The rust driver does read better. I like that the functions are organized as methods under a member less struct, as opposed to the C version where they are top level with_really_long_function_names that take a struct parameter.
>The next article in this series will look at the design of the interface between the C and Rust code in the kernel, as well as the process of adding new bindings when necessary.
This is the actual useful one since so little of the kernel has Rust bindings. When I tried to implement a filesystem driver in rust I spent most of my time trying to write bindings instead of trying to write a filesystem.
Rust (without use of `unsafe`) eliminates several entire classes of bugs (including bugs that comprise the majority of security related memory safety issues) while providing performance comparable to C/C++.
That is really all there is to it - it is just the better option for systems programming by almost all available metrics, and I say this as someone who has been coding C and C++ professionally for coming up on 25 years.
Safe Rust is actually safer than Java because Java still has data races (that happen when you don't use correct synchronization when doing multithreaded code). In Java data races aren't as catastrophic as C (that is, it's not UB), but they are still a very severe kind of bug.
In Safe Rust, data races can't happen because you can only share stuff between threads if they are either synchronized or read only - attempting to share data that can't be accessed by many threads results in a compile time error.
Also: Java depends heavily on the GC to have memory safety. There are probably some kernels that manage memory with GCs, but for most of them it's not appropriate.
And even for projects that are written in a language that uses a GC (like written in Python, or Java, or C#), having two GCs in the same project, sharing data between each other, is kind of catastrophic. Because of this, a project in a high level language either uses libraries written in the same language (or at least the same runtime), or languages written in C or C++. So Python programs use Python libraries or C libraries, C# programs use C#/.NET libraries or C libraries. But it's uncommon to use a Python library in a C# project, or a C# library in a Python project.
Just like C, Rust fills the niche of writing libraries that can be used in many ecosystems. Right now some Rust libraries are used in Javascript projects (either on node or on the web, with wasm), for example.
- Java's use of GC and a large runtime makes it inappropriate for many use cases
- Java had a pretty slow startup time, which makes it a poor fit for many CLI applications and similar
- Java has historically had pretty poor support for interoperating with c libraries (although this is improving with project panama)
- Rust has a richer, more powerful type system than Java (although scala's is more comparable)
- Rust's affine types (lifetimes) actually prevent certain types of bugs that occur in languages like Java as well. Things like using a connection or file handle after it is closed, forgetting to release a lock, not properly synchronizing access to memory between multiple threads, etc.
One reason I can think of is its memory management model gives programmers more control than a garbage collector. With the borrow checker, you know when your variables will get dropped/deallocated, but a garbage collector is not necessarily as controllable.
My interest in Rust comes from getting frustrated with C's type system. Rust has such a nice type system and I really enjoy the ownership semantics around concurrency. I think that C++ written "correctly" looks a lot like Rust and libkj [1] encourages this, but it is not enforced by the language.
Rust is interesting because it's the first language to really try to compete in the same space as C and C++ in quite a long time. Part of being a newer language is that it doesn't have to work around the baggage of horribly bad past decisions (e.g., null-terminated strings, or implicit integer promotion). Part of it is also that it can adopt newer language features (e.g., structured binding or pattern matching) and have it mesh well with the language rather than having some weird workarounds.
For many people, the most interesting aspect of Rust is that it builds into its type system a set of rules that makes it much more practical to avoid memory safety issues or concurrency issues--lifetimes and Send/Sync are an absolute godsend for such programming, especially because it means you get the compiler to kick you in the face when you screw it up. Rather famously, Mozilla attempted a couple of parallel layout engines in C++ but their attempts all failed, because it just wasn't feasible to shake out all of the concurrency issues; their first attempt at doing so in Rust had none of those issues. It's not that the rules are complicated or hard to follow, it's that in large codebases, the invariants you need to uphold are described only in comments and can be easy to forget.
Most of the interest I have seen is in pursuit of security.
A few sources have cited that something like 70% of vulnerabilities are rooted in memory safety issues.
A language that makes it impossible to introduce 70% of the security bugs is appealing.
As a person that occasionally daytrips into Rust and Zig, I'd imagine some number of us are coming from higher level languages (JS/TS, Python, etc) as our daily drivers and interested in what performance we could get closer to the metal.
In those cases we don't have a particular investment in C/C++, we don't know the differences between gcc or clang, we are used to package managers, don't manage header files, and things like comfy error messages and "if it compiles it's reasonably safe tm" are better than... Not having those things.
Meanwhile, outside of things like CUDA interop I don't know what the compelling case for C/C++ even is for someone who isn't invested.
Majority of cpp knowledge is not universal computer science, but cpp's quirks, issues, tricks, hacks and wasted life fighting lack of coherent building system and package manager alongside of long compile times
This is a very important point if the tool is used by millions of people. All you need to do is waste a few 10s of seconds with some weird quirk that doesn’t act as expected, and BAM, collectively easily a year of human life was wasted.
I think it aims to have the features of C++ that are required for modern safe systems programming, but not all the baggage that comes with such a large and historied language.
I do not even have CS degree or programming background. But Rust seemed easier to learn than C or C++. Well I've learned C syntax in a day but really using it is different story. Rust gave me confidence to contribute to existing (open-source) project pretty early.
Rust has more and nicer language features compared to c++ that you can use to make the code readable.
I wish rust had overloading and specialization though.
> I personally invested a lot of time and effort into learning C/C++ and the only new language with enough difference to come along that was worth learning was Python imho. Not sure what significant differences Rust brings that warrant throwing all that knowledge away and starting again.
Ive written a little c++ professionally along with rust. I really don't think rust is that hard to learn. Especially compared to c++, I'd be embarrassed to tell people i "know" c++ despite using it a bit. there's so much to writing c++.
I think you would be a competent rust programmer in a couple weeks, have a pretty good grasp on the language and be able to pretty much contribute to any in progress project.
You could spend a weekend going through the rust book and have a good idea of the language. I dont think I could say that to anyone about any c++ book lol
I mean I don't mind learning it if it solves problems and is reasonably enjoyable to program in (which I find C/C++ to be) but the rebel in me doesn't want to conform to what big business/politics wants I guess. I know thats a terrible metric to use in this field.
I think it's the rust folk who are the rebels. Status quo types would never advocate for something so tumultuous as a new systems programming language.
The general spike in interest from 2021 onwards (the language has been around for a while so it's not like people just found out) is due to a large hangover from crypto folks who become jobless after the bust. Super savvy in general being online and evangelism. The safety stuff is overblown (small subset of applications primarily OS and browsers) and full rewrite is not possible or advisable.
This is the sort of thing I suspected without proof. It seems people do find that Rust is useful in terms of specific types of bugs but why cant pre C/C++ 11 just do the same job.
In safe rust you cannot read uninitialized memory or variables, you cannot dereference a null or freed pointer, you can't concurrently mutate the same variable from multiple threads without locking primitives, you can't accidentally modify a variable after it has been moved out of scope - all of these things are enforced at compile time. If your code compiles, you are safe from all of these classes of bugs (outside the use of unsafe code).
In addition, you can't overflow a buffer nor unintentionally read outside the bounds of an array, that will cause a runtime panic and abort the program.
Doing this in C or C++ is possible, but the fact that even the best of the best programmers in these languages sometimes still make these mistakes shows the limitations of the paradigm.
Even the most novice Rust programmer who stays in the guardrails will produce programs free of these sorts of memory safety bugs. The same cannot be said about C or C++ programs.
> In safe rust you cannot read uninitialized memory or variables, you cannot dereference a null or freed pointer, you can't concurrently mutate the same variable from multiple threads without locking primitives, you can't accidentally modify a variable after it has been moved out of scope - all of these things are enforced at compile time. If your code compiles, you are safe from all of these classes of bugs (outside the use of unsafe code).
Aren't most of these issues caught in C++ code by static code analysis tools, and even just flipping switches on C++ compilers? I mean, check out tools like cppcheck and address sanitizer. They exist for ages.
Your blend of comments makes it sound like no one knew or cared about these issues other than Rust fanboys.
No, they aren't. C++ codebases, even those who make quite a big effort to use as many analysers and checkers and sanitizers as they can, are still plagued by memory safety issues. Rust has a measurably lower incidence of security bugs due to this (not zero, but lower). People have tried (and are still trying) to retrofit memory safety onto C++ and they have not in general been successful. There's too many sharp edges built into the current language and library design, and these tools cannot catch all the ways in which you can mess up.
(What's more, Rust is substantially nicer to use than C++. The language, package manager, and compiler are all so much more straightforward than C++ that I would use it for that alone)
> Even the most novice Rust programmer who stays in the guardrails
I think this part answers your question. A novice could produce reasonably safe Rust code by just reading a book. I’ve no experience with either language and I can safely say I’d have no idea which switches to “just flip” in the compiler and what tools I should look up to write safe C++ code.
I do know that “Learn Language X” books do not include this information so as to not overwhelm the novice.
> I think this part answers your question. A novice could produce reasonably safe Rust code by just reading a book.
That blend of comments is at best grasping at straws. How long do you think a developer stays a "novice"? Does Rust have any problem that prevents developers from learning and improving their skills as fast as any other developers do? Are all Rust projects maintained by novice and junior devs where no one at all can claim to have any senior level skills?
If that's the best argument, that's not an argument at all.
> Your blend of comments makes it sound like no one knew or cared about these issues other than Rust fanboys.
That is a strange takeaway from my post. Of course people care, but the difference is that one language and its toolchain was designed and built specifically to avoid these bugs and one wasn't.
I have been writing C++ professionally since around 2000-2001, and have been working with Rust for about 18 months. For single threaded code, the code I write in both is about equivalent in terms of robustness and stability, but for anything multithreaded, I trust my Rust code's correctness substantially more, even with all the checkers and sanitizers enabled on my C++ codebase.
Would I choose Rust for everything? Hell no, for evolutionary and fast moving code bases like in games, C++ is plenty good enough.
For anything systems related that requires parallelism and robustness, I will 100% stick with Rust.
It is entirely unclear to me what point you are trying to make. Is your mundane solution to just add more sanitization and analysis to C and C++? If so, that's great, more safety in any language is fantastic. My issue with that is that it is an optional addition to the language rather than the default behavior.
The point I am making is that safe Rust _by default_ straight up disallows compiling code that has the potential for the vast majority of memory safety issues. Code with those issues is just a plain invalid program, and will not compile. If you want to bypass those protections, you need to explicitly opt-in with the unsafe keyword.
C or C++ code with the same issues is perfectly valid, will compile and run, but it has the potential to be incorrect. You can (and should!) bolt on tools to fix that, but the issue is that the language allows that behavior by default. Until these tools are the defaults, the problem is only partially solved - you have to opt-in to a large chunk of safety features, and even if you do, you get fewer of them to boot.
I'm not saying you should use Rust by any means. If you like C++, continue using it. But the fact here is that Rust solves a bunch of problems here and now today that C and C++ cannot, so it is baffling to me that people have such a visceral negative reaction to it.
> mainstream compilers provide support to detect and throw warnings/errors for some of these issues
You cannot detect all of these issues with static analysis. Rust does it by requiring the programmer to annotate lifetime dependencies in the source code. Without this additional semantic information, static analysis cannot fully reason about the lifetimes of variables.
There are efforts by some to introduce lifetime annotations to C++ (https://news.ycombinator.com/item?id=30888172), but any changes to the core language face a very steep uphill battle with the C++ standards committee, so any movement on this is likely to be compiler-specific attribute-based systems, adopted largely by companies invested in a particular compiler ecosystem (such as Apple or Google) to annotate their proprietary code.
On top of this, Rust is a very expressive language, with its features (like enum sum-types, traits etc) making it very easy to implement patterns such as compiler-checked state machines and polymorphism that doesn't involve the recognized downsides of class hierarchies.
It is not for everyone, and not for every kind of project, but its features resonate positively with a lot of people in systems programming because of their experiences with other systems languages and their downsides.
This is why Rust is popular today, particularly in certain communities.
> You are claiming that static code analysis tools extensively used in C++ cannot detect all conceivable and hypothetical memory issues. The weasel words in here is that it is possible to detect them, but some can conceivably slip through.
No, there are entire classes of memory vulnerabilities that are impossible to check with static analysis because checking them is equivalent to the halting problem.
> To drive the point home, there are already a few CVEs even from use-after-free bugs in Rust code. What does that make out of the all assertion? Would this be a reasonable argument to reject Rust as an unsafe language?
The CVE that you referenced in the other comment was Rust calling into unsafe C code, as I pointed out. If you have a real example feel free to post it.
> The problem with these claims is that they rely on weak strawmen arguments and a very superficial analysis of the problem space. I get the need to do marketing, but if the audience is technical them don't you think arguments should stand on solid technical ground?
The views I have laid out here are the consensus among compiler engineers and in theoretical computer science. You only have to look at the compiler group at Apple:
- heavily invested in static analysis
- maintains the clang static analyzer
- maintains number of runtime memory analysis tools in Xcode
- not invested in rust at all and seemingly not interested
The reason for this is that static analysis simply cannot do it when the semantic information about lifetimes is lost, even for a group that knows how to write strong static analysis tools. Program flow is too ambiguous without it, so it becomes impossible to detect such memory vulnerabilities without running the program and fuzzing it – an expensive, time consuming, and probabilistic process.
> No, there are entire classes of memory vulnerabilities that are impossible to check with static analysis because checking them is equivalent to the halting problem.
This is the sort of goalpost-moving that lays bare how superficial and misleading these accusations are. You're trying to argue that some very specific types of memory vulnerabilities can't be detected with static code analysis tools. That is different than claiming that it's not possible to detect memory vulnerabilities in languages such as C or C++, isn't it? But somehow this strawman is used to imply that Rust is invulnerable whereas developers using any other language are prevented from ever learning that standard FLOSS compilers support out of the box things such as detecting use of uninitialized variables.
This is not a very good example, because this Rust code is a thin wrapper around pthread_mutex, which is an unsafe API that can cause undefined behavior (such as use after free) if used incorrectly. The Rust code in question is using the unsafe C API incorrectly.
One could say "Rust doesn't stop you from calling out into unsafe C code, so it's still possible to produce memory vulnerabilities in Rust", and it would be true, but it kind of misses the point and only really bolsters the Rust people when they say they want to rewrite everything in Rust.
In Rust, an API with a rule such as "you must check that the mutex is unlocked before you can destroy it" would be implemented using the type system in such a way as to make it impossible to drop it without checking its state. This is something that is not possible to do in C and cumbersome to do in C++.
This is the actual useful one since so little of the kernel has Rust bindings. When I tried to implement a filesystem driver in rust I spent most of my time trying to write bindings instead of trying to write a filesystem.
https://arxiv.org/abs/2506.03876
https://github.com/asterinas/asterinas
The reasons we encounter pattern issues forcing Linux into a polyglot is not a new phenomena:
https://en.wikipedia.org/wiki/Second-system_effect
Best regards =3
That is really all there is to it - it is just the better option for systems programming by almost all available metrics, and I say this as someone who has been coding C and C++ professionally for coming up on 25 years.
In Safe Rust, data races can't happen because you can only share stuff between threads if they are either synchronized or read only - attempting to share data that can't be accessed by many threads results in a compile time error.
Also: Java depends heavily on the GC to have memory safety. There are probably some kernels that manage memory with GCs, but for most of them it's not appropriate.
And even for projects that are written in a language that uses a GC (like written in Python, or Java, or C#), having two GCs in the same project, sharing data between each other, is kind of catastrophic. Because of this, a project in a high level language either uses libraries written in the same language (or at least the same runtime), or languages written in C or C++. So Python programs use Python libraries or C libraries, C# programs use C#/.NET libraries or C libraries. But it's uncommon to use a Python library in a C# project, or a C# library in a Python project.
Just like C, Rust fills the niche of writing libraries that can be used in many ecosystems. Right now some Rust libraries are used in Javascript projects (either on node or on the web, with wasm), for example.
- Java had a pretty slow startup time, which makes it a poor fit for many CLI applications and similar
- Java has historically had pretty poor support for interoperating with c libraries (although this is improving with project panama)
- Rust has a richer, more powerful type system than Java (although scala's is more comparable)
- Rust's affine types (lifetimes) actually prevent certain types of bugs that occur in languages like Java as well. Things like using a connection or file handle after it is closed, forgetting to release a lock, not properly synchronizing access to memory between multiple threads, etc.
[1] https://github.com/capnproto/capnproto/blob/v2/kjdoc/tour.md
For many people, the most interesting aspect of Rust is that it builds into its type system a set of rules that makes it much more practical to avoid memory safety issues or concurrency issues--lifetimes and Send/Sync are an absolute godsend for such programming, especially because it means you get the compiler to kick you in the face when you screw it up. Rather famously, Mozilla attempted a couple of parallel layout engines in C++ but their attempts all failed, because it just wasn't feasible to shake out all of the concurrency issues; their first attempt at doing so in Rust had none of those issues. It's not that the rules are complicated or hard to follow, it's that in large codebases, the invariants you need to uphold are described only in comments and can be easy to forget.
A language that makes it impossible to introduce 70% of the security bugs is appealing.
So why Rust then?
The interesting combination rust brings is a memory safe language that can compete with C and C++ for the speed crown.
In those cases we don't have a particular investment in C/C++, we don't know the differences between gcc or clang, we are used to package managers, don't manage header files, and things like comfy error messages and "if it compiles it's reasonably safe tm" are better than... Not having those things.
Meanwhile, outside of things like CUDA interop I don't know what the compelling case for C/C++ even is for someone who isn't invested.
This is a very important point if the tool is used by millions of people. All you need to do is waste a few 10s of seconds with some weird quirk that doesn’t act as expected, and BAM, collectively easily a year of human life was wasted.
Avoid surprising behavior.
when did that happen?
i thought it would take a long time for colleges to include rust as it has a high learning curve
This is not how learning programming languages works
I wish rust had overloading and specialization though.
> I personally invested a lot of time and effort into learning C/C++ and the only new language with enough difference to come along that was worth learning was Python imho. Not sure what significant differences Rust brings that warrant throwing all that knowledge away and starting again.
Ive written a little c++ professionally along with rust. I really don't think rust is that hard to learn. Especially compared to c++, I'd be embarrassed to tell people i "know" c++ despite using it a bit. there's so much to writing c++.
I think you would be a competent rust programmer in a couple weeks, have a pretty good grasp on the language and be able to pretty much contribute to any in progress project.
You could spend a weekend going through the rust book and have a good idea of the language. I dont think I could say that to anyone about any c++ book lol
In addition, you can't overflow a buffer nor unintentionally read outside the bounds of an array, that will cause a runtime panic and abort the program.
Doing this in C or C++ is possible, but the fact that even the best of the best programmers in these languages sometimes still make these mistakes shows the limitations of the paradigm.
Even the most novice Rust programmer who stays in the guardrails will produce programs free of these sorts of memory safety bugs. The same cannot be said about C or C++ programs.
Aren't most of these issues caught in C++ code by static code analysis tools, and even just flipping switches on C++ compilers? I mean, check out tools like cppcheck and address sanitizer. They exist for ages.
Your blend of comments makes it sound like no one knew or cared about these issues other than Rust fanboys.
(What's more, Rust is substantially nicer to use than C++. The language, package manager, and compiler are all so much more straightforward than C++ that I would use it for that alone)
I think this part answers your question. A novice could produce reasonably safe Rust code by just reading a book. I’ve no experience with either language and I can safely say I’d have no idea which switches to “just flip” in the compiler and what tools I should look up to write safe C++ code.
I do know that “Learn Language X” books do not include this information so as to not overwhelm the novice.
That blend of comments is at best grasping at straws. How long do you think a developer stays a "novice"? Does Rust have any problem that prevents developers from learning and improving their skills as fast as any other developers do? Are all Rust projects maintained by novice and junior devs where no one at all can claim to have any senior level skills?
If that's the best argument, that's not an argument at all.
That is a strange takeaway from my post. Of course people care, but the difference is that one language and its toolchain was designed and built specifically to avoid these bugs and one wasn't.
I have been writing C++ professionally since around 2000-2001, and have been working with Rust for about 18 months. For single threaded code, the code I write in both is about equivalent in terms of robustness and stability, but for anything multithreaded, I trust my Rust code's correctness substantially more, even with all the checkers and sanitizers enabled on my C++ codebase.
Would I choose Rust for everything? Hell no, for evolutionary and fast moving code bases like in games, C++ is plenty good enough.
For anything systems related that requires parallelism and robustness, I will 100% stick with Rust.
The point I am making is that safe Rust _by default_ straight up disallows compiling code that has the potential for the vast majority of memory safety issues. Code with those issues is just a plain invalid program, and will not compile. If you want to bypass those protections, you need to explicitly opt-in with the unsafe keyword.
C or C++ code with the same issues is perfectly valid, will compile and run, but it has the potential to be incorrect. You can (and should!) bolt on tools to fix that, but the issue is that the language allows that behavior by default. Until these tools are the defaults, the problem is only partially solved - you have to opt-in to a large chunk of safety features, and even if you do, you get fewer of them to boot.
I'm not saying you should use Rust by any means. If you like C++, continue using it. But the fact here is that Rust solves a bunch of problems here and now today that C and C++ cannot, so it is baffling to me that people have such a visceral negative reaction to it.
You cannot detect all of these issues with static analysis. Rust does it by requiring the programmer to annotate lifetime dependencies in the source code. Without this additional semantic information, static analysis cannot fully reason about the lifetimes of variables.
There are efforts by some to introduce lifetime annotations to C++ (https://news.ycombinator.com/item?id=30888172), but any changes to the core language face a very steep uphill battle with the C++ standards committee, so any movement on this is likely to be compiler-specific attribute-based systems, adopted largely by companies invested in a particular compiler ecosystem (such as Apple or Google) to annotate their proprietary code.
On top of this, Rust is a very expressive language, with its features (like enum sum-types, traits etc) making it very easy to implement patterns such as compiler-checked state machines and polymorphism that doesn't involve the recognized downsides of class hierarchies.
It is not for everyone, and not for every kind of project, but its features resonate positively with a lot of people in systems programming because of their experiences with other systems languages and their downsides.
This is why Rust is popular today, particularly in certain communities.
> You are claiming that static code analysis tools extensively used in C++ cannot detect all conceivable and hypothetical memory issues. The weasel words in here is that it is possible to detect them, but some can conceivably slip through.
No, there are entire classes of memory vulnerabilities that are impossible to check with static analysis because checking them is equivalent to the halting problem.
> To drive the point home, there are already a few CVEs even from use-after-free bugs in Rust code. What does that make out of the all assertion? Would this be a reasonable argument to reject Rust as an unsafe language?
The CVE that you referenced in the other comment was Rust calling into unsafe C code, as I pointed out. If you have a real example feel free to post it.
> The problem with these claims is that they rely on weak strawmen arguments and a very superficial analysis of the problem space. I get the need to do marketing, but if the audience is technical them don't you think arguments should stand on solid technical ground?
The views I have laid out here are the consensus among compiler engineers and in theoretical computer science. You only have to look at the compiler group at Apple:
- heavily invested in static analysis - maintains the clang static analyzer - maintains number of runtime memory analysis tools in Xcode - not invested in rust at all and seemingly not interested
Yet they are adding lifetime dependency annotations to Swift, making it more like Rust: https://github.com/swiftlang/swift-evolution/blob/ef71df4158...
The reason for this is that static analysis simply cannot do it when the semantic information about lifetimes is lost, even for a group that knows how to write strong static analysis tools. Program flow is too ambiguous without it, so it becomes impossible to detect such memory vulnerabilities without running the program and fuzzing it – an expensive, time consuming, and probabilistic process.
This is the sort of goalpost-moving that lays bare how superficial and misleading these accusations are. You're trying to argue that some very specific types of memory vulnerabilities can't be detected with static code analysis tools. That is different than claiming that it's not possible to detect memory vulnerabilities in languages such as C or C++, isn't it? But somehow this strawman is used to imply that Rust is invulnerable whereas developers using any other language are prevented from ever learning that standard FLOSS compilers support out of the box things such as detecting use of uninitialized variables.
So what is it then?
What definition of "doesn't" do you adhere to? Because there are use-after-free CVEs from Rust code.
https://nvd.nist.gov/vuln/detail/CVE-2025-48752
https://github.com/Forestryks/process-sync-rs/issues/3
One could say "Rust doesn't stop you from calling out into unsafe C code, so it's still possible to produce memory vulnerabilities in Rust", and it would be true, but it kind of misses the point and only really bolsters the Rust people when they say they want to rewrite everything in Rust.
In Rust, an API with a rule such as "you must check that the mutex is unlocked before you can destroy it" would be implemented using the type system in such a way as to make it impossible to drop it without checking its state. This is something that is not possible to do in C and cumbersome to do in C++.
Feel free to pick an example that tickles your fancy.
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rust