From: Willy Tarreau <w@1wt.eu>
To: Nick Desaulniers <ndesaulniers@google.com>
Cc: Wedson Almeida Filho <wedsonaf@google.com>,
    Peter Zijlstra <peterz@infradead.org>,
    Miguel Ojeda <ojeda@kernel.org>,
    Linus Torvalds <torvalds@linux-foundation.org>,
    Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
    rust-for-linux <rust-for-linux@vger.kernel.org>,
    Linux Kbuild mailing list <linux-kbuild@vger.kernel.org>,
    Linux Doc Mailing List <linux-doc@vger.kernel.org>,
    linux-kernel <linux-kernel@vger.kernel.org>,
    Dmitry Vyukov <dvyukov@google.com>,
    Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
Subject: Re: [PATCH 00/13] [RFC] Rust support
Date: Tue, 20 Apr 2021 05:47:49 +0200
Message-ID: <20210420034749.GA28662@1wt.eu>
In-Reply-To: <CAKwvOd=RadTs7Skv6KUBo4qZQtdi0kugTzxvZM+5X_2gstjyaQ@mail.gmail.com>

Hi Nick,

On Mon, Apr 19, 2021 at 05:24:33PM -0700, Nick Desaulniers wrote:
> I don't think the introduction of Rust made Firefox _more_ insecure.
> https://wiki.mozilla.org/Oxidation#Within_Firefox

Browsers are human interfaces and do not fundamentally require low level
access to memory/hardware/whatever. They can be written in about any
language, only the resource usage and performance will make a difference.
As such, some were even written in Java or JS for example.

Operating systems, and particularly drivers *do* require low-level
accesses, and stuff that can hardly be abstracted or understood by a
compiler. You may have to perform two 16-bit reads/writes on a 32-bit
MMIO address to perform an operation and the compiler does not have to
know it, just to obey.

> Really, a key point is that a lot of common mistakes in C are compile
> time errors in Rust. I know no "true" kernel dev would make such
> mistakes in C,

Everyone makes mistakes, the level of attention varies over time and
the focus often changes when dealing with build errors. How many times
have some of us facing a bug remembered having changed the code very late
after a build error, and being less careful from this point when the
goal changed from "let's do it right" to "let's get this to build"?

> but is there nothing we can do to help our peers
> writing drivers? The point is to transfer cost from runtime to
> compile time to avoid costs at runtime; like all of the memory safety
> bugs which are costing our industry.

And do we have stats on the number of logical bugs, some of which are
caused by developers trying to work around compilers' stubbornness?
For me, personally speaking, they have *increased* over time, usually
trying to avoid some annoying modern gcc warnings, resulting in integer
casts being placed close to string formats, or returns being placed in
switch/case to avoid the fall-through warning, etc. Thus I'm worried that
a non-negligible part of the 70% of bugs caused by memory safety issues
could be replaced with logic bugs to get to the point where the rust
compiler finally accepts to compile the code. It makes me think about
researchers trying to reduce the causes of certain deaths and claiming
to "save lives" while in the end the people they "save" will simply die
from something else.

And I'm not particularly trying to blindly defend C here. I'm complaining
every single day about some of its shortcomings like the vast amount of
UB, stupid type promotion, counter-intuitive operator precedence when
combining bit-ops with arithmetic, limited size of enums, lack of rotate
operator, strict aliasing, or the recourse to asm() statements every 10
lines to do stuff that can hardly be expressed in a way understandable
by a compiler. I'm just seeing that a lot of the griefs I'm having
against C come from the compiler trying to be too smart or too stubborn,
so giving even more of the handle to a compiler doesn't appeal to me at
all.

In addition, we all know how painful it is to work around compiler bugs
by writing complex code that carefully avoids certain constructs. I'm
wondering if we'll still have that luxury with a stricter compiler, or
if the only response will have to be between "let's disable this driver
that does not compile" or "please force distros to upgrade their
compilers".

But we'll see :-/

Regards,
Willy
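
An added illustration, not part of the message above or of any kernel code: two constructed C cases of the pattern the message describes, where an edit made only to silence a warning (a cast next to a format string, a `return` in place of a fall-through) builds cleanly but changes behaviour. All names and the sample value are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define SAMPLE_LEN 5000000000ULL  /* constructed sample: does not fit in an int */

static int fmt_len(char *out, size_t n, unsigned long long len, int use_cast)
{
    if (use_cast)  /* cast added only so "%d" stops warning: value truncated */
        return snprintf(out, n, "%d", (int)len);
    return snprintf(out, n, "%llu", len);  /* specifier matched to the type */
}

enum op { OP_RESET, OP_START };            /* hypothetical driver commands */
struct dev { int cleared, running; };
/* Intended logic: OP_RESET clears state, then falls through to start. */
static void handle_fallthrough(struct dev *d, enum op op)
{
    switch (op) {
    case OP_RESET:
        d->cleared = 1;
        /* fall through */
    case OP_START:
        d->running = 1;
        break;
    }
}

/* "return" added to quiet -Wimplicit-fallthrough: OP_RESET never starts. */
static void handle_return(struct dev *d, enum op op)
{
    switch (op) {
    case OP_RESET:
        d->cleared = 1;
        return;
    case OP_START:
        d->running = 1;
        break;
    }
}

int main(void)
{
    char a[32], b[32];
    struct dev d1 = {0, 0}, d2 = {0, 0};
    fmt_len(a, sizeof a, SAMPLE_LEN, 1);
    fmt_len(b, sizeof b, SAMPLE_LEN, 0);
    handle_fallthrough(&d1, OP_RESET);
    handle_return(&d2, OP_RESET);
    printf("cast=%s fixed=%s differ=%d running=%d/%d\n",
           a, b, strcmp(a, b) != 0, d1.running, d2.running);
    return 0;
}
```

Both variants compile without the original warning; only a test that exercises the large value or the OP_RESET path shows the difference.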