| |
| ▲ | jcranmer 6 hours ago | parent | next [-] | | C currently remains the language of system ABIs, and there remains functionality that C can express that Rust cannot (principally bitfields). Furthermore, in terms of extensions to the language to support more obtuse architecture, Rust has made a couple of decisions that make it hard for some of those architectures to be supported well. For example, Rust has decided that the array index type, the object size type, and the pointer size type are all the same type, which is not the case for a couple of architectures; it's also the case that things like segmented pointers don't really work in Rust (of course, they barely work in C, but barely is more than nothing). | | |
| ▲ | vlovich123 3 hours ago | parent | next [-] | | Can you expand on bitfields? There’s crates that implement bitfield structs via macros so while not being baked into the language I’m not sure what in practice Rust isn’t able to do on that front. | | |
| ▲ | ZeWaka 3 hours ago | parent [-] | | Yeah, not sure what they're saying... I use bitfields in multiple of my rust projects using those macros. | | |
| ▲ | maweki 3 hours ago | parent | next [-] | | I'm not a rust or systems programmer but I think it meant that as an ABI or foreign function interface bitfields are not stable or not intuitive to use, as they can't be declared granularily enough. | |
| ▲ | pjmlp an hour ago | parent | prev [-] | | Across binary libraries ABI, regardless of static or dynamically linked? |
|
| |
| ▲ | raggi 6 hours ago | parent | prev | next [-] | | That first sentence though. Bitfields and ABI alongside each other. Bitfield packing rules get pretty wild. Sure the user facing API in the language is convenient, but the ABI it produces is terrible (particularly in evolution). | | |
| ▲ | mjevans 5 hours ago | parent [-] | | I would like a revision to bitfields and structs to make them behave the way a programmer things, with the compiler free to suggest changes which optimize the layout. As well as some flag that indicates the compiler should not, it's a finalized structure. |
| |
| ▲ | kbolino 5 hours ago | parent | prev | next [-] | | I'm genuinely surprised that usize <=> pointer convertibility exists. Even Go has different types for pointer-width integers (uintptr) and sizes of things (int/uint). I can only guess that Rust's choice was seen as a harmless simplification at the time. Is it something that can be fixed with editions? My guess is no, or at least not easily. | | |
| ▲ | jcranmer 5 hours ago | parent | next [-] | | There is a cost to having multiple language-level types that represent the exact same set of values, as C has (and is really noticeable in C++). Rust made an early, fairly explicit decision that a) usize is a distinct fundamental type from the other types, and not merely a target-specific typedef, and b) not to introduce more types for things like uindex or uaddr or uptr, which are the same as usize on nearly every platform. Rust worded in its initial guarantee that usize was sufficient to roundtrip a pointer (making it effectively uptr), and there remains concern among several of the maintainers about breaking that guarantee, despite the fact that people on the only target that would be affected basically saying they'd rather see that guarantee broken. Sort of the more fundamental problem is that many crates are perfectly happy opting out of compiling for weirder platform--I've designed some stuff that relies on 64-bit system properties, and I'd rather like to have the ability to say "no compile for you on platform where usize-is-not-u64" and get impl From<usize> for u64 and impl From<u64> for usize. If you've got something like that, it also provides a neat way to say "I don't want to opt out of [or into] compiling for usize≠uptr" and keeping backwards compatibility. If you want to see some long, gory debates on the topic, https://internals.rust-lang.org/t/pre-rfc-usize-is-not-size-... is a good starting point. | | |
| ▲ | zozbot234 an hour ago | parent [-] | | > ...not to introduce more types for things like uindex or uaddr or uptr, which are the same as usize on nearly every platform. ... there remains concern among several of the maintainers about breaking that guarantee, despite the fact that people on the only target that would be affected basically saying they'd rather see that guarantee broken. The proper approach to resolving this in an elegant way is to make the guarantee target-dependent. Require all depended-upon crates to acknowledge that usize might differ from uptr in order to unlock building for "exotic" architectures, much like how no-std works today. That way "nearly every platform" can still rely on the guarantee with no rise in complexity. |
| |
| ▲ | aw1621107 5 hours ago | parent | prev [-] | | > Is it something that can be fixed with editions? My guess is no, or at least not easily. Assuming I'm reading these blog posts [0, 1] correctly, it seems that the size_of::<usize>() == size_of::<*mut u8>() assumption is changeable across editions. Or at the very least, if that change (or a similarly workable one) isn't possible, both blog posts do a pretty good job of pointedly not saying so. [0]: https://faultlore.com/blah/fix-rust-pointers/#redefining-usi... [1]: https://tratt.net/laurie/blog/2022/making_rust_a_better_fit_... |
| |
| ▲ | dataflow 6 hours ago | parent | prev | next [-] | | In what architecture are those types different? Is there a good reason for it there architecturally, or is it just a toolchain idiosyncrasy in terms of how it's exposed (like LP64 vs. LLP64 etc.)? | | |
| ▲ | jcranmer 5 hours ago | parent [-] | | CHERI has 64-bit object size but 128-bit pointers (because the pointer values also carry pointer provenance metadata in addition to an address). I know some of the pointer types on GPUs (e.g., texture pointers) also have wildly different sizes for the address size versus the pointer size. Far pointers on segmented i386 would be 16-bit object and index size but 32-bit address and pointer size. There was one accelerator architecture we were working that discussed making the entire datapath be 32-bit (taking less space) and having a 32-bit index type with a 64-bit pointer size, but this was eventually rejected as too hard to get working. | | |
| ▲ | sroussey an hour ago | parent [-] | | I guess today, instead of 128bit pointers we have 64bit pointers and secret provenance data inside the cpu, at least on the most recent shipped iPhones and Macs. In the end, I’m not sure that’s better, or maybe we should have had extra large pointers again (in that way back 32bit was so large we stuffed other stuff in there) like CHERI proposes (though I think it still has secret sidecar of data about the pointers). Would love to Apple get closer to Cheri. They could make a big change as they are vertically integrated, though I think their Apple Silicon for Mac moment would have been the time. I wonder what big pointers does to performance. | | |
|
| |
| ▲ | throw_a_grenade 2 hours ago | parent | prev [-] | | Also you can't do self-referential strutcs. Double-linked lists are also pain to implement, and they're are heavily used in kernel. | | |
| ▲ | K0nserv an hour ago | parent | next [-] | | > Also you can't do self-referential strutcs. You mean in safe rust? You can definitely do self-referential structs with unsafe and Pin to make a safe API. Heck every future generated by the compiler relies on this. | |
| ▲ | menaerus 2 hours ago | parent | prev [-] | | There's going to be ~zero benefit of Rust safety mechanisms in the kernel, which I anticipate will be littered with the unsafe sections. I personally see this move not as much technical as I see it as a political lobbying one (US gov). IMHO for Linux kernel development this is not a good news since it will inevitably introduce friction in development and consequently reduce the velocity, and most likely steer away certain amount of long-time kernel developers too. | | |
| ▲ | baq an hour ago | parent [-] | | Don’t spread FUD, you can check some example code yourself. https://git.kernel.org/pub/scm/linux/kernel/git/a.hindborg/l... | | |
| ▲ | menaerus a minute ago | parent [-] | | Sorry but what have I said wrong? The nature of code written in kernel development is such that using unsafe is inevitable. Low-level code with memory juggling and patterns that you usually don't find in application code. And yes, I have had a look into the examples - maybe one or two years there was a significant patch submitted to the kernel and number of unsafe sections made me realize at that moment that Rust, in terms of kernel development, might not be what it is advertised for. > https://git.kernel.org/pub/scm/linux/kernel/git/a.hindborg/l.. Right? Thank you for the example. Let's first start by saying the obvious - this is not an upstream driver but a fork so it's not used yet. Also, it can be considered a PoC at best and which isalso acknowledged by its very web page, https://rust-for-linux.com/nvme-driver, by saying "The driver is not currently suitable for general use." Now let's move to the analysis of the code. An example counting only 1500 LoC, without crates. rnvme.rs - 8x unsafe sections, 1x SyncUnsafeCell used for NvmeRequest::cmd (why?) nvme_mq/nvme_prp.rs - 1x unsafe section nvme_queue.rs - 6x unsafe not sections but complete traits nvme_mq.rs - 5x unsafe sections, 2x SyncUnsafeCell used, one for
IoQueueOperations::cmd second for AdminQueueOperations::cmd In total, this is 23x unsafe sections/traits over 1500LoC, for a driver that is not even a production driver. And this is a number which does not even taking the crates this driver uses into an analysis.
https://git.kernel.org/pub/scm/linux/kernel/git/a.hindborg/l... * https://git.kernel.org/pub/scm/linux/kernel/git/a.hindborg/l... * |
|
|
|
| |
| ▲ | pjmlp an hour ago | parent | prev | next [-] | | Yes it does, alongside C++, Rust isn't available everywhere. There are industry standards based in C, or C++, and I doubt they will be adopting Rust any time soon. POSIX (which does require a C compiler for certification), OpenGL, OpenCL, SYSCL, Aparavi, Vulkan, DirectX, LibGNM(X), NVN, CUDA, LLVM, GCC, Unreal, Godot, Unity,... Then plenty of OSes like the Apple ecosystem, among many other RTOS and commercial endevours for embedded. Also the official Rust compiler isn't fully bootstraped yet, thus it depends on C++ tooling for its very existence. Which is why efforts to make C and C++ safer are also much welcomed, plenty of code out there is never going to be RIR, and there are domains where Rust will be a runner up for several decades. | | |
| ▲ | Philpax 31 minutes ago | parent [-] | | I agree with you for the most part, but it's worth noting that those standards can expose a C API/ABI while being primarily implemented in and/or used by non-C languages. I think we're a long way away from that, but there's no inherent reason why C would be a going concern for these in the Glorious RIIR Future:tm:. |
| |
| ▲ | biorach 3 hours ago | parent | prev | next [-] | | There are certain styles of programming and data structure implementations that end up requiring you to fight Rust at almost every step. Things like intrusive data structures, pointer manipulation and so on. Famously there is an entire book online on how to write a performant linked list in idiomatic Rust - something that is considered straightforward in C. For these cases you could always use Zig instead of C | | |
| ▲ | pjmlp an hour ago | parent | next [-] | | Given Zig's approach to safety, you can get the same in C with static and runtime analysis tools, that many devs keep ignoring. Already setting the proper defaults on a Makefile would get many people half way there, without changing to language yet to be 1.0, and no use-after-free story. | |
| ▲ | wiz21c 2 hours ago | parent | prev | next [-] | | it is not straightforward in rust because the linked list is inherently tricky to implement correctly. Rust makes that very apparent (and, yeah, a bit too apparent). I know, a linked list is not exactly super complex and rust makes that a bit tough. But the realisation one must have is this: building a linked list will break some key assumptions about memory safety, so trying to force that into rust is just not gonna make it. Problem is I guess that for several of us, we have forgotten about memory safety and it's a bit painful to have that remembered to us by a compiler :-) | |
| ▲ | arbitrandomuser 2 hours ago | parent | prev | next [-] | | what is an intrusive data structure? | | |
| ▲ | ahartmetz an hour ago | parent | next [-] | | A container class that needs cooperation from the contained items, usually with special data fields. For example, a doubly linked list where the forward and back pointers are regular member variables of the contained items. Intrusive containers can avoid memory allocations (which can be a correctness issue in a kernel) and go well with C's lack of built-in container classes. They are somewhat common in C and very rare in C++ and Rust. | | |
| ▲ | eru 10 minutes ago | parent [-] | | At least for a double linked list you can probably get pretty far in terms of performance in the non-intrusive case, if your compiler unboxes the contained item into your nodes? Or are there benefits left in intrusive data structures that this doesn't capture? |
| |
| ▲ | ajuc an hour ago | parent | prev [-] | | A data structure that requires you to change the data to use it. Like a linked list that forces you to add a next pointer to the record you want to store in it. |
| |
| ▲ | ViewTrick1002 2 hours ago | parent | prev [-] | | Or just build a tested unsafe implementation as a library. For example the Linked List in the standard library. https://doc.rust-lang.org/src/alloc/collections/linked_list.... | | |
| ▲ | biorach 2 hours ago | parent | next [-] | | Yeah, if you need a linked list (you probably don't) use that. If however you are one of the very small number of people who need fine-grained control over a tailored data-structure with internal cross-references or whatnot then you may find yourself in a world where Rust really does not believe that you know what you are doing and fights you every step of the way. If you actually do know what you are doing, then Zig is probably the best modern choice. The TigerBeetle people chose Zig for these reasons, various resources on the net explain their motivations. | | |
| ▲ | ViewTrick1002 an hour ago | parent [-] | | The point with the linked list is that it is perfectly valid to use unsafe to design said ”tailored data structure with internal cross-reference or what not” library and then expose a safe interface. If you’re having trouble designing a safe interface for your collection then that should be a signal that maybe what you are doing will result in UB when looked at the wrong way. That is how all standard library collections in Rust works. They’ve just gone to the length of formally verifying parts of the code to ensure performance and safety. | | |
| ▲ | eru 8 minutes ago | parent [-] | | > If you’re having trouble designing a safe interface for your collection then that should be a signal that maybe what you are doing will result in UB when looked at the wrong way. Rust is great, but there are some things that are safe (and you could prove them safe in the abstract), but that you can't easily express in Rust's type system. More specifically, there are some some things and usage pattern of these things that are safe when taken together. But the library can't force the safe usage pattern on the client, with the tools that Rust provides. |
|
| |
| ▲ | mjlawson 2 hours ago | parent | prev [-] | | I think that misses the point though. C trusts you to design your own linked list. It also trusts your neighbor, your kid, your LLM, you, your dog, another linked list... |
|
| |
| ▲ | drnick1 6 hours ago | parent | prev | next [-] | | Every system under the Sun has a C compiler. This isn't remotely true for Rust. Rust is more modern than C, but has it's own issues, among others very slow compilation times. My guess is that C will be around long after people will have moved on from Rust to another newfangled alternative. | | |
| ▲ | jcranmer 6 hours ago | parent | next [-] | | There is a set of languages which are essentially required to be available on any viable system. At present, these are probably C, C++, Perl, Python, Java, and Bash (with a degree of asterisks on the last two). Rust I don't think has made it through that door yet, but on current trends, it's at the threshold and will almost certainly step through. Leaving this set of mandatory languages is difficult (I think Fortran, and BASIC-with-an-asterisk, are the only languages to really have done so), and Perl is the only one I would risk money on departing in my lifetime. I do firmly expect that we're less than a decade out from seeing some reference algorithm be implemented in Rust rather than C, probably a cryptographic algorithm or a media codec. Although you might argue that the egg library for e-graphs already qualifies. | | |
| ▲ | eru 7 minutes ago | parent | next [-] | | > Rust I don't think has made it through that door yet, but on current trends, it's at the threshold and will almost certainly step through. I suspect what we are going to see isn't so much Rust making it through that door, but LLVM. Rust and friends will come along for the ride. | |
| ▲ | account42 16 minutes ago | parent | prev | next [-] | | Java hasn't ever been essential outside enterprise-y servers and those don't care about "any viable system". | |
| ▲ | qalmakka 3 hours ago | parent | prev | next [-] | | We're already at the point where in order to have a "decent" desktop software experience you _need_ Rust too. For instance, Rust doesn't support some niche architectures because LLVM doesn't support them (those architectures are now exceedingly rare) and this means no Firefox for instance. | |
| ▲ | tormeh 3 hours ago | parent | prev | next [-] | | A system only needs one programming language to be useful, and when there's only one it's basically always C. | | |
| ▲ | trinix912 2 hours ago | parent [-] | | A C compiler is also relatively easy to implement (compared to a Rust compiler) if you're making your own hobby OS with its own C compiler and libc. |
| |
| ▲ | teruakohatu an hour ago | parent | prev | next [-] | | > There is a set of languages which are essentially required to be available on any viable system. At present, these are probably C, C++, Perl, Python, Java, and Bash Java, really? I don’t think Java has been essential for a long time. Is Perl still critical? | | | |
| ▲ | pantalaimon an hour ago | parent | prev | next [-] | | I don't think Perl comes pre installed on any modern system anymore | | |
| ▲ | pjmlp an hour ago | parent [-] | | I am yet to find one without it, unless you include Windows, consoles, or table/phone OSes, embedded RTOS, which aren't anyway proper UNIX derivatives. |
| |
| ▲ | jfjfnfjrh an hour ago | parent | prev | next [-] | | Debian and Ubuntu enter the chat..... | |
| ▲ | oblio an hour ago | parent | prev [-] | | Even Perl... It's not in POSIX (I'm fairly sure) and I can't imagine there is some critical utility written in Perl that can't be rewritten in Python or something else (and probably already has been). As much as I like Java, Java is also not critical for OS utilities. Bash shouldn't be, per se, but a lot of scripts are actually Bash scripts, not POSIX shell scripts and there usually isn't much appetite for rewriting them. |
| |
| ▲ | brokencode 6 hours ago | parent | prev | next [-] | | What other newfangled alternative to C was ever adopted in the Linux kernel? I have no doubt C will be around for a long time, but I think Rust also has a lot of staying power and won’t soon be replaced. | | |
| ▲ | ottah 5 hours ago | parent [-] | | I wouldn't be surprised to see zig in the kernel at some point | | |
| ▲ | eru 6 minutes ago | parent | next [-] | | I would be. Mostly because while Zig is better than C, it doesn't really provide all that much benefit, if you already have Rust. | |
| ▲ | littlestymaar 4 hours ago | parent | prev [-] | | IMHO Zig doesn't bring enough value of its own to be worth bearing the cost of another language in the kernel. Rust is different because it both: - significantly improve the security of the kernel by removing the nastiest class of security vulnerabilities. - And reduce cognitive burden for contributors by allowing to encode in thr typesystem the invariants that must be upheld. That doesn't mean Zig is a bad language for a particular project, just that it's not worth adding to an already massive project like the Linux kernel. (Especially a project that already have two languages, C and now Rust). | | |
| ▲ | sayamqazi 4 hours ago | parent | next [-] | | Pardon my ignorance but I find the claim "removing the nastiest cla ss of security vulnerabilities" to be a bold claim. Is there ZERO use of "unsafe" rust in kernel code?? | | |
| ▲ | vlovich123 3 hours ago | parent | next [-] | | Aside from the minimal use of unsafe being heavily audited and the only entry point for those vulnerabilities, it allows for expressing kernel rules explicitly and structurally whereas at best there was a code comment somewhere on how to use the API correctly. This was true because there was discussion precisely about how to implement Rust wrappers for certain APIs because it was ambiguous how those APIs were intended to work. So aside from being like 1-5% unsafe code vs 100% unsafe for C, it’s also more difficult to misuse existing abstractions than it was in the kernel (not to mention that in addition to memory safety you also get all sorts of thread safety protections). In essence it’s about an order of magnitude fewer defects of the kind that are particularly exploitable (based on research in other projects like Android) | |
| ▲ | bonzini 3 hours ago | parent | prev | next [-] | | You can absolutely write drivers with zero unsafe Rust. The bridge from Rust to C is where unsafe code lies. | |
| ▲ | littlestymaar 3 hours ago | parent | prev [-] | | Not zero, but Rust-based kernels (see redox, hubris, asterinas, or blog_os) have demonstrated that you only need a small fraction of unsafe code to make a kernel (3-10%) and it's also the least likely places to make a memory-related error in a C-based kernel in the first place (you're more likely to make a memory-related error when working on the implementation of an otherwise challenging algorithm that has nothing to do with memory management itself, than you are when you are explicitly focused on the memory-management part). So while there could definitely be an exploitable memory bug in the unsafe part of the kernel, expect those to be at least two orders of magnitude less frequent than with C (as an anecdotal evidence, the Android team found memory defects to be between 3 and 4 orders of magnitude less in practice over the past few years). |
| |
| ▲ | brabel 3 hours ago | parent | prev [-] | | Zig as a language is not worth, but as a build system it's amazing. I wouldn't be surprised if Zig gets in just because of the much better build system than C ever had (you can cross compile not only across OS, but also across architecture and C stlib versions, including musl). And with that comes the testing system and seamless interop with C, which make it really easy to start writing some auxiliary code in Zig... and eventually it may just be accepted for any development. | | |
| ▲ | littlestymaar 12 minutes ago | parent [-] | | I agree with you that it's much more interesting than the language, but I don't think it matters for a project like the Kernel that already had its build system sorted out. (Especially since no matter how nice and convenient Zig makes cross-compilation if you start a project from scratch, even in Rust thanks to cargo-zigbuild, it would require a lot of efforts to migrate the Linux build system to Zig, only to realize it doesn't support all the needs of the kernel at the start). |
|
|
|
| |
| ▲ | pjmlp an hour ago | parent | prev | next [-] | | As mentioned in another thread, POSIX requires the presence of a C compiler, https://pubs.opengroup.org/onlinepubs/9799919799/utilities/c... | | | |
| ▲ | vlovich123 6 hours ago | parent | prev | next [-] | | I can’t think of many real world production systems which don’t have a rust target. Also I’m hopeful the GCC backend for rustc makes some progress and can become an option for the more esoteric ones | | |
| ▲ | phire 5 hours ago | parent | next [-] | | There aren't really any "systems programming" platforms anywhere near production that doesn't have a workable rust target. It's "embedded programming" where you often start to run into weird platforms (or sub-platforms) that only have a c compiler, or the rust compiler that does exist is somewhat borderline. We are sometimes talking about devices which don't even have a gcc port (or the port is based on a very old version of gcc).
Which is a shame, because IMO, rust actually excels as an embedded programming language. Linux is a bit marginal, as it crosses the boundary and is often used as a kernel for embedded devices (especially ones that need to do networking). The 68k people have been hit quite hard by this, linux on 68k is still a semi-common usecase, and while there is a prototype rust back end, it's still not production ready. | | |
| ▲ | vlovich123 4 hours ago | parent [-] | | There’s also I believe an effort to target C as the mid level although I don’t know the state / how well it’ll work in an embedded space anyway where performance really matters and these compilers have super old optimizers that haven’t been updated in 3 decades. |
| |
| ▲ | MobiusHorizons 5 hours ago | parent | prev | next [-] | | It's mostly embedded / microcontroller stuff. Things that you would use something like SDCC or a vendor toolchain for. Things like the 8051, stm8, PIC or oddball things like the 4 cent Padauk micros everyone was raving about a few years ago. 8051 especially still seems to come up from time to time in things like the ch554 usb controller, or some NRF 2.4ghz wireless chips. | | |
| ▲ | vlovich123 4 hours ago | parent [-] | | Those don’t really support C in any real stretch, talking about general experience with microcontrollers and closed vendor toolchains; it’s a frozen dialect of C from decades ago which isn’t what people think of when they say C (usually people mean at least the 26 year old C99 standard but these often at best support C89 or even come with their own limitations) |
| |
| ▲ | pjmlp an hour ago | parent | prev [-] | | Commercial embedded OSes, game consoles, for example. |
| |
| ▲ | thayne 6 hours ago | parent | prev | next [-] | | > very slow compilation times That isn't always the case. Slow compilations are usually because of procedural macros and/or heavy use of generics. And even then compile times are often comparable to languages like typescript and scala. | | |
| ▲ | Yiin 3 hours ago | parent [-] | | typescript transpilation to js is nearly instant, it's not comparable | | |
| ▲ | baq an hour ago | parent [-] | | Good to know, my $DAYJOB project unfortunately isn’t as well informed and we have to use esbuild just to survive. |
|
| |
| ▲ | AceJohnny2 2 hours ago | parent | prev | next [-] | | > My guess is that C will be around long after people will have moved on from Rust to another newfangled alternative. if only due to the Lindy Effect https://en.wikipedia.org/wiki/Lindy_effect | |
| ▲ | mustache_kimono 4 hours ago | parent | prev | next [-] | | > Every system under the Sun has a C compiler... My guess is that C will be around long after people will have moved on from Rust to another newfangled alternative. This is still the worst possible argument for C. If C persists in places no one uses, then who cares? | | |
| ▲ | jazzyjackson 4 hours ago | parent | next [-] | | I think you didn't catch their drift C will continue to be used because it always has been and always will be available everywhere, not only places no one uses :/ | | |
| ▲ | mustache_kimono 3 hours ago | parent | next [-] | | > C will continue to be used because it always has been and always will be available everywhere Yes, you can use it everywhere. Is that what you consider a success? | | |
| ▲ | mrweasel an hour ago | parent | next [-] | | I'm curious as to which other metric you'd use to define successful? If it actual usage, C still wins. Number of new lines pushed into production each year, or new project started, C is still high up the list, would be my guess. Languages like Rust a probably more successful in terms of age vs. adoption speed. There's just a good number of platforms which aren't even supported, and where you have no other choice than C. Rust can't target most platforms, and it compiles on even less. Unless Linux want's to drop support for a good number of platforms, Rust adoption can only go so far. | |
| ▲ | AceJohnny2 2 hours ago | parent | prev [-] | | ... yes? |
| |
| ▲ | bigyabai 2 hours ago | parent | prev [-] | | > it always has been and always will be available everywhere "Always has been" is pushing it. Half of C's history is written with outdated, proprietary compilers that died alongside their architecture. It's easy to take modern tech like LLVM for granted. | | |
| ▲ | baq an hour ago | parent [-] | | This might actually be a solved problem soonish, LLMs are unreasonably effective at writing compilers and C is designed to be easy to write a compiler for, which also helps. I don’t know if anyone tried, but there’s been related work posted here on HN recently: a revived Java compiler and the N64 decompilation project. Mashed together you can almost expect to be able to generate C compilers for obscure architectures on demand given just some docs and binary firmware dumps. |
|
| |
| ▲ | johncolanduoni 3 hours ago | parent | prev [-] | | You almost certainly have a bunch of devices containing a microcontroller that runs an architecture not targeted by LLVM. The embedded space is still incredibly fragmented. That said, only a handful of those architectures are actually so weird that they would be hard to write a LLVM backend for. I understand why the project hasn’t established a stable backend plugin API, but it would help support these ancillary architectures that nobody wants to have to actively maintain as part of the LLVM project. Right now, you usually need to use a fork of the whole LLVM project when using experimental backends. | | |
| ▲ | mustache_kimono 3 hours ago | parent [-] | | > You almost certainly have a bunch of devices containing a microcontroller that runs an architecture not targeted by LLVM. This is exactly what I'm saying. Do you think HW drives SW or the other way around? When Rust is in the Linux kernel, my guess is it will be very hard to find new HW worth using, which doesn't have some Rust support. | | |
| ▲ | johncolanduoni 12 minutes ago | parent [-] | | In embedded, HW drives SW much more than the other way around. Most microcontrollers are not capable of running a Linux kernel as it is, even with NoMMU. The ones that are capable of this are overwhelmingly ARM or RISC-V these days. There’s not a long list of architectures supported by the modern Linux kernel but not LLVM/Rust. |
|
|
| |
| ▲ | blintz 5 hours ago | parent | prev [-] | | Doesn’t rustc emit LLVM IR? Are there a lot of systems that LLVM doesn’t support? | | |
| ▲ | loeg 3 hours ago | parent | next [-] | | There are a number of oddball platforms LLVM doesn't support, yeah. | |
| ▲ | aw1621107 4 hours ago | parent | prev | next [-] | | rustc can use a few different backends. By my understanding, the LLVM backend is fully supported, the Cranelift backend is either fully supported or nearly so, and there's a GCC backend in the works. In addition, there's a separate project to create an independent Rust frontend as part of GCC. Even then, there are still some systems that will support C but won't support Rust any time soon. Systems with old compilers/compiler forks, systems with unusual data types which violate Rust's assumptions (like 8 bit bytes IIRC) | |
| ▲ | einpoklum 2 hours ago | parent | prev [-] | | Many organizations and environments will not switch themselves to LLVM to hamfist compiled Rust code. Nor is the fact of LLVM supporting something in principle means that it's installed on the relevant OS distribution. | | |
| ▲ | simonask 25 minutes ago | parent | next [-] | | Using LLVM somewhere in the build doesn't require that you compile everything with LLVM. It generates object files, just like GCC, and you can link together object files compiled with each compiler, as long as they don't use compiler-specific runtime libraries (like the C++ standard library, or a polyfill compiler-rt library). `clang-cl` does this with `cl.exe` on Windows. | |
| ▲ | oblio 23 minutes ago | parent | prev [-] | | If you're developing, you generally have control over the development environment (+/-) and you can install things. Plus that already reduces the audience: set of people with oddball hardware (as someone here put it) intersected with the set of people with locked down development environments. Let alone the fact that conceptually people with locked down environments are precisely those would really want the extra safety offered by Rust. I know that real life is messy but if we don't keep pressing, nothing improves. |
|
|
| |
| ▲ | mmooss 6 hours ago | parent | prev | next [-] | | Before we ask if almost all things old will be rewritten in Rust, we should ask if almost all things new are being written in Rust or other memory-safe languages? Obviously not. When will that happen? 15 years? Maybe it's generational: How long before developers 'born' into to memory-safe languages as serious choices will be substantially in charge of software development? | | |
| ▲ | buster 3 hours ago | parent | next [-] | | I don't know I tend to either come across new tools written in Rust, JavaScript or Python but relatively low amount of C. The times I see some "cargo install xyz" in a git repo of some new tool is definitely noticeable. | |
| ▲ | sho_hn 5 hours ago | parent | prev | next [-] | | I'm a bit wary if this is hiding an agist sentiment, though. I doubt most Rust developers were 'born into' the language, but instead adopted it on top of existing experience in other languages. | | |
| ▲ | mmooss 5 hours ago | parent | next [-] | | People can learn Rust at any age. The reality is that experienced people often are more hesitant to learn new things. I can think of possible reasons: Early in life, in school and early career, much of what you work on is inevitably new to you, and also authorities (professor, boss) compel you to learn whatever they choose. You become accustomed to and skilled at adapting new things. Later, when you have power to make the choice, you are less likely to make yourself change (and more likely to make the junior people change, when there's a trade-off). Power corrupts, even on that small scale. There's also a good argument for being stubborn and jaded: You have 30 years perfecting the skills, tools, efficiencies, etc. of C++. For the new project, even if C++ isn't as good a fit as Rust, are you going to be more efficient using Rust? How about in a year? Two years? ... It might not be worth learning Rust at all; ROI might be higher continuing to invest in additional elite C++ skills. Certainly that has more appeal to someone who knows C++ intimately - continue to refine this beautiful machine, or bang your head against the wall? For someone without that investment, Rust might have higher ROI; that's fine, let them learn it. We still need C++ developers. Morbid but true, to a degree: 'Progress happens one funeral at a time.' | | |
| ▲ | a96 2 hours ago | parent | next [-] | | > experienced people often are more hesitant to learn new things I believe the opposite. There's some kind of weird mentality in beginner/wannabe programmers (and HR, but that's unrelated) that when you pick language X then you're an X programmer for life. Experienced people know that if you need a new language or library, you pick up a new language or library. Once you've learned a few, most of them aren't going to be very different and programming is programming. Of course it will look like work and maybe "experienced" people will be more work averse and less enthusiastic than "inexperienced" (meaning younger) people. | | |
| ▲ | psychoslave an hour ago | parent [-] | | >Experienced people know that if you need a new language or library, you pick up a new language or library. That heavily depends, if you tap into a green field project, yes. Or free reign over a complete rewrite of existing projects. But these things are more the exception than the regular case. Even on green field project, ecosystem and available talents per framework will be a consideration most of the time. There are also other things like being parent and wanting to take care of them that can come into consideration later in life. So more like more responsibilities constraints perspectives and choices than power corrupts in purely egoistic fashion. |
| |
| ▲ | sho_hn 5 hours ago | parent | prev | next [-] | | I still think you're off the mark. Again, most existing Rust developers are not "blank slate Rust developers". That they do not rush out to rewrite all of their past projects in C++ may be more about sunk costs, and wanting to solve new problems with from-scratch development. | | |
| ▲ | debugnik 2 hours ago | parent | next [-] | | > most existing Rust developers are not "blank slate Rust developers" Not most, but the pool of software devs has been doubling every five years, and Rust matches C# on "Learning to Code" voters at Stack Overflow's last survey, which is crazy considering how many people learn C# just to use Unity. I think you underestimate how many developers are Rust blank slates. Anecdotically, I've recently come across comments from people who've taught themselves Rust but not C or C++. | | |
| ▲ | gjajric an hour ago | parent [-] | | Steve Klabnik? Either way, that survey (you could have linked to it) has some issues. https://survey.stackoverflow.co/2025/technology#most-popular... Select the "Learning to Code" tab. > Which programming, scripting, and markup languages have you done extensive development work in over the past year, and which do you want to work in over the next year? (If you both worked with the language and want to continue to do so, please check both boxes in that row.) It describes two check marks, yet only has a single statistic for each language. Did StackOverflow mess up the question or data? The data also looks suspicious. Is it really the case that 44.6% of developers learning to code have worked with or want to work with C++? | | |
| ▲ | debugnik 22 minutes ago | parent [-] | | Oh I agree the survey has issues, I was just thinking about how each year the stats get more questionable! I just think it shows that interest in Rust doesn't come only from people with a C++ codebase to rewrite. Half of all devs have got less than five years of experience with any toolchain at all, let alone C++, yet many want to give Rust a try. I do think there will be a generational split there. > Steve Klabnik? Thankfully no. I've actually argued with him a couple times. Usually in partial agreement, but his fans will downvote anyone who mildly disagrees with him. Also, I'm not even big on Rust: every single time I've tried to use it I instinctively reached for features that turned out to be unstable, and I don't want to deal with their churn, so I consider the language still immature. |
|
| |
| ▲ | mmooss 5 hours ago | parent | prev [-] | | That's fair; my claims are kept simplistic for purposes of space and time. However, I'm talking about new projects, not rewriting legacy code. |
| |
| ▲ | gjajric an hour ago | parent | prev [-] | | According to the strange data at https://survey.stackoverflow.co/2025/technology#most-popular... , 44.6% have responded positively to that question regarding C++. But there may be some issues, for the question involves two check boxes, yet there is only one statistic. |
| |
| ▲ | pjmlp an hour ago | parent | prev [-] | | Sure there are plenty of them, hence why you seem remarks like wanting to use Rust but with a GC, or assigned to Rust features that most ML derived languages have. |
| |
| ▲ | lmm 5 hours ago | parent | prev [-] | | > Obviously not Is it obvious? I haven't heard of new projects in non-memory-safe languages lately, and I would think they would struggle to attract contributors. | | |
| ▲ | jandrewrogers 3 hours ago | parent | next [-] | | New high-scale data infrastructure projects I am aware of mostly seem to be C++ (often C++20). A bit of Rust, which I’ve used, and Zig but most of the hardcore stuff is still done in C++ and will be for the foreseeable future. It is easy to forget that the state-of-the-art implementations of a lot of systems software is not open source. They don’t struggle to attract contributors because of language choices, being on the bleeding edge of computer science is selling point enough. | | |
| ▲ | ACCount37 an hour ago | parent [-] | | There's a "point of no return" when you start to struggle to hire anyone on your teams because no one knows the language and no one is willing to learn. But C++ is very far from it. |
| |
| ▲ | pjmlp 43 minutes ago | parent | prev | next [-] | | Game development, graphics and VFX industry, AI tooling infrastructure, embedded development, Maker tools like Arduino and ESP32, compiler development. | |
| ▲ | ottah 5 hours ago | parent | prev | next [-] | | https://github.com/tigerbeetle/tigerbeetle | | |
| ▲ | lmm 5 hours ago | parent [-] | | Zig at least claims some level of memory safety in their marketing. How real that is I don't know. | | |
| ▲ | vlovich123 3 hours ago | parent | next [-] | | About as real as claiming that C/C++ is memory safe because of sanitizers IMHO. | |
| ▲ | gjajric an hour ago | parent | prev | next [-] | | I have heard different arguments, such as https://zackoverflow.dev/writing/unsafe-rust-vs-zig/ . | |
| ▲ | tomnipotent 2 hours ago | parent | prev [-] | | I'm unaware of any such marketing. | | |
| ▲ | dwattttt 2 hours ago | parent [-] | | Zig does claim that it > ... has a debug allocator that maintains memory safety in the face of use-after-free and double-free which is probably true (in that it's not possible to violate memory safety on the debug allocator, although it's still a strong claim). But beyond that there isn't really any current marketing for Zig claiming safety, beyond a heading in an overview of "Performance and Safety: Choose Two". | | |
| ▲ | tomnipotent an hour ago | parent [-] | | That's a library feature (not intended for release builds), not a language feature. |
|
|
|
| |
| ▲ | mmooss 5 hours ago | parent | prev [-] | | Out of curiosity, do the LLMs all use memory safe languages? | | |
| ▲ | lmm 4 hours ago | parent | next [-] | | Whenever the public has heard about the language it's always been Python. | | | |
| ▲ | einr 3 hours ago | parent | prev [-] | | Llama.cpp is called Llama.cpp, so there’s that… |
|
|
| |
| ▲ | keyle 3 hours ago | parent | prev | next [-] | | C is fun to write. I can write Rust, but I prefer writing C. I prefer compiling C, I prefer debugging C. I prefer C. It's a bit like asking with the new mustang on the market, with airbags and traction control, why would you ever want to drive a classic mustang? | | |
| ▲ | speedgoose 2 hours ago | parent | next [-] | | It’s okay to enjoy driving an outdated and dangerous car for the thrill because it makes pleasing noise, as long as you don’t annoy too much other people with it. | |
| ▲ | IshKebab 3 hours ago | parent | prev [-] | | > I prefer debugging C I prefer not having to debug... I think most people would agree with that. | | |
| ▲ | ykonstant 32 minutes ago | parent | next [-] | | I prefer a billion dallars tax free, but here we are:( | |
| ▲ | gjajric an hour ago | parent | prev [-] | | Didn't save Cloudflare. Memory safety is necessary, and memory safety guard rails can be helpful depending on what the guard rails cost in different ways, but memory safety is in no way, shape or form sufficient. | | |
|
| |
| ▲ | stingraycharles 6 hours ago | parent | prev | next [-] | | It’s available on more obscure platforms than Rust, and more people are familiar with it. I wouldn’t say it’s inevitable that everything will be rewritten in Rust, at the very least this will this decades. C has been with us for more than half a century and is the foundation of pretty much everything, it will take a long time to migrate all that. More likely is that they will live next to each other for a very, very long time. | |
| ▲ | QuiEgo 5 hours ago | parent | prev | next [-] | | Apple handled this problem by adding memory safety to C (Firebloom). It seems unlikely they would throw away that investment and move to Rust. I’m sure lots of other companies don’t want to throw away their existing code, and when they write new code there will always be a desire to draw on prior art. | | |
| ▲ | goku12 2 hours ago | parent | next [-] | | That's a rather pessimistic take compared to what's actually happening. What you say should apply to the big players like Amazon, Google, Microsoft, etc the most, because they arguably have massive C codebases. Yet, they're also some of the most enthusiastic adopters and promoters of Rust. A lot of other adopters also have legacy C codebases. I'm not trying to hype up Rust or disparage C. I learned C first and then Rust, even before Rust 1.0 was released. And I have an idea why Rust finds acceptance, which is also what some of these companies have officially mentioned. C is a nice little language that's easy to learn and understand. But the price you pay for it is in large applications where you have to handle resources like heap allocations. C doesn't offer any help there when you make such mistakes, though some linters might catch them. The reason for this, I think, is that C was developed in an era when they didn't have so much computing power to do such complicated analysis in the compiler. People have been writing C for ages, but let me tell you - writing correct C is a whole different skill that's hard and takes ages to learn. If you think I'm saying this because I'm a bad programmer, then you would be wrong. I'm not a programmer at all (by qualification), but rather a hardware engineer who is more comfortable with assembly, registers, Bus, DRAM, DMA, etc. I still used to get widespread memory errors, because all it takes is a lapse in attention while coding. That strain is what Rust alleviates. | | |
| ▲ | Surac 2 hours ago | parent [-] | | So you try to say c is for good programmers only and rust let also the idiots Programm? I think that’s the wrong way to argue for rust. Rust catches one kind of common problem but but does not magically make logic errors away. | | |
| |
| ▲ | AceJohnny2 2 hours ago | parent | prev | next [-] | | > It seems unlikely [Apple] would throw away that investment and move to Rust. Apple has invested in Swift, another high level language with safety guarantees, which happens to have been created under Chris Lattner, otherwise known for creating LLVM. Swift's huge advantage over Rust, for application and system programming is that it supports an ABI [1] which Rust, famously, does not (other than falling back to a C ABI, which degrades its promises). [1] for more on that topic, I recommend this excellent article: https://faultlore.com/blah/swift-abi/ Side note, the author of that article wrote Rust's std::collections API. | | |
| ▲ | gjajric an hour ago | parent [-] | | Swift does not seem suitable for OS development, at least not as much as C or C++.[0] Swift handles by default a lot of memory by using reference counting, as I understand it, which is not always suitable for OS development. [0]: Rust, while no longer officially experimental in the Linux kernel, does not yet have major OSs written purely in it. | | |
| ▲ | saagarjha a minute ago | parent | next [-] | | Nothing wrong with using reference counting for OS development. | |
| ▲ | pjmlp 38 minutes ago | parent | prev [-] | | What matters is what Apple thinks, and officially it is, to the point it is explicitly written on the documentation. |
|
| |
| ▲ | pjmlp 39 minutes ago | parent | prev [-] | | Also, Swift Embedded came out of the effort to eventually use Swift instead for such use cases at Apple. |
| |
| ▲ | QuiEgo 5 hours ago | parent | prev | next [-] | | Rust still compiles into bigger binary sizes than C, by a small amount. Although it’s such a complex thing depending on your code that it really depends case-by-case, and you can get pretty close. On embedded systems with small amounts of ram (think on the order of 64kbytes), a few extra kb still hurts a lot. | |
| ▲ | otikik an hour ago | parent | prev | next [-] | | Ubiquity is still a big one. There's many, many places where C exists that Rust has not reached yet. | |
| ▲ | greesil 4 hours ago | parent | prev | next [-] | | Shitloads of already existing libraries. For example I'm not going to start using it for Arduino-y things until all the peripherals I want have drivers written in Rust. | | | |
| ▲ | scottyah 6 hours ago | parent | prev | next [-] | | I think it'll be less like telegram lines- which were replaced fully for a major upgrade in functionality, and more like rail lines- which were standardized and ubiquitous, still hold some benefit but mainly only exist in areas people don't venture nearly as much. | |
| ▲ | stabbles 2 hours ago | parent | prev | next [-] | | A C compiler is easier to bootstrap than a Rust compiler. | |
| ▲ | s_ting765 3 hours ago | parent | prev | next [-] | | You mean safer languages like Fil-C. | |
| ▲ | StopDisinfo910 an hour ago | parent | prev | next [-] | | Depends of what you do. Rust has a nice compiler-provided static analyzer using annotation to do life time analysis and borrow checking. I believe borrow checking to be a local optima trap when it comes to static analysis and finds it often more annoying to use than I would like but I won't argue it's miles better than nothing. C has better static analysers available. They can use annotations too. Still, all of that is optional when it's part of Rust core language. You know that Rust code has been successfully analysed. Most C code won't give you this. But if it's your code base, you can reach this point in C too. C also has a fully proven and certified compiler. That might be a requirement if you work in some niche safety critical applications. Rust has no equivalent there. The discussion is more interesting when you look at other languages. Ada/Spark is for me ahead of Rust both in term of features and user experience regarding the core language. Rust currently still have what I consider significant flaws: a very slow compiler, no standard, support for a limited number of architectures (it's growing), it's less stable that I consider it should be given its age, and most Rust code tends to use more small libraries than I would personaly like. Rust is very trendy however and I don't mean that in a bad way. That gives it a lot of leverage. I doubt we will ever see Ada in the kernel but here we are with Rust. | |
| ▲ | antioxide 2 hours ago | parent | prev | next [-] | | you can look at rust sources of real system programs like framekernel or such things. uefi-rs etc. there u can likely explore well the boundaries where rust does and does not work. people have all kind of opinions. mine is this: if you need unsafe peppered around, the only thing rust offers is being very unergonomic. its hard to write and hard to debug for no reason. Writing memory-safe C code is easy. The problems rust solves arent bad, just solved in a way thats way more complicated than writing same (safe) C code. a language is not unsafe. you can write perfectly shit code in rust. and you can write perfectly safe code in C. people need to stop calling a language safe and then reimplementing other peoples hard work in a bad way creating whole new vulnerabilities. | | |
| ▲ | herni 2 hours ago | parent [-] | | I disagree. Rust shines when you need perform "unsafe" operations. It forces programmers to be explicit and isolate their use of unsafe memory operations. This makes it significantly more feasible to keep track of invariants. It is completely besides the point that you can also write "shit code" in Rust. Just because you are fed up with the "reimplement the world in Rust" culture does not mean that the tool itself is bad. | | |
| ▲ | gjajric an hour ago | parent [-] | | You have made two major mistakes, which is common among Rust proponents, and which is disconcerting, because some of those mistakes can help lead to memory safety bugs in real life Rust programs. And thus, ironically, by Rust proponents spreading and propagating those mistakes and misconceptions about Rust, Rust developers mislearn aspects, that then in turn make Rust less safe and secure than it otherwise would have been. 1: The portions of the code that have to be checked of unsafe blocks are not limited to just those blocks. In fact, in some cases, the whole module that tiny unsafe blocks resides in have to be checked. The Rustonomicon makes this clear. Did you read and understand the Rustonomicon? 2: Unsafe Rust is significantly harder than C and C++. This is extra unfortunate for the cases where Rust is used for the more difficult code, like some performance-oriented code, compounding the difficulty of the code. Unsafe Rust is sometimes used for the sake of performance as well. Large parts of the Rust community and several blog posts agree with this. Rust proponents, conversely, often try to argue the opposite, thus lulling Rust developers into believing that unsafe Rust is fine, and thus ironically making unsafe Rust less safe and secure. Maybe Rust proponents should spend more time on making unsafe Rust easier and more ergonomic, instead of effectively undermining safety and security. Unless the strategy is to trick as many other people as possible into using Rust, and then hope those people fix the issues for you, a common strategy normally used for some open source projects, not languages. | | |
| ▲ | K0nserv 21 minutes ago | parent [-] | | 1. This doesn't really matter for the argument. Most of the time you can audit unsafe blocks, in some instances the invariants you are upholding require you to consider more code. The benefit is still that you can design safe interfaces around these smaller bits of audited code. 2. I agree it's harder, I feel like most of the community knows and recognises this. > Maybe Rust proponents should spend more time on making unsafe Rust easier and more ergonomic, instead of effectively *undermining safety and security*. Unless the strategy is to trick as many other people as possible into using Rust, and then hope those people fix the issues for you, a common strategy normally used for some open source projects, not languages. I don't think there is any evidence that Rust is undermining safety and security. In fact all evidence shows it's massively improving these metrics wherever Rust replaces C and C++ code. If you have evidence to the contrary let's see it. |
|
|
| |
| ▲ | qsera 2 hours ago | parent | prev | next [-] | | >does C hold any significant advantage over Rust Yes, it's lots of fun. rust is Boring. If I want to implement something and have fun doing it, I ll always do it in C. | |
| ▲ | vbezhenar 4 hours ago | parent | prev | next [-] | | For my hobby code, I'm not going to start writing Rust anytime soon. My code is safe enough and I like C as it is. I don't write software for martian rovers, and for ordinary tasks, C is more ergonomic than Rust, especially for embedded tasks. For my work code, it all comes down to SDKs and stuff. For example I'm going to write firmware for Nordic ARM chip. Nordic SDK uses C, so I'm not going to jump through infinite number of hoops and incomplete rust ports, I'll just use official SDK and C. If it would be the opposite, I would be using Rust, but I don't think that would happen in the next 10 years. Just like C++ never killed C, despite being perfect replacement for it, I don't believe that Rust would kill C, or C++, because it's even less convenient replacement. It'll dilute the market, for sure. | | |
| ▲ | anticrymactic 2 hours ago | parent [-] | | > Just like C++ never killed C, despite being perfect replacement for it I think c++ didn't replace C because it is a bad language. It did not offer any improvements on the core advantages of C. Rust however does. It's not perfect, but it has a substantially larger chance of "replacing" C, if that ever happens. |
| |
| ▲ | 0xbadcafebee 3 hours ago | parent | prev | next [-] | | It's a bit like asking if there is any significant advantage to ICE motors over electric motors. They both have advantages and disadvantages. Every person who uses one or the other, will tell you about their own use case, and why nobody could possibly need to use the alternative. There's already applications out there for the "old thing" that need to be maintained, and they're way too old for anyone to bother with re-creating it with the "new thing". And the "old thing" has some advantages the "new thing" doesn't have. So some very specific applications will keep using the "old thing". Other applications will use the "new thing" as it is convenient. To answer your second question, nothing is inevitable, except death, taxes, and the obsolescence of machines. Rust is the new kid on the block now, but in 20 years, everybody will be rewriting all the Rust software in something else (if we even have source code in the future; anyone you know read machine code or punch cards?). C'est la vie. | |
| ▲ | obviouslynotme 5 hours ago | parent | prev [-] | | A lot of C's popularity is with how standard and simple it is. I doubt Rust will be the safe language of the future, simply because of its complexity. The true future of "safe" software is already here, JavaScript. There will be small niches leftover: * Embedded - This will always be C. No memory allocation means no Rust benefits. Rust is also too complex for smaller systems to write compilers. * OS / Kernel - Nearly all of the relevant code is unsafe. There aren't many real benefits. It will happen anyways due to grant funding requirements. This will take decades, maybe a century. A better alternative would be a verified kernel with formal methods and a Linux compatibility layer, but that is pie in the sky. * Game Engines - Rust screwed up its standard library by not putting custom allocation at the center of it. Until we get a Rust version of the EASTL, adoption will be slow at best. * High Frequency Traders - They would care about the standard library except they are moving on from C++ to VHDL for their time-sensitive stuff. I would bet they move to a garbage-collected language for everything else, either Java or Go. * Browsers - Despite being born in a browser, Rust is unlikely to make any inroads. Mozilla lost their ability to make effective change and already killed their Rust project once. Google has probably the largest C++ codebase in the world. Migrating to Rust would be so expensive that the board would squash it. * High-Throughput Services - This is where I see the bulk of Rust adoption. I would be surprised if major rewrites aren't already underway. | | |
| ▲ | aw1621107 4 hours ago | parent | next [-] | | > No memory allocation means no Rust benefits. This isn't really true; otherwise, there would be no reason for no_std to exist. Data race safety is independent of whether you allocate or not, lifetimes can be handy even for fixed-size arenas, you still get bounds checks, you still get other niceties like sum types/an expressive type system, etc. > OS / Kernel - Nearly all of the relevant code is unsafe. I think that characterization is rather exaggerated. IIRC the proportion of unsafe code in Redox OS is somewhere around 10%, and Steve Klabnik said that Oxide's Hubris has a similarly small proportion of unsafe code (~3% as of a year or two ago) [0] > Browsers - Despite being born in a browser, Rust is unlikely to make any inroads. Technically speaking, Rust already has. There has been Rust in Firefox for quite a while now, and Chromium has started allowing Rust for third-party components. [0]: https://news.ycombinator.com/item?id=42312699 [1]: https://old.reddit.com/r/rust/comments/bhtuah/production_dep... | | |
| ▲ | jitl 3 hours ago | parent [-] | | The Temporal API in Chrome is implemented in Rust. We’re definitely seeing more Rust in browsers including beyond Firefox. |
| |
| ▲ | johncolanduoni 3 hours ago | parent | prev | next [-] | | > Google has probably the largest C++ codebase in the world. Migrating to Rust would be so expensive that the board would squash it. Google is transitioning large parts of Android to Rust and there is now first-party code in Chromium and V8 in Rust. I’m sure they’ll continue to write new C++ code for a good while, but they’ve made substantial investments to enable using Rust in these projects going forward. Also, if you’re imagining the board of a multi-trillion dollar market cap company is making direct decisions about what languages get used, you may want to check what else in this list you are imagining. | | |
| ▲ | pjmlp 29 minutes ago | parent [-] | | Unless rules have changed Rust is only allowed a minor role in Chrome. > Based on our research, we landed on two outcomes for Chromium. > We will support interop in only a single direction, from C++ to Rust, for now. Chromium is written in C++, and the majority of stack frames are in C++ code, right from main() until exit(), which is why we chose this direction. By limiting interop to a single direction, we control the shape of the dependency tree. Rust can not depend on C++ so it cannot know about C++ types and functions, except through dependency injection. In this way, Rust can not land in arbitrary C++ code, only in functions passed through the API from C++. > We will only support third-party libraries for now. Third-party libraries are written as standalone components, they don’t hold implicit knowledge about the implementation of Chromium. This means they have APIs that are simpler and focused on their single task. Or, put another way, they typically have a narrow interface, without complex pointer graphs and shared ownership. We will be reviewing libraries that we bring in for C++ use to ensure they fit this expectation. -- https://security.googleblog.com/2023/01/supporting-use-of-ru... Also even though Rust would be a safer alternative to using C and C++ on the Android NDK, that isn't part of the roadmap, nor the Android team provides any support to those that go down that route. They only see Rust for Android internals, not app developers If anything, they seem more likely to eventually support Kotlin Native for such cases than Rust. | | |
| ▲ | johncolanduoni 18 minutes ago | parent [-] | | > Unless rules have changed Rust is only allowed a minor role in Chrome. I believe the Chromium policy has changed, though I may be misinterpreting: https://chromium.googlesource.com/chromium/src/+/refs/heads/... The V8 developers seem more excited to use it going forward, and I’m interested to see how it turns out. A big open question about the Rust safety model for me is how useful it is for reducing the kind of bugs you see in a SOTA JIT runtime. > They only see Rust for Android internals, not app developers I’m sure, if only because ~nobody actually wants to write Android apps in Rust. Which I think is a rational choice for the vast majority of apps - Android NDK was already an ugly duckling, and a Rust version would be taken even less seriously by the platform. | | |
| ▲ | pjmlp 13 minutes ago | parent [-] | | That looks only to be the guidelines on how to integrate Rust projects, not that the policy has changed. The NDK officially it isn't to write apps anyway, people try to do that due to some not wanting to touch Java or Kotlin, but that has never been the official point of view from Android team since it was introduced in version 2, rather: > The Native Development Kit (NDK) is a set of tools that allows you to use C and C++ code with Android, and provides platform libraries you can use to manage native activities and access physical device components, such as sensors and touch input. The NDK may not be appropriate for most novice Android programmers who need to use only Java code and framework APIs to develop their apps. However, the NDK can be useful for cases in which you need to do one or more of the following: > Squeeze extra performance out of a device to achieve low latency or run computationally intensive applications, such as games or physics simulations. > Reuse your own or other developers' C or C++ libraries. So it would be expected that at least for the first scenario, Rust would be a welcomed addition, however as mentioned they seem to be more keen into supporting Kotlin Native for it. |
|
|
| |
| ▲ | saghm 3 hours ago | parent | prev | next [-] | | > No memory allocation means no Rust benefits There are memory safety issues that literally only apply to memory on the stack, like returning dangling pointers to local variables. Not touching the heap doesn't magically avoid all of the potential issues in C. | |
| ▲ | scq 4 hours ago | parent | prev | next [-] | | Rust is already making substantial inroads in browsers, especially for things like codecs. Chrome also recently replaced FreeType with Skrifa (Rust), and the JS Temporal API in V8 is implemented in Rust. | |
| ▲ | qalmakka 3 hours ago | parent | prev | next [-] | | > Embedded - This will always be C. No memory allocation means no Rust benefits. Rust is also too complex for smaller systems to write compilers. Modern embedded isn't your grandpa's embedded anymore. Modern embedded chips have multiple KiB of ram, some even above 1MiB and have been like that for almost a decade (look at ESP32 for instance). I once worked on embedded projects based on ESP32 that used full C++, with allocators, exceptions, ... using SPI RAM and worked great. There's a fantastic port of ESP-IDF on Rust that Espressif themselves is maintaining nowadays, too. | |
| ▲ | Aurornis 4 hours ago | parent | prev | next [-] | | > No memory allocation means no Rust benefits. Memory safety applies to all memory. Not just heap allocated memory. This is a strange claim because it's so obviously false. Was this comment supposed to be satire and I just missed it? Anyway, Rust has benefits beyond memory safety. > Rust is also too complex for smaller systems to write compilers. Rust uses LLVM as the compiler backend. There are already a lot of embedded targets for Rust and a growing number of libraries. Some vendors have started adopting it with first-class support. Again, it's weird to make this claim. > Nearly all of the relevant code is unsafe. There aren't many real benefits. Unsafe sections do not make the entire usage of Rust unsafe. That's a common misconception from people who don't know much about Rust, but it's not like the unsafe keyword instantly obliterates any Rust advantages, or even all of its safety guarantees. It's also strange to see this claim under an article about the kernel developers choosing to move forward with Rust. > High Frequency Traders - They would care about the standard library except they are moving on from C++ to VHDL for their time-sensitive stuff. I would bet they move to a garbage-collected language for everything else, either Java or Go. C++ and VHDL aren't interchangeable. They serve different purposes for different layers of the system. They aren't moving everything to FPGAs. Betting on a garbage collected language is strange. Tail latencies matter a lot. This entire comment is so weird and misinformed that I had to re-read it to make sure it wasn't satire or something. | | |
| ▲ | goku12 3 hours ago | parent [-] | | > Memory safety applies to all memory. Not just heap allocated memory. > Anyway, Rust has benefits beyond memory safety. I want to elaborate on this a little bit. Rust uses some basic patterns to ensure memory safety. They are 1. RAII, 2. the move semantics, and 3. the borrow validation semantics. This combination however, is useful for compile-time-verified management of any 'resource', not just heap memory. Think of 'resources' as something unique and useful, that you acquire when you need it and release/free it when you're done. For regular applications, it can be heap memory allocations, file handles, sockets, resource locks, remote session objects, TCP connections, etc. For OS and embedded systems, that could be a device buffer, bus ownership, config objects, etc. > > Nearly all of the relevant code is unsafe. There aren't many real benefits. Yes. This part is a bit weird. The fundamental idea of 'unsafe' is to limit the scope of unsafe operations to as few lines as possible (The same concept can be expressed in different ways. So don't get offended if it doesn't match what you've heard earlier exactly.) Parts that go inside these unsafe blocks are surprisingly small in practice. An entire kernel isn't all unsafe by any measure. |
| |
| ▲ | throwaway2037 3 hours ago | parent | prev | next [-] | | > Rust is also too complex for smaller systems to write compilers.
I am not a compiler engineer, but I want to tease apart this statement. As I understand, the main Rust compiler uses LLVM framework which uses an intermediate language that is somewhat like platform independent assembly code. As long as you can write a lexer/parser to generate the intermediate language, there will be a separate backend to generate machine code from the intermediate language. In my (non-compiler-engineer) mind, separates the concern of front-end language (Rust) from target platform (embedded). Do you agree? Or do I misunderstand? | |
| ▲ | j16sdiz 4 hours ago | parent | prev | next [-] | | > The true future of "safe" software is already here, JavaScript. only in interpreter mode. | |
| ▲ | tayo42 5 hours ago | parent | prev [-] | | Rust isn't that complex unless your pulling in magical macro libraries or dealing with things like pin and that stuff,which you really don't need to. It's like saying python is complex becasue you have metaclasses, but you'll never need to reach for them. |
|
|
