Rust Translation
Imported from
_research/manual-study-linux/rust-translation.md.
Rust Translation Guide
This document captures Linux implementation lessons that can shape a Rust-first operating system or runtime. Every claim should point back to a source note once the related file is reviewed.
Translation Rules
- Prefer Rust ownership and lifetime boundaries over direct C pattern copying.
- Translate operation tables into traits only when dynamic dispatch is actually part of the model.
- Keep unsafe boundaries narrow, named, and documented.
- Treat Linux locking and RCU patterns as concurrency contracts before choosing Rust primitives.
- Preserve subsystem separations even if Rust modules make tighter coupling convenient.
Initial Translation Questions
- Which Linux objects map to
Arc, owned handles, borrowed guards, or arenas? - Which Linux operation tables should become traits, enums, or explicit command dispatch?
- Where does a Rust kernel need pinning, intrusive collections, or custom allocators?
- Which C global registries should become typed registries with capability checks?
- How should async/deferred work interact with scheduler and interrupt boundaries?
Pending Track Notes
Kernel API Boundary
Use a single Rust kernel/runtime crate as the membrane around raw platform bindings. New low-level capabilities should enter through audited wrappers, not direct FFI calls from product subsystems.
Evidence: file-notes/linux__rust__kernel__lib.rs.md.
Initialization Typestates
Keep ordinary initialization separate from pinned in-place initialization. For kernel objects, model states such as uninitialized allocation, unique initialized object, pinned unique object, and shared pinned object as distinct types where practical.
Evidence: file-notes/linux__rust__kernel__lib.rs.md,
file-notes/linux__rust__kernel__sync__arc.rs.md.
Ownership Handle Set
A Rust kernel needs at least three ownership surfaces for shared objects:
shared pinned ownership, borrowed refcount-capable access, and unique
pre-publication ownership. Arc, ArcBorrow, and UniqueArc provide the
pattern.
Evidence: file-notes/linux__rust__kernel__sync__arc.rs.md.
Context-Sensitive Task APIs
Separate ambient/current task access from durable task references. A
CurrentTask-style type should be non-thread-safe and scoped to the active
task context, while durable handles should explicitly hold a reference.
Evidence: file-notes/linux__rust__kernel__task.rs.md.
Process Creation Builder
Translate copy_process into a staged Rust builder with RAII cleanup guards
and explicit commit points. Avoid a direct line-by-line port of the C function;
preserve the staged validation/copy/publish/wake lifecycle.
Evidence: file-notes/linux__kernel__fork.c.md.
Typed Runqueue Guards
Model per-CPU runqueues as typed objects whose access requires a lock guard. The guard should encode whether the runqueue is locked, pinned, and operating with interrupts/preemption disabled. Scheduler methods should accept the guard type they require instead of relying on comments.
Evidence: file-notes/linux__kernel__sched__sched.h.md,
file-notes/linux__kernel__sched__core.c.md.
Scheduler Class Traits
Translate struct sched_class into a sealed trait or static vtable only where
runtime class dispatch is needed. The trait surface should preserve Linux’s
events: enqueue, dequeue, wakeup preemption, balance, pick, put previous, set
next, CPU selection, migration, tick, fork, death, and class-change hooks.
Evidence: file-notes/linux__kernel__sched__sched.h.md,
file-notes/linux__Documentation__scheduler__sched-design-CFS.rst.md.
Fair Scheduler Data Structures
A Rust fair scheduler needs scheduling entities with virtual runtime, lag, deadline, and slice state. EEVDF requires an ordered/augmented queue; use an arena-backed or intrusive tree deliberately rather than ordinary collections that hide lifetime and pointer stability costs.
Evidence: file-notes/linux__kernel__sched__fair.c.md,
file-notes/linux__Documentation__scheduler__sched-eevdf.rst.md.
RT And Deadline Admission Types
Static-priority RT scheduling should pair priority queues with explicit runtime budget state. Deadline scheduling should construct validated reservation types where runtime, deadline, and period invariants are checked before admission. Throttled and replenishment states should be part of the entity model.
Evidence: file-notes/linux__kernel__sched__rt.c.md,
file-notes/linux__kernel__sched__deadline.c.md,
file-notes/linux__Documentation__scheduler__sched-rt-group.rst.md,
file-notes/linux__Documentation__scheduler__sched-deadline.rst.md.
Context Switch Unsafe Boundary
Keep the architecture register/stack switch as a narrow unsafe boundary. The surrounding phases should remain typed and auditable: pre-switch accounting, memory-map switching, barrier obligations, lock handoff, post-switch cleanup, and dead-task reference release.
Evidence: file-notes/linux__kernel__sched__core.c.md.
Address Space And VMA Types
Translate Linux memory state into separate Rust types: AddressSpace,
Vma, FaultContext, FaultResult, PageTableWalker, and PteLocked.
VMA flags should be opaque bitflags with controlled mutation APIs. A fault
handler should not be able to mutate page tables unless it holds the typed
page-table lock guard.
Evidence: file-notes/linux__include__linux__mm_types.h.md,
file-notes/linux__include__linux__mm.h.md.
Fault Handling State Machine
The fault path should be a state machine rather than a monolithic unsafe function. States should encode VMA locked, page-table level allocated, PTE locked, folio locked, COW page allocated, and PTE installed. Retry and drop-lock outcomes must invalidate borrowed VMA handles.
Evidence: file-notes/linux__mm__memory.c.md.
Typed Slab Caches
Use validated SlabCache<T> handles for repeated kernel objects. Creation
should encode size, alignment, accounting, usercopy region, merge policy, and
RCU teardown behavior. Destruction should require proof that no live objects
remain or be explicitly unsafe.
Evidence: file-notes/linux__mm__slab_common.c.md,
file-notes/linux__Documentation__core-api__memory-allocation.rst.md.
AI Contribution Metadata
Treat AI provenance as structured metadata separate from human certification. Do not let tool-generated changes forge human sign-off.
Evidence: file-notes/linux__Documentation__process__coding-assistants.rst.md.