cqwrteur (euloanty.delete@this.live.com) on July 10, 2021 1:32 pm wrote:
> You do not just copy paste from rust std to linux kernel. You add code for dual error
> reporting. Those code are completely unverified due to "panic not allowed policy".

You keep claiming that but bring zero data to back your claim. So here's some data regarding the code in question: the changes between rust/alloc in the Rust-for-Linux tree compared to rust's library/alloc/src sources are a few hundred lines, most of which are attributes to disable things like OOM handling. I'm pretty sure that a few hundred lines can be verified in a reasonable amount of time, especially given that most of them aren't even unsafe code.

> Also. Entire project is unsafe hell. No just the std crates part but other parts too.
> https://github.com/Rust-for-Linux/linux/blob/rust/rust/kernel/allocator.rs

I'm presenting here a piece of what you call "unsafe hell" from that code you pointed out:

unsafe {
bindings::kfree(ptr as *const c_types::c_void);
}

That's calling kfree() on a pointer that undergoes a cast to void *. Is that what you call "unsafe hell"? I'm sorry but you'll have to do a more thorough analysis than grepping for "unsafe" if you want to convince anybody that this is a significant problem because right now you're just reinforcing my point that the unsafe code being introduced is as harmless as it can be.

> You are arguing C and C++ are same languages? No. C clearly has much more CVEs than C++ in general.
> You said C and C++ "combined" that does not make any sense. They are not the same language.

Go back and read what I wrote again. I said that the Rust standard library is vastly larger than both the C standard library and the C++ standard library combined, is much younger than both and yet suffers from a surprisingly small number of reported issues.

> https://www.cvedetails.com/vendor/15519/Cryptopp.html
>
> What about cryptopp?? No memory safety CVEs at all compared to OpenSSL.
>
> If using Rust does not bring any benefit over modern C++, there is no point
> due to all the troubles Rust would introduce (like no panic policy whatever).

No advantages? Let's bring another data point: http://www.vegardno.net/2018/06/compiler-fuzzing.html

From the article:

From the end of February until some time in April I ran the fuzzer on and off and reported just over 100 distinct gcc bugs in total [...] First, these bugs are mostly crashes: internal compiler errors ("ICEs"), assertion failures, and segfaults.

And then

However, I still think there is value in fuzzing compilers. Personally I find it very interesting that the same technique on rustc, the Rust compiler, only found 8 bugs in a couple of weeks of fuzzing, and not a single one of them was an actual segfault. I think it does say something about the nature of the code base, code quality, and the relative dangers of different programming languages, in case it was not clear already.