Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I always wondered if in practice it really checks out, is rust code really safer? Did the bugs just shift to different ones? Is there anyone who wrote about that already?


It's probably not quite equivalent but I believe Frederico & al found & fixed a number of issues when they converted librsvg to rust. You may want to check the archives on their blogs (IIRC it's split between Frederico's own and the librsvg one) for more, or specifics.

But "safe" rust at least intrinsically protects from use-after-free, double free, dangling pointers, null-pointer dereferences, out-of-bounds accesses, … You may still have logic bugs of course (though the richer type system expressivity also allows better static encoding of application & domain logic), but these baseline memory-safety issues will only be a problem in specific and tagged `unsafe` blocks rather than throughout the application.


While I do believe that rust will prevent many memory safety issues. I think you would probably catch a bunch of safety issues rewriting any code.


I think you would probably catch a bunch of safety issues rewriting any code.

As well as introduce new ones.


That's only if you rewrite "from the design" in a fresh repo.

If, on the other hand, you rewrite the code line by line from C to Rust (which Rust is actually quite amenable to!), faithfully translating the semantics of the C code into the Rust code (and thereby having to use lots of unsafe{} blocks) then you can avoid most of the problems—what you'll end up with will essentially be the same as what a hypothetical C-to-Rust transpiler would output.

Importantly, you can also translate the test suite in this same way.

After that step is done, you can just refactor the resulting code, replacing unsafe{} blocks with Rust idioms, and then rerunning the tests (which you can leave un-idiomatized) as regression tests.


Of course. I would suspect that with Rust you would introduce less new ones but I just wanted to point out that finding bugs isn't evidence that the language helped you out.

Even though I am a believer I would love to see some solid evidence of Rust making code safer.


All of the pointer issues you mentioned have already been solved in C++ by unique_ptr.


Good, now try to enforce developers to actually use it on their code and all third party libraries they link to.

Ah, and not passing it around by address or reference, instead of actually moving ownership.

C++17 is a great improvement, but for it to work out in this context, developers need to actually write C++ instead of "C with C++ compiler".


This is a silly argument. When evaluating whether to use a tool, you should consider how /you/ would use the tool, not how someone else does.


Yeah, it kind of works out in the ideal world where one works alone, writing 100% of the source code.


Right up until the moment you have third-party dependencies.


Pretty much only use-after-free and double-free of that list is truly solved by unique_ptr, which is great, but nothing like what you say:

- std::move out of a unique_ptr x and "*x" is a null pointer dereference,

- take a reference into a unique_ptr, and it becomes dangling if it is held after the pointer is deallocated,

- an T[N] array doesn't get bounds-checked whether or not it is stored in a std::unique_ptr (it is nice that it reduces the number of raw pointers flying around, which likely does reduce the number of out-of-bounds accesses, but it doesn't solve them)


Clang does a good number of warnings/errors on unique_ptr, and I'm not sure your first point is actually right - it tends to be pretty hard to use after move.

If you want to pay the cost of runtime array checking every time, an impl in operator[] is just a few lines long. Thankfully it is becoming more common to run programs under ASAN in dev mode.


It is trivial to use-after-move. The following compiles completely without warnings with the clang on my system (even with -Wall -Weverything), and segfaults:

  #include <memory>
  
  int main() {
    std::unique_ptr<int> p = std::make_unique<int>(0);
  
    std::unique_ptr<int> q(std::move(p));
  
    return *p;
  }
Maybe you mean it doesn't happen much in practice, which might be true (although, we need to be comparing use-after-move with use-after-free etc., which also don't happen that much, per line-of-code), but is a different point. The fact remains that unique_ptr doesn't solve use-after-move.

> If you want to pay the cost of runtime array checking every time, an impl in operator[] is just a few lines long

This is also a different point, and moving the goal posts.

In any case, which operator[] exactly? AFAIK, neither T[N] nor T* can have a custom operator[] (and getting the bounds of a raw pointer is essentially impossible), and none of the operator[]s of std::array nor std::vector nor std::span do bounds checking (sure, you can use ...::at for the first two, but you have to remember to do that everywhere, going against the default that pretty much every programming language uses).

> Thankfully it is becoming more common to run programs under ASAN in dev mode.

Yes, this is great! However, this is yet another different point, and it is orthogonal to modern C++ and its fancy new features like std::unique_ptr: C++98 code, and even C code benefit from ASan.


> I'm not sure your first point is actually right - it tends to be pretty hard to use after move.

    std::unique_ptr<int> foo(new int(10));
    
    void bar(int& x);
    
    int main() {
        bar(*foo);
        return 0;
    }
    
    void bar(int& x) {
        foo = std::unique_ptr<int>(new int(20));
        std::cout << x; // use after free
    }
No warnings on any warning level.


unique_ptr helps with one thing and one thing only: memory leaks.

The list you were responding to didn't include memory leaks.


The "safest" comment is mostly tongue-in-cheek, but the advantages are real. I enjoyed this comment from someone contributing to the project for the first time:

< barrbrain> atomnuker: I felt good when my patch was done and I had exactly what I set out to write.

< barrbrain> I didn't enjoy the compiler forcing me to fix all my bugs upfront.

There are also advantages other than safety to using a modern systems language that has learned something from the last 30 years of programming language design but doesn't come with all of the baggage of C++.


Having coded full-time in Swift for 2 years now, I can attest that strongly-typed languages really do a lot for code quality and especially reliability. Sure, you still have semantic bugs all over (that's what tests are for), but whole classes of bugs (null-pointer refs, dangling pointers) are at least greatly reduced. As long as I stay away from the no-nos (like implicitly unwrapped optionals) and use the goodies (immutable models; enums with attached values; generics), my apps hardly ever crash now, once out in the store.


>I always wondered if in practice it really checks out, is rust code really safer? Did the bugs just shift to different ones?

Bugs don't magically "shift". If you eliminate a class of bugs, it's gone (e.g. memory bugs).

Whether you can still have other bugs (e.g. logic bugs) that's irrelevant, you could still have those in C as well.


Or, the way you eliminated one class opens up or makes more likely a different class. Maybe avoiding pointers makes it more likely to introduce logic bugs. It could also make some algorithm too slow, which one could call a performance bug.

I don't think it's particular likely, but there are always trade-offs.


As proven by Ada, Modula-2 and a few other systems languages, you don't need to scatter pointer arithmetic all over your code to achieve the same machine language output.


>Bugs don't magically "shift".

It depends... You can’t have dangling pointers in Java - instead, you can “leak” memory by holding onto your objects even when they’re not needed anymore.


I don't think you are using "instead" correctly in that sentence.

You are implying that not being able to have dangling pointers in Java (and thus eliminating an entire category of bugs) inevitably leads to the new category of bugs of leaking memory by holding on to references. But that is the case in any language that allows dynamic memory allocation. You can leak memory in Rust, C++ and VB if you don't dealloc.


A program with more memory controlled by GC is generally going to have more leaks like that.

The switch reduces bugs some, and definitely reduces the severity, but I would largely put the bugs in the same category and say it hasn't been eliminated.


Part of my point would be that you can have that in C as well.


Yes, but not only Rust, rather any memory safe system programming language all the way back to ESPOL in 1961.

In those languages you have "Logic errors" to debug, in C and its direct descendants you have "Logic errors" + "UB errors" + "Memory corruption errors" to debug.

Also having the use of unsafe explicit in the type system, means that it is relatively easy to track down where such issues might occur, whereas in C every line of code can be a source of problems, depending on which compiler and flags are being used.

Again, this applies to all memory safe system programming language, not just Rust.

EDIT: Fixed the NEWP reference, as ESPOL came first and NEWP only replaced it in 1976.


>Yes, but not only Rust, rather any memory safe system programming language all the way back to ESPOL in 1961.

Yes, but now we're discussing only those that practically matter to more than 5 people today.


I bet Unisys MCP deployments still matter to more than 5 people.

Plus the point was to talk about safe systems programming languages in general.

Or should we ignore history just because UNIX won on the server?


What’s this “UNIX”? A Linux distribution?



His point is probably UNIX didn't won -- Linux did.


Linux is non-certified copy of UNIX, without POSIX it wouldn't matter in the marketplace, ergo UNIX won.


As you can see in the wild, nobody really cares about UNIX certification. Ergo, UNIX didn't win.


The fact is that the Linux kernel without the APIs copied from POSIX/UNIX and the userspace copied from UNIX is useless on the server space.

Of course we can play semantic games about the use of UNIX word, and GNU/Linux not sharing any code from either BSD or AT&T linage, it doesn't make it any less UNIX.

Had Linux not copied UNIX, and provided a playground for UNIX vendors kind of outsource their development costs, it would have turned out to yet another hobby OS.


NT had POSIX subsystem too.

What Linux (and NT POSIX to certain degree) allowed, was to move the existing investment in software from hodge-podge of mutually incompatible, but expensive UNIX systems, to somewhere else.


NT isn't a copy of UNIX, just because it had support for the first edition of POSIX, it goes beyond than that.

Starting by wanting to copy Minix, an educational OS that copied UNIX, getting the GNU tools on board (which goal was to copy UNIX), kernel architecture, device drivers subsystems, userland, culture, ....

My old stack of Linux Journal editions at home are pretty clear what the ongoing story was.

If NT was a copy of anything, it was VMS given Dave Cutler's contribution to its design.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: