After writing 100,000 lines of code, I wrote a long article roasting Rust
2022-07-02 19:41:00 【Novice learn Python】
Compiled by Heart of the Machine
Heart of the Machine editorial department
Is there a perfect programming language?
Rust is loved by many developers for its concurrency safety and has been rated the most popular programming language on several lists. However, after spending a lot of time writing 100,000 lines of Rust code, one developer has written a blog post setting out a series of shortcomings of the language. The main content of that post follows.
I studied Rust in depth in order to help improve the Xous operating system written by Xobs. Xous is a pure-Rust microkernel message-passing operating system, written for lightweight (IoT/embedded scale) security-first platforms (such as Precursor) and using an MMU for hardware-enforced, page-level memory protection.
Over the past year we have added many features to Xous, including networking (TCP/UDP/DNS), middleware graphics abstractions for modals and multilingual text, storage (in encrypted form), the PDDB, trusted boot, and a key management library.
We decided to write our own operating system instead of using an existing implementation such as SeL4, Tock, QNX or Linux, because we really want to know what every line of code in the device is doing. Linux in particular has such a large and dynamic source base that, even though it is open source, it is impossible to work through every line of code in its kernel. Xous therefore targets only our platform, to avoid unnecessary kernel complexity as far as possible.
Narrowing the scope also means we can take full advantage of the fact that the CPU runs in an FPGA. Xous therefore targets an unusual RV32-IMAC configuration: one with an MMU plus AES extensions.
Running in an FPGA means we can fix API errors at the hardware level, which keeps the kernel more compact. This is especially important for abstraction-busting processes such as suspend and resume from RAM.
When we created Xous we looked at many systems programming languages, and in the end Rust stood out. It was just beginning to support `no-std`, and it offered strong typing and memory safety along with good tooling and a young ecosystem. Personally I am a firm supporter of strongly typed languages, and memory safety not only benefits systems programming but also lets the optimizer generate better code; Rust is also built for concurrency.
In fact, I had hoped Precursor would have a CPU with support for tagged pointers and memory, similar to CHERI. We had some discussions with the CHERI team, but they are clearly very focused on C and do not have enough bandwidth to support Rust. Overall, C needs CHERI far more than Rust does, so their choice is a sensible prioritisation of resources. We do not use C, but for security reasons I hope that one day Rust will have hardware-enforced fat pointers.
However, Rust is by no means perfect, and it has even caused many problems in our development. Let me list Rust's shortcomings.
The syntax is messy and complex
I find Rust's syntax dense, heavy and hard to read, for example:
Trying::to_read::<&'a heavy>(syntax, |like| { this. can_be( maddening ) }).map(|_| ())?;
Simply put, the code above is roughly equivalent to calling a method named "to_read" on an object (actually a `struct`).
There are also macros and directives that do not follow Rust's syntax rules, yet still work:
#[cfg(all(not(baremetal), any(feature = "hazmat", feature = "debug_print")))]
What puzzles me most in the line above is the use of '=' to denote equivalence rather than assignment, because the content of a configuration directive is not Rust code; it is more like a completely separate meta-language.
As another example, Rust macros also have readability problems: even some Rust macros I wrote myself "just barely work".
A reliable language should not have these syntax problems.
Rust is really powerful. Its standard library includes HashMaps, Vecs, Threads and so on, and it is rich and highly usable. However, Rust's "std" library does not bring us any benefit in building an auditable code base.
Rust is not yet complete
While we were writing the Xous code, something new called "const generic" was introduced. Before that, Rust had no native ability to handle arrays of more than 32 elements, a limitation that was maddening.
While we were writing Xous, Rust features such as inline assembly and workspaces gradually matured, which meant we had to revisit code we had already written in order to integrate the critical initial boot code into the system we build.
The first year of Xous development was done with `no-std`, at the cost of a large memory footprint and high complexity. It is possible to write an operating system that uses only pre-allocated, statically sized data structures, but they must be sized for the worst-case number of elements, so we had to introduce some data structures of our own.
About a year ago, Xobs ported Rust's `std` library to Xous, which means we can access the heap in stable Rust. Xous is now tied to a specific version of Rust.
Fundamentally, the `std` library turns "unsafe" hardware constructs such as memory allocation and thread creation into "safe" Rust constructs.
However, I have to keep reminding myself that having the `std` library does not eliminate the risk of security vulnerabilities in critical code; it just moves a lot of critical code into the standard library.
Rust has a fixed update cycle, which means we must also update Xous regularly to stay compatible with the language.
But this may not be sustainable. Eventually we need to lock down the code base, and I do not have a clear exit strategy. Perhaps we could consider going back to `no-std` and using a stable `alloc` feature to access the heap. But then we would also need Vec, HashMap, Thread and the Arc/Mutex/Rc/RefCell/Box constructs, among others, for Xous to be coded efficiently.
Rust's worrying supply chain security
The installation instructions at rustup.rs contain the following code:
`curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh`
Users can download the script and inspect it before running it, which seems much better than vscode's Windows .MSI installer. However, this practice pervades the whole build ecosystem, and the possibility of software supply chain attacks launched through the crates.io ecosystem disturbs me.
Crates.io also has a typo-squatting problem, and it is hard to determine which crates are good or bad. Some crates with exactly the name a user would look for are abandoned and do not provide the required functionality, while actively maintained crates have to use less intuitive names. Of course, this is not a problem unique to Rust.
Another fact is that dependencies are chained. When you pull something in from crates.io, you also pull in all of that crate's transitive dependencies, along with all of their build.rs scripts, and these will eventually run on your machine. Reviewing only the crates explicitly listed in the Cargo.toml file is therefore not enough: you must also review every dependent crate for potential supply chain attacks.
Fortunately, Rust does let you pin crates to specific versions with the Cargo.lock file, and you can fully specify the dependent crates. In Xous we try to mitigate the problem by publishing our Cargo.lock file and pinning all of our first-order dependent crates to a minor revision.
However, most of our debugging and testing frameworks rely on some fairly fancy and complex crates, and these crates bring in a large number of dependencies. Even when I only run a build for our target hardware, the dependent crates and build.rs scripts that run on the host are still built.
In response, I wrote a small tool called "crate-scraper". It downloads the source package for each source specified in our Cargo.toml file and stores it locally, so that we have a snapshot of the code used to build a Xous release.
It also runs a quick "analysis": it searches for files named build.rs and collates them into a single file, so that I can grep through them quickly for obvious problems. Of course, manual review is not a practical way to detect cleverly disguised malware embedded in build.rs files, but it at least gives me a sense of the scale of the attack surface we are dealing with. The result is striking: we reviewed about 5700 lines of code from various third parties that manipulate files, directories and environment variables, and run other programs on my computer.
I am not sure whether there is a better solution to this problem, but if your goal is to build reliable firmware, be wary of Rust's extensive software supply chain attack surface.
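The build.rs inventory described above can be approximated with a short script. This is an added example, not the author's crate-scraper: it assumes the crate sources are already unpacked under one directory, its function names and pattern list are illustrative, and it goes slightly beyond the text by also following a `build = "..."` line in Cargo.toml, which lets a crate give its build script a name other than build.rs.

```sh
# Added example. PATTERN is an assumed starting list of host-touching Rust APIs
# used to prioritise manual review; it is not a malware detector.
PATTERN='Command::new|std::process|env::(var|set_var)|std::fs|fs::|File::(create|open)|std::net|TcpStream'

# list_build_scripts DIR: every file named build.rs, plus any file a crate
# names with a `build = "..."` line in its Cargo.toml (simple line match).
list_build_scripts() {
    {
        find "$1" -type f -name build.rs
        find "$1" -type f -name Cargo.toml | while IFS= read -r toml; do
            custom=$(sed -n 's/^build *= *"\([^"]*\)".*/\1/p' "$toml" | head -n 1)
            if [ -n "$custom" ] && [ -f "$(dirname "$toml")/$custom" ]; then
                printf '%s\n' "$(dirname "$toml")/$custom"
            fi
        done
    } | sort -u
}

# collate_build_scripts DIR OUT: concatenate all build scripts into OUT with a
# header line per file, so one grep or editor session covers all of them.
collate_build_scripts() {
    : > "$2"
    list_build_scripts "$1" | while IFS= read -r f; do
        { printf '//// %s\n' "$f"; cat "$f"; } >> "$2"
    done
}

# flag_build_scripts DIR: print "file:line:text" for each line matching PATTERN.
flag_build_scripts() {
    list_build_scripts "$1" | while IFS= read -r f; do
        grep -nE "$PATTERN" "$f" /dev/null || true
    done
}

count_scripts() { list_build_scripts "$1" | wc -l | tr -d ' '; }
count_flagged() { flag_build_scripts "$1" | wc -l | tr -d ' '; }

# Constructed sample tree (invented crates) so the script runs offline.
make_sample_tree() {
    d=$(mktemp -d) && mkdir -p "$d/alpha-1.0.0" "$d/beta-0.2.1/tools"
    printf 'fn main() { println!("cargo:rerun-if-changed=build.rs"); }\n' > "$d/alpha-1.0.0/build.rs"
    printf '[package]\nname = "beta"\nbuild = "tools/gen.rs"\n' > "$d/beta-0.2.1/Cargo.toml"
    printf 'use std::process::Command;\nfn main() {\n    let out = std::env::var("OUT_DIR").unwrap();\n    Command::new("cc").arg("--version").status().unwrap();\n    std::fs::write(format!("{out}/gen.rs"), "").unwrap();\n}\n' > "$d/beta-0.2.1/tools/gen.rs"
    printf '%s\n' "$d"
}
tree=$(make_sample_tree)
echo "$(count_scripts "$tree") build scripts, $(count_flagged "$tree") flagged lines"
rm -rf "$tree"
```

A flagged line is a prompt for reading, not a verdict: ordinary build scripts that invoke a C compiler or read `OUT_DIR` match the same patterns.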
Cannot reproduce other people's Rust builds
My last point about Rust is that a build made on one computer cannot be reproduced on another.
I think this is mainly because Rust includes the full path of the source code in the debug strings built into the binary. This has led to some bad situations: for example, our builds succeeded on Windows but failed on Linux, because the path names are very different, which causes some memory objects to shift around in target memory.
To be fair, these failures were due to bugs in Xous, and those bugs have been fixed. However, eventually some users will report to us that the build cannot be reproduced, because the paths on their build systems differ from ours.
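A check for the path leakage described above, as an added example that is not from the original post: it reports which build-host path prefixes occur in a compiled artifact. The function names, host paths and sample bytes are constructed for illustration; `remapped.bin` stands in for a build made with rustc's `--remap-path-prefix FROM=TO` option, which rewrites such prefixes at compile time.

```sh
# Added example: detect build-host paths baked into a compiled artifact.

# printable_strings FILE: one printable run of 4+ characters per line
# (a portable stand-in for the `strings` utility).
printable_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}' || true
}

# path_hits FILE PREFIX: number of printable runs in FILE containing PREFIX,
# e.g. the builder's workspace directory or cargo registry directory.
path_hits() {
    printable_strings "$1" | grep -cF -- "$2" || true
}

# leaked_prefixes FILE PREFIX...: print each given prefix that occurs in FILE;
# the exit status is 0 only when none of them does.
leaked_prefixes() {
    file=$1; shift; rc=0
    for p in "$@"; do
        if [ "$(path_hits "$file" "$p")" -gt 0 ]; then
            printf '%s\n' "$p"; rc=1
        fi
    done
    return "$rc"
}

# Constructed stand-ins for builds of the same source on different hosts:
# identical bytes except for the embedded source path (not real rustc output).
make_sample_artifacts() {
    d=$(mktemp -d)
    printf '\177ELF\001\000panicked at \000/home/alice/xous/src/main.rs\000\001' > "$d/linux.bin"
    printf '\177ELF\001\000panicked at \000C:\\Users\\bob\\xous\\src\\main.rs\000\001' > "$d/windows.bin"
    printf '\177ELF\001\000panicked at \000/build/src/main.rs\000\001' > "$d/remapped.bin"
    printf '%s\n' "$d"
}

dir=$(make_sample_artifacts)
leaked_prefixes "$dir/linux.bin" /home/alice 'C:\Users\bob' || echo "host paths leaked"
rm -rf "$dir"
```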
Finally, despite all the complaints listed here, if we could do it all over again, Rust would still be a strong contender for the language we use to build Xous. I have completed many large projects in C, Python and Java, and all of them ended up carrying "increasing technical debt", whereas Rust lets us avoid these problems.