Experiences Building an OS in Rust

117 pointsby jaxonduover 9 years ago

9 comments

zokierover 9 years ago

I haven't yet read the paper proper but this statement surprised me a little:> In particular, ownership has forced us to avoid concurrency in the kernel and include more code than we would have liked in the TCB.One of the strong points of Rust and its owenership system is that it allows writing concurrent code with greater confidence. I would have hoped that it'd encourage rather than discourage using concurrency.

评论 #10323257 未加载

评论 #10323358 未加载

steveklabnikover 9 years ago

The Reddit thread and the users.r-l.o thread have insightful posts: <a href="https://www.reddit.com/r/rust/comments/3nauhy/experiences_building_an_os_in_rust_feedback/" rel="nofollow">https://www.reddit.com/r/rust/comments/3nauhy/experiences_bu...</a> <a href="https://users.rust-lang.org/t/rfc-and-paper-experiences-building-an-os-in-rust/3110/2" rel="nofollow">https://users.rust-lang.org/t/rfc-and-paper-experiences-buil...</a>

twicover 9 years ago

The "new hardware protection mechanism called MPU available on some new ARM Cortex-M microcontrollers" is a device which lets the operating system define up to eight memory regions (sixteen on the M7), optionally with holes in them. In each region, permissions can be set for read, write, and execute, and the policy for cacheing and sharing between cores can be controlled (although this is presumably not really relevant for single-core microcontrollers).<a href="http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0553a/BIHJJABA.html" rel="nofollow">http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc....</a><a href="https://blog.feabhas.com/2013/02/setting-up-the-cortex-m34-armv7-m-memory-protection-unit-mpu/" rel="nofollow">https://blog.feabhas.com/2013/02/setting-up-the-cortex-m34-a...</a>It's a bit like a normal MMU bit without virtual memory.

评论 #10325108 未加载

评论 #10324702 未加载

kibwenover 9 years ago

Quoting the great feedback from Gankro on Reddit:Discussing this on Twitter/IRC:* Wants const size_of closures (for statically allocating that many bytes). We just need RFC #1245 to get implemented (it has been accepted), and for someone to mark the size_of intrinsic as a const fn. However this might get into the weeds pretty bad since "size" is handled by trans (LLVM even). Dunno those details.* Shared mutability of hardware registers should be able to be soundly handled by Cell.This leaves the big issue:The kernel has been architected as a single "main" thread, and a bunch of interrupt handling threads. All the interrupt-handling threads do is enqueue a message for the main thread to handle. The main thread then drives all the drivers off of this queue, so they all run on one thread. However they want to do some shared mutable stuff. In particular, I think they want closures that close over the same value mutably? RefCell isn't particularly acceptable because crashing is Super Bad, and they would like to avoid runtime checks anyway. They just found out about Cell, so it might work, but they seem to think this wouldn't be right.You can make Cells pretty fine-grained. You can also consider /u/SimonSapin's proposed extension to Cell which has a replace method for non-Copy types so you could replace (say) an arbitrary Cell<Option<T>> with None temporarily through a shared reference.Alternatively, it might be possible to manually thread the shared mutable state since it's all being driven by some top-level event-loop (as far as I can tell). This was actually an old std pattern: <a href="https://doc.rust-lang.org/0.11.0/std/collections/hashmap/struct.HashMap.html#method.find_with_or_insert_with" rel="nofollow">https://doc.rust-lang.org/0.11.0/std/collections/hashmap/str...</a> (the A is "shared" closed state).Interested to hear more about the finer details of the shared mutable state!

f_over 9 years ago

There was a recent HN topic here on the redox-os[0] which is written in Rust (and heavy WIP). It did actually use a lot of unsafe, though.[0] <a href="https://github.com/redox-os/redox" rel="nofollow">https://github.com/redox-os/redox</a>

com2kidover 9 years ago

As someone who works on the innards of a cooperative multitasking embedded OS for a living, I am sick and tired of C and C++.Closures is a huge one. Everything is async in HW land, an interrupt fires and calls you when data is ready, so doing a read looks like<pre><code> MyOpInitialFunction() { // Business Logic AsyncReadFromFlash(sDataBuffer, sizeOfBuff, sizeToRead MyOpFirstCallback, contextVar); } MyOpFirstCallback(byte* dataBuf, size_t sizeRead, void* context) { //Business logic, use data read in some how AsyncReadFromFlash(sDataBuffer, sizeOfBuff, sizeToRead MyOpSecondCallback, contextVar); } MyOpSecondCallback(byte* dataBuf, size_t sizeRead, void* context) // and so on and so forth </code></pre> It gets boring really fast. The system has a nice DMA controller that we use a lot, so a similar pattern exists for copying large chunks of data around.You can actually implement a variant of closures in C using Macros, and right now the entire team wishes we had done that! (It isn't hard, in embedded land you have complete memory control, you can just memcopy the entire stack down to a given known location and memcopy it back to resume!)Rust has a lot of features that are really useful for embedded, the problem is that it is going to be a long time, if ever, that the embedded world switches over.Embedded systems tend to have very little code space, so efficiency of generated code is a must. LLVM and even GCC aren't as efficient as ARM's (horribly overpriced, feature lacking) compilers. The one thing ARM's compilers do though is minimize code space, and they do a very good job at it.The other issue is that any sort of language run time is questionable. Even the C Run Time is typically not included in embedded (teams opt out of using it), if you want printf you typically write whatever subset of printf functionality you want!Oddly enough memory safety is not a real issue, though slightly better buffer overrun protection than what we get from static analysis would be nice!Consumers hand over a destination buffer to Producers, who return it in a callback. Because of the above async pattern, the consumer isn't even running until the data is ready.That's solved 99% of our issues. :) (If you want someone else's data, you ask for it and get it passed in a buffer you provide!)

评论 #10325284 未加载

评论 #10325262 未加载

wyldfireover 9 years ago

This is valuable feedback. It's great that Rust has been so receptive, making changes where appropriate.

评论 #10324293 未加载

nickpsecurityover 9 years ago

There's been quite a bit of work at securing embedded systems with safer languages (esp Java) or MPU's (esp smartcards). Gemalto's EAL7 JavaCard work, MULTOS, IBM's Caernarvon... all made stuff to enforce strong protection w/ similarly, rough constraints. Usually no MPU although some smartcards had them with some public data on design or proper usage. I recommend the authors dig up stuff on systems like that to find strategies for countering various issues.Most that I saw handle resource and security decisions via type system, safe transformations to bytecode, and safe handling of that. Fast paths are sometimes implemented in assembler with safety put into HLL or VM interface to that... if vendor felt like it. (shakes head) Where this didn't work, there were coding rules or frameworks for carefully designing and decomposing the system to manually prevent/catch issues. Most do all of this on development machine with target system just blindly accepting or trusted booting a signed binary representing system or apps. Cuz what else can you do with such constraints... (shrugs)Far as specific hardware or Rust issues, I can't help as I don't work with those.

acconstaover 9 years ago

Basic question — when you're writing a kernel in Rust with its own threading implementation, how does the rust compiler even know what threads are? It has to identify thread boundaries for send/sync, right?

评论 #10325619 未加载