Re: The Case for Rust (in any system)
- Reply: Alan Somers : "Re: The Case for Rust (in any system)"
- In reply to: Alan Somers : "Re: The Case for Rust (in any system)"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 06 Sep 2024 21:07:11 UTC
Alan Somers wrote in <CAOtMX2gK23KxBXyFFFWt09sV00D8+HHui3tX4chtACi+OmzVaw@mail.gmail.com>: |On Thu, Sep 5, 2024 at 4:51 PM Steffen Nurpmeso <steffen@sdaoden.eu> wrote: .. |> ske-89@pkmab.se wrote in |> <202409052313.aa18097@berenice.pkmab.se>: |>|Alan Somers <asomers@freebsd.org> wrote: |>|> In fact, of all the C bug fixes that I've been involved with (as |>|> either author or reviewer) since May, about three quarters could've |>|> been avoided just by using a better language. |>|... |>|> To summarize, here's the list of this week's security advisories, and |>|> also some other recent C bug fixes of my own involvement: |>| |>|After checking several of these examples, I'm wondering what the code |>|would have looked like in some "better language", where those bugs would |>|have been avoided? |> |> Examples. I find the absolute opposite after checking four. ... |I'm having trouble following your English, but you seem to be missing |the point. The point is not whether the bugs can be fixed in C; of |course they can, after all we just did. The point is that safe |programming languages make it nearly impossible to create the bugs in |the first place. For example, a language that uses RAII everywhere |makes it nearly impossible to allocate a structure without |initializing it. Nearly impossible to leak memory, too. C++ also has automatic constructors. Scoped instances get automatically destructed, too. (To me this is all horrors, including Stroustrup's very own, iirc, first-time-init-switch injection (aka inject instances of a class via .h into each compilation unit where they are used), as you then get those linker sections dtor and fini etc etc. You know all that.) Yes, you know all that. No, so no, and then, i have not looked, a lot of the errors stem from optimization away things until you really really know, and this then leads to logical errors. That of course goes away with "RAII" (referring to that commit "of yours"). But i note that RAII can require more object states, possibly new object members even to be able to differentiate them, even though that could be not more than a bit. (And that possibly all the way up to a super object in case of "real object" hierarchies.) More data all along the path, i have definetely seen that. In C++ .. and plain C, but not automatically there, of course. *I* am happy that i do not have to go Rust, i do not like it; then rather C# (i had to go JAVA ~26 years ago). But in fact i do like the blood sweat and tears of raw C without any help, no automatic ctors, dtors, etc etc. I only feel sorry for things like what PHK just said, or what Dennis Ritchie famously said in 1988. The ISO C standard is a real mess, despite all the misses (struct aligning, packing, even endian layout (oh!); bit enumerations (henceforth totally shot to death since members of different enums may no longer be used together in | etc operators, leaving you with only preprocessor possibilities for bit flags .. or a tremendous number of casts) noted already, desasters like static_assert pre-C23; ISO C++ should always simply have been built upon ISO C imho, and the C++ static_assert was sane from the start. And so forth. But some basic types could be mentioned as well, now that you have mentioned Vec<u8>. Ie, monks have to (work work work and) carefully and consciously rake the sea into the gravel as a kind of contemplation. Slow food and such that is. And that is a goal i like. Ok business is the other thing, they will finally abolish life on earth for sure, that was known 170 years ago already, but *you* have to make a living, i understand that. And in a rapid application development environment, surely already or soon also AI-assisted, with module-drag-and-plug and live-compilation, this seems strange .. and surely is. Yet -- in such an environment, there are plenty of hints and tools to prevent errors like surely that strnlen() thing. You do not need Rust for that, in my opinion, i would think you need a good utility library with graceful test coverage, and strictly stick to usage of such tested utilities when you program your own thing. New ISO C23 even has integer overflow functions. Today the new TZ came into FreeBSD, which introduced bugs because it replaced its built-in functions which provided the same facilities (correctly) with usage of those. |>|/Kristoffer Eriksson |> --End of <202409052313.aa18097@berenice.pkmab.se> |> |> In support for that swedish hm virgin, yes, sweden is not a clean |> country for sure. | |Again, I don't know what you mean. But it looks like a personal |attack to me. Please try to keep your discourse on the public mailing |lists respectful. I cannot understand how you come to the conclusion the above was addressed to you; it referred for example to the attached picture. |-Alan --End of <CAOtMX2gK23KxBXyFFFWt09sV00D8+HHui3tX4chtACi+OmzVaw@mail.gmail\ .com> --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)