Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp3192162rwb; Mon, 19 Sep 2022 16:56:09 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7C3VFDMpLQujwrB3osV1Y40MUXh0QSgGxWUFYmz+bKunLyhr/5ElCNWaGOnV/AOOdX9Bm+ X-Received: by 2002:a17:902:c245:b0:178:3912:f1fe with SMTP id 5-20020a170902c24500b001783912f1femr2225297plg.13.1663631769286; Mon, 19 Sep 2022 16:56:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1663631769; cv=none; d=google.com; s=arc-20160816; b=JL6PnH2Q0b9wLMOc6s02Qen/mk2dPH6Ka7jLNpkhawlKqD+EnJIAN06xn06u+xRV4e XViYxBKrUosHiGKNjygcETMWd/beo5Iv+Qdrd4YLDbETi+01ZvaYq8+zQPyR5DJjhvZ1 iMMC42M7A7DD7i86K8hqwsSL1SxnUpKm7RH0jn1dwWBJOlwTBjpftoopW8egJmwP4mmd /D+TeU8N9psQCcKanKCzqGBMK7iHeD+EqnIhNj1jYsFyKC+iYkY8/cwy1LElx0HKvLbJ mixGtokqQ+cAR0tiPOzvYTbq12V29MU7D79LNFMrg9slMD46qMxmJpWG7doBFMndwSAk +p/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=NXzXxlM9sVEFzc66soX0I+Z/mq5m2rg9T8SoVpFvUT4=; b=CaeYZKRZ9OVRav7Cw8s1Fq6jt17GuvzP5bkXmFD651hMNiacPjEMbNwf4lHDYwHVnP frpwka9fr8ia8WVjOeIQGWGr+TxdmzjY7NwBxFQxJncQnyEvQvw+3Mt6hYXaC11JIJ7o vZiiVTdPJHtTQQPKjHntEAiQbP50lV9C0HEbISxWmV/zX5aPHpgeIrZ+U6pLUr5fecDe r29S1OD3cZb4wOMcgvsE5nss1bwv9GscdRSzz0YvJyGEj6u1R4bjWtvol3ndqXvLftg6 6xLdU9CbgssbplafvAnmDMo51/k1MQj0Y8QvmN1sRftcP6uUg2/6YQe2skb9eNsfXELQ LesA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=NsywTCeY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id na2-20020a17090b4c0200b00200b5c30f73si87205pjb.106.2022.09.19.16.55.57; Mon, 19 Sep 2022 16:56:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=NsywTCeY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229807AbiISXkf (ORCPT + 99 others); Mon, 19 Sep 2022 19:40:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40850 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229822AbiISXkc (ORCPT ); Mon, 19 Sep 2022 19:40:32 -0400 Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CCEC84BA56 for ; Mon, 19 Sep 2022 16:40:30 -0700 (PDT) Received: by mail-ej1-x633.google.com with SMTP id kr11so2245706ejc.8 for ; Mon, 19 Sep 2022 16:40:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=NXzXxlM9sVEFzc66soX0I+Z/mq5m2rg9T8SoVpFvUT4=; b=NsywTCeY9sd40b/41h2okvpTgyG2TSi3t/dg5pbH/L3beDvVkydnABPeMyhFxfDIgt 4OZkJs8sPvCO28LEtRRl+3W+3YNo6DLVmNhyIyLg+6fJ8XdVP3Pw424Mqr/64OBW8YJx KH623RdzusneU5G9sBz+JF5PMau1u0ftV/Lbg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=NXzXxlM9sVEFzc66soX0I+Z/mq5m2rg9T8SoVpFvUT4=; b=IALi7SrBgWBcEv5uuW7Gc9ykhJaJNDE/EYxmyksz7WjZZ5a4z5+7g11W0R0uxh0caF UMW48I1ePveVoRBl6deFqG6TGr99dMiRm+snfAN8Tdw3JztBMIKT76iCFfPxCQxYwCMh VP5Q6c4dapyrbtrTHBx4/eDhJ8ujF6u0jIuP5TQ2iGZXFgl+p6FYNxz9MNlHJ9PzpgXs q7XgWHsV+F3xN7ZcOKgKZWYLdyFyjhL0bI1f1olhJRsvDiA4Nt9ljYAZk/V3skOGV0jA Xr2Vp2twD+HlNgZ+6NAT/juit2Iy0/DXqZVnyBqc9MpgkrWMPc7IqJyF5sqq2PzoXDdj daNA== X-Gm-Message-State: ACrzQf3V63+DaECk6QTitGN4svZH1RMie7Vyr/7m3puRfHhxJhWptzS8 6S6F2IsXDCLnkcU2C30niFMTjoXhx3hyRDbtfiw= X-Received: by 2002:a17:906:58c7:b0:722:f4bf:cb75 with SMTP id e7-20020a17090658c700b00722f4bfcb75mr14743827ejs.450.1663630828382; Mon, 19 Sep 2022 16:40:28 -0700 (PDT) Received: from mail-ed1-f52.google.com (mail-ed1-f52.google.com. [209.85.208.52]) by smtp.gmail.com with ESMTPSA id 13-20020a170906300d00b00770880dfc4fsm16217143ejz.29.2022.09.19.16.40.24 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 19 Sep 2022 16:40:26 -0700 (PDT) Received: by mail-ed1-f52.google.com with SMTP id m3so1378652eda.12 for ; Mon, 19 Sep 2022 16:40:24 -0700 (PDT) X-Received: by 2002:a2e:9886:0:b0:26c:57d9:10c6 with SMTP id b6-20020a2e9886000000b0026c57d910c6mr778573ljj.309.1663630813877; Mon, 19 Sep 2022 16:40:13 -0700 (PDT) MIME-Version: 1.0 References: <20220805154231.31257-13-ojeda@kernel.org> In-Reply-To: From: Linus Torvalds Date: Mon, 19 Sep 2022 16:39:56 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v9 12/27] rust: add `kernel` crate To: Wedson Almeida Filho Cc: Matthew Wilcox , Kees Cook , Miguel Ojeda , Konstantin Shelekhin , ojeda@kernel.org, alex.gaynor@gmail.com, ark.email@gmail.com, bjorn3_gh@protonmail.com, bobo1239@web.de, bonifaido@gmail.com, boqun.feng@gmail.com, davidgow@google.com, dev@niklasmohrin.de, dsosnowski@dsosnowski.pl, foxhlchen@gmail.com, gary@garyguo.net, geofft@ldpreload.com, gregkh@linuxfoundation.org, jarkko@kernel.org, john.m.baublitz@gmail.com, leseulartichaut@gmail.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, m.falkowski@samsung.com, me@kloenk.de, milan@mdaverde.com, mjmouse9999@gmail.com, patches@lists.linux.dev, rust-for-linux@vger.kernel.org, thesven73@gmail.com, viktor@v-gar.de, Andreas Hindborg Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Sep 19, 2022 at 3:35 PM Wedson Almeida Filho wrote: > > No one is talking about absolute safety guarantees. I am talking about > specific ones that Rust makes: these are well-documented and formally > defined. If you cannot get over the fact that the kernel may have other requirements that trump any language standards, we really can't work together. Those Rust rules may make sense in other environments. But the kernel really does have hard requirements that you continue to limp along even if some fundamental rule has been violated. Exactly because there's often no separate environment outside the kernel that can deal with it. End result: a compiler - or language infrastructure - that says "my rules are so ingrained that I cannot do that" is not one that is valid for kernel work. This is not really any different from the whole notion of "allocation failures cannot panic" that Rust people seemed to readily understand is a major kernel requirement, and that the kernel needed a graceful failure return instead of a hard panic. Also note that the kernel is perfectly willing to say "I will use compiler flags that disable certain guarantees". We do it all the time. For example, the C standard has a lot of "the compiler is allowed to make this assumption". And then we disagree with those, and so "kernel C" is different. For example, the standard says that dereferencing a NULL pointer is undefined behavior, so a C compiler can see a dereference of a pointer to be a guarantee that said pointer isn't NULL, and remove any subsequent NULL pointer tests. That turns out to be one of those "obviously true in a perfect world, but problematic in a real world with bugs", and we tell the compiler to not do that by passing it the '-fno-delete-null-pointer-checks' flag, because the compiler _depending_ on undefined behavior and changing code generation in the build ends up being a really bad idea from a security standpoint. Now, in C, most of these kinds of things come from the C standard being very lax, and having much too many "this is undefined behavior" rules. So in almost all cases we end up saying "we want the well-defined implementation, not the 'strictly speaking, the language specs allows the compiler to do Xyz". Rust comes from a different direction than C, and it may well be that we very much need some of the rules to be relaxed. And hey, Rust people do know about "sometimes the rules have to be relaxed". When it comes to integer overflows etc, there's a "overflow-checks" flag, typically used for debug vs release builds. The kernel has similar issues where sometimes you might want the strict checking (lockdep etc), and sometimes you may end up being less strict and miss a few rules (eg "we don't maintain a preempt count for this config, so we can't check RCU mode violations"). > But I won't give up on Rust guarantees just yet, I'll try to find > ergonomic ways to enforce them at compile time. I think that compile-time static checking is wonderful, and as much as possible should be done 100% statically so that people cannot write incorrect programs. But we all know that static checking is limited, and then the amount of dynamic checking for violations is often something that will have to depend on environment flags, because it may come with an exorbitant price in the checking. Exactly like integer overflow checking. Linus