zlacker

[return to "“Rust is safe” is not some kind of absolute guarantee of code safety"]
1. dureui+Jg[view] [source] 2022-10-02 16:02:55
>>rvz+(OP)
Hmmm, the linked email is not providing a lot of context, so surely I'm missing something, but there's something I definitely don't understand: is there not a third option between stopping the whole kernel on an error or allowing an incorrect result?

Maybe my misunderstanding comes from my ignorance of the kernel's architecture, but surely there's a way to segregate operations in logical fallible tasks, so that a failure inside of a task aborts the task but doesn't put down the entire thing, and in particular not a sensitive part like kernel error reporting? Or are we talking about panics in this sensitive part?

Bubbling up errors in fallible tasks can be implemented using panic by unwrapping up to the fallible task's boundary.

To my understanding this is exactly what any modern OS does with user space processes?

I always have the hardest of time in discussions with people advocating for or against that "you should stop computations on an incorrect result". Which computations should you stop? Surely, we're not advocating for bursting the entire computer into flames. There has to be a boundary. So, my take is to start defining the boundaries, and yes, to stop computations up to these boundaries.

◧◩
2. garaet+1x[view] [source] 2022-10-02 17:28:44
>>dureui+Jg
>and in particular not a sensitive part like kernel error reporting

Things like "kernel error reporting" doesn't exist as discrete element. Sure, you might decide to stop everything and only dump log onto earlycon, but running with serial cable to every system that crashed would be rather annoying. For all kernel knows, the only way to get something to the outside world might be through USB Ethernet adapter and connection that is tunneled by userspace TUN device, at which point essentialy whole kernel must continue to run.

◧◩◪
3. dureui+vG[view] [source] 2022-10-02 18:22:31
>>garaet+1x
> Things like "kernel error reporting" doesn't exist as discrete element.

I'm not familiar with kernel development in general or Linux in particular. I would have expected there to be an error reporting subsystem, so that if a given subsystem fails the failure is reported to the error reporting subsystem (which hopefully exposes a more modern interface than serial cable), but this might be naive on my part.

> For all kernel knows, the only way to get something to the outside world might be through USB Ethernet adapter and connection that is tunneled by userspace TUN device, at which point essentialy whole kernel must continue to run

Again I'm missing context on this discussion. For all I know this could be an error originating with a driver, since rust support for Linux is for driver development now. It would make sense to me that an error in the GPU driver doesn't prevent the ethernet driver to report the bug

◧◩◪◨
4. wtalli+yM[view] [source] 2022-10-02 19:01:16
>>dureui+vG
There are plenty of platforms for which the available logging options are to either keep the whole network stack running, or get out the soldering iron to attach a serial port to unpopulated headers. So a "more modern interface" often isn't available, or has enough dependencies on the rest of the kernel that it's impossible to encapsulate into an error reporting subsystem that is at all self-contained.
[go to top]