From: Kent Overstreet <kent.overstreet@linux.dev>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Boqun Feng <boqun.feng@gmail.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>,
Christoph Hellwig <hch@infradead.org>,
rust-for-linux <rust-for-linux@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
David Airlie <airlied@gmail.com>,
linux-kernel@vger.kernel.org, ksummit@lists.linux.dev
Subject: Re: Rust kernel policy
Date: Sat, 22 Feb 2025 11:04:16 -0500 [thread overview]
Message-ID: <sbcgis4vibueieejklfvv5zgz5omirryjyiynd5kloilxfygqb@zcqrjc6snxey> (raw)
In-Reply-To: <2025021954-flaccid-pucker-f7d9@gregkh>
On Wed, Feb 19, 2025 at 06:39:10AM +0100, Greg KH wrote:
> Rust isn't a "silver bullet" that will solve all of our problems, but it
> sure will help in a huge number of places, so for new stuff going
> forward, why wouldn't we want that?
I would say that Rust really is a silver bullet; it won't solve
everything all at once but it's a huge advance down the right path, and
there's deep theoretical reasons why it's the right approach - if we
want to be making real advances towards writing more reliable code.
Previously, there have been things like Compcert (writing a compiler in
a proof checking language) and Sel4 (proving the behaviour of a (small)
C program), but these approaches both have practical problems. A proof
checker isn't a systems programming language (garbage collection is
right out), and writing correctness proofs for C programs is arduous.
The big thing we run into when trying to bring this to a practical
systems language, and the fundamental reason the borrow checker looks
the way it does, is Rice's theorem. Rice's theorem is a direct corollary
of the halting problem - "any nontrivial property of a program is either
a direct consequence of the syntax or undecidable".
The halting problem states - "given an arbitrary program, you can't tell
without running it whether it halts or not, and then..." - you know.
Rice's theorem extends that: not only can you not tell if a program
halts or not, you can't tell in general anything about what a program
does without running it and seeing what happens.
The loophole is the "unless that property is a direct consequence of
the syntax".
"Direct consequence of the syntax" directly corresponds to static type
systems. This is the explanation for why large programs in statically
typed languages tend to be more maintainable than in python/javascript -
there are things about your program that you can understand just by
reading code, instead of running it and waiting to see what type a
variable has and what method is called or what have you.
IOW: improvements in static analysis have to come from type system
improvements, and memory safety in particular (in a language without
garbage collection) has to come from baking information about references
into the type system.
So this is why all those other "let's just add some safety features to C
or what have you" efforts are doomed to fail - for them to work, and be
as good as Rust, they'd have to add all the core difficult features of
Rust to C, and we'd still have to rewrite pretty much all of our code,
because making effective use of the borrow checker does require a fair
amount of rearchitecting and rewriting to make things more explicit and
more regular.
And Rust gets us a lot. Besides solving memory safety, the W^R rule of
the borrow checker gets us a lot of the nice "easy to analyze"
properties of pure functional languages, and it's a good foundation for
the next advances in formal verification - dependent types.
TL;DR - it's going to be worth it.
(Also, listen to people like Josef who say "I'm now writing Rust in my
day to day and I never want to go back". It really is that good.)
next prev parent reply other threads:[~2025-02-22 16:04 UTC|newest]
Thread overview: 186+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CANiq72m-R0tOakf=j7BZ78jDHdy=9-fvZbAT8j91Je2Bxy0sFg@mail.gmail.com>
2025-02-18 16:08 ` Christoph Hellwig
2025-02-18 16:35 ` Jarkko Sakkinen
2025-02-18 16:39 ` Jarkko Sakkinen
2025-02-18 18:08 ` Jarkko Sakkinen
2025-02-18 21:22 ` Boqun Feng
2025-02-19 6:20 ` Jarkko Sakkinen
2025-02-19 6:35 ` Dave Airlie
2025-02-19 11:37 ` Jarkko Sakkinen
2025-02-19 13:25 ` Geert Uytterhoeven
2025-02-19 13:40 ` Jarkko Sakkinen
2025-02-19 7:05 ` Boqun Feng
2025-02-19 11:32 ` Jarkko Sakkinen
2025-02-18 17:36 ` Jiri Kosina
2025-02-20 6:33 ` Christoph Hellwig
2025-02-20 18:40 ` Alexei Starovoitov
2025-02-18 18:46 ` Miguel Ojeda
2025-02-18 21:49 ` H. Peter Anvin
2025-02-18 22:38 ` Dave Airlie
2025-02-18 22:54 ` Miguel Ojeda
2025-02-19 0:58 ` H. Peter Anvin
2025-02-19 3:04 ` Boqun Feng
2025-02-19 5:07 ` NeilBrown
2025-02-19 5:39 ` Greg KH
2025-02-19 15:05 ` Laurent Pinchart
2025-02-20 20:49 ` Lyude Paul
2025-02-21 19:24 ` Laurent Pinchart
2025-02-20 7:03 ` Martin Uecker
2025-02-20 7:10 ` Greg KH
2025-02-20 8:57 ` Martin Uecker
2025-02-20 13:46 ` Dan Carpenter
2025-02-20 14:09 ` Martin Uecker
2025-02-20 14:38 ` H. Peter Anvin
2025-02-20 15:25 ` Dan Carpenter
2025-02-20 15:49 ` Willy Tarreau
2025-02-22 15:30 ` Kent Overstreet
2025-02-20 14:53 ` Greg KH
2025-02-20 15:40 ` Martin Uecker
2025-02-21 0:46 ` Miguel Ojeda
2025-02-21 9:48 ` Dan Carpenter
2025-02-21 16:28 ` Martin Uecker
2025-02-21 17:43 ` Steven Rostedt
2025-02-21 18:07 ` Linus Torvalds
2025-02-21 18:19 ` Steven Rostedt
2025-02-21 18:31 ` Martin Uecker
2025-02-21 19:30 ` Linus Torvalds
2025-02-21 19:59 ` Martin Uecker
2025-02-21 20:11 ` Linus Torvalds
2025-02-22 7:20 ` Martin Uecker
2025-02-21 22:24 ` Steven Rostedt
2025-02-21 23:04 ` Linus Torvalds
2025-02-22 17:53 ` Kent Overstreet
2025-02-22 18:44 ` Linus Torvalds
2025-02-23 16:42 ` David Laight
2025-02-21 23:37 ` Martin Uecker
2025-02-25 22:49 ` David Laight
2025-02-22 18:42 ` Linus Torvalds
2025-02-22 9:45 ` Dan Carpenter
2025-02-22 10:25 ` Martin Uecker
2025-02-22 11:07 ` Greg KH
2025-02-21 18:23 ` Martin Uecker
2025-02-21 22:14 ` Steven Rostedt
2025-03-01 13:22 ` Askar Safin
2025-03-01 13:55 ` Martin Uecker
2025-03-02 6:50 ` Kees Cook
2025-02-21 18:11 ` Theodore Ts'o
2025-02-24 8:12 ` Dan Carpenter
2025-02-20 22:08 ` Paul E. McKenney
2025-02-22 23:42 ` Piotr Masłowski
2025-02-23 8:10 ` Martin Uecker
2025-02-23 23:31 ` comex
2025-02-24 9:08 ` Ventura Jack
2025-02-24 18:03 ` Martin Uecker
2025-02-20 12:28 ` Jan Engelhardt
2025-02-20 12:37 ` Greg KH
2025-02-20 13:23 ` H. Peter Anvin
2025-02-20 13:51 ` Willy Tarreau
2025-02-20 15:17 ` C aggregate passing (Rust kernel policy) Jan Engelhardt
2025-02-20 16:46 ` Linus Torvalds
2025-02-20 20:34 ` H. Peter Anvin
2025-02-21 8:31 ` HUANG Zhaobin
2025-02-21 18:34 ` David Laight
2025-02-21 19:12 ` Linus Torvalds
2025-02-21 20:07 ` comex
2025-02-21 21:45 ` David Laight
2025-02-22 6:32 ` Willy Tarreau
2025-02-22 6:37 ` Willy Tarreau
2025-02-22 8:41 ` David Laight
2025-02-22 9:11 ` Willy Tarreau
2025-02-21 20:06 ` Jan Engelhardt
2025-02-21 20:23 ` Laurent Pinchart
2025-02-21 20:24 ` Laurent Pinchart
2025-02-21 22:02 ` David Laight
2025-02-21 22:13 ` Bart Van Assche
2025-02-22 5:56 ` comex
2025-02-21 20:26 ` Linus Torvalds
2025-02-21 22:19 ` henrychurchill
2025-02-21 22:52 ` henrychurchill
2025-02-20 22:13 ` Rust kernel policy Paul E. McKenney
2025-02-21 5:19 ` Felipe Contreras
2025-02-21 5:36 ` Boqun Feng
2025-02-21 5:59 ` Felipe Contreras
2025-02-21 7:04 ` Dave Airlie
2025-02-24 20:27 ` Felipe Contreras
2025-02-24 20:37 ` Boqun Feng
2025-02-26 2:42 ` Felipe Contreras
2025-02-22 16:04 ` Kent Overstreet [this message]
2025-02-22 17:10 ` Ventura Jack
2025-02-22 17:34 ` Kent Overstreet
2025-02-23 2:08 ` Bart Van Assche
2025-02-19 5:53 ` Alexey Dobriyan
2025-02-19 5:59 ` Dave Airlie
2025-02-22 18:46 ` Kent Overstreet
2025-02-19 12:37 ` Miguel Ojeda
2025-02-20 11:26 ` Askar Safin
2025-02-20 12:33 ` vpotach
2025-02-19 18:52 ` Kees Cook
2025-02-19 19:08 ` Steven Rostedt
2025-02-19 19:17 ` Kees Cook
2025-02-19 20:27 ` Jason Gunthorpe
2025-02-19 20:46 ` Steven Rostedt
2025-02-19 20:52 ` Bart Van Assche
2025-02-19 21:07 ` Steven Rostedt
2025-02-20 16:05 ` Jason Gunthorpe
2025-02-20 8:13 ` Jarkko Sakkinen
2025-02-20 8:16 ` Jarkko Sakkinen
2025-02-20 11:57 ` Fiona Behrens
2025-02-20 14:07 ` Jarkko Sakkinen
2025-02-21 10:19 ` Jarkko Sakkinen
2025-02-22 12:10 ` Miguel Ojeda
2025-03-04 11:17 ` Fiona Behrens
2025-03-04 17:48 ` Jarkko Sakkinen
2025-02-20 9:55 ` Leon Romanovsky
2025-02-19 19:33 ` H. Peter Anvin
2025-02-20 6:32 ` Alexey Dobriyan
2025-02-20 6:53 ` Greg KH
2025-02-20 8:44 ` Alexey Dobriyan
2025-02-20 13:53 ` Willy Tarreau
2025-02-20 16:04 ` Jason Gunthorpe
2025-02-20 12:01 ` H. Peter Anvin
2025-02-20 12:13 ` H. Peter Anvin
2025-02-20 23:42 ` Miguel Ojeda
2025-02-22 15:21 ` Kent Overstreet
2025-02-20 6:42 ` Christoph Hellwig
2025-02-20 23:44 ` Miguel Ojeda
2025-02-21 15:24 ` Simona Vetter
2025-02-22 12:10 ` Miguel Ojeda
2025-02-26 13:17 ` Fiona Behrens
2025-02-21 0:39 ` Linus Torvalds
2025-02-21 12:16 ` Danilo Krummrich
2025-02-21 15:59 ` Steven Rostedt
2025-02-23 18:03 ` Laurent Pinchart
2025-02-23 18:31 ` Linus Torvalds
2025-02-26 16:05 ` Jason Gunthorpe
2025-02-26 19:32 ` Linus Torvalds
2025-02-19 8:05 ` Dan Carpenter
2025-02-19 14:14 ` James Bottomley
2025-02-19 14:30 ` Geert Uytterhoeven
2025-02-19 14:46 ` Martin K. Petersen
2025-02-19 14:51 ` Bartosz Golaszewski
2025-02-19 15:15 ` James Bottomley
2025-02-19 15:33 ` Willy Tarreau
2025-02-19 15:45 ` Laurent Pinchart
2025-02-19 15:46 ` James Bottomley
2025-02-19 15:56 ` Willy Tarreau
2025-02-19 16:07 ` Laurent Pinchart
2025-02-19 16:15 ` Willy Tarreau
2025-02-19 16:32 ` Laurent Pinchart
2025-02-19 16:34 ` Willy Tarreau
2025-02-19 16:33 ` Steven Rostedt
2025-02-19 16:47 ` Andrew Lunn
2025-02-19 18:22 ` Jarkko Sakkinen
2025-02-20 6:26 ` Alexey Dobriyan
2025-02-20 15:37 ` Steven Rostedt
2025-02-19 17:00 ` Martin K. Petersen
2025-02-19 15:13 ` Steven Rostedt
2025-02-19 14:05 ` James Bottomley
2025-02-19 15:08 ` Miguel Ojeda
2025-02-19 16:03 ` James Bottomley
2025-02-19 16:44 ` Miguel Ojeda
2025-02-19 17:06 ` Theodore Ts'o
2025-02-20 23:40 ` Miguel Ojeda
2025-02-22 15:03 ` Kent Overstreet
2025-02-20 16:03 ` James Bottomley
2025-02-20 23:47 ` Miguel Ojeda
2025-02-20 6:48 ` Christoph Hellwig
2025-02-20 12:56 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=sbcgis4vibueieejklfvv5zgz5omirryjyiynd5kloilxfygqb@zcqrjc6snxey \
--to=kent.overstreet@linux.dev \
--cc=airlied@gmail.com \
--cc=boqun.feng@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=hpa@zytor.com \
--cc=ksummit@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=miguel.ojeda.sandonis@gmail.com \
--cc=rust-for-linux@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox