Re: The Case for Rust (in any system)

From: Steffen Nurpmeso <steffen_at_sdaoden.eu>
Date: Fri, 06 Sep 2024 21:07:11 UTC
Alan Somers wrote in
 <CAOtMX2gK23KxBXyFFFWt09sV00D8+HHui3tX4chtACi+OmzVaw@mail.gmail.com>:
 |On Thu, Sep 5, 2024 at 4:51 PM Steffen Nurpmeso <steffen@sdaoden.eu> wrote:
 ..
 |> ske-89@pkmab.se wrote in
 |>  <202409052313.aa18097@berenice.pkmab.se>:
 |>|Alan Somers <asomers@freebsd.org> wrote:
 |>|> In fact, of all the C bug fixes that I've been involved with (as
 |>|> either author or reviewer) since May, about three quarters could've
 |>|> been avoided just by using a better language.
 |>|...
 |>|> To summarize, here's the list of this week's security advisories, and
 |>|> also some other recent C bug fixes of my own involvement:
 |>|
 |>|After checking several of these examples, I'm wondering what the code
 |>|would have looked like in some "better language", where those bugs would
 |>|have been avoided?
 |>
 |> Examples.  I find the absolute opposite after checking four.
 ...
 |I'm having trouble following your English, but you seem to be missing
 |the point.  The point is not whether the bugs can be fixed in C; of
 |course they can, after all we just did.  The point is that safe
 |programming languages make it nearly impossible to create the bugs in
 |the first place.  For example, a language that uses RAII everywhere
 |makes it nearly impossible to allocate a structure without
 |initializing it.  Nearly impossible to leak memory, too.

C++ also has automatic constructors.  Scoped instances get
automatically destructed, too.  (To me this is all horrors,
including Stroustrup's very own, iirc, first-time-init-switch
injection (aka inject instances of a class via .h into each
compilation unit where they are used), as you then get those
linker sections dtor and fini etc etc.   You know all that.)
Yes, you know all that.

No, so no, and then, i have not looked, a lot of the errors stem
from optimization away things until you really really know, and
this then leads to logical errors.  That of course goes away with
"RAII" (referring to that commit "of yours").  But i note that
RAII can require more object states, possibly new object members
even to be able to differentiate them, even though that could be
not more than a bit.  (And that possibly all the way up to a super
object in case of "real object" hierarchies.)  More data all along
the path, i have definetely seen that.  In C++ .. and plain C, but
not automatically there, of course.

*I* am happy that i do not have to go Rust, i do not like it;
then rather C# (i had to go JAVA ~26 years ago).
But in fact i do like the blood sweat and tears of raw C without
any help, no automatic ctors, dtors, etc etc.  I only feel sorry
for things like what PHK just said, or what Dennis Ritchie
famously said in 1988.  The ISO C standard is a real mess, despite
all the misses (struct aligning, packing, even endian layout
(oh!); bit enumerations (henceforth totally shot to death since
members of different enums may no longer be used together in | etc
operators, leaving you with only preprocessor possibilities for
bit flags .. or a tremendous number of casts) noted already,
desasters like static_assert pre-C23; ISO C++ should always simply
have been built upon ISO C imho, and the C++ static_assert was
sane from the start.  And so forth.  But some basic types could be
mentioned as well, now that you have mentioned Vec<u8>.

Ie, monks have to (work work work and) carefully and consciously
rake the sea into the gravel as a kind of contemplation.  Slow
food and such that is.  And that is a goal i like.
Ok business is the other thing, they will finally abolish life on
earth for sure, that was known 170 years ago already, but *you*
have to make a living, i understand that.  And in a rapid
application development environment, surely already or soon also
AI-assisted, with module-drag-and-plug and live-compilation, this
seems strange .. and surely is.  Yet -- in such an environment,
there are plenty of hints and tools to prevent errors like surely
that strnlen() thing.  You do not need Rust for that, in my
opinion, i would think you need a good utility library with
graceful test coverage, and strictly stick to usage of such tested
utilities when you program your own thing.

New ISO C23 even has integer overflow functions.  Today the new TZ
came into FreeBSD, which introduced bugs because it replaced its
built-in functions which provided the same facilities (correctly)
with usage of those.

 |>|/Kristoffer Eriksson
 |>  --End of <202409052313.aa18097@berenice.pkmab.se>
 |>
 |> In support for that swedish hm virgin, yes, sweden is not a clean
 |> country for sure.
 |
 |Again, I don't know what you mean.  But it looks like a personal
 |attack to me.  Please try to keep your discourse on the public mailing
 |lists respectful.

I cannot understand how you come to the conclusion the above was
addressed to you; it referred for example to the attached picture.

 |-Alan
 --End of <CAOtMX2gK23KxBXyFFFWt09sV00D8+HHui3tX4chtACi+OmzVaw@mail.gmail\
 .com>

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)