I'm already in bed so reading the code on my phone is really painful. That said, at first glance this looks really promising. This is great news on two fronts: on one hand this will drastically simplify supporting devices and would speed up development a lot. Also it's great news for rust: the fact that it's been used in a place where it can show it's potential and isn't another case of "let's use rust for the sake of using rust", which is a lot more common than I used to imagine.
Only on Linux due to Linus religious hate more specifically, C++ managed alright on Windows, macOS, BeOS, Symbian, GenodeOS, Mbed, Android Treble drivers, Arduino, AUTOSAR.
> Anything that uses 1% of C++ specific features is C++.
Technically correct and this raises an important point. How long would the kernel take to compile in C++ versus in C?
Though in practice if you think the kernel should support all the craziness of "modern" C++ you're going to have a big problem in making it work in kernel space. (things like heavy templates, etc)
And just to disagree with Linus I think the 'new' part is the least of our problems in making the kernel work with C++
Apple, Google and Microsoft do just fine without modern C++ craziness in kernel and drivers.
As for compilation times, it is all a matter of how the build system is architected.
Most of my C++ build pipelines compile faster than Rust, in make clean all scenarios.
There is no black magic in how to achieve it, just knowing what one is doing, making use of binary libraries, build caches, and be aware of how much craziness is allowed, most of which wouldn't be allowed on the kernel anyway.
All my rust projects (>1 million LOC at this point) compile 10x faster than our C++ code base ever did (300k LOC and shrinking, used to be 900k LOC c++ but over the last 4 years all new functionality has been rust, and every substantial fix of existing functionality has resulted in rewriting C++ code to Rust).
How to do this is surprisingly easy: write small crates that do 1 thing.
A Rust crate is a C++ TU, pretty much everybody that complains that Rust is slow is comparing Rust crates that are 10-100x larger than the size of the .cpp files they use in their C++ projects.
For some reason, people, and particularly C++ devs, like to write huge Rust crates (I’ve seen crates with 200k LOC). They’d never write a 200k LOC .cpp file, so I really don’t get why they do this.
Either way, if your Rust compile times are slow, it’s probably your and only your fault.
How to get blazing fast Rust compile times isn’t a secret.
We have a lot of data of the time it took to compile C++ TUs vs the equivalent Rust crate, and Rust reliably compiles at least one order of magnitude faster, sometimes two.
All our crates are less than 10kLOC, median is 1812 LOC.
Rust crate binary compatibility is also pretty awesome, so that in general a new hire does not need to compile anything at all (an unmodified build just fetches binary objects from sccache). When they start modifying the project, only those binary objects that actually changed have to be recompiled, the rest is just dynamically linked. This gives you <5s edit-compile cycle if you are working on a leaf crate.
Now go around and apply the same build optimizations to the C++ source base, including the use of incremental compilation, incremental linking, pre-compiled headers, export templates in TU, making use of lib files.
If your C++ compile times are slow, it’s probably your and only your fault.
Our C++ code base has been using Clang modules and all those optimizations (explicit template instantiations, incremental linking, dynamic libraries, etc.) since 2011..
It also supports unity builds, and C++ modules TS, so we can compare the performance of all 3 approaches
Rust consistently beats all of them by at least an order of magnitude in apples to apples comparisons, with at least an order of magnitude less fiddling in terms of modifying the source code, fiddling with build system and compiler options, etc.
So in our experience, Rust gives you 10x faster compile times with 10x less effort than C++ if you use similarly sized compilation units.
Rust makes it easy to write compilation units that are 10x-100x faster than C++ ones and still compile reasonably fast for their size, but we don’t allow this by convention (we have a clippy lint that rejects crates that are too large).
Pre Compiled Headers are 1:1 perf wise identical to Clang modules for our 1 million Loc C++ project modulo system noise. There was no difference in compilation speed, neither for clean nor incremental builds.
We supported them for a while (until 2015 or so; no perf difference over 3 years), but Clang modules gave the exact same perf and was easier to use, and unity builds were much faster for clean builds anyways, so there was no point in maintaining PCH in parallel to these two other options.
For people that are not aware, PCH, modules, etc. bought us 20-40% compile time reduction. I expect 30% or so to be typical for projects that are using TUs correctly.
A 30% compile time reduction or even a 2x compile time reduction is not “life changing”. It’s peanuts.
Particularly compared with the 10-100x compile time reductions that Rust gives you. From 100min to 1 min, that’s a huge difference. From 100 min to 50-70min? That’s an irrelevant difference.
One can endlessly discuss pros and cons of using C++ in the Kernel, but in the end it's about either making a bet on C++ or not; it's not that one can or has to formally prove that the bet is right to avoid being called religious. Linus listed cons that he finds important (which are real) and decided not to bet on C++.
Linus has a long history of successfully managing Kernel, I think this makes his bets worth something. So yes, passing Linus filter is a great success for Rust, and even greater given that C++ didn't pass.
Also, the fact that C++ succeeded somewhere doesn't disprove this claim.
At the least, it's failed to pique Linus's interest. He's re-affirmed his disinterest in C++ in this mailing thread again[1]:
> You'd have to get rid of some of the complete garbage from C++ for it to be usable.
> One of the trivial ones is "new" - not only is it a horribly stupid namespace violation, but it depends on exception handling that isn't viable for the kernel, so it's a namespace violation that has no upsides, only downsides.
> Could we fix it with some kind of "-Dnew=New" trickery? Yes, but considering all the other issues, it's just not worth the pain. C++ is simply not a good language. It doesn't fix any of the fundamental issues in C (ie no actual safety), and instead it introduces a lot of new problems due to bad designs.
The exception handling thing is a showstopper. Stroustrup is resolute that C++ style exception handling is the right error model. So even if a big fraction of C++ programmers disagree, the ISO C++ language standard, and the guidance for new developers, is going to keep saying Exceptions are the way forward for the foreseeable future.
Linus didn't like the panic-on-fail memory allocation handling from userspace Rust for the same reason and so the kernel Rust people had to be very clear early on that was temporary and wouldn't survive from a prototype into the actual kernel.
There are some edge cases where this is surprising and I expect Linus will ask for further work. e.g.
let x = "Clowns".to_owned();
let mut y = x + " are not welcome here";
y += " any more.";
The first variable ends up with a growable String, containing the word "Clowns" so that's an allocation and it might fail, in userspace it panics, in kernel Rust should this not compile? If it needs to "return an error" how?
The second line needs a concatenation operation, it won't end up with a new String, the old one gets moved instead (in Rust this means if you try to refer to x after this that won't compile, it was moved and the compiler knows that) but it also gets a concatenation to add this extra string to the end, probably allocating again. Thus it too might fail, in userspace that would panic, but in the kernel what happens this time? Does this Add operator have a Result type now?
The third line concatenates again, but this time the operation doesn't even have a return type, it's obliged to mutate y, so there is just no possible way it can result in an error. Either this mustn't happen in the Linux kernel, or it panics when it can't allocate.
Whereas these are all fine, they don't allocate and aren't writeable so they won't bother Linus:
let x = "Clowns"; // A str, definitely UTF-8 encoded
let y = b"\xf7\xf7\xf7"; // not Unicode, just some bytes
let z = r#"No need to "escape" the double quotes now."#;
Can't we just write some --hella-strict flag and refuse to compile any of these corner cases?
> Does this Add operator have a Result type now?
Essentially yes. There could be other APIs which accomplish the same results but have different constraints, such as not being able to mutate strings without also creating a Result to be handled. Yeah you lose some ergonomics but even that feels more ergonomic than C.
I think Rust is in a unique position in that zero / extremely few panics is actually achievable, and easier to achieve, with less manual discipline, than C.
Maybe you understood this as purely a rhetorical question, rather than I'm lazy and didn't take time to go read the source code yet when I wrote it. I apologise.
So, the implementation of Add for String in the kernel when it exists gives a String, it does not give a Result.
What is unclear to me still is the significance of no_global_oom_handling. If this is the intended final state of Rust for Linux, then in fact all these traits just go away, so, you can't concatenate Strings with the + operator, and in fact most ways to do stuff with Strings in Rust go away too†. Which is one way to approach it, it's not as though people were dying to do string manipulation inside the Linux kernel anyway.
† In Rust the String type is a growable heap allocated data structure you can change while str (mostly seen as the reference &str) is just a "slice", a length, plus a memory location, plus a promise that the series of bytes in the slice form valid UTF-8 encoded Unicode, but with no way to grow or change it.
Rust's String type is in the standard library [1], rather than in the language core where things like str live [2]. There's a lot of stuff in the standard library that assumes that it can allocate, and will panic on failure. The solution for now is simply to use Rust's `no_std` support [3] and not import the standard library into kernel code, since it's unsuitable for writing kernel code. In the longer term, Rust is investigating adding fallible variants for all of the standard library traits, so that kernel code could use the standard library with a compiler flag enabled that bans usage of any of the infallible standard library traits. There was a lot of discussion about this a few months ago in https://news.ycombinator.com/item?id=26812047.
> So even if a big fraction of C++ programmers disagree,
The percentage of c++ programmers using exceptions seems to increase in jetbrains survey - for the last one it's at 80%, it used to be close to 60% iirc. I wouldn't call 20% a big fraction.
There are no other ways to prevent an invalid object representation to exist unless one is willing to wrap literally everything in optionals, basically reimplementing an exception unwind stack by hand.
I suspect the answer is: those traits not implemented for String in no-panic mode. And instead you have to use fallible “try_extend” methods that return a result?
This is usually the right way to go. If you cannot implement the exact trait then you make a trait of your own with similar semantics instead. This one is a language item though, which complicates things.
To clear something up here, while the Add trait is a language item, String is not. The String type is just a normal type implemented in liballoc[0]. As far as the language is concerned, there's nothing separating it from any other random type a user might write[1]. If you're in a no_std environment, String doesn't even exist unless you depend on liballoc.
The reason you can use String with the + and += operators is because it implements the Add and AddAssign traits[2], and it looks like the implementations are already feature gated for OOM handling so might not be implemented for String.
Yes, that’s a good point. I suppose the compiler can parse «foo + "bar"» regardless of whether the Add language item is implemented for the types involved. It’ll only fail during type checking, which is a later step. Not so complex after all.
Oh, and good point about the existing feature gate; I debated going and looking to see if one existed yet or not, but I was hungry so I didn’t. Glad you were around to point it out.
We've cfg'd out all global OOM handling from alloc, so I think this example must be out of date. In the latest version you indeed would have to write it s different way.
Because this is all just library features from a library that isn't being used. They could use core::alloc and have panic on allocation failure, or they could implement their own library and that library presumably wouldn't have the explicit panics that core::alloc has.
Kernel rust isn't a matter of a variation of the language, it's just about not using the standard libraries
Even though neither Rust nor C++ are supported Kernel languages, Rust has passed a few iterations of trial and discussion, C++ on the other hand was filtered out at the first one. Linus refused to even take C++ seriously (and also mentioned trying it for Kernel in 1992) [1].
Some might argue this doesn't qualify as "C++ trying", but I think it does.
I've been programming on embedded with c++ for quite a while and I really can't agree with linus here.
Just the superior type checking, being able to use RAII and simple templates to replace macros completely transform the way you work on a fundamental level without doing anything fancy.
Although it's not as pleasant as it should be given its historical baggage (the bad rap is sadly well deserved), I still consider it to be miles ahead of C for embedded work to the point that while I do like Rust a lot, I still consider it to be overhyped in this area.
My main complaints about C++ are lack of a good way to catch all exceptions and mysterious copying/conversions. In Rust, it is very easy to catch all panics and conversion/cloning is explicit. Copy is only implemented for types where copying is actually cheap/free by convention.
Another good thing to look at is how disgusting std::move is and how straight forward the equivalent is in Rust. Additionally, there isn't anything to prevent you from using some variable where you used std::move (which invalidates the contents of said variable). Rust will not allow you to use some variable if ownership has moved.
Finally, I personally despise that you end up needing so many constructors in C++ just to do basic things like the assignment operator.
Agree on most points. I never truly liked how complex C++ was from day 1, and it definitely got more and more complex over time. I'm using cppreference all the time, which is something I feel I shouldn't need. I also think the C++ i/o library is utter garbage too.
However I also think how we got to the modern C++ standard, and how early we are with Rust.
I think of all the weird C++ features I had to use over time in embedded, and I'm glad I always had the option to have manual control over memory sizing, the ability to alias pointers and everything that you normally wouldn't want or consider unsafe.
I also think of Rust and this hell-bent approach to memory safety, and actually think that on embedded I basically never have dynamic memory allocation, and very rarely have issues with ownership that I could solve nicely (without fighting with the very limited lifetime constraints we can have) with Rust. On small targets there is no memory allocation. There's often no copying at all, because it's too expensive: ids and counters are often exchanged over shared buffers.
What I feel is a massive improvement in terms of safety in embedded are state machine compilers more than memory safety. Think "ragel", or similar compilers. Using these in embedded couple with wither C or C++ is a game-changer.
Memory safety and pointer lifetimes start to be an issue with much bigger targets. I don't have experience with kernel development, but if you can run linux on a platform I would hardly call it "embedded". Or at the very least, we're talking about the very high-end embedded platforms.
The way I see it, C heavily discourages powerful abstractions. Rust encourages them, but allows contracts between them to be tightly constrained and safe. C++ encourages them, but doesn't give you much help making them constrained or safe. When it comes to being careful and intentional, C++ is the worst of both worlds.
I think Linus was wise not to empower people to write shaky abstractions in one of the world's a) largest and b) most important low-level codebases.
A lot of the problems that tend to be ignored when talking about embedded C++ come from the fact that we have good C++ compilers for embedded targets now. This was certainly not the case just a few years ago, especially before ARM was the de-facto standard for embedded devices.
Most MCUs compilers had little if any support for most C++ "fanciness", which meant that trying out C++ ended almost always in some big catastrophe, either by hidden bugs being inserted by those compilers, or portability disasters (+80% your supposedly portable code uses this feature that compiler X doesn't have).
True. I'm old enough that I had these issues with C++ in the early 2000 even with _system_ compilers (AIX's C++ compiler was especially horrifying).
However times have changed. The features and C++ general coding style itself is quite different that what you'd write in '98.
If you're considering Rust, you should consider the modern available C++ with all the latest tooling to be fair. And it's _pretty_ good, all things considered.
I don't know about embedded, but I'm quite happy with Linus' decision and appreciate that I can compile kernel on my laptop in reasonable amount of time.
> Just wait until Rust starts being used across the kernel, if compilation speed is an issue.
I don't expect people to start (re)writing their drivers in Rust anytime soon. Maybe some PoC things and stray FAANG-devs aiming for promotions, but it is highly unlikely I will need to have those drivers enabled. Hope Rust compilation times improve by the time it becomes mainstream in systems.
> At least with C++ most corporations actually use binary libraries, we aren't doing Gentoo style across our codebases.
This is not relevant for the kernel development (Linus' case) and doesn't match my experience working with C++ code bases for ~10 years.
Yes, it grew 30+ new appendages. Jokes aside, it has improved quite a bit with lambdas, move semantics, type inference, standardized filesystem api, smart pointers, optional types, etc... Despite this, it still can't come close to offering the confidence that Rust gives you.
The most important trait of a language, especially when safety is a high concern, is what it doesn't let you do. And it's virtually impossible to improve on that axis down the line while maintaining backwards-compatibility, which means that ship has sailed for C++ no matter what new features get added.
True, yet despite all security talk, Google, Apple and Microsoft rather improve C and C++ instead of just throwing away 50 years of libraries, OS code and GPGPU tooling.
So while I enjoy doing toy applications in Rust, C++ is the language I have available on the IDE installer to write native code on our projects.
Until Rust manages to get a similar checkbox on the same installer, it isn't going to be an option for certain kinds of corporations.
A few years ago I tried out VC++ version 4 (??) for a bit of a laugh. And I felt no wonder as to why C++ got such a bad wrap. The MFC classes seemed to have suffered from gold-plating the specifications, and there was all sorts of casting stuff to cajole C++ into interfacing with the C windowing system.
Since then, C++ has gotten massively better. We now have strings and vectors as part of the standard library, so there's no need to use someone's quirky implementation.
As I said in a previous post, C++ gets you most of the way to Python, so there's really no point in not using it.
Still, it's taken us until C++17 to get sum-types (via variants), and it is amazing to think that it took so long to get such a basic idea included. The handling of variants could do with a bit of simplification, mind. And I'd do wish they could implement the equivalent of "typeclasses", enabling recursive data structures.
It's share of developers has been growing since early 2013, when C++11 began to be widely available, and more recent revisions have apparently boosted its growth.
Rooting for others to fail instead of one's own success is a recipe for always being miserable. In this case it's also logically dubious, because we have no idea how C++ would work in a Linux kernel - it was never tried.
