p1necone
12 hours ago
"Torvalds said that it is not necessary to understand Rust to let it into a subsystem; after all, he said, nobody understands the memory-management subsystem, but everybody is able to work with it."
Chuckled a bit at this line, anyone have context on how true this is?
j16sdiz
11 hours ago
"Torvalds said that, for now, breaking the Rust code is permissible, but that will change at some point in the future. Kroah-Hartman said that the Rust developers can take responsibility for the maintenance of the abstractions they add."
This needs some very good expectation management.
j16sdiz
11 hours ago
For most drivers or subsystems, maybe you don't need to know how mm works.
Rust is different. The kernel Rust teams are trying to encode some safety invariants. If any of those mismatch with the C side, it breaks. Those invariants need some non-trivial knowledge of Rust to understand.
nine_k
11 hours ago
Is there an example of what you're describing?
steveklabnik
11 hours ago
There’s a recent drama where the Rust folks asked some people to clarify some of the semantics of some of the filesystem APIs, and this request wasn’t taken well. There’s been a bunch of hn threads about it.
asne11
11 hours ago
like which?
xgstation
10 hours ago
not sure if this is what the op referred but like this one https://news.ycombinator.com/item?id=41450347
Didn't find threads regarding "clarifying API semantics", but kernel docs are indeed not in very good condition. Since C does not provide the same level of soundness that Rust does, there are many hidden traps.
An Asahi developer had a good discussion about this: https://threadreaderapp.com/thread/1829852697107055047.html
steveklabnik
10 hours ago
This overall situation is, yes. And the stuff from Lina is related, thanks for also pointing that out.
steveklabnik
11 hours ago
I apologize, I am on my phone, so rather than curating links, check out https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu..., most of which are about this situation.
dangitman
10 hours ago
I'm kind of shocked that C has defined memory behavior. Wouldn't this vary per arch and compiler?
vlovich123
9 hours ago
By definition the undefined memory behavior is only in the undefined parts of the spec, modulo bugs. The spec is written against an abstract virtual machine; C was one of the first to pioneer such a concept, and that is why it was so successful at getting ported everywhere.
raggi
11 hours ago
It's very probably true in the totality of "as expressed in a real build for all configurations and architectures", too much variation of behavior to have the whole map in mind at once. You can work through it potentially, and I'm sure a few come close, but others will have things top of mind that experts don't.
syndicatedjelly
11 hours ago
It’s an opinion, but it sounds very good from the perspective of treating the relationships between system and subsystems as an interface to be managed.
klysm
11 hours ago
It's true in the sense that nobody understands it well enough to avoid writing memory safety bugs.
AlotOfReading
11 hours ago
A lot of kernel resources are managed through infrastructure like devres:
https://docs.kernel.org/6.0/driver-api/driver-model/devres.h...
These days it's entirely possible to write a decent driver with only the foggiest idea of how memory management happens in the kernel.
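Added example (not code from the thread, from the kernel, or from the Rust-for-Linux project): a userspace Rust simulation of the two points made above, j16sdiz's observation that the Rust side encodes safety invariants that the C side must honour, and AlotOfReading's point that devres lets a driver release everything it took without knowing how the allocator works. The "C side" here is a hypothetical stand-in written in Rust; `get_device`, `put_device`, `kmalloc` and `kfree` are named after their kernel counterparts but are not the kernel's functions, and the `Device` and `Devres` types are this example's own, not the kernel's abstractions.

```rust
use std::cell::RefCell;
use std::rc::Rc;

/// Stand-in for C-side state reached through FFI (hypothetical, not the real
/// kernel API): a device refcount plus the set of outstanding allocations.
#[derive(Default)]
pub struct CSide {
    pub refcount: u32,
    pub live_allocs: Vec<u32>, // buffer ids not yet freed
    pub free_log: Vec<u32>,    // order in which buffers were freed
    next_id: u32,
}

impl CSide {
    fn get_device(&mut self) { self.refcount += 1; }
    fn put_device(&mut self) {
        // The C side's contract: every put must match an earlier get.
        assert!(self.refcount > 0, "put_device without matching get_device");
        self.refcount -= 1;
    }
    fn kmalloc(&mut self) -> u32 {
        let id = self.next_id;
        self.next_id += 1;
        self.live_allocs.push(id);
        id
    }
    fn kfree(&mut self, id: u32) {
        let pos = self.live_allocs.iter().position(|&x| x == id).expect("double free");
        self.live_allocs.remove(pos);
        self.free_log.push(id);
    }
}

/// Invariant encoded in the type: while a `Device` exists, the reference taken
/// in `Device::get` is held. `Drop` is the only release point, so Rust callers
/// cannot forget the put or do it twice. If the C side ever changed what a
/// get/put pair means, this type's assumption would be silently wrong.
pub struct Device { c: Rc<RefCell<CSide>> }

impl Device {
    pub fn get(c: &Rc<RefCell<CSide>>) -> Device {
        c.borrow_mut().get_device();
        Device { c: Rc::clone(c) }
    }
}

impl Drop for Device { fn drop(&mut self) { self.c.borrow_mut().put_device(); } }

/// devres-style manager: owns the device reference and every allocation made
/// through it. Dropping it frees the allocations in reverse order, then (since
/// fields drop after `Drop::drop` runs) releases the device reference.
pub struct Devres {
    dev: Device,
    owned: Vec<u32>,
}

impl Devres {
    pub fn new(dev: Device) -> Self { Devres { dev, owned: Vec::new() } }
    pub fn alloc(&mut self) -> u32 {
        let id = self.dev.c.borrow_mut().kmalloc();
        self.owned.push(id);
        id
    }
}

impl Drop for Devres {
    fn drop(&mut self) {
        let ids: Vec<u32> = self.owned.drain(..).rev().collect();
        for id in ids {
            self.dev.c.borrow_mut().kfree(id);
        }
    }
}

/// A probe that takes two buffers and may bail out. The error path needs no
/// hand-written unwinding: `res` drops, which frees and then puts.
pub fn probe(c: &Rc<RefCell<CSide>>, fail: bool) -> Result<Devres, &'static str> {
    let mut res = Devres::new(Device::get(c));
    res.alloc();
    res.alloc();
    if fail {
        return Err("hardware not responding");
    }
    Ok(res)
}

/// Successful probe, then unbind: (refcount, live allocs) while bound, the
/// same after unbind, and the order in which buffers were freed.
pub fn probe_then_unbind() -> (u32, usize, u32, usize, Vec<u32>) {
    let c = Rc::new(RefCell::new(CSide::default()));
    let bound = probe(&c, false).expect("probe succeeds");
    let (r1, l1) = (c.borrow().refcount, c.borrow().live_allocs.len());
    drop(bound); // device unbind
    let s = c.borrow();
    (r1, l1, s.refcount, s.live_allocs.len(), s.free_log.clone())
}

/// Failing probe: the error path leaves the C side exactly as it found it.
pub fn probe_failing() -> (u32, usize, Vec<u32>) {
    let c = Rc::new(RefCell::new(CSide::default()));
    assert!(probe(&c, true).is_err());
    let s = c.borrow();
    (s.refcount, s.live_allocs.len(), s.free_log.clone())
}
```

The point of the simulation is the shape of the guarantee, not the bookkeeping: the driver-side `probe` never calls `kfree` or `put_device`, yet both the error path and the unbind path leave the C-side state balanced, because ownership and release order are properties of the `Device` and `Devres` types. That is also where the mismatch risk sits: the `assert!` in `put_device` is the only thing standing in for the C side's real contract, so a change in what the C API promises would have to be mirrored in these types rather than in any driver that uses them.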