Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Programming Python

Why Modern C++ Still Isn't As Safe As Memory-Safe Languages Like Rust and Swift (alexgaynor.net) 463

Alex Gaynor is a software engineer at Mozilla working on Firefox, after previously serving as a director of both the Python Software Foundation and the Django Software Foundation.

In a new blog post today, he argues that memory unsafe languages, "principally C and C++," induce an exceptional number of security vulnerabilities, and that the industry needs to migrate to memory-safe languages like Rust and Swift by default. One of the responses I frequently receive is that the problem isn't C and C++ themselves, developers are simply holding them wrong. In particular, I often receive defenses of C++ of the form, "C++ is safe if you don't use any of the functionality inherited from C" or similarly that if you use modern C++ types and idioms you will be immune from the memory corruption vulnerabilities that plague other projects. I would like to credit C++'s smart pointer types, because they do significantly help. Unfortunately, my experience working on large C++ projects which use modern idioms is that these are not nearly sufficient to stop the flood of vulnerabilities...

Modern C++ idioms introduce many changes which have the potential to improve security: smart pointers better express expected lifetimes, std::span ensures you always have a correct length handy, std::variant provides a safer abstraction for unions. However modern C++ also introduces some incredible new sources of vulnerabilities: lambda capture use-after-free, uninitialized-value optionals, and un-bounds-checked span.

My professional experience writing relatively modern C++, and auditing Rust code (including Rust code that makes significant use of unsafe) is that the safety of modern C++ is simply no match for memory safe by default languages like Rust and Swift (or Python and JavaScript, though I find it rare in life to have a program that makes sense to write in either Python or C++). There are significant challenges to migrating existing, large, C and C++ codebases to a different language -- no one can deny this. Nonetheless, the question simply must be how we can accomplish it, rather than if we should try.

The post highlights what he describes as "completely modern C++ idioms which produce vulnerabilities" -- including an example of dangling pointers "despite our meticulous use of smart pointers throughout..."

"Even with the most modern C++ idioms available, the evidence is clear that, at scale, it's simply not possible to hold C++ right."
This discussion has been archived. No new comments can be posted.

Why Modern C++ Still Isn't As Safe As Memory-Safe Languages Like Rust and Swift

Comments Filter:
  • by Anonymous Coward on Sunday April 21, 2019 @06:41PM (#58468930)

    If these rust fanboys would actually work on making the language/runtime PORTABLE across operating systems and architectures, then maybe it could someday replace C/C++.

    I'm tired of hearing how great Rust is. it's not. It doesn't run on most *BSD operating systems. The ones that do have it have bugs/portability issues and upstream sucks. The language was written for win/mac/linux on x86 and ARM. Nothing else was seriously considered when it was designed.

    You can't replace C with a language that runs on one compiler, with only a few CPU architectures and operating systems.

    • by Anonymous Coward on Sunday April 21, 2019 @07:06PM (#58469008)

      Bingo.

      C will never be replaced, as it is the ONLY portable language to all CPU types, platforms and the only language libraries can be used as.

      As much as I hate the overuse of OOP for OOP-sakes, C++ and OBJC are still the only OOP languages that come with operating systems, but the C++ runtimes are often not as portable with each other due to compiler ABI bullshit.

      If Rust wants to get adopted:
      1) compile rust programs to the C runtime without requiring a shared platform- specific library

      2) Rebrand. Sorry, Rust is a terrible brand name. It makes people think the opposite of Swift.

      3) Donâ(TM)t version it. The quickest way to destroy adopting of a new language is depreciation of API between versions. Create one API, and then never change it in favor of safer, better, faster bullshit.

      People are abandoning Java and .NET tech because of this stupidity and C# has only persisted outside of Microsoftâ(TM)s control (eg Unity)

      • by Anonymous Coward

        C is inherently unsafe for obvious reasons. C++ is obviously unsafe when you use it like a dumbass. If you write in these languages you're basically making a handshake agreement with the future that you are competent. As disrespected as both are for different reasons, elegant code written in either is beautiful and defies any semblance of scorn.
        As a programmer, and I mean to use the term in the most extreme way a computer scientist or electrical engineer would, a great C++ programs pulls you in and shines.
        N

        • C++ is obviously unsafe when you use it like a dumbass.

          The article makes the argument that C++ can't be used smartly. He has some interesting reasons. What do you think about them?

          • Re: (Score:2, Insightful)

            by Joce640k ( 829181 )

            The article makes the argument that C++ can't be used smartly. He has some interesting reasons. What do you think about them?

            I think he's a dumbass.

            C++ can be used smartly, it just needs you to educate yourself to not do dumbass things.

            • by roca ( 43122 ) on Sunday April 21, 2019 @08:48PM (#58469300) Homepage

              The endless parade of CVEs due to memory unsafety in C/C++ software proves that "just be smarter" hasn't worked.

              I know a lot of really great C++ programmers working in top organizations (Mozilla, Google, Facebook, Apple, etc). None of them claim to be able to consistently write safe C++ code. I don't either:
              https://robert.ocallahan.org/2... [ocallahan.org]

              The only people I see claiming to be able to consistently write safe C++ code are random commenters on Internet forums. I'd genuinely appreciate some references to high-profile programmers who've worked on large, widely deployed systems in C++, who vow they can consistently write safe C++ code.

              • I often hear phrases like "vulnerabilities in C/C++ software". Since we're talking about modern C++ here and not C, this discussion is only meaningful if we categorize those into C, pre-C++11, and "modern C++" when discussing said vulnerabilities. Those are all significantly different languages.

                My guess is that the vast majority are going to be C code, not only because it's easiest to make memory-related mistakes in, but also because so much low-level system code is written in it (e.g. the entire Linux ke

                • by roca ( 43122 ) on Sunday April 21, 2019 @10:46PM (#58469602) Homepage

                  Treating "modern C++" as a separate language would be somewhat fair if we also separated out "modern C++" when talking about the popularity of C++, the projects using C++ and the number of people who "know C++". "Modern C++" is a much less popular language than "C++".

                  Talking about "modern C++" as a separate language also requires broad agreement on what "modern C++" actually is, and unfortunately no such agreement exists. For example a lot of people I see using that term seem to mean "C++14 and up", not C++11. And of course even more important than what's been added to "modern C++" is what has been deprecated. Are exceptions part of modern C++? Raw pointers? Some people even argue on this very comment thread that string_view and span should not be considered part of modern C++ because they're experimental!
                  The answers to these questions change over time too.

                  I think you're right that we don't yet have a ton of data to evaluate the safety of "late modern C++" in practice, but I think you should also acknowledge that the original article shows that at least there have been some significant backward steps.

                • The problem is that there is no such thing as âmodernâ(TM) C++. You canâ(TM)t throw a compiler switch that ensures that you canâ(TM)t just cast everything to a (char *) and screw everybody. Until then C++ will always be just as insecure as the portable assembler itâ(TM)s derived from.

                • by DrXym ( 126579 )
                  The problem with modern C++ is that it does nothing to change the "unsafe by default" situation. Yes it's vastly better for having smart pointers, mutexes etc. in the library but code is not compelled to use them or use them correctly and it's easy to make mistakes.

                  For example a mutex in C++ is not associated with the data it's protecting so it's easy to forget to lock it. A smart pointer won't care if you try to call it when it's been reset and contains a NULL. I recently had to fix code that created two

              • Google and Facebook are definitely not top organizations when it comes to software engineering, especially when it comes to C++.

                Google in particular decided to dumb down their coding standards because it cannot trust its own employees to understand real C++ code, and are pushing for Java and other code-monkey-type languages to be used throughout the firm instead.

            • The number of people capable of successfully using C/C++ in safe ways, while not zero, is far lower than those who think they can do so. This has lead to a lot of problems.

              The number of people with the necessary chops available to maintain and update code written by that small group of ultra-capable types without introducing problems is far smaller than the number necessary to support such individuals output as they move on from project to project and job to job. This has lead to a lot of problems.

              The numb

          • The article makes a very bad argument. The modern C++ features picked on are:
            • View objects (span/string_view) are unsafe. Yes, but only if used as return values, and only if you're not using static analysis, which you should be.
            • You can creation uninitialised memory with std::optional, IF, you go out of your way to do so! Well, you can format your hard-disk if you go out of your way to do so.

            The main problem with C++ is that it is a vast every-changing language. It may take 10 years of practical experience

            • by roca ( 43122 ) on Sunday April 21, 2019 @10:20PM (#58469534) Homepage

              Scott Meyer is an interesting example. He recently wrote http://scottmeyers.blogspot.co... [blogspot.com] :

              > As you may know, I retired from active involvement in C++ at the end of 2015, and in the ensuing two and a half years, Iâ(TM)ve forgotten enough details of the language that I am no longer able to properly evaluate bug reports regarding the technical aspects of my books. C++ is a large, intricate language with features that interact in complex and subtle ways, and I no longer trust myself to keep all the relevant facts in mind.

              Evaluating the correctness of his own C++ examples is too hard for Scott Meyer once he stopped using the language for a couple of years. And this isn't talking about new features he doesn't know about; it's about old code that should still work.

              No doubt C++ fans will dismiss Scott Meyer as someone who never really understood C++.

              > View objects (span/string_view) are unsafe. Yes, but only if used as return values,

              His very first example does not involve return values.

              > and only if you're not using static analysis, which you should be.

              Which static analysis? Is it guaranteed to catch all these safety bugs? Do all projects agree on which analysis to use? If everyone should be using static analysis why isn't it part of the language?

              > You can creation uninitialised memory with std::optional, IF, you go out of your way to do so! Well, you can format your hard-disk if you go out of your way to do so.

              It's a lot harder to accidentally format your disk than to accidentally leave a variable uninitialized. How many times have you done the former and the latter?

              What you're saying here is "people shouldn't make mistakes". Sure. The reality is that people do make mistakes and coping with that is important.

              > The main problem with C++ is that it is a vast every-changing language. It may take 10 years of practical experience to understand the best ways to use particular features.

              This is a damning indictment of C++.

          • by currently_awake ( 1248758 ) on Sunday April 21, 2019 @10:37PM (#58469578)
            C is a powerful language because it lets you do anything, even if it's a bad idea. C++ takes an unsafe language and adds complexity plus hides stuff from you. If you want safe code you need to limit programmers to safe coding practice, and elite programmers hate limits.
        • by DrXym ( 126579 ) on Monday April 22, 2019 @10:46AM (#58471684)
          Well that's fabulous. You're obviously in the rare situation of being able to write perfect code, code which only you develop, or which is only touched by the most highly trained programmers in the entire world. Code that people will write songs about long after you are dead. Truly I envy you.

          Back in the real world, every programmer makes mistakes. Even the most skilled programmer will write code that crashes, or races, or leaks, or does something dumb. Teams have developers at different levels of competence so the risk is higher again.

          Rust takes the view that it can stop a lot of these problems even happening through the design of its language. The result is safer, more stable code.

      • Re: (Score:3, Insightful)

        by roca ( 43122 )

        Deprecation is essential because language features and APIs inevitably have to evolve over time. Breaking backward compatibility DOES cause massive damage (see Python3) and indeed Rust is not doing that.

    • by roca ( 43122 ) on Sunday April 21, 2019 @07:52PM (#58469136) Homepage

      On the contrary, Rust developers put a lot of thought into portability, which is why Rust runs on targets that look nothing like x86/ARM, AVR for example. https://github.com/rust-lang/r... [github.com]

      It's true development efforts focus on x86 and ARM on Windows/Mac/Linux. That makes perfect sense, because that's where almost all users are.

      I don't know what issues you're having with Rust on BSD but FreeBSD and NetBSD are tier 2 Rust platforms (builds automatically produced, but automated tests aren't run) and there are reports of recent versions of Rust working, for example, on NetBSD/PowerPC and bugs being fixed to keep it working. https://github.com/rust-lang/r... [github.com]

      So when you say "Rust isn't portable" what you really mean is "Rust doesn't work on my particular combination of obscure hardware and OS". By that standard, C isn't portable either since gcc regularly drops support for rare CPU architectures.

      • by roca ( 43122 ) on Sunday April 21, 2019 @08:01PM (#58469170) Homepage

        Also, "Rust doesn't work" just means "no-one has fixed the bugs for my architecture yet", not "Rust *can't* work by design". (The story is different for other languages, e.g. Go, where the memory management and concurrent programming models simply can't be squeezed into tiny microcontrollers.) A systems programming language that aims to displace C/C++ does indeed need to be able to run everywhere, but it's OK, in fact necessary, for its platform support to expand over time.

    • by Pseudonym ( 62607 ) on Sunday April 21, 2019 @11:59PM (#58469784)

      Every time I have a question about Rust's "memory safety" features (and admittedly, this may be a measure of the kind of question that I ask), the answer is typically "rewrite your program so that it fits Rust's ownership model".

      That's precisely the reason why we moved away from C for data structure-heavy applications in the first place: so you don't have to structure your program around memory lifetimes or redesign algorithms/data structures so that they play nice with memory lifetimes.

    • by gweihir ( 88907 )

      I completely agree. All that this Rust-cheering shows is that the ones cheering do not get it.

    • Comment removed based on user account deletion
  • Better yet (Score:5, Funny)

    by ugen ( 93902 ) on Sunday April 21, 2019 @06:43PM (#58468936)

    Why modern knives are still not as safe as spoons or q-tips?

    • by ffkom ( 3519199 ) on Sunday April 21, 2019 @06:57PM (#58468978)
      Yes, I also wonder why they still allow surgeons to use these awfully sharp and dangerous scalpels! Clearly, blunt plastic Safety Scissors would be the much better choice! After all, no human can be trusted to ever use some potentially dangerous tool!

      But seriously, "Mozilla" is an organization implementing colorful fancy stuff, which endangers safety most by being abused as "sort of an operating system", executing stuff by default that was just downloaded from somewhere on the Internet (JavaScript). It's funny how they, with their endless list of 10+ years old unfixed bugs in their bug-tracker try to teach other people programming more safely. I'm sure that using plastic Safety Scissors is the right thing to do, though - for exactly the kind of programmers Mozilla employs.
    • Re:Better yet (Score:5, Interesting)

      by Dutch Gun ( 899105 ) on Sunday April 21, 2019 @07:03PM (#58468996)

      Did you see some of the examples he uses as "evidence" of C++'s pitfalls?


      std::unique_ptr<int> f() {
              std::optional<std::unique_ptr<int>> x(std::nullopt);
              return std::move(*x);
      }

      I mean, holy shit, who does this? Look, I'm not going to argue you can ever make C++ completely memory safe, but you need to at least find some examples someone out in the world might feasibly run into.

      And he complains about how std container's [] operators are unchecked. Um, yeah, because bounds checking every access at runtime has a very significant cost, and C++ is often chosen due to its performance characteristics. If you want checked access, that's what the at() function is for (which he acknowledges, but glosses over). There are many cases where it's feasible to perform these functions safely due to other bounds checks, so that the per-access cost of the bounds check is not needed. A simple example is a for loop that iterates over a vector from 0 to < size(). No bounds checking needed there.

      I'm not bagging on Rust. I think memory-safe languages are an important innovation, but I dislike how he seems to set up strawman arguments. C++ has a lot of legitimate issues without making up problems that don't really exist in most code I've seen.

      • > Did you see some of the examples he uses as "evidence" of C++'s pitfalls?

        I have never seen an article, post, or talk given by Rust nutters that hasn't been a contrived example that would never been seen in real world production code.

        The Rust techno babble scare tactics were never going to work on actual engineers who are the ones making the choice of languages to use for projects.

        • Obvious bias (Score:2, Insightful)

          by Anonymous Coward

          "Rust nutters", "techno babble", "scare tactics". You reveal terrible bias here. You won't be able to fairly evaluate Rust vs C/C++ if you retain this mindset.

          Rust solves some problems extremely well. I already prefer it over C and C++ for everything I would normally use C/C++ for.

          But it's very bad at some styles of programming. When I find that happening, I either adopt the Rust-centric style (even if I don't particularly like that flavour) or pick another language.

      • by roca ( 43122 )

        Obviously his examples are simplified to make it clear what's going on.

        You can easily see how a similar bug could happen in production code. All that has to happen is for the programmer to think "I know that at this point 'x' can't be null" and unconditionally dereference it, and be wrong. It's not much different from regular null pointer dereference bugs.

    • The biggest problem with C and C++ is that there are too many people using it for use cases where they shouldn't. A knife isn't as safe as a q-tip, but the issue is too many people are using a knife to clean their ears (Yes I know you shouldn't use q-tip to clean your ears), because they feel only nubs will use such a safe tool, where only someone really skilled will use the dangerous tool.

      This is the problem with programmers today. C/C++ shouldn't be safe languages, because they are low-level languages,

      • by roca ( 43122 )

        Before Rust it was true that you had a fundamental tradeoff between low-level control and safety. All generally useful safe languages required GC, and GC requires tradeoffs that take away some low-level control (see one of my other comments).

        Rust changed that. With Rust you get safety without GC. You can write code that doesn't do dynamic allocation, or does dynamic allocation and deallocation at times you control. You can control memory layout. Your code doesn't get interrupted to do bookkeeping outside yo

      • by mark-t ( 151149 )
        [quote]... you are already past your deadline because your C code is causing a segment fault, and you are not sure where it is.[/quote]Two words: address sanitization. One tool: gdb.
    • by gweihir ( 88907 )

      I hear that there are even people that prefer to use a knife for some tasks! Shocking, I tell you! These must be complete morons.

  • by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Sunday April 21, 2019 @06:54PM (#58468966) Homepage

    Every time I see Rust talked about, the only thing that gets mentioned is memory safety. C++ is unsafe, Rust is safe, so use Rust. It is borderline hyperbole with many of the people who parrot it the loudest obviously not having significant experience in these "unsafe" languages.

    I don't care about memory safety as much as you think I should. I've been using C++ for years, I'm good at it and am comfortable with its level of safety for what I use it for.

    I need more from a language. Talk to me about what features Rust will give me that C++ doesn't. How will it help me solve my problems faster, write more efficient code, or write easier to maintain code?

    • by aberglas ( 991072 ) on Sunday April 21, 2019 @07:31PM (#58469094)

      It was an obscure memory corruption due to a bad pointer in a large piece of code. Only happened occasionally, and was not picked up by Valgrind as it pointed into valid addresses. Symptoms did not suggest a corruption problem, which made it hard to track. (It did not just crash, which would be easy to diagnose.)

      Add that to the security issues and C/++ should have never been born.

      And it has been a long time since I have worked on a body of code that I wrote entirely myself. I take care to use very safe patterns, but still occasionally stuff up.

    • by roca ( 43122 ) on Sunday April 21, 2019 @08:40PM (#58469274) Homepage

      Sure. A few examples.

      1) The`cargo` package manager. Using third-party libraries in a C/C++ project is enormously painful if you can't rely on Linux distros packaging them for you (e.g. because you support non-Linux, or the library is not packaged or the wrong version is packaged). `cargo` makes it far easier in Rust and in practice this means you see a lot more library reuse. The C++ standards people are just starting to talk about this.

      2) Rust has pattern matching with built-in sum types. C+ doesn't have pattern matching yet and std::variant is hideous (and limited, e.g no references).

      3) Rust has a powerful hygenic macro system that lets you write Rust code to manipulate arbitrary source code token streams. Among other things this provides powerful metaprogramming. E.g. serializing a value to JSON, complete example:

      fn main() {
              #[derive(serde::Serialize)]
              struct Example { x: u32, y: u32 };
              println!("{}", serde_json::to_string(&Example { x: 1, y: 2}).unwrap());
      }
      https://play.rust-lang.org/?ve... [rust-lang.org]

      4) Easy parallelism. OK this is a kind of safety, but in Rust you can write parallel maps, reduces, etc and the compiler forbids data races. In C/C++, if you're sane, you're cautious about introducing parallelism because of the risk and the maintenance costs. In Rust you can write parallel code fearlessly.

    • The other thing Rust fanbois don't seem to understand is that MOST programming languages are memory safe. Their constant refrain of "you should use Rust because it's memory safe" is like you saying "you should buy a Ford because it has cupholders". But apparently they don't know that most languages are memory safe.

      There might be some good reasons to use Rust. The evidence suggests that the users are clueless, however.

      • by roca ( 43122 )

        The Rust fanboys I know understand that. There's a reason why the original article is about C/C++. As a Rust fanboy myself, I think Java is a considerably better language for many applications (we need a COBOL for the 21st century, and Java is a good fit). Even Python is a better language for some applications. Perl just sucks though.

        Rust has considerably more to offer than just memory safety though. See my other comment about that.

      • by garethjrowlands ( 694510 ) on Monday April 22, 2019 @04:05AM (#58470226)

        > The other thing Rust fanbois don't seem to understand is that MOST programming languages are memory safe.

        They absolutely understand that. Rust is for when you can't afford a runtime system and garbage collector, and the alternatives are C and C++. For example, a browser or OS kernel. They don't mention Java, Javascript, Python, Go and friends because *it's obvious* that if you can use them, you should.

      • by serviscope_minor ( 664417 ) on Monday April 22, 2019 @04:33AM (#58470264) Journal

        The other thing Rust fanbois...The evidence suggests that the users are clueless, however

        Can we not?

        Characterising something by only the most extreme examples you can find is what has poisioned political debate here. I found someone from $WING who said $BADTHING about $GROUP which makes them just like $DICTATOR so everyone from $WING is like $DICTATOR.

        Characterising the users of rust by it's most vocal and ignorant fanbois is on the same level.

        Rust is quite high on my list of things I'd like to learn but probably won't unless something changes. The combination of the machine model from C/C++[*] with memory safety sounds like an interesting combination, and its currently the only even vaguely mainstream language that offers it. Servo/Quantum has demonstrated it's not all hot air.

        But apparently they don't know that most languages are memory safe.

        Not all safety is buffer overflows. Some of it is threading problems, something that far fewer languages offer any help with. Bear in mind if you have to take a performance factor of, well, much of anything to get thread safety, you may as well write it single threaded and have the same performance with simpler code. What's interesting to me is Firefox Quantum, managing to parallelize something that 3 much better funded organisations (Apple, Google, Microsoft) failed to do (with Safari, Chrome, Edge). See here for a measured account including fixed C++ bugs that they reintroduced with the rewrite in Rust:

        https://hacks.mozilla.org/2019... [mozilla.org]

        I'm not likely to switch to Rust any time soon since it doesn't provide much compelling for me. My day job is a lot of computer vision code at the moment. Trusting user input isnt something I have to do, and the parallelism is of a much simpler sort that what Mozilla have to contend with. And Rust still doesn't provide some of the language facilities I find useful.

        [*] the one time such an expression is appropriate.

    • by Jeremi ( 14640 )

      Talk to me about what features Rust will give me that C++ doesn't. How will it help me solve my problems faster, write more efficient code, or write easier to maintain code?

      I'm a C++ programmer myself (I've never used Rust for more than compiling some tutorial examples to see what they were like), and the thing that appeals to me about Rust -- at least in principle -- is the emphasis on robust compile-time error checking. I try to write my C++ programs such that if they compile, they are very likely to be correct, and contrariwise, if they are incorrect, their error(s) are likely to be caught at compile-time. This saves considerable time, since compilation has only one "exec

  • by snikulin ( 889460 ) on Sunday April 21, 2019 @07:12PM (#58469028)

    The ISO does recommend certain subsets of C and C++, though.
    Namely MISRA C:2012 and MISRA C++:2008.

    • by roca ( 43122 )

      MISRA disallows dynamic memory allocation so you don't want to use it unless you're required to by law.

  • int x
    string msg = "The answer is " + x;

    (Would be nice if any of the modern compilers could warn about this sort of thing. In the rare case that I really want pointer arithmetic I will be explicit. &x[0].)

    Rust and Go boat that they are better than C++. That is not much to boat about.

    Back in the 1980s efficient garbage collection techniques were developed in the Lisp community, which eventually went mainstream via Java in the 2000s and later .Net. There are very few applications that should not be usi

    • Might add that RAII C++ typically involves lots of copying of string and other data structures rather than just moving pointers around. So not efficient at all.

    • by AReilly ( 9339 )

      Modern garbage collection, as found in ART, Go and V8 is very impressive. Threaded and time-bound collection sprints mean that there's never a "stop the world" collection as used to happen in old Lisps and similar systems. So you almost certainly could get away with using that sort of language for most user-interface and server-side code. There is still a cost though: on average it costs about twice the memory footprint of a non-garbage-collected system, and it's very difficult (mostly due to constructio

    • by roca ( 43122 )

      GC languages are great for many domains but there are important domains where they simply aren't suitable:

      1) All GCs require you to trade off between throughput, latency and memory overhead. For example Go optimizes throughput and latency but approximately doubles heap size. With Rust (and C/C++ manual memory management) you avoid having to make those tradeoffs.

      2) Sometimes you have memory overhead constraints or latency constraints that simply can't be met by GC in a realistic configuration. E.g. Go GC opt

      • by roca ( 43122 )

        Point 3 also means that GC languages create lock-in. Once you've written a component that depends on GC, everything above it in the dependency stack (in the same process at least) pretty much has to use the same GC, which means the same VM and often the same language.

      • For many, twice as much CPU is significantly cheaper than live-debugging production code.

  • by mveloso ( 325617 ) on Sunday April 21, 2019 @08:06PM (#58469186)

    Basically, what he's saying is that most software developers don't have the skill level to use C/C++ in a safe way.

    I'd probably agree with that.

    There's a fundamental problem between C/C++ and the idea of abstraction: abstraction means you don't have to worry about details, yet in C/C++ details are critical.

  • It's by design (Score:4, Insightful)

    by LynnwoodRooster ( 966895 ) on Sunday April 21, 2019 @08:08PM (#58469190) Journal
    C/C++ lets you do things you cannot do with Rust and Swift. It assumes you are adult enough to understand what you're doing. If you want safe memory, then don't use C/C++. If you want the type of functionality and memory-access that C/C++ grants - then you have to accept it's open to memory leaks.
    • It assumes you are adult enough to understand what you're doing

      I reckon people who use such language are an absolute menace on the codebase because you way overestimate your own abilities.

      If you want safe memory, then don't use C/C++.

      No, that's absolutely 100% wrong. Your "C/C++" programs should be memory safe otherwise you have at best UB and at worse a really bad security hole.

      If you want the type of functionality and memory-access that C/C++ grants - then you have to accept it's open to memory leaks.

      Wait

  • If you go out of your way to create objects with uninitialised memory, and you get: uninitialized memory!!! That's a dumb criticism. Also, the problems with std::string_view are well known. Sure it's modern, but it's also experimental to create these "view" like objects. (Span has even more issues.) They're on the radar of static analysis tools. You can always use them as parameters, and have a rule to never return a view object, which is fine.

    Overall, I'd give the article a C+ for trying, but overly peda
  • ...but at least you can use C++ without using microsoft platforms. Rustc seems to be custom designed to depend entirely on the microsoft ecosystem. Where are your Cargo files pointing, where are they downloading what from? Microsoft. I can imagine no way in which rust could be considered anywhere remotely close to safe, as long as that's the case.
  • I have been writing software for over 30 years, and dammit I have yet to forget to free after I malloc in released code!

    There are a plethora of tools to check that for you! Use them!

    It seems that people want to write the most insipid, stupid code they can, and they cant seem to be bothered to look at and check to make sure memory is freed after they are done using it!

    Or they want to write arrays that are endless because they are to lazy to examine, or even estimate how much memory any operation will use

    Ever

    • by gweihir ( 88907 )

      Also C is the language that does run anywhere and is efficient anywhere. It is not some posh project made for looks and style. It is a hardcore engineering tool that expects you to know what you are doing.

    • > I have been writing software for over 30 years, and dammit I have yet to forget to free after I malloc in released code!

      You don't know that. Or can you offer me a machine-checked proof?

      > Everyone loves to think that there will be plenty of memory, you can never run out!

      Not everyone. In particular, not the designers or users of Rust. Are you sure you've been paying attention?

      > C is the smallest, most efficient, most elegant language ever built

      It isn't the smallest and it's only your opinion that i

    • I have been writing software for over 30 years, and dammit I have yet to forget to free after I malloc in released code!

      Either you write in a domain where this sort of thing is pretty easy (scientific programming is a good example) or you're full of shit. Given the colossal chip on your shoulder I reckon it's the latter.

      Which makes you, like many others here, an absolute menace on the codebase. Actual engineers, not coders or hackers, accept that humans are a thing and they are imperfect anf falliable. Tha

The opossum is a very sophisticated animal. It doesn't even get up until 5 or 6 PM.

Working...