Date:      Thu, 12 Sep 2024 21:33:59 -0400
From:      Joe Schaefer <joesuf4@gmail.com>
To:        Pat Maddox <pat@patmaddox.com>
Cc:        David Chisnall <theraven@freebsd.org>, Alan Somers <asomers@freebsd.org>, Chris <bsd-lists@bsdforge.com>, Warner Losh <imp@bsdimp.com>, FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject:   Re: The Case for Rust (in any system)
Message-ID:  <CAOzHqcJ0rOR4CoL84WgZQNcgY2G9vuiHccE4XT_otJ2R51KJ3Q@mail.gmail.com>
In-Reply-To: <CAOzHqc%2BfakrYQkdPSORYvChFL1JNtLZAS3AQM0GpJ0Em0cCgpw@mail.gmail.com>
References:  <CAOtMX2g_om8mW-xB855LNOHa8C0T5X0WtgMPc0TTr6TwiMEicw@mail.gmail.com> <A9A99648-EA30-4C63-A88B-3E9CC7CCFF35@freebsd.org> <CAOzHqc%2By_NO9BG2ZAoKr9oA7iWU25nNFT1-y2Ug1%2BJZoCMpMSQ@mail.gmail.com> <b0d17cd4-e5af-41a1-8b50-df5f43989258@app.fastmail.com> <CAOzHqc%2BfakrYQkdPSORYvChFL1JNtLZAS3AQM0GpJ0Em0cCgpw@mail.gmail.com>


I just completed a month-long project to port a C++ codebase that used
vectors for array allocations back to using C's calloc. For a 15% increase
in memory footprint, batch jobs that took three days to complete now finish
in 10-12 hours.

That's what professional engineering is about: making tradeoffs to delight
customers and save money on cloud compute.

What you guys go on about is high school drama club debate.

On Thu, Sep 12, 2024 at 8:18 PM Joe Schaefer <joesuf4@gmail.com> wrote:

> -Werror, valgrind, coverity, fuzzers, etc. CI is a thing.
>
> On Thu, Sep 12, 2024 at 7:59 PM Pat Maddox <pat@patmaddox.com> wrote:
>
>> I think you have those reversed.
>>
>> I would say that a compiler that notifies you of errors is more
>> empathetic than one that doesn't, inasmuch as the compiler's designers'
>> empathy is expressed through the tool.
>>
>> Knowing that we will write errors and can benefit from automated checks
>> expresses humility to me.
>>
>> The safety net of such checks allows us to explore new ideas.
>>
>> C's "don't want memory errors? don't write none" approach is clearly more
>> hostile and requires strict adherence to the rules.
>>
>> Pat
>>
>> On Thu, Sep 12, 2024, at 4:07 PM, Joe Schaefer wrote:
>> > On the other hand, it is foolish to expect a programming language
>> > itself to be more thoughtful and wise than the engineers who need to
>> > solve a computational problem in the here and now.
>> >
>> > It’s like banking on building an empire based on process enforcement,
>> > civility, diversity of preferred quota stereotypes, and obedience;
>> > instead of empathy, humility, diversity of thought, and ingenuity.
>> >
>> > Rust is in the former camp; C the latter.  All progress in this fad
>> > based universe leads to the same joy-free outcome of forever changing
>> > our toolchain to keep up with industry norms that treat professionalism
>> > in computer engineering as a market commodity.
>> > On Thu, Sep 12, 2024 at 3:52 AM David Chisnall <theraven@freebsd.org>
>> > wrote:
>> >> On 12 Sep 2024, at 00:14, Alan Somers <asomers@freebsd.org> wrote:
>> >> >
>> >> > "Memory safety == restrictive training wheels" is just a common
>> >> > misconception.
>> >>
>> >> It’s worth thinking about why programming languages exist. Any modern
>> language is Turing complete. In terms of what can be expressed, there is no
>> difference between Rust, C, and C++. The important thing is that there is
>> an infinite set of possible programs and a finite set of desirable
>> programs. The goal of a programming language is to make it easier to
>> express programs in the set of desirable programs than ones that are not in
>> that set. Sometimes this is skewed away from specific sets.
>> >>
>> >> The reason that we care so much about memory-safety bugs is that they
>> allow an attacker to step completely outside of the abstract machine of the
>> program. Unless you embed an interpreter/compiler in your program,
>> memory-safety bugs are about the only way that an attacker can get
>> arbitrary code execution in your program. The kind of bug where an attacker
>> provides a specially crafted file / blob of network data and then runs code
>> on your machine is typically the worst thing that can happen.
>> >>
>> >> Rust, in particular, skews towards making programs with memory-safety
>> bugs much harder to represent. You can still do it, by using unsafe or
>> relying on unsoundness in the type system as cve-rs does, but you have to
>> try hard.
>> >>
>> >> I consider that a desirable property in a language. I don’t have to
>> think about whether I’ve made these bugs impossible (and, remember,
>> WannaCry cost billions of dollars and depended on a single memory-safety
>> bug), I get that for free and I can focus on other things.
>> >>
>> >> David
>> >>
>> >>
>>
>
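An added illustration of the point David Chisnall makes above about Rust making memory-safety bugs "much harder to represent". This is example code written for this page, not code from anyone in the thread; the buffer contents are constructed, and the function names are made up for the demonstration. It shows that both `slice::get` and plain indexing are bounds-checked in safe Rust (an out-of-range index yields `None` or a panic, never a read of neighbouring memory), and that the only way to spell an unchecked read is inside an explicit `unsafe` block, where the caller rather than the compiler vouches for the index.

```rust
// Added example (not from the thread): how safe Rust refuses an out-of-bounds
// read that C would silently perform, and where the `unsafe` escape hatch sits.
use std::panic;

/// Constructed sample buffer standing in for a parsed network blob.
pub const SAMPLE: [u8; 4] = [0xde, 0xad, 0xbe, 0xef];

/// Checked access: an index past the end becomes `None`, never a read of
/// whatever happens to sit after the buffer.
pub fn safe_lookup(buf: &[u8], idx: usize) -> Option<u8> {
    buf.get(idx).copied()
}

/// Plain indexing is bounds-checked too; a bad index panics (the program
/// stops inside its own abstract machine) instead of corrupting memory.
pub fn index_lookup(buf: &[u8], idx: usize) -> u8 {
    buf[idx]
}

/// Returns true if `index_lookup` panicked for this index.
pub fn indexing_panics(buf: &[u8], idx: usize) -> bool {
    panic::catch_unwind(|| index_lookup(buf, idx)).is_err()
}

/// The only way to express an unchecked read is to write `unsafe`; the
/// caller, not the compiler, now promises that `idx < buf.len()`. The
/// assert keeps this demo sound; a real escape hatch would rely on the
/// caller's reasoning alone, which is exactly the risk the keyword flags.
pub fn unchecked_lookup(buf: &[u8], idx: usize) -> u8 {
    assert!(idx < buf.len(), "caller contract violated");
    // SAFETY: bounds were checked on the line above.
    unsafe { *buf.get_unchecked(idx) }
}

fn main() {
    println!("safe_lookup(3)   = {:?}", safe_lookup(&SAMPLE, 3));
    println!("safe_lookup(99)  = {:?}", safe_lookup(&SAMPLE, 99));
    println!("index 99 panics: {}", indexing_panics(&SAMPLE, 99));
    println!("unchecked(2)     = {:#x}", unchecked_lookup(&SAMPLE, 2));
}
```

Run it with `cargo run` or `rustc`; the panic from `index_lookup(&SAMPLE, 99)` is caught by `catch_unwind` so the program still finishes. The design point is that the dangerous operation is visible in the source as an `unsafe` block, which is what code review, `grep`, and lints can key on.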