Smart pointers for the kernel

Original Article ↗ Hacker News Discussion ↗

Scope of unsafe in Rust vs C

  • Several commenters argue Rust’s big win is that only small, explicit unsafe regions can cause memory unsafety, whereas in C the entire codebase is effectively “unsafe.”
  • Others stress that this is still a social contract: you must trust that low-level libraries and unsafe blocks are written correctly, similar to C, but now the trust boundary is explicit and auditable.
  • There is pushback against marketing narratives like “Rust is perfectly safe” and “C is completely dangerous”; critics say Rust greatly reduces risk but does not eliminate it.

Auditing, invariants, and blast radius

  • Pro‑Rust comments say you can usually localize memory‑safety audits to unsafe blocks and the modules that encapsulate them, which is a massive reduction in surface area compared to C.
  • Skeptics emphasize that bugs can arise from interactions between unsafe and surrounding “safe” logic (e.g., integer overflow that violates invariants assumed by unsafe code), so you must also reason about the safe code that affects those invariants.
  • A recurring theme: the “bomb” may be planted in a tiny unsafe region, but its effects can surface far away; accountability still lies with the unsafe implementation.

Marker traits, Pin, and smart pointers

  • The Pin/smart-pointer discussion is framed as another example of using unsafe marker traits (like Send/Sync) to specify who is responsible for upholding invariants.
  • Making a trait unsafe to implement is described as a way to shift blame clearly: if a type lies about satisfying an invariant (e.g., a hypothetical “always indexable <100” trait), the bug is on the implementer, not the safe caller.

Limits of Rust’s guarantees

  • Commenters note Rust still allows memory leaks and logical race conditions; “no data races” is about a specific, formal definition.
  • Some mention that unsafe Rust can be harder to get right than C/C++, and soundness rules can evolve, implying occasional re‑audits.
  • There is curiosity and some concern about the status of formal soundness proofs for Rust’s type system, with references to ongoing research and roadmaps.

Kernel and embedded context

  • Some argue kernel developers should deeply understand low-level hardware, regardless of language, and worry about developers who rely on abstractions without that grounding.
  • Others counter that Rust is already useful in embedded and kernel contexts, and can mitigate the impact of the historically low quality of some C drivers.