this post was submitted on 19 Mar 2024
145 points (92.9% liked)

Programming

17454 readers
139 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]



founded 1 year ago
MODERATORS
145
submitted 8 months ago* (last edited 8 months ago) by [email protected] to c/[email protected]
 

Python is memory safe? Can't you access/address memory with C bindings?

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 108 points 8 months ago (3 children)

Python is memory safe? Can't you access/address memory with C bindings?

You can do that in basically any language. Rust even has the ability to break out of its safeguards and write unsafe Rust code.

"Memory safety" in this context is more about the defaults and how easy it is to write unsafe code accidentally.

[–] [email protected] 32 points 8 months ago

Obligatory link to the Rustonomicon.

Should you wish a long and happy career of writing Rust programs, you should turn back now and forget you ever saw this book.

[–] [email protected] 31 points 8 months ago (6 children)

Unsafe Rust really just let's you play with pointers

This is the entirety of what Unsafe Rust allows

  • Dereference a raw pointer
  • Call an unsafe function or method
  • Access or modify a mutable static variable
  • Implement an unsafe trait
  • Access fields of unions
[–] [email protected] 17 points 8 months ago* (last edited 8 months ago) (3 children)

I'm still onboard with rust as being better than C, however...

My understanding is that it is considerably harder to correctly write unsafe rust than it is to correctly write c, because if you accidentally violate any of safe rust's guaranteed invariants in an unsafe block, things go bananas.

[–] [email protected] 22 points 8 months ago

That's true in C as well, though. This is what people mean when they say things like "undefined behavior can result in time travel".

The difference is twofold:

  • Rust's rules for valid unsafe code are not completely formalized yet. This means that there are open questions about whether particularly complex patterns in unsafe code will be guaranteed by future versions of the compiler to be sound. Conversely, the C and C++ spec are generally sufficient to determine whether any particular piece of code has undefined behavior, even if actually analyzing it to find out is not possible automatically using existing static analysis tools.
  • Because safe Rust is so strict about what it permits, the compiler is able to make more aggressive optimizations; in theory, this could indeed cause undefined behavior to be "worse" at runtime than a comparable situation in a globally-unsafe language. I'm unaware of any actual examples of that phenomenon, though.
[–] [email protected] 9 points 8 months ago* (last edited 8 months ago) (12 children)

Yes Rust is harder to write than C, that's basically by design as it's due to the statically guaranteed memory safety. That's pretty magical. C doesn't have that and neither does C++ even with smart pointers and such. Rusts unsafe keyword is poorly named, what it actually does is tell the compiler that you the programmer guarantee Rusts rules are upheld within the unsafe block.

For example

Access or modify a mutable static variable

That is a global, that's incredibly hard to impossible to statically prove it's safely done, so you have to do it in an unsafe block. So you violating Rusts rules within an unsafe block is actually using the unsafe block wrong. That's not what it's for

load more comments (12 replies)
[–] [email protected] 8 points 8 months ago

That depends a lot on how you define "correct C".

It is harder to write rust code than C code that the compiler will accept. It is IMHO easier to write rust code than to write correct C code, in the sense it only uses well defined constructs defined in the C standard.

The difference is that the rust compiler is much stricter, so you need to know a lot about details in the memory model, etc. to get your code past the compiler. In C you need the same knowledge to debug the program later.

load more comments (5 replies)
[–] [email protected] 57 points 8 months ago (4 children)

Mr Stroustrup can spin it however he likes, but 70% of CVEs are caused by memory errors in unsafe languages like C and C++. That isn't happening because the majority of their devs are idiots. The language is the problem.

Talking about "but there are tools" and "hold on a minute, there a ways to write safe C++" is missing. It's way too easy to write memory unsafe code in C++. The opposite is true of other languages and that's why they are being recommended (dare I say pushed) over C++. To write memory unsafe Rust for example, you really, really have to want to.

C++ is his baby, Of course he won't acknowledge it and it was entirely predictable he would blame the programmers. The language will be the equivalent of COBOL in a decade or two.

CC BY-NC-SA 4.0

[–] [email protected] 36 points 8 months ago

If "just don't be an idiot" worked in the real world we wouldn't have any need for laws or safety regulations or certifications. It's not and never has been a compelling argument.

Writing C++ is like walking around a construction site without a hard hat and going "ah I don't need it, I'll just make sure nothing falls on my head." Yeah sure, buddy, we'll make sure that's written on your tombstone.

load more comments (3 replies)
[–] [email protected] 49 points 8 months ago* (last edited 8 months ago) (4 children)

$100 says his response boils down to "just don't write unsafe code"

Edit: It did. He also said C++ is working to implement optional safety features, but tl;dr:

Of the billions of lines of C++, few completely follow modern guidelines

And the modern guidelines are mostly an unenforced list of things not to do.

[–] [email protected] 22 points 8 months ago

doesnt enforce memory safety damn all these stupid devs dont know how to write memory-safe code!!!

[–] [email protected] 19 points 8 months ago (3 children)

Even following the guidelines, modern C++ is just a huge pile of half-finished ideas. It goes pretty well for the first few hundred lines of code, and then you hit a very basic problem where the solution is "yes this will work great in C++26, if the proposal doesn't get delayed again".

load more comments (3 replies)
[–] [email protected] 8 points 8 months ago

$100 says his response boils down to "just don't write unsafe code"

Edit: It did. He also said C++ is working to implement optional safety features, but tl;dr:

Of the billions of lines of C++, few completely follow modern guidelines

Pretty sure this is a No true Scotsman moment. (I've always wanted to bring this fallacy up but I never knew when lol)

load more comments (1 replies)
[–] [email protected] 38 points 8 months ago (1 children)

I'm not a Rust developer (yet), but I understand its strength in this regard as: Rust is statically memory safe by default, and code which isn't statically memory safe must be declared with the unsafe keyword. Whereas C++ has not deprecated C-style pointers, and so a C engineer can easily write unsafe C code that's valid in a C++ compiler, and no declaration of its unsafeness is readily apparent to trigger an audit.

It's nice and all that C++ pioneered a fair number of memory safety techniques like SBRM, but the debate now is about safety by default, not optional bolt-on safety. All agree that the overall process to achieve correct code is paramount, not just the language constructs.

[–] [email protected] 38 points 8 months ago (5 children)

It's also just a huge fallacy. He's saying that people just choose to not write memory safe code, not that writing memory safe code in C/C++ is almost impossible. Just look at NASA's manual for writing safe C++ code. It's insanity. No one except them can write code that's safe and they've stripped out half the language to do so. No matter how hard you try, you're going to let memory bugs through with C/C++, while Rust and other memory safe languages have all but nullified a lot of that.

[–] [email protected] 21 points 8 months ago* (last edited 8 months ago) (4 children)

As someone who is in the aerospace industry and has dealt with safety critical code with NASA oversight, it's a little disingenuous to pin NASA's coding standards entirely on attempting to make things memory safe. It's part of it, yeah, but it's a very small part. There are a ton of other things that NASA is trying to protect for.

Plus, Rust doesn't solve the underlying problem that NASA is looking to prevent in banning the C++ standard library. Part of it is DO-178 compliance (or lack thereof) the other part is that dynamic memory has the potential to cause all sorts of problems on resource constrained embedded systems. Statically analyzing dynamic memory usage is virtually impossible, testing for it gets cost prohibitive real quick, it's just easier to blanket statement ban the STL.

Also, writing memory safe code honestly isn't that hard. It just requires a different approach to problem solving, that just like any other design pattern, once you learn and get used to it, is easy.

load more comments (4 replies)
[–] [email protected] 9 points 8 months ago (1 children)
[–] [email protected] 24 points 8 months ago* (last edited 8 months ago) (2 children)
[–] [email protected] 9 points 8 months ago (5 children)

That first link is about a document from 2006, while C++ became a lot safer with C++11 in 2011. It's much easier to write safe C++ now, if you follow current guidelines:

https://isocpp.github.io/CppCoreGuidelines/

load more comments (5 replies)
load more comments (1 replies)
load more comments (3 replies)
[–] [email protected] 37 points 8 months ago (1 children)

Why wait and hope for C++ to get where modern languages are now? I know there's value in the shared experience in C++ that if adapted would make it stronger, but I can only see a development of C++ having to force a drop of a lot of outdated stuff to even get started on being more suitable.

But the language is just not comfortable to me. From large amounts of anything creating undefined behavior, the god awful header files which I hate with a passion, tough error messages and such. I also met a fun collision of C++ in Visual Studio and using it with CMake in CLion.

I've just started looking at rust for fun, and outside not understanding all the errors messages with the bounded stuff yet, figuring out what type of string I should use or pass, and the slow climb up the skill curve, it's pretty nice. Installing stuff is as easy as copy pasting the name into the cargo file!

Rust is just the prospective replacement of C++ though, people act like the White house said that C++ should be replaced by rust now. But the just recommend it and other languages, C# will do for a lot of people that does not need the performance and detail that the aforementioned languages target. Python is targeting a whole different use, but often combined with the faster ones.

C++ will live a long time, and if the popularity dies down it will surely be very profitable to be a developer on the critical systems that use it many years from now. I just don't think an evolution of C++ is going to bring what the world needs, particularly because of the large amount of existing memory related security vulnerabilities. If things were good as they are now, this recommendation would not be made to begin with.

[–] [email protected] 15 points 8 months ago

I totally agree with this comment, and on top of that I would recommend anyone who really cares about the current state of affairs regarding safety in C++ to read this overview: https://accu.org/journals/overload/32/179/teodorescu/

Quote:

Personally, I am not convinced that in the near future, C++ can do something to stop this trend. C++ will leak talent to other languages (currently Rust, but perhaps in the future to Cppfront, Carbon, Hylo or Swift). If the progress towards safety started in 2015 as Bjarne suggested, the last 8 years have seen very little progress in safety improvements. Even with accelerated efforts, the three-year release cycle and slow adoption of new standards will keep C++ a decade away from addressing major safety concerns.

[–] [email protected] 31 points 8 months ago (1 children)

He can get mad all he likes but there's a reason the Linux kernel's experiment with rust is going much smoother than C++ (which only lasted a literal week btw)

[–] [email protected] 28 points 8 months ago (5 children)

Biden administration seems oblivious of the strengths of contemporary C++

Well ok, but the concern is about the weaknesses, Mr. Stroustrup.

[–] [email protected] 5 points 8 months ago* (last edited 8 months ago)

Stroustrup to congress: "You expect me to talk?"
Congress: "No, Mr Stroustup, we expect your language to DIE!"

load more comments (4 replies)
[–] [email protected] 14 points 8 months ago

I'd love to see Bjarne Stroustrup being grilled by Congress about this, and have to explain shared pointers and reference counting to the same people who didn't understand how Facebook made money.

[–] [email protected] 12 points 8 months ago* (last edited 8 months ago) (1 children)

TLDR: But-hurt C++ dev has a hard time accepting that his favorite language is not memory safe.

[–] [email protected] 15 points 8 months ago (2 children)

C++ is leagues above C in this regard. He's rightly upset that they're lumping the two together.

Bjarne's work for safety profiles could indeed manifest in a solution that guarantees memory safety; time will tell. C++ is a moving target.

[–] [email protected] 13 points 8 months ago (1 children)

C++ is leagues above C in this regard.

It's really not. It has the same flaws, some libraries that promise to avoid them (as long as you don't hold them wrong - what every single programmer does), and lots and lots of new flaws that may come from anywhere.

load more comments (1 replies)
[–] [email protected] 9 points 8 months ago* (last edited 8 months ago)

That depends on how you decide which bucket something gets thrown into.

The C++ community values things like the RAII and other features that developers can use to prevent classes of bugs. When that is you yard-stick, then C and C++ are not in one bucket.

These papers are about memory safety guarantees and not much else. C and C++ are firmly in the same bucket according to this metric. So they get grouped together in these papers.

[–] [email protected] 7 points 8 months ago (6 children)

So how fucked am I for starting to learn cpp as my first language, or is this a later down the road thing to worry about?

[–] [email protected] 9 points 8 months ago

If you can write correct C++ you'll be able to write Rust code that compiles first time. Don't stress, you're learning the good stuff.

[–] [email protected] 8 points 8 months ago

So how fucked am I for starting to learn cpp as my first language, or is this a later down the road thing to worry about?

I don't see why you should be concerned, except that no professional software developer is limited to use one specific programming language.

Even if you pay attention to the disaster prophets in the crowd, which are mainly comprised of fanboys implicitly and explicitly promoting their pet language/frameworks, C++ dominates all aspects of the computing ecosystem, which means that in the very least the whole world needs to maintain existing C++ projects to continue to work. See COBOL for reference.

[–] [email protected] 5 points 8 months ago

Ah that's an easy one - what would you like to do?

My first uh... "language" was bourne shell. Not because I thought it was a cool language, but because that's what let me do things I wanted to do at the time: automate heaps of Linux, BSD stuff.

There are heaps of libraries and applications where C++ is the choice e.g. video games. My friend is great at Javascript because he loves web browser tech.

Don't stress - have fun! :)

load more comments (2 replies)
[–] [email protected] 7 points 8 months ago

The Rust lobby has reached the white house. In other news...

load more comments
view more: next ›