On Fri, Apr 16, 2021 at 04:03:07PM +0100, Matthew Wilcox wrote:
> Well, we could do that in C too.
>
> struct unlocked_inode {
> spinlock_t i_lock;
> };
>
> struct locked_inode {
> spinlock_t i_lock;
> unsigned short i_bytes;
> blkcnt_t i_blocks;
> };
>
> struct locked_inode *lock_inode(struct unlocked_inode *inode)
> {
> spin_lock(&inode->i_lock);
> return (struct locked_inode *)inode;
> }
Indeed you can do this kind of thing in C, but as I said before (apologies if
I'm too repetitive on this) Rust forces you to do it the right way, whereas the
lack of enforcement in C leaves room for mistakes.
If you do add extensions to C to add some of these restrictions (and I encourage
you to pursue such extensions as we all benefit from better C), it is likely not
sufficient to reach the level of compile-time guarantee that Rust offers because
you need a whole slew of restrictions/enforcements.
I also note that academics have a formalisation of [a subset of] Rust that show
the soundness of these guarantees and the requirements on unsafe to compose
safely. So we're not talking about guesswork, there are formal machine-checked
proofs published about this (see for example
https://people.mpi-sws.org/~dreyer/papers/safe-sysprog-rust/paper.pdf).
