[ansible]

Linus Torvalds famously does not like and will not allow the use of C++ in the Linux kernel.

Also, Rust explicitly puts safety first, and C++ cannot give the same guarantees for normal code. The uses of `unsafe` in Rust should be relatively uncommon and deserve extra scrutiny.

[ninkendo]

It’s actually sort of interesting why Linus has basically closed the door on C++ ever getting into the kernel, while Rust seems to have gotten the green light.

If you look at Linus’s initial reasoning [0] (which was from a long time ago, nearly 20 years now, way before C++11), it was because the abstractions it offered/encouraged could make it hard to reason about what’s really happening, which may be bad for kernel code, and that allowing C++ would open the floodgates for C++ programmers to contribute, and Linus famously hated C++ programmers.

Rust-in-the-kernel came up many years later, and IMO if Linus was really honest with himself he’d either (1) not allow rust for essentially the same reasons he disallowed C++, or (2) admit his views have evolved, and say that C++ should be allowed on the same tentative basis that Rust is.

I get that rust offers safety advantages that C++ doesn’t, but I don’t think that’s the complete picture… modern C++ offers so many of the same advantages (although obviously not all) that if we’re really being honest with ourselves, it would seem to be unfair that Rust is let in while C++ is not. Both of them are enormous steps up in safety over C.

[0] https://harmful.cat-v.org/software/c++/linus

[hypeatei]

> Both of them are enormous steps up in safety over C.

I would argue one (Rust) is, but not C++. Rust is more "batteries included" and doesn't require specific compiler flags or complicated tooling, it just works and gives you guarantees out of the box. C++ seems to allow escape hatches by default while Rust requires you to call that out via `unsafe`.

[bfrog]

C++ makes things very hard to reason about still compared to Rust even. C++ programmers are bike shed machines in my experience, always chasing their own ideal of pedantic C++ which does not exist in practice.

How would C++ features like RTTI, exceptions, and the std template library be used? What about the insane ideas of classes and inheritance which induce mind numbing impossible to comprehend code?

Rust is actually pretty readable and reviewable. C++ tends to be mind numbingly hard to review.

[insanitybit]

> not allow rust for essentially the same reasons he disallowed C++,

Unless what he disliked was the inheritance/OOP stuff in C++, which isn't an issue in Rust.

[pjmlp]

Rust has its own flavour of OOP, only data inheritance isn't part of the picture.

Interfaces/traits, dynamic dispatch, static dispatch, encapsulation, polymorphism, traits inheritance, is all there.

Additionally macro system as powerful as Common Lisp, which allows to do stuff that would make Linus blowup on the spot.

[insanitybit]

> Rust has its own flavour of OOP, only data inheritance isn't part of the picture.

I think it's fair to say that Rust is a lot less 'OOP' than C++. There is no concept of 'protected', traits are separate from structs, there's no data inheritance, there's no 'isinstance', dynamic dispatch is explicitly behind 'dyn' keyword, etc.

> Additionally macro system as powerful as Common Lisp,

It's not like the Linux kernel doesn't make use of C's macros.

[pjmlp]

There is no "less" or "more" OOP as per CS definition.

Plain textual text replacement isn't the same as a proper macro system.

[jstimpfle]

Abusing inheritance of virtual methods instead of interfaces (which makes classes closed to extension, and the possibility of overriding non-zero methods is nothing short of weird), and implicit "this" parameter (which makes stuff needlessly hard to read and refactor), are two of the biggest annoyances on my list -- because they are so basic.

[pjmlp]

Well, you can enjoy explicit this parameter in C++23, if that is your thing.

As for the complaints, they are kind of doable in Rust as well.

Use traits with function pointers, empty types, and some macros.

[dig1]

> C++ cannot give the same guarantees for normal code

Can you give me example of a normal C++ code where compiler and/or language will not guarantee safety? Let's put aside UBs, because they are everything but normal code.

[AgentME]

Undefined behavior is absolutely easy to trigger in normal C++ code, and being able to prevent it is a massive safety benefit. Ignoring UB while talking about safety is like ignoring car crashes when judging whether seat belts give any benefit.

An easy way to trigger undefined behavior in C++ is by using a pointer after the thing it's pointing to has been freed. Doing this in a process that takes any user input can easily create a vulnerability that allows an attacker to inject code into the process. There are many ways to accidentally do this while thinking you're safe. A pointer to an item inside a data structure like a vector or hash table is dangerous if you use it after some items may have been inserted into the data structure, because inserts can cause the data structure to reallocate and expand its backing memory. This mistake can easily go unnoticed for a long time because only a small fraction of inserts will cause that. This mistake isn't possible to make in safe Rust.

[moregrist]

Please define “normal”. Normal C++ for me runs the gamut of looking a lot like C to be a template metaprogramming monstrosity.

Almost all C++ code interacts with bare pointers at some point. And that’s just one of the places where you get into issues with safety.

You can also run into problems with iterators being invalidated: your iterator into a std::vector is no longer valid after a call to push_back().

Anything that stores a reference and can exist after the lifetime of the object, really. Lambdas are a problem here. But so are instances with reference members.

C++ is littered with these things.

[msla]

> Almost all C++ code interacts with bare pointers at some point.

This is a device driver. If it has to talk to memory-mapped hardware, that's a raw pointer, inherently, inevitably.

Other things are language issues, and can be solved by changing languages, but raw pointers are inherent in the task.

[cesarb]

> This is a device driver. If it has to talk to memory-mapped hardware

This is an IPC "device driver". It does not talk to any hardware, it's used to pass messages between processes.

[Narishma]

> This is a device driver.

It's not, it's an IPC subsystem. It doesn't talk to any hardware.

[nercury]

I would avoid saying that it's "Rust" that "gives guarantees". It paints Rust as this magical thing that will solve anything. My preferred explanation is that Rust provides better tools to build wrappers that can't be misused. The idea is to solve hard problem once, and reap the benefits many times. But it all depends on wrapper author. In that regard, it is perfectly possible to write horrible Rust code.

[vitiral]

> I would avoid saying that it's "Rust" that "gives guarantees".

Why would you avoid saying that? Rust does give guarantees: about memory safety and concurrency primarily, but also regarding the lack of undefined behavior.

> It paints Rust as this magical thing that will solve anything.

It does not, the above are not magical they are just challenging problems (although at some point they may have been deemed impossible problems and hence magical, I don't know)

> My preferred explanation is that Rust provides better tools to build wrappers that can't be misused.

"wrappers that can't be misused" sounds a LOT like it "gives guarantees".

[nercury]

The biggest wrapper that gives guarantees is the standard library, and usually, when people say that Rust does not do something, they have standard library in mind. For example, standard library made the choice to hide panics in out-of-memory situations. That does not mean you can't write your own version of relevant structures to gain different guarantees. I like to highlight the actual strengths of Rust (as a tool) instead of particular implementation details, especially when we are talking about situation (kernel) where Rust is used without its standard library.

[sophacles]

Rust the language gives these guarantees without the use of the unsafe keyword:

* you will not be able to compile undefined behavior

* you will not be able to create a data race

* a shared reference is read-only

* you cannot write past the end of an array

There are others, but those are pretty big ones that both guarantees and part of the language itself, independent of stdlib.

[Tyr42]

Allows you to modify containers while iterating.

[dthul]

Defining "normal" code as "not having UB" is quite disingenuous though, isn't it? Iterating over a vector while adding elements for example looks normal, but isn't generally safe, unless you know to pre-allocate enough memory.