logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Does-Rust-belong-in-Linux.md (10120B)

    

  1. ---
  2. title: Does Rust belong in the Linux kernel?
  3. date: 2022-10-03
  4. ---
  6. I am known to be a bit of a polemic when it comes to Rust. I will be forthright
  7. with the fact that I don't particularly care for Rust, and that my public
  8. criticisms of it might set up many readers with a reluctance to endure yet
  9. another Rust Hot Take from my blog. My answer to the question posed in the title
  10. is, of course, "no". However, let me assuage some of your fears by answering
  11. a different question first: does Hare belong in the Linux kernel?
  13. If I should owe my allegiance to any programming language, it would be
  14. [Hare](https://harelang.org). Not only is it a systems programming language that
  15. I designed myself, but I am using it [to write a kernel][helios]. [Like
  16. Rust][redox], Hare is demonstrably useful for writing kernels with. One might
  17. even go so far as to suggest that I consider it superior to C for this purpose,
  18. given that I chose to to write Helios in Hare rather than C, despite my
  19. extensive background in C. But the question remains: does Hare belong in the
  20. Linux kernel?
  22. [helios]: https://git.sr.ht/~sircmpwn/helios
  23. [redox]: https://www.redox-os.org/
  25. In my opinion, Hare does not belong in the Linux kernel, and neither does Rust.
  26. Some of the reasoning behind this answer is common to both, and some is unique
  27. to each, but I will be focusing on Rust today because Rust is the language which
  28. is actually making its way towards mainline Linux. I have no illusions about
  29. this blog post changing that, either: I simply find it an interesting case-study
  30. in software engineering decision-making in a major project, and that's worth
  31. talking about.
  33. Each change in software requires sufficient supporting rationale. What are the
  34. reasons to bring Rust into Linux? A kernel hacker thinks about these questions
  35. differently than a typical developer in userspace. One could espouse the
  36. advantages of Cargo, generics, whatever, but these concerns matter relatively
  37. little to kernel hackers. Kernels operate in a heavily constrained design space
  38. and a language has to fit into that design space. This is the first and foremost
  39. concern, and if it's awkward to mold a language to fit into these constraints
  40. then it will be a poor fit.
  42. Some common problems that a programming language designed for userspace will run
  43. into when being considered for kernelspace are:
  45. - Strict constraints on memory allocation
  46. - Strict constraints on stack usage
  47. - Strict constraints on recursion
  48. - No use of floating point arithmetic
  49. - Necessary evils, such as unsafe memory use patterns or integer overflow
  50. - The absence of a standard library, runtime, third-party libraries, or other
  51.   conveniences typically afforded to userspace
  53. Most languages can overcome these constraints with some work, but their
  54. suitability for kernel use is mainly defined by how well they adapt to them
  55. — there's a reason that kernels written in Go, C#, Java, Python, etc, are
  56. limited to being research curiosities and are left out of production systems.
  58. As Linus recently put it, "kernel needs trump any Rust needs". The kernel is
  59. simply not an environment which will bend to accommodate a language; it must go
  60. the other way around. These constraints have posed, and will continue to pose, a
  61. major challenge for Rust in Linux, but on the whole, I think that it will be
  62. able to rise to meet them, though perhaps not with as much grace as I would
  63. like.
  65. If Rust is able to work within these constraints, then it satisfies the ground
  66. rules for playing in ring 0. The question then becomes: what advantages can Rust
  67. bring to the kernel? Based on what I've seen, these essentially break down to
  68. two points:[^benefits]
  70. 1. Memory safety
  71. 2. Trendiness
  73. [^benefits]: There are some other arguable benefits which mainly boil down to
  74.   finding Rust to have a superior language design to C or to be more enjoyable
  75.   to use. These are subjective and generally are not the most important traits
  76.   a kernel hacker has to consider when choosing a language, so I'm leaving them
  77.   aside for now.
  79. I would prefer not to re-open the memory safety flamewar, so we will simply move
  80. forward with the (dubious) assumptions that memory safety is (1) unconditionally
  81. desirable, (2) compatible with the kernel's requirements, and (3) sufficiently
  82. provided for by Rust. I will offer this quote from an unnamed kernel hacker,
  83. though:
  85. > There are possibly some well-designed and written parts which have not
  86. > suffered a memory safety issue in many years. It's insulting to present this
  87. > as an improvement over what was achieved by those doing all this hard work.
  89. Regarding "trendiness", I admit that this is a somewhat unforgiving turn of
  90. phrase. In this respect I refer to the goal of expanding the kernel's developer
  91. base from a bunch of aging curmudgeons writing C[^ageism] towards a more
  92. inclusive developer pool from a younger up-and-coming language community like
  93. Rust. C is boring[^boring] — it hasn't really excited anyone in decades.
  94. Rust is exciting, and its community enjoys a huge pool of developers building
  95. their brave new world with it. Introducing Rust to the kernel will certainly
  96. appeal to a broader audience of potential contributors.
  98. [^boring]: A trait which, I will briefly note, is actually desirable for a
  99.   production kernel implementation.
  101. [^ageism]: A portrayal which, though it may have a grain of truth, is largely false
  102.   and offensive to my sensibilities as a 29-year-old kernel hacker. For the
  103.   record.
  105. But there is an underlying assumption to this argument which is worth
  106. questioning: is the supply of Linux developers dwindling, and, if so, is it to
  107. such and extent that it demands radical change?
  109. Well, no. Linux has consistently enjoyed a tremendous amount of attention from
  110. the software development community. This week's release of Linux 6.0, one of the
  111. largest Linux releases ever, boasted more than 78,000 commits by almost 5,000
  112. different authors since 5.15. Linux has a broad developer base reaching from
  113. many different industry stakeholders and independent contributors working on the
  114. careful development and maintenance of its hundreds of subsystems. The scale of
  115. Linux development is on a level unmatched by any other software project —
  116. free software or otherwise.
  118. Getting Rust working in Linux is certainly an exciting project, and I'm all for
  119. developers having fun. However, it's not likely to infuse Linux with a
  120. much-needed boost in its contributor base, because Linux has no such need.
  121. What's more, Linux's portability requirements prevent Rust from being used in
  122. most of the kernel in the first place. Most work on Rust in Linux is simply
  123. working on getting the systems to cooperate with each other or writing drivers
  124. which are redundant with existing C drivers, but cannot replace them due to
  125. Rust's limited selection of targets.[^gcc] Few to none of the efforts from the
  126. Rust-in-Linux team are likely to support the kernel's broader goals for some
  127. time.
  129. [^gcc]: Rust in GCC will help with this problem, but it will likely take several
  130.   years to materialize and several more years to become stable. Even when this
  131.   is addressed, rewriting drivers wholesale will be labor intensive and is
  132.   likely to introduce more problems than solutions — rewrites always
  133.   introduce bugs.
  135. We are thus left with memory safety as the main benefit offered by Rust to
  136. Linux, and for the purpose of this article we're going to take it at face value.
  137. So, with the ground rules set and the advantages enumerated, what are some of
  138. the problems that Rust might face in Linux?
  140. There are a few problems which could be argued over, such as substantial
  141. complexity of Rust compared to C, the inevitable doubling of Linux's build time,
  142. the significant shift in design sensibilities required to support an idiomatic
  143. Rust design, the fragile interface which will develop on the boundaries between
  144. Rust and C code, or the challenges the kernel's established base of C developers
  145. will endure when learning and adapting to a new language. To avoid letting this
  146. post become too subjective or lengthy, I'll refrain from expanding on these.
  147. Instead, allow me to simply illuminate these issues as risk factors.
  149. Linux is, on the whole, a conservative project. It is deployed worldwide in
  150. billions of devices and its reliability is depended on by a majority of Earth's
  151. population. Risks are carefully evaluated in Linux as such. Every change
  152. presents risks and offers advantages, which must be weighed against each other
  153. to justify the change. Rust is one of the riskiest bets Linux has ever
  154. considered, and, in my opinion, the advantages may not weigh up. I think that
  155. the main reason we're going to see Rust in the kernel is not due to a careful
  156. balancing of risk and reward, but because the Rust community wants Rust in
  157. Linux, and they're large and loud enough to not be worth the cost of arguing
  158. with.
  160. I don't think that changes on this scale are appropriate for most projects. I
  161. prefer to encourage people to write new software to replace established
  162. software, rather than rewriting the established software. Some projects, such as
  163. [Redox][redox], are doing just that with Rust. However, operating systems are in
  164. a difficult spot in this respect. Writing an operating system is difficult work
  165. with a huge scope — few projects can hope to challenge Linux on driver
  166. support, for example. The major players have been entrenched for decades, and
  167. any project seeking to displace them will have decades of hard work ahead of
  168. them and will require a considerable amount of luck to succeed. Though I think
  169. that new innovations in kernels are badly overdue, I must acknowledge that
  170. there is some truth to the argument that we're stuck with Linux. In this
  171. framing, if you want Rust to succeed in a kernel, getting it into Linux is the
  172. best strategy.
  174. But, on the whole, my opinion is that the benefits of Rust in Linux are
  175. negligible and the costs are not. That said, it's going to happen, and the
  176. impact to me is likely to be, at worst, a nuisance. Though I would have chosen
  177. differently, I wish them the best of luck and hope to see them succeed.