The Linux Kernel would beg to differ. I love Rust, I love strong typing, but statements like this are what make people scoff at its evangelist.

People can and do get C right, in safety critical systems, at larges scale, all over the world.

>The Linux Kernel would beg to differ

And it would be wrong in differing. Memory and synchronization bugs the kind of Rust prevents are found in the kernel all the time.

Rust does no such prevention. You are free (and encouraged to) use the unsafe parts of the language for performance sensitive code. A kernel written in Rust would likely have memory leaks and overflow errors too.

It's all speculative whether a kernel in Rust would or would not have as many bugs as a kernel in C.

As for a kernel just ending up as a bunch of unsafe, doesn't seem grounded in reality.

https://os.phil-opp.com/minimal-rust-kernel/

> Note that there's an unsafe block around all memory writes. The reason is that the Rust compiler can't prove that the raw pointers we create are valid.

[..]

> I want to emphasize that this is not the way we want to do things in Rust! I

[..]

> So we want to minimize the use of unsafe as much as possible. Rust gives us the ability to do this by creating safe abstractions. For example, we could create a VGA buffer type that encapsulates all unsafety and ensures that it is impossible to do anything wrong from the outside. This way, we would only need minimal amounts of unsafe and can be sure that we don't violate memory safety. We will create such a safe VGA buffer abstraction in the next post.

As is always the response to the "A kernel in rust would be just as unsafe as a kernel in C", the goal is to build safe abstractions.

So you have unsafe, plus some constraints that you enforce at a module level, which wraps the unsafety.

This is not perfect - you'll still write vulnerable unsafe code, I'm sure, sometimes. But the rest of your code can be built on top of it, and now your unsafe code can be the main target of your testing and verification.

We have no real rust kernel the size of Linux to compare to but I think there's plenty of reason to believe that it would have considerably fewer vulnerabilities and would make auditing far simpler.

Wouldn't the exact same arguments work for C++ too? Modern C++ is just as safe as Rust.

That’s just not correct.

Nice try, Stroustrup

> You are free (and encouraged to) use the unsafe parts of the language for performance sensitive code.

The point of the Unsafe Rust is the containment of relative "unsafeness" (that is, however, not equivalent to C/C++'s UB [1]) within a certain boundary. Having less things to audit surely helps.

[1] https://doc.rust-lang.org/nomicon/safe-unsafe-meaning.html

That said, of course Rust is not a panacea for memory and synchronization bugs. Rust helps a lot but does not fully solve logical memory leaks and deadlocks for example.

On the contrary, you should spend a couple of hours watching the Linux Kernel Security Summit 2018.

Kernel devs are of a different opinion than yours.

Hence the Linux Kernel Self Protection Project initiative.

EDIT: corrected as suggested.

s/Preservation/Protection/

https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Pr...

Thanks

What definition of “correctness” are you using here? Bugs are found and fixed in Linux all the time.

Bugs would be found in a Rust codebase all the time as well. The difference is that a certain class of bugs is going to be absent from safe usage of Rust. (Unsafe Rust gives you just as much rope to hang yourself with as C).

Unsafe Rust has a little less rope than C because there are less cases that can lead to undefined behavior (see https://doc.rust-lang.org/nomicon/what-unsafe-does.html and https://doc.rust-lang.org/reference/behavior-considered-unde...). However, once you trigger UB, it's the same.

By the way, Rust devs are working on a mathematical formalization of those rules. Here's a blog post about a part of this effort: https://www.ralfj.de/blog/2018/07/24/pointers-and-bytes.html. (There are similar formalization efforts for subsets of C, that led to software like the CompCert verified compiler)