Hacker News new | ask | show | jobs
by Ygg2 410 days ago
> Oh wait, doesn't this invalidate your argument?

Not really. If you can't be perfect, at least be good.

Unless you want to make an argument that searching all of your code base for UB is better than running on a relatively small subset (20-30%).

Or that Linux should use tracing GC + value types. Which I would find decent as well. But sadly LKML would probably disagree with inclusion of C# (or Java 35).
2 comments
uecker 410 days ago
You can't be perfect. The question is how much improvement "rewriting in Rust" actually brings, how important that is, and what downsides it may have.
link
throwawayqqq11 409 days ago
Another, way more impertant question is, can we keep maintaining legacy C code in community driven FOSS projects, when the world moves on.
link
uecker 409 days ago
Does the world really move on? I think HN could be misleading here. And is moving to evermore complex solution the right answer to mainentance problems? I doubt it.
link
eru 410 days ago
If you really want, you could write your code in Agda or similar and prove it correct. See also seL4 https://github.com/seL4/seL4 which is a proven correct kernel.

https://sel4.systems/Verification/proofs.html

link
uecker 410 days ago
... written in C.
link
eru 410 days ago
It's written in C in the same way it's written in assembly:

C is just used as part of the process to go from a high level spec to executable code.

You can also compile eg Haskell via C.

The subset of C used in seL4 is highly constrained.

link
johnnyjeans 410 days ago
a subset of C is provable, and is the de-facto standard in the industry.

what is it with rust people and thinking robust, automatic correctness checking was invented in the last 20 years?

link
Ygg2 410 days ago
Wow, the Linux kernel must be full of dunces that rather than writing in proven correct C, added another language that other maintainers hate. What morons! /sarcasm

Disclaimer: above is sarcasm, while I don't think Linux Kernel Maintainers are perfect, I don't consider them dunces either. If they can't avoid writing UAF (use after free) or DF (Double free) bugs then what hope does the average C programmer has?

link
johnnyjeans 409 days ago
I'm not sure what you're even trying to say. Do you think that formally verified C isn't a thing? Because it's not used in Linux?

Linux isn't designed to be formally verifiable. For all of the manpower and resources dedicated to it, it's still bidden to the technical debt of being a 30 year old hobbyist experiment at its core. If you want a formally verified, secure kernel that wasn't written by a college student to see if he could, seL4 exists.

link
Ygg2 408 days ago
> Do you think that formally verified C isn't a thing? Because it's not used in Linux?

No. It exists but is it practical to be used in an OS? From what I gathered from HN, sel4 is very limited in scope and extending that to a semi-usable OS (that uses ""proven"" C) is expensive time and money wise.

> still bidden to the technical debt of being a 30 year old hobbyist experiment

Citation needed. I admit it has limitations but it's not like the biggest corps in the world aren't working on it.

See: https://news.ycombinator.com/item?id=43452185#43454498 https://news.ycombinator.com/item?id=43853283

link
uecker 409 days ago
While the memory safety issues are a concern, switching to Rust + Unsafe will only reduce but not eliminate those issues and it is unclear whether adding a lot of complexity is actually worth it compared to other efforts to improve memory safety in C.
link
Ygg2 409 days ago
> switching to Rust + Unsafe will only reduce but not eliminate those issues

Except in practice the code written in Rust experiences no safety issues[1].

I've seen this argument before a million times it is one part FUD (by making actual memory issues bigger than they are) one part Nirvana fallacy (argments that make so Java isn't memory safe because it will have to call into C).

[1] https://storage.googleapis.com/gweb-research2023-media/pubto...

> is actually worth it compared to other efforts to improve memory safety in C

As I aluded before, I am sure Linux Kernel Maintainers are aware of sel4. Which begs the question, why they didn't do it? It's in C, proves everything, and solves even more than Rust, why isn't it in kernel?

I'm going to hazard a guess, the effort of going full proof for something like Linux would be through the roof. You would need lifetime of LKML dedication.

link
immibis 410 days ago
Proven correct C
link