• LiveLM
    link
    fedilink
    English
    arrow-up
    72
    arrow-down
    2
    ·
    3 months ago

    Full text of the post by Asahi Lina (@[email protected]):

    I regretfully completely understand Wedson’s frustrations.

    A subset of C kernel developers just seem determined to make the lives of the Rust maintainers as difficult as possible. They don’t see Rust as having value and would rather it just goes away.

    When I tried to upstream the DRM abstractions last year, that all was blocked on basic support for the concept of a “Device” in Rust. Even just a stub wrapper for struct device would be enough.

    That simple concept only recently finally got merged, over one year later.

    When I wrote the DRM scheduler abstractions, I ran into many memory safety issues caused by bad design of the underlying C code. The lifetime requirements were undocumented and boiled down to “design your driver like amdgpu to make it work, or else”.

    My driver is not like amdgpu, it fundamentally can’t work the same way. When I tried to upstream minor fixes to the C code to make the behavior more robust and the lifetime requirements sensible, the maintainer blocked it and said I should just do “what other drivers do”.

    Even when I pointed out that other C drivers also triggered the same bugs because the API is just bad and unintuitive and there are many secret hidden lifetime requirements, he wouldn’t budge.

    One C driver works, so Rust drivers must work the same way.

    Making the Rust bindings safe would have required duplicating much of the functionality of the C code just to track things to uphold the lifetime requirements. It made no sense. It would have been easier to just rewrite the whole thing in Rust (I might end up doing that).

    To this day, bugs in the DRM scheduler have been the only causes of kernel panics triggered via my Apple GPU driver in production.

    The design of that component is just bad. But because I come from the Rust world, the maintainer didn’t want to listen to my suggestions.

    If it takes a whole year to get a concept as simple as a trivial “device” wrapper upstreamed (not any device model functionality, literally just an object wrapping a struct device so we can pass it around) then how is Rust for Linux ever going to take off?

    Rust works. I’m pretty sure I’m the only person ever to single handedly write a complex GPU kernel driver that has never had a memory safety kernel panic bug (itself) in production, running on thousands of users’ systems for 1.5 years now.

    Because I wrote it in Rust.

    But I get the feeling that some Linux kernel maintainers just don’t care about future code quality, or about stability or security any more. They just want to keep their C code and wish us Rust folks would go away. And that’s really sad… and isn’t helping make Linux better.