to change. There’s a reason people who talk about how great C++ is always talk about the need to use a limited subset of the language. You may claim that rust is stable but my experience is very different.

If one day we’re feeling fancy, we can write a direct Nim compiler. Yeah, the main use of strncpy was for copying UNIX directory entries, which were zero-padded but not zero-terminated. It has awful semantics that have resulted in many bugs because people use it without understanding those semantics and thinking wrongly that it’s a size-checked strcpy. If one has an application that needs to properly secure data, then nothing other than that application and those it has accepted to have access to the data should be able to access it, not even the kernel is an exception. The kernel could unallocate it, but then the memory management system should fully erase the data in the allocated space before anything new can access it.

rust takes toward linux kernel

First, in April 2021, Ojeda introduced a Request for Comment on bringing Rust into Linux on the Linux Kernel Mailing List . This was followed up in July 2020, by Nick Desaulniers, a Google software engineer at Google working on compiling the Linux Kernel with Clang and LLVM, suggesting an “in-tree Rust” session for the 2020 Linux Plumbers Conference . That resulted in the August 2020 “Barriers to in-tree Rust” talk. This, in turn, moved the idea of Rust in Linux to the front burner.

Torvalds replied that he expects that process to take years. There’s one problem with Rust’s memory-safe guarantee — it’s impossible to write a kernel that is formally memory-safe. A kernel has to write to unallocated memory, do weird pointer math, and other seemingly bizarre things to actually make our computers work. This doesn’t work well with a language that tries to guarantee that memory manipulations are safe. Rust has added the unsafe keyword, allowing use of direct memory access and other such techniques that don’t work with Rusts’s memory guarantees. Keep the potential problems together, and it makes auditing easier.

Beginning with ALGOL

The other answer is that Rust is an easy fit with C code and kernel programming. The code you write is what actually runs, without an interpreter or garbage collection trying to be helpful. Rust hasn’t overdosed on Object Oriented patterns, but meshes nicely with the C-style structs already used in the kernel. There are some ambitious projects out there, like rewriting coreutils in Rust. Many other standard applications are getting a Rust rewrite. It’s fairly inevitable that the collection of Rust developers started to ask, could we invade the kernel next?

rust takes toward linux kernel

It’s the way that Android, ChromeOS, and OpenMandriva compile their kernels. One significant snag with building the kernel with Clang, though, is CPU architecture support. Only x86 and Arm are well supported this way, and https://forexaggregator.com/ other architectures are not as solid yet. After over two years in development, support for using Rust for kernel development has entered a stable Linux release, Linux 6.1, which became available a couple of weeks ago.

By the time Rust will be used for anything other than toy drivers, Rust-GCC should be done, so Linux with Rust will compile anywhere that Linux without Rust can. Torvalds goes on to describe device drivers as obvious low-hanging fruit for potential new work to be done in Rust. He says that because there are tons of them, and they’re relatively small and independent of other code.

Jaded is right – an “undefined” state is one the compiled program doesn’t have to test for. It’s actually the programmer’s job to ensure they don’t allow cases where the behavior is undefined. Sure, it is POSSIBLE for a compiler to eliminate redundant bounds checks, What is IT Help Desk Job Description Certifications and Salary but the programmer should already know if the range of a variable is guaranteed. I’m no fan of “must rewrite everything in rust because we could find and fix issues we don’t even know we have.” Rust rewrite is no better than big money spent on lotto tickets.

Don’t leave empty-handed

The abstract machine used was the LLM3 abstract LISP machine, which in turn ran on another computer. This is just one of the instances where we can see that the C programming language was not universally loved. The Bourne Shell scripting language that we all love and use is also quite close to ALGOL 68, so the descendants of this language is used more than we may think. Secondly, kernel code will have to be very careful if it wishes to return a container type like String or Vec.

However, it’s not likely to infuse Linux with a much-needed boost in its contributor base, because Linux has no such need. What’s more, Linux’s portability requirements prevent Rust from being used in most of the kernel in the first place. The Rust programming language entering the Linux kernel has been coming for some time. At the 2020 Linux Plumbers Conference, developers started considering using the Rust language for new Linux inline code. Google, which supports Rust for developing Android — itself a Linux distro — began pushing for Rust in the Linux kernel in April 2021.

Linux has a broad developer base reaching from many different industry stakeholders and independent contributors working on the careful development and maintenance of its hundreds of subsystems. The scale of Linux development is on a level unmatched by any other software project — free software or otherwise. In addition to bindings, Rust for Linux also uses abstractions, which are Rust wrappers built around C code available in the kernel. Abstractions are meant to allow developers to write Rust drivers without directly accessing the C bindings, but they are only available for a limited number of kernel APIs at the moment. However, their number will grow as Rust for Linux will be further developed, say the maintainers. Finally, any number of Linux-kernel developers are noting the progress that Rust is making toward being included in the Linux kernel; for example, see Jonathan Corbet’s article, “Next Steps for Rust in the Kernel”.

As others have mentioned, it is not replacing anything. This is infrastructure for writing drivers and other new modules in Rust. For now, Rust will be harder to program and of equal speed. It will be slightly more secure once you get inside a pure rust module.

Leave a Reply

Your email address will not be published. Required fields are marked *