From: Joe Schaefer
Date: Thu, 12 Sep 2024 20:18:18 -0400
Subject: Re: The Case for Rust (in any system)
To: Pat Maddox
Cc: David Chisnall, Alan Somers, Chris, Warner Losh, FreeBSD Hackers
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

-Werror, valgrind, coverity, fuzzers, etc. CI is a thing.
On Thu, Sep 12, 2024 at 7:59 PM Pat Maddox <pat@patmaddox.com> wrote:
> I think you have those reversed.
>
> I would say that a compiler that notifies you of errors is more empathetic
> than one that doesn't, inasmuch as the compiler's designers' empathy is
> expressed through the tool.
>
> Knowing that we will write errors and can benefit from automated checks
> expresses humility to me.
>
> The safety net of such checks allows us to explore new ideas.
>
> C's "don't want memory errors? don't write none" approach is clearly more
> hostile and requires strict adherence to the rules.
>
> Pat
>
> On Thu, Sep 12, 2024, at 4:07 PM, Joe Schaefer wrote:
> > On the other hand, it is foolish to expect a programming language
> > itself to be more thoughtful and wise than the engineers who need to
> > solve a computational problem in the here and now.
> >
> > It’s like banking on building an empire based on process enforcement,
> > civility, diversity of preferred quota stereotypes, and obedience;
> > instead of empathy, humility, diversity of thought, and ingenuity.
> >
> > Rust is in the former camp; C the latter. All progress in this fad
> > based universe leads to the same joy-free outcome of forever changing
> > our toolchain to keep up with industry norms that treat professionalism
> > in computer engineering as a market commodity.
> >
> > On Thu, Sep 12, 2024 at 3:52 AM David Chisnall <theraven@freebsd.org>
> > wrote:
> >> On 12 Sep 2024, at 00:14, Alan Somers <asomers@freebsd.org> wrote:
> >> >
> >> > "Memory safety == restrictive training wheels" is just a common
> >> > misconception.
> >>
> >> It’s worth thinking about why programming languages exist. Any modern
> >> language is Turing complete. In terms of what can be expressed, there is no
> >> difference between Rust, C, and C++. The important thing is that there is
> >> an infinite set of possible programs and a finite set of desirable
> >> programs. The goal of a programming language is to make it easier to
> >> express programs in the set of desirable programs than ones that are not in
> >> that set. Sometimes this is skewed away from specific sets.
> >>
> >> The reason that we care so much about memory-safety bugs is that they
> >> allow an attacker to step completely outside of the abstract machine of the
> >> program. Unless you embed an interpreter/compiler in your program,
> >> memory-safety bugs are about the only way that an attacker can get
> >> arbitrary code execution in your program. The kind of bug where an attacker
> >> provides a specially crafted file / blob of network data and then runs code
> >> on your machine is typically the worst thing that can happen.
> >>
> >> Rust, in particular, skews towards making programs with memory-safety
> >> bugs much harder to represent. You can still do it, by using unsafe or
> >> relying on unsoundness in the type system as cve-rs does, but you have to
> >> try hard.
> >>
> >> I consider that a desirable property in a language. I don’t have to
> >> think about whether I’ve made these bugs impossible (and, remember,
> >> WannaCry cost billions of dollars and depended on a single memory-safety
> >> bug), I get that for free and I can focus on other things.
> >>
> >> David
> >>
> >>
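The quoted message turns on one concrete case: a parser fed a crafted file or network blob whose declared sizes do not match the bytes actually present. The following is an added illustration written for this archive page, not code from any participant in the thread or from FreeBSD. It assumes a constructed wire format (a 2-byte big-endian length followed by that many payload bytes) and shows how, in safe Rust, a length field that overstates the payload becomes a returned `Err` (with checked `get`) or at worst a panic (with plain indexing), never a read past the end of the buffer. `parse_all` is also the kind of function the "fuzzers, CI" argument at the top of the reply would hand to a fuzzer.

```rust
// Added example, not from the thread. Wire format is constructed for
// illustration: [len_hi, len_lo, payload[0..len]] repeated.

/// Errors the parser reports instead of reading outside the buffer.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Fewer than two bytes present: no length field at all.
    MissingLength,
    /// Declared payload length exceeds the bytes actually available.
    Truncated { declared: usize, available: usize },
}

/// Parse one record, returning (payload, remaining bytes).
/// Every slice access goes through `get`, which yields `None` rather than
/// touching memory outside `blob`; a crafted length therefore cannot turn
/// into an over-read. Even `&blob[2..2 + declared]` would not read past the
/// end in safe Rust: it would panic, which is a crash, not code execution.
pub fn parse_record(blob: &[u8]) -> Result<(&[u8], &[u8]), ParseError> {
    let header = blob.get(..2).ok_or(ParseError::MissingLength)?;
    let declared = u16::from_be_bytes([header[0], header[1]]) as usize;
    let available = blob.len() - 2; // safe: header proved len >= 2
    let payload = blob
        .get(2..2 + declared)
        .ok_or(ParseError::Truncated { declared, available })?;
    // Bounds already proven by the successful `get` above.
    let rest = &blob[2 + declared..];
    Ok((payload, rest))
}

/// Parse every record in a blob, stopping at the first malformed one.
pub fn parse_all(mut blob: &[u8]) -> Result<Vec<&[u8]>, ParseError> {
    let mut out = Vec::new();
    while !blob.is_empty() {
        let (payload, rest) = parse_record(blob)?;
        out.push(payload);
        blob = rest;
    }
    Ok(out)
}

fn main() {
    // Constructed sample input: two well-formed records, "abc" and "z".
    let good: &[u8] = &[0, 3, b'a', b'b', b'c', 0, 1, b'z'];
    println!("{:?}", parse_all(good));
    // Constructed malformed input: claims 65535 payload bytes, supplies 3.
    let crafted: &[u8] = &[0xff, 0xff, 1, 2, 3];
    println!("{:?}", parse_all(crafted));
}
```

The design point is that the bounds decision is made once, by `get`, and the result is threaded through as a typed error; the C equivalent has to carry the same check by hand at every access, and a single omission is the class of bug the message describes.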