by EatYourGreens 2779 days ago
These slides are quite high-level, so I've got to ask: what's the expected benefit of using Rust to implement a kernel? I somehow thought that nearly all interesting concurrency there would not fit into the paradigm of exclusive ownership. And if we are preaching for programming in unsafe Rust, then doesn't the message become less compelling?
3 comments

The purported benefit would be to wrap all of the unsafe bits in safe wrappers and then have a less bug prone, more secure OS, I suppose.

This would be, to put it mildly, quite difficult. Even then, unsafe code is sometimes not written correctly which brings the whole thing down.

I, personally, still think it's worth it. I think efforts like Redox OS can teach us a lot about what we're doing and offer a chance to collapse some of the layers of cruft existing OSes have accumulated.

Having only a small part of the code with unsafe means you only have to check only a small % of the code for UB/security holes and not the whole code base like in C.

It just limits the places shit can happen and which need to be closely reviewed which alone is a big help.
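An added example (not code from the thread or from Redox) of the "small, auditable unsafe surface" idea from the two comments above: a raw memory region of the sort a kernel driver receives (the pointer and length are assumed inputs here) is wrapped so that the only `unsafe` lines, and the only safety contract to review, live in one type. Every caller goes through bounds-checked safe methods.

```rust
// Added example, not from the original thread. Safe wrapper around a raw
// memory region; the unsafe contract is confined to `from_raw` and the two
// `slice::from_raw_parts*` calls, which is the whole surface a reviewer must audit.
use std::slice;

#[derive(Debug, PartialEq)]
pub enum RegionError {
    OutOfBounds,
}

/// A fixed-size region given to us as a raw pointer, e.g. a DMA buffer.
pub struct RawRegion {
    base: *mut u8,
    len: usize,
}

impl RawRegion {
    /// The safety contract is stated in exactly one place.
    ///
    /// # Safety
    /// `base` must point to `len` bytes that are readable and writable,
    /// stay valid, and are not accessed through any other path for as long
    /// as the returned `RawRegion` is alive.
    pub unsafe fn from_raw(base: *mut u8, len: usize) -> Self {
        RawRegion { base, len }
    }

    /// Checks that `[off, off + n)` lies inside the region, also rejecting
    /// offsets where `off + n` would overflow `usize`.
    fn check(&self, off: usize, n: usize) -> Result<(), RegionError> {
        let end = off.checked_add(n).ok_or(RegionError::OutOfBounds)?;
        if end > self.len {
            return Err(RegionError::OutOfBounds);
        }
        Ok(())
    }

    /// Safe, bounds-checked read into `out`.
    pub fn read(&self, off: usize, out: &mut [u8]) -> Result<(), RegionError> {
        self.check(off, out.len())?;
        // SAFETY: `check` proved the range is inside the region described by
        // the `from_raw` contract, and `&self` means no `&mut` slice is live.
        let src = unsafe { slice::from_raw_parts(self.base.add(off), out.len()) };
        out.copy_from_slice(src);
        Ok(())
    }

    /// Safe, bounds-checked write from `data`.
    pub fn write(&mut self, off: usize, data: &[u8]) -> Result<(), RegionError> {
        self.check(off, data.len())?;
        // SAFETY: range checked above; `&mut self` gives exclusive access.
        let dst = unsafe { slice::from_raw_parts_mut(self.base.add(off), data.len()) };
        dst.copy_from_slice(data);
        Ok(())
    }
}

/// Demonstration on a constructed 16-byte backing buffer. Returns the bytes
/// read back, whether an overrunning write was rejected, and whether an
/// offset that overflows `usize` was rejected.
pub fn demo() -> (Vec<u8>, bool, bool) {
    let mut backing = vec![0u8; 16];
    // SAFETY: `backing` outlives `region` and is not touched until `region` is dropped.
    let mut region = unsafe { RawRegion::from_raw(backing.as_mut_ptr(), backing.len()) };
    region.write(4, b"kern").expect("in bounds");
    let mut buf = [0u8; 4];
    region.read(4, &mut buf).expect("in bounds");
    let overrun_rejected = region.write(14, b"xyz").is_err(); // 14 + 3 > 16
    let overflow_rejected = region.read(usize::MAX, &mut buf).is_err(); // off + 4 overflows
    drop(region);
    (buf.to_vec(), overrun_rejected, overflow_rejected)
}

fn main() {
    println!("{:?}", demo());
}
```

The `checked_add` matters: an `off + n <= len` comparison written with plain addition would wrap on a hostile offset and pass the check, which is exactly the class of bug the comment about unsafe code "bringing the whole thing down" refers to, and it is the line a reviewer of this wrapper should look at first.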

It should be noted that correctness bugs can occur in safe code if a Rust guarantee was violated in an unsafe block. This might seem obvious, but it does mean that when you hit one of these bugs you might start with debugging safe code and thus it's not as clean a separation as some Rust evangelists might imply.
Exclusive ownership is only half of Rust's ownership story. The other half is borrows. Borrows actually fit very well with concurrency.

For example, if you have some data structure synchronized with a mutex, the mutex would be the owner of that data structure. Everything else would just get borrowed access to the data structure when it locks the mutex. Rust's borrow checker can make sure that you don't keep any references to that data structure after you have released the mutex so you can't access the data structure again without locking the mutex again. The mutex itself would need unsafe code, but everything using the mutex wouldn't.

In practice, even in redox there’s not as much unsafe code as you might think.
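An added example (not code from the thread, and not from Redox) of the mutex-as-owner pattern described in the comment above: the `Mutex` owns a `Stats` struct, workers only ever hold a borrow through the lock guard, and the commented-out function shows the exact compiler rejection you get when code tries to keep a reference past the unlock. The `std::sync::Mutex` used here is itself implemented with unsafe code; none of the code below needs any.

```rust
// Added example, not from the original thread. A Mutex owns the shared data;
// callers get a borrow that cannot outlive the lock guard.
use std::sync::{Arc, Mutex};
use std::thread;

/// Shared state. The only owner is the Mutex; nothing else holds a reference.
#[derive(Debug, Default)]
pub struct Stats {
    pub hits: u64,
    pub max_seen: u64,
}

/// Record one sample. `guard` borrows the Stats from the Mutex only while it
/// is alive; when it drops at the end of the function the lock is released and
/// no reference to the Stats survives.
pub fn record(shared: &Mutex<Stats>, sample: u64) {
    let mut guard = shared.lock().expect("mutex poisoned");
    guard.hits += 1;
    if sample > guard.max_seen {
        guard.max_seen = sample;
    }
} // `guard` dropped here: unlock

/// Read under the lock and return owned copies, not references.
pub fn snapshot(shared: &Mutex<Stats>) -> (u64, u64) {
    let guard = shared.lock().expect("mutex poisoned");
    (guard.hits, guard.max_seen)
}

/// Spawn `workers` threads that each record `per_worker` samples, then return
/// (total hits, largest sample seen).
pub fn run(workers: u64, per_worker: u64) -> (u64, u64) {
    let shared = Arc::new(Mutex::new(Stats::default()));
    let handles: Vec<_> = (0..workers)
        .map(|w| {
            let shared = Arc::clone(&shared);
            thread::spawn(move || {
                for i in 0..per_worker {
                    record(&shared, w * per_worker + i);
                }
            })
        })
        .collect();
    for h in handles {
        h.join().expect("worker panicked");
    }
    snapshot(&shared)
}

// What the borrow checker refuses. Kept as a comment because it does not compile:
//
//   fn leak<'a>(shared: &'a Mutex<Stats>) -> &'a Stats {
//       let guard = shared.lock().unwrap();
//       &*guard
//   }
//
//   error[E0515]: cannot return value referencing local variable `guard`
//
// The reference borrows from `guard` (the MutexGuard), not from `shared`, so
// it cannot escape the scope in which the lock is held. The same rule blocks
// stashing `&*guard` in a struct or a static for use after unlock.

fn main() {
    println!("{:?}", run(4, 1000)); // (4000, 3999)
}
```

With 4 workers each recording samples `w * 1000 + i`, every thread's increments are serialised through the one lock, so the total is exactly 4000 and the largest sample is 3 * 1000 + 999.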