Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp551815pxb; Fri, 16 Apr 2021 12:00:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyOik6MHfIj1GdwnvzYlqx8mZZfHuIIv61udUpViXRYt2b5VE8RAQhHs8NWgn9+dWuhbewo X-Received: by 2002:aa7:c913:: with SMTP id b19mr11822536edt.170.1618599600415; Fri, 16 Apr 2021 12:00:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618599600; cv=none; d=google.com; s=arc-20160816; b=RsRi+NERTZD4LZXWIVK07Snarz5MGi9zNOC/KBmX1o04Nldx6RtLBlwDhy5cTuCXOy fKjl7SQdOcZWWd4NVzuKdUn2Ks7rII2Lgmrh4WKsgccceoHA1HUYOylAvcDnSpGxTp3G WiLOZ70OFc5PWrWzy1pY6k9kj6kigjgN1oyShaxZ7S0y3MjjkOdI/Ew3CvOrk96/nu6M ZEnZpwbXdRs8roG1whXaGkRcnEZd2hx61hwCowQv9bFibvShTJ2bW6IMYgrWVYf74QZO ZvZAtfnXxc4xd/BdJOCMuEmvSkHG/7SvUVOirKJ+GI86unkme+EOkNQvDKEKXRlyCAJS bOEA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=/WZ2cARjZnk14Px9t0lXIGfgkqn7kmRWCZSssVhM94U=; b=wt6CEa2qTq/tHZOxqTCviUs1PsDMnmI9vNWf64DMQ2yHH9ARWErLAZSHyczW0TQ9Zu jOhx2sFO2JSXsVZqkXtnzMMX61mCArtTJV6yBsXVRtPpFCV/Vp6WozJXgiS8KYtS6jao +I2zGvsULYEb1oqUn4BXzpd7ArwNKDK9ncodtiyPsHg5J4uxJ+icM+mAFr33E/asB4jb KqHAQ1GdqkKz41a9AMvTH8OmDW88PSsxriKVRoXAC51ZXz/GDC5avwufjSzfxFy8aNAD TD57SHrSmIE2e5/adAX6mKRvLPQU0fsrGVNhpZndf4t+kP8StJhacdOFfqsyH+QRyc3a BF0w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t22si5789519edd.558.2021.04.16.11.59.37; Fri, 16 Apr 2021 12:00:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243186AbhDPRh5 (ORCPT + 99 others); Fri, 16 Apr 2021 13:37:57 -0400 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:51729 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242995AbhDPRhz (ORCPT ); Fri, 16 Apr 2021 13:37:55 -0400 Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id 13GHbHGh010904; Fri, 16 Apr 2021 19:37:17 +0200 Date: Fri, 16 Apr 2021 19:37:17 +0200 From: Willy Tarreau To: Miguel Ojeda Cc: Wedson Almeida Filho , Peter Zijlstra , Miguel Ojeda , Linus Torvalds , Greg Kroah-Hartman , rust-for-linux@vger.kernel.org, Linux Kbuild mailing list , Linux Doc Mailing List , linux-kernel Subject: Re: [PATCH 00/13] [RFC] Rust support Message-ID: <20210416173717.GA10846@1wt.eu> References: <20210414184604.23473-1-ojeda@kernel.org> <20210416161444.GA10484@1wt.eu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Miguel, On Fri, Apr 16, 2021 at 07:10:17PM +0200, Miguel Ojeda wrote: > And by having the compiler enforce this safe-unsafe split, you can > review safe code without having to constantly worry about UB; and be > extra alert when dealing with `unsafe` blocks. I do appreciate this safe/unsafe split and a few other things I've seen in the language. The equivalent I'm using in C is stronger typing and "const" modifiers wherever possible. Of course it's much more limited, it's just to explain that I do value this. I just feel like "unsafe" is the universal response to any question "how would I do this" while at the same time "safe" is the best selling argument for the language. As such, I strongly doubt about the real benefits once facing reality with everything marked unsafe. Except that it will be easier to blame the person having written the unsafe one-liner instead of writing 60 cryptic lines doing the functional equivalent using some lesser known extensions :-/ > Of course, UB is only a subset of errors, but it is a major one, and > particularly critical for privileged code. Not in my experience. I do create bugs that very seldomly stem from UB, like any of us probably. But the vast majority of my bugs are caused by stupid logic errors. When you invert an error check somewhere because the function name looks like a boolean but its result works the other way around, you can pass 10 times over it without noticing, and the compiler will not help. And these ones are due to the human brain not being that powerful in front of a computer, and whatever language will not change this. Or worse, if it's harder to express what I want, I will write more bugs. It happened to me quite a few times already trying to work around absurd gcc warnings. Based on the comments in this thread and the responses often being around "we'll try to get this done" or "we'll bring the issue to the compiler team", combined with the difficulty to keep control over resources usage, I'm really not convinced at all it's suited for low-level development. I understand the interest of the experiment to help the language evolve into that direction, but I fear that the kernel will soon be as bloated and insecure as a browser, and that's really not to please me. Cheers, Willy