[HN Gopher] The quantum state of Linux kernel garbage collection ___________________________________________________________________ The quantum state of Linux kernel garbage collection Author : mfrw Score : 57 points Date : 2022-09-03 02:26 UTC (1 days ago) (HTM) web link (googleprojectzero.blogspot.com) (TXT) w3m dump (googleprojectzero.blogspot.com) | faisal_ksa wrote: | I wish that we had Rust 30 years ago. Many of these problems | would have been solved by the ownership system. | robocat wrote: | This is not a standard memory leak, and would not have been | avoided by using rust. | | Edited twice: I was too quick to presume commenter was just | spouting the common "rust is a panacea" theme. Kernels are all | about "unsafe" concurrent access and reentrant code, so rust is | not a panacea. For this case of multi-threaded access, using | rust primitives to prevent race conditions would make sense, | because the code is unlikely to be performance sensitive (no | need for unsafe) and the feature is there to protect against a | fairly extreme corner case. Reliable discussion on rust for | kernel drivers here: | https://security.googleblog.com/2021/04/rust-in-linux-kernel... | tsimionescu wrote: | By my understanding, Rust's ownership model would prevent | concurrent access to the socket buffer garbage collector data | structures without proper synchronization, which was the | source of this bug. | | This is in fact an example of a class of bug that Rust's | compiler is uniquely able to protect from - other memory safe | languages don't make guarantees about concurrent accesses at | all - at least not Java, C#, Go, Python, Haskell, OCaml etc. | Perhaps Ada does have something? | mhh__ wrote: | D sort of does. We have a type qualifier for shared data | that is picky about accesses but it's not completely there | yet i.e. still requires some knowledge. | azakai wrote: | > By my understanding, Rust's ownership model would prevent | concurrent access to the socket buffer garbage collector | data structures without proper synchronization | | Possibly. But the first question is whether the person | writing this in Rust would have used unsafe. Without | knowing more details here, it's hard for me to guess. | | > other memory safe languages don't make guarantees about | concurrent accesses at all - at least not Java | | Well, Java does have synchronized methods. Those lock the | entire class. You can imagine writing a "manager" class | that encapsulates all the GC data structures here, and that | would have made this perfectly safe in Java using existing | language features. | | Of course, that would have been slower - so, again, it is | tempting to use unsafe approaches, even in a memory-safe | language like Java, but then you do risk bugs like this. | | But of course I do agree that Rust, even with some amount | of unsafe, would be a far safer language than C! | elcritch wrote: | Robocat is probably correct. Rust doesn't prevent race | conditions, just data races. For example a Rust CVE due to | a race condition: https://www.cybersecurity- | help.cz/vdb/SB2022012101 | | This CVE appears to be due to a race condition despite | using atomics, so likely this could've happened in Rust | code. Really to implement this sort of GC I'd wager that | unsafe rust would also be required unless an entirely | different algorithm was used. | azakai wrote: | That's my guess too. These GC data structures need to be | accessed from multiple threads, if I understood TFA, | which means they won't compile normally in Rust. That is | exactly Rust doing its job and preventing bugs, but it | means that the developer then needs to use unsafe (or | find a workaround with runtime checks, at the cost of | overhead). | 2OEH8eoCRo0 wrote: | We had Ada in 1980. | wudangmonk wrote: | Amen brother. Most people will claim that Rust would probably | take years to compile on 30 yrd old hardware but I say to them | "why is your heart so full of doubt?". You have to believe. | | The more you believe and trust Rust, the more limitless your | possibilities become for your family, your career and your | life!. | klabb3 wrote: | It would be impossible to say because it depends on the | hypothetical Rust implementation. A kernel needs a huge amount | of unsafe, all of which is surface area for these types of | bugs. | targ65 wrote: | " This issue was initially discovered in 2016 by a RedHat kernel | developer and disclosed in a public email thread, but the Linux | kernel community did not patch the issue until it was re-reported | in 2021." | | Insane. ___________________________________________________________________ (page generated 2022-09-04 23:00 UTC)