Google Brings Rust into Chromium Project
Google is now supporting third-party Rust libraries from C++ in the Chromium project.
Writing on the Google Security blog, Dana Jansens says that, to start, the team is adding a production Rust toolchain to its build systems. Rust code will appear in the Chrome binary within the following year.
It’s a big deal for Google to add Rust libraries to Chromium. It follows deep investments by Microsoft and Amazon Web Services into Rust programming. A note that Jansens makes clear: Google is not necessarily supporting Rust itself, but third-party Rust libraries.
Caution comes through in the tone of Jansens’ post. The team is starting “slow” and will be selective about the third-party libraries it considers.
Mozilla originally developed Rust, a type-safe language. Microsoft and Amazon Web Services have invested in Rust. What this says about Mozilla is, in some respects, pretty straightforward. Rust is a success. But otherwise, there’s a certain degree of uncertainty about Firefox, with its dwindling market share.
Google is adopting Rust libraries for two significant reasons: the move is expected to help speed development and improve security in Chromium. On development speed, Jansens cites less code to write, fewer design docs, and fewer security reviews. On security, it’s the opportunity to increase the number of lines of code without memory safety bugs and at the same time decrease the code’s bug density.
Some will remain skeptical of the shift due to, for example, the introduction of new bugs. Lolinder writes on Hacker News:
“Rewriting in Rust is not necessarily a good idea for any given project, and Google is almost certainly not going to be proactively rewriting large amounts of Chrome in Rust any more than Mozilla is.
The reason is that bugs exist primarily in new code, not code that has been untouched for a long time. While you may solve some latent memory issues by rewriting in Rust, you will likely introduce new regressions, which may be much worse. Focusing on writing your unique code in the safe language makes much more sense and gradually migrating things only when they require a substantial rewrite anyway.”
But other Hacker News commentators gave credit to the Chromium team. As one Google veteran stated: “This is a really good thing, and having been through this in other Google projects, a sincere congratulations to the folks who demonstrated the tenacity to keep pushing forward despite both I’m sure a lot of genuine hard questions being asked, and a lot of fud. This outcome will be good for users in the long run.”
Jansens writes that interop will be supported in just one direction “for now,” from C++ to Rust. Interestingly, Google is investing in Crubit, an “extremely” experimental C++/Rust bidirectional tool. The top contributors are Google engineers.
Rust and C++ draw on different concepts that affect interoperability. How these differences get remedied will depend in some respects on how the interop is modeled, so the two languages can at least understand their similarities or untenable differences.
Notably, most interop between Rust and C++ results from narrowly defined APIs, again showing how serious a challenge Google faces with interoperability. The narrowness is needed due to the differences in the languages.
Jansens writes: “For example, Rust guarantees temporal memory safety with static analysis that relies on two inputs: lifetimes (inferred or explicitly written) and exclusive mutability. The latter is incompatible with how the majority of Chromium’s C++ is written.”
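As an added illustration of the narrow, one-directional C++-to-Rust boundary described above (not Chromium code and not from Jansens’ post; the function names and the record format are hypothetical): the only unsafe surface is one C-ABI function that borrows bytes for the length of the call and returns a plain integer, so no Rust lifetime or exclusivity rule has to be expressed on the C++ side.

```rust
// Added example, not Chromium code. Names and record format are hypothetical.
use std::slice;

/// Safe core: sums the payload lengths of length-prefixed records
/// (one length byte, then that many payload bytes).
/// Returns None if a record claims more bytes than remain.
fn total_payload_len(input: &[u8]) -> Option<usize> {
    let mut rest = input; // shared borrow: nothing may mutate `input` while we read
    let mut total = 0usize;
    while let Some((&len, tail)) = rest.split_first() {
        let len = len as usize;
        if tail.len() < len {
            return None; // truncated record: rejected instead of reading out of bounds
        }
        total += len;
        rest = &tail[len..];
    }
    Some(total)
}

/// The single function C++ would call. Borrowed bytes in, integer out; no
/// pointer is kept after return. Returns -1 for null or malformed input.
/// A real build would also export it unmangled with `#[no_mangle]`
/// (`#[unsafe(no_mangle)]` in edition 2024).
///
/// # Safety
/// `data` must point to `len` readable bytes that nothing else writes
/// during the call. This is the exclusivity rule the Rust compiler cannot
/// check across the language boundary, so the caller has to uphold it.
pub unsafe extern "C" fn records_total_payload_len(data: *const u8, len: usize) -> i64 {
    if data.is_null() {
        return -1;
    }
    // The one unsafe step: turn the raw pointer into a bounds-checked slice.
    let bytes = unsafe { slice::from_raw_parts(data, len) };
    match total_payload_len(bytes) {
        Some(n) => n as i64,
        None => -1,
    }
}

fn main() {
    let buf = [2u8, 0xAA, 0xBB, 1, 0xCC]; // constructed sample: two records
    let n = unsafe { records_total_payload_len(buf.as_ptr(), buf.len()) };
    println!("total payload bytes: {n}");
}
```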