Re: The Case for Rust (in any system)
- Reply: Joe Schaefer : "Re: The Case for Rust (in any system)"
- In reply to: Pat Maddox: "Re: The Case for Rust (in any system)"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 13 Sep 2024 00:18:18 UTC
-Werror, valgrind, coverity, fuzzers, etc. CI is a thing. On Thu, Sep 12, 2024 at 7:59 PM Pat Maddox <pat@patmaddox.com> wrote: > I think you have those reversed. > > I would say that a compiler that notifies you of errors is more empathetic > than one that doesn't, inasmuch as the compiler's designers' empathy is > expressed through the tool. > > Knowing that we will write errors and can benefit from automated checks > expresses humility to me. > > The safety net of such checks allows us to explore new ideas. > > C's "don't want memory errors? don't write none" approach is clearly more > hostile and requires strict adherence to the rules. > > Pat > > On Thu, Sep 12, 2024, at 4:07 PM, Joe Schaefer wrote: > > On the other hand, it is foolish to expect a programming language > > itself to be more thoughtful and wise than the engineers who need to > > solve a computational problem in the here and now. > > > > It’s like banking on building an empire based on process enforcement, > > civility, diversity of preferred quota stereotypes, and obedience; > > instead of empathy, humility, diversity of thought, and ingenuity. > > > > Rust is in the former camp; C the latter. All progress in this fad > > based universe leads to the same joy-free outcome of forever changing > > our toolchain to keep up with industry norms that treat professionalism > > in computer engineering as a market commodity. > > On Thu, Sep 12, 2024 at 3:52 AM David Chisnall <theraven@freebsd.org> > > wrote: > >> On 12 Sep 2024, at 00:14, Alan Somers <asomers@freebsd.org> wrote: > >> > > >> > "Memory safety == restrictive training wheels" is just a common > >> > misconception. > >> > >> It’s worth thinking about why programming languages exist. Any modern > language is Turing complete. In terms of what can be expressed, there is no > difference between Rust, C, and C++. The important thing is that there is > an infinite set of possible programs and a finite set of desirable > programs. The goal of a programming language is to make it easier to > express programs in the set of desirable programs than ones that are not in > that set. Sometimes this is skewed away from specific sets. > >> > >> The reason that we care so much about memory-safety bugs is that they > allow an attacker to step completely outside of the abstract machine of the > program. Unless you embed an interpreter/ compiler in your program, > memory-safety bugs are about the only way that an attacker can get > arbitrary code execution in your program. The kind of bug where an attacker > provides a specially crafted file / blob of network data and then runs code > on your machine is typically the worst thing that can happen. > >> > >> Rust, in particular, skews towards making programs with memory-safety > bugs much harder to represent. You can still do it, by using unsafe or > relying on unsoundness in the type system as cve-rs does, but you have to > try hard. > >> > >> I consider that a desirable property in a language. I don’t have to > think about whether I’ve made these bugs impossible (and, remember, > WannaCry cost billions of dollars and depended on a single memory-safety > bug), I get that for free and I can focus on other things. > >> > >> David > >> > >> >