Most active commenters
  • gpm(3)

←back to thread

OpenVMM – A New VMM for Windows and Linux, Written in Rust

(github.com)
171 points g0xA52A2A | 12 comments | 17 Oct 24 05:42 UTC | HN request time: 0.957s | source | bottom
Show context
low_tech_love ◴[17 Oct 24 09:40 UTC] No.41867927[source]
I find it interesting that every single piece of software that was ever written in Rust always mentions that very proudly in its title. It's not something I see often with other programming languages (most software is just software and doesn't necessarily advertise the language it was built with). I do not know anything about Rust, so I'm just curious, does this confer a kind of underlying trustworthiness or quality to the application?
replies(23): >>41867986 #>>41867995 #>>41868011 #>>41868016 #>>41868179 #>>41868202 #>>41868225 #>>41868314 #>>41868501 #>>41868526 #>>41868534 #>>41868587 #>>41868610 #>>41869045 #>>41869046 #>>41869095 #>>41869111 #>>41869302 #>>41869373 #>>41869409 #>>41869596 #>>41869606 #>>41869834 #
1. sirwhinesalot ◴[17 Oct 24 09:52 UTC] No.41867995[source]
Due to Rust's safety guarantees there's a perception that software written in Rust is automatically safer than software written in its direct competitors C and C++.

This is not necessarily true, you can write unsafe Rust code and you can write safe C++ code, but it does seem to hold in practice that the guardrails imposed by Rust help quite a bit in stopping devs from making really stupid mistakes.

That would be the "thrustworthiness" implied by the use of Rust.

replies(2): >>41869017 #>>41871340 #
2. bitexploder ◴[17 Oct 24 12:28 UTC] No.41869017[source]
And a VMM is going to require a lot of unsafe rust code. There are strategies to minimize it to make that surface easier to audit, but it is not a panacea for systems programming gremlins.
replies(4): >>41869197 #>>41869220 #>>41869321 #>>41869496 #
3. sirwhinesalot ◴[17 Oct 24 12:51 UTC] No.41869197[source]
No question, just pointing out where the *perceived* trustworthiness comes from. If it helps for something like a VMM it's a whole other story. Marketing gimmick.
4. monocasa ◴[17 Oct 24 12:53 UTC] No.41869220[source]
A paravisor actually doesn't really need that much.
5. nicce ◴[17 Oct 24 13:08 UTC] No.41869321[source]
It is manager, not runner. Does it require that much unsafe?
replies(1): >>41870291 #
6. Ygg2 ◴[17 Oct 24 13:30 UTC] No.41869496[source]
It's not unsafe that causes unsafety, it's how you wield it.

- Do you know your invariants?

- Have you documented them?

- If using unsafe block, have you asserted them or guaranteed that they hold for any input?

Granted, Rust is kind of mediocre at teaching you this. It raises warning for unsafe fn without safety documentation block, but not when omittin safety comments in unsafe blocks.

replies(1): >>41870384 #
7. gpm ◴[17 Oct 24 14:58 UTC] No.41870291{3}[source]
Out of 413,842 non-empty lines of rust code in the repository (including comments) there are 2006 instances of "unsafe", 255 of which are of the form "unsafe_" (definitely not unsafe blocks, mostly of the form #![forbid(unsafe_code)] which is an instruction to the linter to forbid unsafe blocks in the module) leaving slightly less than 1751 unsafe blocks. (Still counting comments, and type signature annotations on function pointers, and so on, but most of those 1751 will be actual unsafe blocks. A block can of course be multiple lines of code).

I don't really know what a VMM consists of, so I'm mostly surprised that this project is half a million lines of code.

replies(1): >>41870957 #
8. gpm ◴[17 Oct 24 15:08 UTC] No.41870384{3}[source]
For what it's worth, clippy has an optional lint to detect undocumented unsafe blocks: https://rust-lang.github.io/rust-clippy/master/index.html#un...

Edit: And it turns out it's enabled as a warning in this repo.

9. estebank ◴[17 Oct 24 16:08 UTC] No.41870957{4}[source]
For this kind of analysis, https://github.com/geiger-rs/cargo-geiger comes in handy.
replies(1): >>41871160 #
10. gpm ◴[17 Oct 24 16:30 UTC] No.41871160{5}[source]
Yeah, I tried that before resorting to just using `rg`, unfortunately this issue prevents it from working: https://github.com/geiger-rs/cargo-geiger/issues/523
11. kstrauser ◴[17 Oct 24 16:50 UTC] No.41871340[source]
For myself only, there's also an implication that perhaps the authors are a bit more concerned with safety and security in general. (Don't reply with counterexamples. I know them already. I mean that as a trend, not a solid rule.) That is, the sort of person who might pick Rust for its features might correlate with the sort of person who cares more about those properties in the first place. That doesn't mean they're experts who can execute the ideas flawlessly, or that someone slogging in C couldn't carefully built the same project. I do think it means they're more likely to prioritize safety (yes, it's not 100% safe; yes, you can write insecure code in Rust; don't "correct" me) as an inherent design goal than maybe someone cranking it out in assembler.
replies(1): >>41872593 #
12. hulitu ◴[17 Oct 24 18:50 UTC] No.41872593[source]
> For myself only, there's also an implication that perhaps the authors are a bit more concerned with safety and security in general. (Don't reply with counterexamples. I know them already. I mean that as a trend, not a solid rule.) That is, the sort of person who might pick Rust for its features might correlate with the sort of person who cares more about those properties in the first place

I haven't seen any causation between SW and their creator. A good example: Hans Reiser.