Re: The Case for Rust (in the base system)

From: David Chisnall <theraven_at_FreeBSD.org>
Date: Wed, 31 Jul 2024 15:46:27 UTC

On 31 Jul 2024, at 16:40, Alan Somers <asomers@FreeBSD.org> wrote:
> 
> * ctld: while working on some bugs in ctld, I had trouble
> understanding the config file parsing.  So I rewrote that part in
> Rust, just to help my understanding.  Later, I rewrote the XML
> parsing, too.  Then I rewrote the LUN creation and deletion, just to
> see how hard it would be.  All of those parts take about 5x fewer SLOC
> in Rust than in C, and they're less buggy, too.  Config file parsing
> is more consistent, no memory leaks, etc.  Alas, I'm not planning to
> finish this project, since the base system doesn't allow Rust and ctld
> is too tightly coupled to ctl to live in ports.

C is absolutely terrible for parsing on any metric (even C++ lets you write parsers in a fraction of the code and with fewer bugs).  It’s one of the places where Rust provides some very easy wins:

 - Lifetimes are easy to reason about in parsers; they fit well into Rust’s ownership model because the input is a stream and the output is a tree.
 - Parsers, by definition, are part of your attack surface because they’re taking data from outside.

Replacing parsers with Rust (or something like EverParse) has a very high security return relative to the investment of effort.

David
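
Added example (not part of the original message, and not code from ctld or from either author): a Rust parser for a simplified, line-based block syntax loosely modelled on ctl.conf, illustrating the lifetime point above. The tree borrows every string from the input, and malformed or over-nested input is returned as an error. The grammar and the names `Node`, `ParseError`, `parse` and `MAX_DEPTH` are assumptions made for illustration.

```rust
// Added example: simplified ctl.conf-like grammar (an assumption, not ctld's
// real one). One statement per line; "words {" opens a block, "}" closes it.
#[derive(Debug, PartialEq)]
pub struct Node<'a> {
    pub words: Vec<&'a str>, // slices of the input, no copies
    pub children: Vec<Node<'a>>,
}
#[derive(Debug, PartialEq)]
pub enum ParseError { StrayBrace(usize), TooDeep(usize), UnclosedBlock } // usize: 1-based line
const MAX_DEPTH: usize = 8; // cap nesting so untrusted input cannot build an arbitrarily deep tree

pub fn parse<'a>(input: &'a str) -> Result<Vec<Node<'a>>, ParseError> {
    // stack[0] collects top-level nodes; each further entry collects the
    // children of a block that is still open.
    let mut stack: Vec<Vec<Node<'a>>> = vec![Vec::new()];
    for (i, line) in input.lines().enumerate() {
        let n = i + 1;
        let line = line.split('#').next().unwrap_or(""); // '#' starts a comment (simplification)
        let mut words: Vec<&'a str> = line.split_whitespace().collect();
        let last = match words.last() { Some(w) => *w, None => continue }; // skip blank lines
        let opens = last == "{" && words.len() > 1;
        let closes = last == "}" && words.len() == 1;
        if opens { words.pop(); }
        // A brace anywhere else ("lun 0{", "} x", a bare "{") is rejected, not guessed at.
        if !closes && words.iter().any(|w| w.contains(|c: char| c == '{' || c == '}')) {
            return Err(ParseError::StrayBrace(n));
        }
        if closes {
            if stack.len() == 1 {
                return Err(ParseError::StrayBrace(n)); // "}" with no open block
            }
            let children = stack.pop().unwrap();
            // Invariant: the header of the open block is the last node one level up.
            stack.last_mut().unwrap().last_mut().unwrap().children = children;
            continue;
        }
        if opens && stack.len() > MAX_DEPTH {
            return Err(ParseError::TooDeep(n));
        }
        stack.last_mut().unwrap().push(Node { words, children: Vec::new() });
        if opens {
            stack.push(Vec::new());
        }
    }
    if stack.len() != 1 {
        return Err(ParseError::UnclosedBlock);
    }
    Ok(stack.pop().unwrap())
}
```

Because `Node<'a>` holds `&'a str` slices, the compiler rejects any use of the tree after the input buffer is dropped, which is the class of dangling-pointer bug a hand-written C parser has to avoid by convention.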