1. 28

  2. 30

    Splitting code into crates is very useful for enforcing separation of concerns and designing clean interfaces between modules.

    However, as much as I like crates.io crates for userland application development I would not suggest to use them in the kernel, at least not directly. Fork and vendor if you must.

    Rust in the kernel is already controversial, and a new dependency philosophy is likely changing too much at once. Rust should first prove itself to be a good fit for the kernel at all before bringing in dependencies.

    1. 10

      Even in userland I would like to at least know “can this panic” or “does this allocate” and things like that without having to recursively read docs/code.

      1. 3

        It seems like something that could be automated by analyzing a call graph.

        1. 2

          One difficulty with this is that Rust relies on optimization to remove panics, e.g.

          let a = [1,2,3];
          for i in 0..3 { a[i]; }

          Can’t panic, won’t have any panicking code in the release binary, but does have panicking index call in its call graph.

          1. 1

            I can’t think of a reason why this is bad, but it is remarkable to see a compiler that actually corrects code.

        2. 1

          I wonder if this could be enforced or checked at compile time.

          1. 4

            There are some truly awful hacks to do it as a library: https://docs.rs/no-panic/latest/no_panic/ I don’t think there’s any inherent reason it couldn’t be in the compiler, it’s just that it’s a language addition and no one has written an RFC for it.

            1. 3

              It would be really nice.

              For example, there’s std::thread::spawn() → JoinHandle<T> which can panic, so instead you use .spawn() → Result<JoinHandle<T>> on a thread::Builder, like the docs suggest.

              The docs for that one say it can panic "if a thread name was set and it contained null bytes", but is that really the only condition? No, it can panic for other recoverable errors as well; the Result doesn’t capture all of them.

              So it gets hard quickly.

              1. 1

                Maybe there’s a flipside that’s easier. Crates do declare where they do (or to guarantee they never do it). Obviously this will be easier snd More reasons for special crates that will be (or have been) build with those use cases in mind.