Most systems developers are proficient with C. Code isn't going to be safer in language XYZ if developer isn't proficient with it, no matter how awesome XYZ is. This also ties into the legacy: there's a lot of code in C out there that you can't simply replace. Also keep in mind that most of the "safe" languages depend on runtime which isn't written in a safe language. So you're just pushing the problem somewhere else.
Even pretty bare metal languages like Rust aren't very well suited for OS development (yet) since they come with certain assumptions about memory subsystem. Which has to be implemented to be used. This is also true for C - there's some stuff in every C standard library that has to be written in asm, once for each supported platform.
So the bottom line is: there's always something underneath. You can get to a safer place by minimizing these pieces of "unsafe" code and writing code in something else above or, what OpenBSD does, you can abstract and isolate things away and use the tiniest possible solution for each problem and achieve safer environment by proper separation of concerns.
Code isn't going to be safer in language XYZ if developer isn't proficient with it, no matter how awesome XYZ is.
There are safe languages that are similar enough to C that it is not hard to pick them up for a C programmer. I agree if the replacement is ML or Haskell. But e.g. Rust, Cyclone, or Go (if a GC is acceptable) are not going to be hard for most C programmers.
Also keep in mind that most of the "safe" languages depend on runtime which isn't written in a safe language.
Rust is almost runtime-less. The Go runtime is mostly Go since 1.4.
This is also true for C - there's some stuff in every C standard library that has to be written in asm, once for each supported platform.
I didn't say it's not going to be work :).
So you're just pushing the problem somewhere else. [...] So the bottom line is: there's always something underneath.
That does not mean that, say, Haskell is not tremendously much safer than C. First, because you only have to implement the icky parts once. Second, because a better type system and abolishment of undefined behaviour gives you more safety for a very small cost (if at all, the extra compile time for a better type system is probably negated by the cost of headers).
Rust is a very large language with an equally large set of standard library functions. It also requires changing how you structure your programs to work within the constraints of the borrow checker.
Rust also relies on LLVM, which has a limited set of target architectures when compared to C.
"There are safe languages that are similar enough to C that it is not hard to pick them up for a C programmer."
It's not about similarity, it's about differences. System code is all about subtleties in language, UBs in C for example. Just because Rust syntax is similar doesn't mean it can be easily picked up by a C dev.
"Rust is almost runtime-less."
Almost is the key. Even FAQ mentions that it's not suitable for low level code exactly because of its assumptions about how memory allocator works. You'd have to implement it. And you still assume that compiler output is flawless (which is very unlikely given Rust's age).
"I didn't say it's not going to be work :)"
But that's exactly what you're implying ;P "Oh come on, it can be done, why not?!" I'm giving you reasons why. These aren't superficial, I worked on OS, OS drivers, I'm currently working on hardware simulators. If your aim is safer systems, switching from C to Rust (which I happen to love) isn't the answer yet. And probably not for the next 10+ years.
"That does not mean that, say, Haskell is not tremendously much safer than C."
I'm not saying that there are no languages inherently safer than C. I'm saying that a) people can't switch just like that, b) familiar syntax isn't enough, c) legacy matters, d) there's always something that will still be "unsafe". As a pragmatic I'm claiming that you can spend time better than switching languages.
"First, because you only have to implement the icky parts once."
How is this not true in C?
"Second, because a better type system and abolishment of undefined behaviour gives you more safety for a very small cost (if at all, the extra compile time for a better type system is probably negated by the cost of headers)."
No, again, cost associated with new language is massive, especially if you care about quality.
zamalek got it correct above. Those languages above only cover 2 or 3 architectures that the project works with. There is no Rust or Go compiler for vax, alpha, macppc, sparc64. There are C/C++ compilers though.
Yes, I know, that's what I mentioned in my original post: it requires portability work.
There is no Rust or Go compiler for vax, alpha, macppc, sparc64. There are C/C++ compilers though.
Well, I think compilers for some of these architectures (e.g. VAX and Alpha) still exist in gcc largely because OpenBSD and NetBSD have put so much effort in keeping them alive (yes, I know that OpenBSD is using an older version). So, it's not as if you get C compilers for these platforms for free.
I confess! ;) No, seriously, I'm parroting what was said by the developers on the group some time ago. My understanding at the time was that core allocation library is part of std, so if you get rid of std (which is what you'd do writing OS - things like printing on the screen have no place in kernel) you'd have to recreate this. But I never bothered to dig deeper since OS development is not what I want to use Rust for.
My feeling though is that you need to be able to allocate memory to write code in Rust (duh!) and memory allocation is something that OS provides. So if you write OS in Rust... you get the idea. My understanding of Rust isn't deep enough to state whether you'd have to reimplement internals of Arc, Box and what not or you'd just have to provide something they piggy back on. But there's an explicit assumption in most of the code that you can allocate memory (in a thread safe fashion no less) which isn't there if you have no OS underneath.
It's all good, that's exactly why I was curious. Your understanding isn't exactly wrong, but basically, all that code relies on there being an 'alloc' and 'free' symbol, so you can swap that out with whatever you want, so you wouldn't actually need to re-write all that code. Also worth noting, there's a clear line between libraries with no allocation (libcore) and the rest, so even if you did throw it all away, you'd still have a chunk of the library.
That interface is super unstable at the moment, and we're working on stabilizing it, but yeah, that's what you'd have to do: write your own allocator and hook it up.
Cool, thanks for the details. I guess I should check who's asking before I respond the next time around. ;) It wasn't clear whether you're pulling my leg or you're interested in deep dive I can't provide. But you can. :] So, question then - wasn't it the case (at one point) that you had dependency on stack unwinding library or some external implementation of TLS? My feeling is that what I read about OS development at that point had also something to do with one of these two. Maybe. Unwind is native to Rust right now and is no longer a problem (on platforms supported), no?
:) It's all good, I was a little bit terse... I should consider that in the future.
We do use gcc's unwinding library, last I recall, but if you're writing an OS, you can implement the language items to do whatever you want, including just abort.
There's no inherent TLS implementation that I'm aware of.
Sure, and I'm glad they do, it's a great language. But you're not going to go beyond hobby projects for the next I-don't-know-how-many-years. And not because there isn't enough love for Rust (which was the case e.g. with D). :)
I don't see any major reason why Rust couldnt be used for a new "real" OS. The "stdlib doesn't report failure on allocation" stuff isn't really relevant; it's not like people use libc malloc in the Linux kernel. Lack of intrinsic exposure on stable doesn't matter, people will just use the nightlies. Intrusive lists are useful, but they don't require that much unsafe code. Likely / unlikely will be in the nightlies any day now. Performance is already on par with C++ if you care enough; removing drop zeroing will help, though. Only big thing I see missing is unsafe unions.
(If you're arguing that drivers will still need some inline assembly, well, yeah. But the assembly required for hardware interop is pretty straightforward, at least compared to code written in assembly for performance).
"I don't see any major reason why Rust couldnt be used for a new "real" OS."
I'm not saying it can't in principle, I'm saying it would take years to get to a usable point. But then again - I wouldn't mind being wrong here! :]
"I'd be interesting in knowing what their thinking is as well."
OpenBSD is proudly exploiting quirks of various platforms to stress test the code and find cases where differences break the code and expose bugs. Change from C won't happen just because Rust is here to stay. Especially not until LLVM (and preferably musl) runs on most of the platforms OpenBSD runs on. the official stance for LLVM in general is that it'd have to get to the parity with gcc WRT platforms that OpenBSD finds interesting but reality is that a platform or two out of ~15 could be dropped if LLVM provided benefits over gcc. LTS compiler is something OpenBSD (and not only them) would appreciate greatly. But it's not going to happen, I'm afraid.
Even pretty bare metal languages like Rust aren't very well suited for OS development (yet) since they come with certain assumptions about memory subsystem. Which has to be implemented to be used. This is also true for C - there's some stuff in every C standard library that has to be written in asm, once for each supported platform.
So the bottom line is: there's always something underneath. You can get to a safer place by minimizing these pieces of "unsafe" code and writing code in something else above or, what OpenBSD does, you can abstract and isolate things away and use the tiniest possible solution for each problem and achieve safer environment by proper separation of concerns.