Date: Thu, 12 Sep 2024 21:33:59 -0400
From: Joe Schaefer <joesuf4@gmail.com>
To: Pat Maddox <pat@patmaddox.com>
Cc: David Chisnall <theraven@freebsd.org>, Alan Somers <asomers@freebsd.org>, Chris <bsd-lists@bsdforge.com>, Warner Losh <imp@bsdimp.com>, FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: The Case for Rust (in any system)
Message-ID: <CAOzHqcJ0rOR4CoL84WgZQNcgY2G9vuiHccE4XT_otJ2R51KJ3Q@mail.gmail.com>
In-Reply-To: <CAOzHqc+fakrYQkdPSORYvChFL1JNtLZAS3AQM0GpJ0Em0cCgpw@mail.gmail.com>
References: <CAOtMX2g_om8mW-xB855LNOHa8C0T5X0WtgMPc0TTr6TwiMEicw@mail.gmail.com> <A9A99648-EA30-4C63-A88B-3E9CC7CCFF35@freebsd.org> <CAOzHqc+y_NO9BG2ZAoKr9oA7iWU25nNFT1-y2Ug1+JZoCMpMSQ@mail.gmail.com> <b0d17cd4-e5af-41a1-8b50-df5f43989258@app.fastmail.com> <CAOzHqc+fakrYQkdPSORYvChFL1JNtLZAS3AQM0GpJ0Em0cCgpw@mail.gmail.com>
I just completed a month long project to port a C++ codebase that used
vectors for array allocations back to using C's calloc. For a 15% increase
in memory footprint, batch jobs that took three days to complete now finish
in 10-12 hours.

That's what professional engineering is about- making tradeoffs to delight
customers and save money on cloud compute.

What you guys go on about is high school drama club debate.

On Thu, Sep 12, 2024 at 8:18 PM Joe Schaefer <joesuf4@gmail.com> wrote:

> -Werror, valgrind, coverity, fuzzers, etc. CI is a thing.
>
> On Thu, Sep 12, 2024 at 7:59 PM Pat Maddox <pat@patmaddox.com> wrote:
>
>> I think you have those reversed.
>>
>> I would say that a compiler that notifies you of errors is more
>> empathetic than one that doesn't, inasmuch as the compiler's designers'
>> empathy is expressed through the tool.
>>
>> Knowing that we will write errors and can benefit from automated checks
>> expresses humility to me.
>>
>> The safety net of such checks allows us to explore new ideas.
>>
>> C's "don't want memory errors? don't write none" approach is clearly more
>> hostile and requires strict adherence to the rules.
>>
>> Pat
>>
>> On Thu, Sep 12, 2024, at 4:07 PM, Joe Schaefer wrote:
>> > On the other hand, it is foolish to expect a programming language
>> > itself to be more thoughtful and wise than the engineers who need to
>> > solve a computational problem in the here and now.
>> >
>> > It's like banking on building an empire based on process enforcement,
>> > civility, diversity of preferred quota stereotypes, and obedience;
>> > instead of empathy, humility, diversity of thought, and ingenuity.
>> >
>> > Rust is in the former camp; C the latter. All progress in this fad
>> > based universe leads to the same joy-free outcome of forever changing
>> > our toolchain to keep up with industry norms that treat professionalism
>> > in computer engineering as a market commodity.
>> > On Thu, Sep 12, 2024 at 3:52 AM David Chisnall <theraven@freebsd.org>
>> > wrote:
>> >> On 12 Sep 2024, at 00:14, Alan Somers <asomers@freebsd.org> wrote:
>> >> >
>> >> > "Memory safety == restrictive training wheels" is just a common
>> >> > misconception.
>> >>
>> >> It's worth thinking about why programming languages exist. Any modern
>> >> language is Turing complete. In terms of what can be expressed, there
>> >> is no difference between Rust, C, and C++. The important thing is that
>> >> there is an infinite set of possible programs and a finite set of
>> >> desirable programs. The goal of a programming language is to make it
>> >> easier to express programs in the set of desirable programs than ones
>> >> that are not in that set. Sometimes this is skewed away from specific
>> >> sets.
>> >>
>> >> The reason that we care so much about memory-safety bugs is that they
>> >> allow an attacker to step completely outside of the abstract machine
>> >> of the program. Unless you embed an interpreter/compiler in your
>> >> program, memory-safety bugs are about the only way that an attacker
>> >> can get arbitrary code execution in your program. The kind of bug where
>> >> an attacker provides a specially crafted file / blob of network data
>> >> and then runs code on your machine is typically the worst thing that
>> >> can happen.
>> >>
>> >> Rust, in particular, skews towards making programs with memory-safety
>> >> bugs much harder to represent. You can still do it, by using unsafe or
>> >> relying on unsoundness in the type system as cve-rs does, but you have
>> >> to try hard.
>> >>
>> >> I consider that a desirable property in a language. I don't have to
>> >> think about whether I've made these bugs impossible (and, remember,
>> >> WannaCry cost billions of dollars and depended on a single memory-safety
>> >> bug), I get that for free and I can focus on other things.
>> >>
>> >> David
>> >>
>> >>
>> >