Talking about how unsafe is not some new fancy rust feature and exists in other languages. Your comment makes it sound like the choice is some new wild computing concept.
Memory safe languages that are not garbage collected are not all that common. Ada and Rust are two examples.
With great care C++ and zig can be.
I’m sure there’s a good reason a lot of the big players and the community at large have picked up rust though. Docs, error messages, cargo community etc.
I would argue that Rust does bring a lot to the table. I certainly would never code in C for work but I’ll happily reach for Rust.
That’s legitimately a good reason. They can pry my C from my cold dead hands…but someday someone will have to. May as well think about what that should look like.
Rust by default will not allow you to make certain kinds of errora, which is great. But if you are doing something advanced, down at the hardware level [see below], you might need to disable those defaults in order to write the code you need. This is what people mean by “unsafe” – lacking the normal memory safeguards.
With careful coding, “unsafe rust” or normal C, for that matter, can be free of bugs and safe. But if programmers make a mistake, vulnerabilities can creep in more easily in the unsafe sections.
But if you are doing something advanced, down at the hardware level
This part is wrong. Otherwise yes correct.
The “unsafe” code in rust is allowed to access memory locations in ways that skip the compiler’s check and guarantee that that memory location has valid data. They programmer is on their own to ensure that.
Which as you say is just the normal state of affairs for all C code.
This is needed not because of hardware access but just because sometimes the proof that the access is safe is beyond what the compiler is able to represent.
Thank you for the correction, I’ll edit my comment.
sometimes the proof that the access is
safe is bevond what the compiler is able to represent
Could you say a few more words about this? In what situations do you have to write ‘unsafe-tagged’ code blocks? Could this be changed by improvements to the compiler? Or is it necessitated by the type of task being done by the code?
Check out the excellent tutorial # Learn Rust With Entirely Too Many Linked Lists
especially chapters five and six. It has a lot more words, it’s entertaining, engaging, and informative.
What’s the point of rewriting parts of the kernel in unsafe rust?
Because Rust lets you choose when something is unsafe vs writing all unsafe in code all the time:
Yes same concept as other languages like C#
You go ahead and write an OS kernel in C# then.
Why the hell would you do that
Why would you bring up C# in a thread about kernel programming?
Talking about how unsafe is not some new fancy rust feature and exists in other languages. Your comment makes it sound like the choice is some new wild computing concept.
Memory safe languages that are not garbage collected are not all that common. Ada and Rust are two examples.
With great care C++ and zig can be.
I’m sure there’s a good reason a lot of the big players and the community at large have picked up rust though. Docs, error messages, cargo community etc.
I would argue that Rust does bring a lot to the table. I certainly would never code in C for work but I’ll happily reach for Rust.
it’s not like the whole driver is written in unsafe rust
Mostly to attract new, younger kernel maintainers.
That’s legitimately a good reason. They can pry my C from my cold dead hands…but someday someone will have to. May as well think about what that should look like.
Because Rust is the popular thing in FOSS/Linux at the moment.
For memory safety, which is not unsafe rust
You say that. But the CVE is a memory corruption bug.
Which is worse?
Surely if X > 0 then this is still a net improvement?
You don’t understand what unsafe means
Rust by default will not allow you to make certain kinds of errora, which is great. But if you are doing something advanced,
down at the hardware level[see below], you might need to disable those defaults in order to write the code you need. This is what people mean by “unsafe” – lacking the normal memory safeguards.With careful coding, “unsafe rust” or normal C, for that matter, can be free of bugs and safe. But if programmers make a mistake, vulnerabilities can creep in more easily in the unsafe sections.
Is that basically it?
This part is wrong. Otherwise yes correct.
The “unsafe” code in rust is allowed to access memory locations in ways that skip the compiler’s check and guarantee that that memory location has valid data. They programmer is on their own to ensure that.
Which as you say is just the normal state of affairs for all C code.
This is needed not because of hardware access but just because sometimes the proof that the access is safe is beyond what the compiler is able to represent.
Thank you for the correction, I’ll edit my comment.
Could you say a few more words about this? In what situations do you have to write ‘unsafe-tagged’ code blocks? Could this be changed by improvements to the compiler? Or is it necessitated by the type of task being done by the code?
Check out the excellent tutorial # Learn Rust With Entirely Too Many Linked Lists especially chapters five and six. It has a lot more words, it’s entertaining, engaging, and informative.