← Back to context

Comment by menaerus

8 hours ago

> let's start by prefacing that 'production quality' C is 100% unsafe in Rust terms.

I don't know what one should even make from that statement.

> here's where we fundamentally disagree: you listed a couple dozen unsafe places in 1.5kLOC of code; let's be generous and say that's 10%

It's more than 10%, you didn't even bother to look at the code but still presented it, what in reality is a toy driver example, as something credible (?) to support your argument of me spreading FUD. Kinda silly.

Even if it was only that much (10%), the fact it is in the most crucial part of the code makes the argument around Rust safety moot. I am sure you heard of 90/10 rule.

The time will tell but I am not holding my breath. I think this is a bad thing for Linux kernel development.

19 comments

menaerus

Reply
baq  8 hours ago

> I don't know what one should even make from that statement.

it's just a fact. by definition of the Rust language unsafe Rust is approximately as safe as C (technically Rust is still safer than C in its unsafe blocks, but we can ignore that.)

> you didn't even bother to look at the code but still presented

of course I did, what I've seen were one-liner trait impls (the 'whole traits' from your own post) and sub-line expressions of unsafe access to bindings.

  • zozbot234  7 hours ago

    > technically Rust is still safer than C in its unsafe blocks

    This is quite dubious in a practical sense, since Rust unsafe blocks must manually uphold the safety invariants that idiomatic Safe Rust relies on at all times, which includes, e.g. references pointing to valid and properly aligned data, as well as requirements on mutable references comparable to what the `restrict` qualifier (which is rarely used) involves in C. In practice, this is hard to do consistently, and may trigger unexpected UB.

    Some of these safety invariants can be relaxed in simple ways (e.g. &Cell<T> being aliasable where &mut T isn't) but this isn't always idiomatic or free of boilerplate in Safe Rust.

    • Xylakant  6 hours ago

      It's great that the Google Android team has been tracking data to answer that question for years now and their conclusion is:

      -------

      The primary security concern regarding Rust generally centers on the approximately 4% of code written within unsafe{} blocks. This subset of Rust has fueled significant speculation, misconceptions, and even theories that unsafe Rust might be more buggy than C. Empirical evidence shows this to be quite wrong.

      Our data indicates that even a more conservative assumption, that a line of unsafe Rust is as likely to have a bug as a line of C or C++, significantly overestimates the risk of unsafe Rust. We don’t know for sure why this is the case, but there are likely several contributing factors:

          unsafe{} doesn't actually disable all or even most of Rust’s safety checks (a common misconception).
    The practice of encapsulation enables local reasoning about safety invariants.
    The additional scrutiny that unsafe{} blocks receive.

      -----

      From https://security.googleblog.com/2025/11/rust-in-android-move...

      10 replies →

  • menaerus  7 hours ago

    So, unsafe block every 70 LoC in 1500 LoC toy example? Sure, it's a strong argument.

    • kaoD  5 hours ago

      How is that worse than everything being unsafe?

      I've seen this argument thrown around often here in HN ("$IMPROVEMENT is still not perfect! So let's keep the statu quo.") and it baffles me.

      C is not perfect and it still replaced ASM in 99% of its use cases.

      4 replies →