← Back to context

Comment by baq

8 hours ago

> I am not sure what point did you try to make by giving something that is not even a production quality code?

let's start by prefacing that 'production quality' C is 100% unsafe in Rust terms.

> Sorry, I am not buying that argument.

here's where we fundamentally disagree: you listed a couple dozen unsafe places in 1.5kLOC of code; let's be generous and say that's 10% - and you're trying to sell it as a bad thing, whereas I'm seeing the same numbers and think it's a great improvement over status quo ante.

19 comments

baq

Reply
menaerus  7 hours ago

> let's start by prefacing that 'production quality' C is 100% unsafe in Rust terms.

I don't know what one should even make from that statement.

> here's where we fundamentally disagree: you listed a couple dozen unsafe places in 1.5kLOC of code; let's be generous and say that's 10%

It's more than 10%, you didn't even bother to look at the code but still presented it, what in reality is a toy driver example, as something credible (?) to support your argument of me spreading FUD. Kinda silly.

Even if it was only that much (10%), the fact it is in the most crucial part of the code makes the argument around Rust safety moot. I am sure you heard of 90/10 rule.

The time will tell but I am not holding my breath. I think this is a bad thing for Linux kernel development.

  • baq  7 hours ago

    > I don't know what one should even make from that statement.

    it's just a fact. by definition of the Rust language unsafe Rust is approximately as safe as C (technically Rust is still safer than C in its unsafe blocks, but we can ignore that.)

    > you didn't even bother to look at the code but still presented

    of course I did, what I've seen were one-liner trait impls (the 'whole traits' from your own post) and sub-line expressions of unsafe access to bindings.

    • zozbot234  6 hours ago

      > technically Rust is still safer than C in its unsafe blocks

      This is quite dubious in a practical sense, since Rust unsafe blocks must manually uphold the safety invariants that idiomatic Safe Rust relies on at all times, which includes, e.g. references pointing to valid and properly aligned data, as well as requirements on mutable references comparable to what the `restrict` qualifier (which is rarely used) involves in C. In practice, this is hard to do consistently, and may trigger unexpected UB.

      Some of these safety invariants can be relaxed in simple ways (e.g. &Cell<T> being aliasable where &mut T isn't) but this isn't always idiomatic or free of boilerplate in Safe Rust.

      10 replies →