Boqun Feng <boqun.feng@xxxxxxxxx> writes: > On Wed, Mar 13, 2024 at 11:02:23AM -0700, Bart Van Assche wrote: >> On 3/13/24 04:05, Andreas Hindborg wrote: >> > This is the second version of the Rust block device driver API and the Rust null >> > block driver. The context and motivation can be seen in cover letter of the RFC >> > v1 [1]. If more context is required, a talk about this effort was recorded at >> > LPC [2]. I hope to be able to discuss this series at LSF this year [3]. >> >> Memory safety may land in C++ in the near future (see also >> https://herbsutter.com/2024/03/). If memory-safe C++ or memory-safe C >> would be adopted in the kernel, it would allow writing memory-safe >> drivers without having to add complicated bindings between existing C > > I honestly doubt it, memory-safe is not free, basically you will still > want unsafe part for the performance reason (or interacting with > hardware), and provide a safe API for driver development. I don't think > that part will be gone with a memory-safe C++. So the complication still > exists. But I'm happy to be proved wrong ;-) I think it is great that people are starting to realize that bringing memory safety to other systems languages is a good idea. But from one person blogging about it to things being ready for production is a long journey. Language designers have to design ways to express the new semantics, standards committees has to agree, compiler engineers have to build and test their compilers. Probably we need a few cycles of this to get things right. At any rate, it is going to take a while. Second, as Boqun is saying, interfacing the unsafe C part of the kernel with memory safe C++ is going to require the same complicated abstraction logic as the safe Rust APIs are bringing. The complexity in bringing Rust to the kernel is not coming from interfacing a foreign language. It stems from the inherent difficulty in designing memory safe wrappers around unsafe C APIs. Best regards, Andreas
