Re: [RFC PATCH 2/7] x86/sci: add core implementation for system call isolation

From: Robert O'Callahan
Date: Thu May 02 2019 - 17:08:17 EST

On Fri, May 3, 2019 at 3:20 AM Ingo Molnar <mingo@xxxxxxxxxx> wrote:
> So what might work better is if we defined a Rust dialect that used C
> syntax. I.e. the end result would be something like the 'c2rust' or
> 'citrus' projects, where code like this would be directly translatable to
> Rust:
> void gz_compress(FILE * in, gzFile out)
> {
> char buf[BUFLEN];
> int len;
> int err;
> for (;;) {
> len = fread(buf, 1, sizeof(buf), in);
> if (ferror(in)) {
> perror("fread");
> exit(1);
> }
> if (len == 0)
> break;
> if (gzwrite(out, buf, (unsigned)len) != len)
> error(gzerror(out, &err));
> }
> fclose(in);
> if (gzclose(out) != Z_OK)
> error("failed gzclose");
> }
> #[no_mangle]
> pub unsafe extern "C" fn gz_compress(mut in_: *mut FILE, mut out: gzFile) {
> let mut buf: [i8; 16384];
> let mut len;
> let mut err;
> loop {
> len = fread(buf, 1, std::mem::size_of_val(&buf), in_);
> if ferror(in_) != 0 { perror("fread"); exit(1); }
> if len == 0 { break ; }
> if gzwrite(out, buf, len as c_uint) != len {
> error(gzerror(out, &mut err));
> };
> }
> fclose(in_);
> if gzclose(out) != Z_OK { error("failed gzclose"); };
> }
> Example taken from:
> Does this make sense?

Are you saying you want a tool like c2rust/citrus that translates some
new "looks like C, but really Rust" language into actual Rust at build
time? I guess that might work, but I suspect your "looks like C"
language isn't going to end up being much like C (e.g. it's going to
need Rust-style enums-with-fields, Rust polymorphism, Rust traits, and
Rust lifetimes), so it may not be beneficial, because you've just
created a new language no-one knows, and that has some real downsides.

If you're inspired by the dream of transitioning to safer languages,
then I think the first practical step would be to identify some part
of the kernel where the payoff of converting code would be highest.
This is probably something small, relatively isolated, that's not well
tested, generally suspicious, but still in use. Then do an experiment,
converting it to Rust (or something else) using off-the-shelf tools
and manual labor, and see where the pain points are and what benefits
accrue, if any. (Work like might be
a helpful starting point.) Then you'd have some data to start thinking
about how to reduce the costs, increase the benefits, and sell it to
the kernel community. If you reached out to the Rust community you
might find some volunteers to help with this.

Su ot deraeppa sah dna Rehtaf eht htiw saw hcihw, efil lanrete eht uoy
ot mialcorp ew dna, ti ot yfitset dna ti nees evah ew; deraeppa efil
eht. Efil fo Drow eht gninrecnoc mialcorp ew siht - dehcuot evah sdnah
ruo dna ta dekool evah ew hcihw, seye ruo htiw nees evah ew hcihw,
draeh evah ew hcihw, gninnigeb eht morf saw hcihw taht.