From: Joe Schaefer <joesuf4@gmail.com>
Date: Thu, 12 Sep 2024 21:33:59 -0400
Subject: Re: The Case for Rust (in any system)
To: Pat Maddox
Cc: David Chisnall, Alan Somers, Chris, Warner Losh, FreeBSD Hackers
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
I just completed a month-long project to port a C++ codebase that used vectors for array allocations back to using C's calloc. For a 15% increase in memory footprint, batch jobs that took three days to complete now finish in 10-12 hours.

That's what professional engineering is about: making tradeoffs to delight customers and save money on cloud compute.

What you guys go on about is high school drama club debate.

On Thu, Sep 12, 2024 at 8:18 PM Joe Schaefer <joesuf4@gmail.com> wrote:
> -Werror, valgrind, coverity, fuzzers, etc. CI is a thing.
>
> On Thu, Sep 12, 2024 at 7:59 PM Pat Maddox <pat@patmaddox.com> wrote:
>
>> I think you have those reversed.
>>
>> I would say that a compiler that notifies you of errors is more
>> empathetic than one that doesn't, inasmuch as the compiler's designers'
>> empathy is expressed through the tool.
>>
>> Knowing that we will write errors and can benefit from automated checks
>> expresses humility to me.
>>
>> The safety net of such checks allows us to explore new ideas.
>>
>> C's "don't want memory errors? don't write none" approach is clearly more
>> hostile and requires strict adherence to the rules.
>>
>> Pat
>>
>> On Thu, Sep 12, 2024, at 4:07 PM, Joe Schaefer wrote:
>> > On the other hand, it is foolish to expect a programming language
>> > itself to be more thoughtful and wise than the engineers who need to
>> > solve a computational problem in the here and now.
>> >
>> > It's like banking on building an empire based on process enforcement,
>> > civility, diversity of preferred quota stereotypes, and obedience;
>> > instead of empathy, humility, diversity of thought, and ingenuity.
>> >
>> > Rust is in the former camp; C the latter. All progress in this fad
>> > based universe leads to the same joy-free outcome of forever changing
>> > our toolchain to keep up with industry norms that treat professionalism
>> > in computer engineering as a market commodity.
>> >
>> > On Thu, Sep 12, 2024 at 3:52 AM David Chisnall <theraven@freebsd.org>
>> > wrote:
>> >> On 12 Sep 2024, at 00:14, Alan Somers <asomers@freebsd.org> wrote:
>> >> >
>> >> > "Memory safety == restrictive training wheels" is just a common
>> >> > misconception.
>> >>
>> >> It's worth thinking about why programming languages exist. Any modern
>> >> language is Turing complete. In terms of what can be expressed, there is
>> >> no difference between Rust, C, and C++. The important thing is that there
>> >> is an infinite set of possible programs and a finite set of desirable
>> >> programs. The goal of a programming language is to make it easier to
>> >> express programs in the set of desirable programs than ones that are not
>> >> in that set. Sometimes this is skewed away from specific sets.
>> >>
>> >> The reason that we care so much about memory-safety bugs is that they
>> >> allow an attacker to step completely outside of the abstract machine of
>> >> the program. Unless you embed an interpreter/compiler in your program,
>> >> memory-safety bugs are about the only way that an attacker can get
>> >> arbitrary code execution in your program. The kind of bug where an
>> >> attacker provides a specially crafted file / blob of network data and
>> >> then runs code on your machine is typically the worst thing that can
>> >> happen.
>> >>
>> >> Rust, in particular, skews towards making programs with memory-safety
>> >> bugs much harder to represent. You can still do it, by using unsafe or
>> >> relying on unsoundness in the type system as cve-rs does, but you have
>> >> to try hard.
>> >>
>> >> I consider that a desirable property in a language. I don't have to
>> >> think about whether I've made these bugs impossible (and, remember,
>> >> WannaCry cost billions of dollars and depended on a single memory-safety
>> >> bug), I get that for free and I can focus on other things.
>> >>
>> >> David
>> >>
>> >>
>
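The point David makes in the quoted message, that a crafted file or blob of network data with a bad length field is the classic way an attacker steps outside the program's abstract machine and that safe Rust makes that outcome hard to express, is illustrated by the following added example. It is not code from the thread or from any FreeBSD project; the record format (a one-byte length followed by that many payload bytes, repeated) and the sample inputs are constructed for the example. The first parser validates lengths explicitly and returns an error; the second deliberately omits the check to show that in safe Rust the same mistake becomes a bounds-check panic (a crash, still a bug) rather than a read of adjacent memory.

```rust
// Added example, not from the mailing-list thread. The wire format is
// an assumption made for this example:
//   record  := len:u8 payload:[u8; len]
//   message := record*
// A crafted message is one whose len claims more bytes than remain.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// A length prefix claimed more bytes than the buffer holds.
    Truncated {
        offset: usize,
        claimed: usize,
        available: usize,
    },
}

/// Split `buf` into its payloads, rejecting any record whose length
/// field runs past the end of the buffer. Slicing goes through `get`,
/// which yields None instead of reading out of bounds, so the parser
/// returns a structured error the caller can log or reject on.
pub fn parse_records(buf: &[u8]) -> Result<Vec<&[u8]>, ParseError> {
    let mut records = Vec::new();
    let mut offset = 0usize;
    while offset < buf.len() {
        let len = buf[offset] as usize; // in bounds: guarded by the loop condition
        let start = offset + 1; // start <= buf.len() because offset < buf.len()
        let available = buf.len() - start;
        let payload = buf.get(start..start + len).ok_or(ParseError::Truncated {
            offset,
            claimed: len,
            available,
        })?;
        records.push(payload);
        offset = start + len;
    }
    Ok(records)
}

/// The same loop with the length check forgotten. A C implementation of
/// this would read past the end of the buffer on crafted input; in safe
/// Rust the range index is bounds-checked at run time and the program
/// panics instead. The bug remains (a denial of service), but it cannot
/// turn into an out-of-bounds read without an explicit `unsafe` block.
pub fn parse_records_forgot_check(buf: &[u8]) -> Vec<&[u8]> {
    let mut records = Vec::new();
    let mut offset = 0usize;
    while offset < buf.len() {
        let len = buf[offset] as usize;
        let start = offset + 1;
        records.push(&buf[start..start + len]); // panics if start + len > buf.len()
        offset = start + len;
    }
    records
}

/// Constructed sample inputs for the example.
/// Three records: "abc", "z", and an empty one.
pub const WELL_FORMED: &[u8] = &[3, b'a', b'b', b'c', 1, b'z', 0];
/// Second record claims 200 bytes but only one byte follows the length.
pub const CRAFTED: &[u8] = &[3, b'a', b'b', b'c', 200, b'z'];

fn main() {
    println!("well-formed: {:?}", parse_records(WELL_FORMED));
    println!("crafted:     {:?}", parse_records(CRAFTED));
}
```

Running the binary prints the three payloads for the well-formed input and `Err(Truncated { offset: 4, claimed: 200, available: 1 })` for the crafted one; `parse_records_forgot_check(CRAFTED)` panics with a slice-range error instead of returning data from beyond the buffer.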