Mastodawn

White House: Future Software Should Be Memory Safe

https://pawb.social/post/7241364

White House: Future Software Should Be Memory Safe - Pawb.Social

On the one side I really like c and c++ because they’re fun and have great performance; they don’t feel like your fighting the language and let me feel sort of creative in the way I do things(compared with something like Rust or Swift). On the other hand, when weighing one’s feelings against the common good, I guess it’s not really a contest. Plus I suspect a lot of my annoyance with languages like rust stems from not being as familiar with the paradigm. What do you all think?

mipadaitu Feb 26, 2024

Depends on if you’re coding for critical infrastructure (i.e. - electrical grid), or writing a high performance video game that can run on older hardware.

We should absolutely have specific licenses like Civil Engineers do for computer infrastructure that is required for any software written for specific purposes. It would be a nightmare to implement, but at some point, it’s going to be needed.

SorteKanin Feb 26, 2024

writing a high performance video game that can run on older hardware

Unless it’s some really exotic platform, I’d honestly still say no. Rust has shown that memory safety and performance doesn’t have to be a tradeoff. You can have both.

But sure, if whatever you’re targeting doesn’t have a Rust compiler, then of course you have no choice. But those are extremely rare cases these days I’d say.

cm0002 Feb 26, 2024

I don’t even think we really need to eek out every MHz of performance these days unless your shipping code for a space vehicle or something (But that’s an entirely different beast)

We’ve got embedded devices shipping with 1GHz+ processors now

It’s just time to move on from C/C++, but some people just can’t seem to let go.

Croquette Feb 27, 2024

Because there is still market for small mcus. A 1GHz processor is a lot more expensive than a 32 bits 75MHz. If you produce even a low number of units, the price difference can be huge.

frezik Feb 27, 2024

A lot of those mcus don’t need to run particularly complex programs. Many of them don’t do anything more complicated than reading the status of a pin and using that to activate another pin. 75MHz with a Rust program is more than enough.

For that matter, when Python was first released, the Intel Pentium wasn’t even out yet. People made it work. Micropython could handle the above just fine provided the polling rate didn’t need to be that high.

It’ll all depend on the application, of course, but a huge number of mcu programs could easily be Rust. The performance hit is not that big. The code size on lower end mcus is also going to be naturally limited by their flash space, so even the compiler speed isn’t going to be a big hit.

One thing is that the last time I tried using Rust on an esp32, the toolchain was still in its infancy and didn’t work very well. Looks like Go has been ported in, as well, but it doesn’t support wifi or bluetooth on the esp32. Or even i2c or pwm.

Croquette Feb 27, 2024

I haven’t seen a test on the difference between rust and c, but your last point is the biggest caveat for rust is your last point.

If you have been running the same toolchain on multiple products, changing the language means a productivity loss because the devs need to learn the ins and outs of the new language, and if the toolchain is buggy, then it is another productivity loss.

I’m always eager to try out new stuff in products I design, but the incertitude and productivity loss is a no go because I can just spin a barebone code that works in half a day.

Until the tool chain is mature, C will still exist.

pycorax Feb 27, 2024

Battery life is a reason. I’ve had clients come to me complaining their solution from another vendor didn’t last very long. Turns out it was running Java on an embedded device.

Akisamb Feb 27, 2024

Why would java have an impact on battery performance ? Pretty much all credit cards run java for their encryption algorithms, and they need pretty much no power to run.

Croquette Feb 28, 2024

There are orders of magnitude in what is considered low current. I’ve worked on a product that was guaranteed 2 years of lifetime for 3 AA batteries.

pycorax Feb 28, 2024

The JVM isn’t free. It was a simple dara collection device that interfaces with a sensor. Something light written in C is more than enough.

Cirk2 Feb 27, 2024

That is the mindset that gives us text editors using 100% cpu to blink a cursor because their css triggers a bug in the web browser they ship to render the text editor.

You can be memory save without shipping a whole browser, but disregarding power and memory efficiency will just make performance gained by hardware evaporate in overhead.

suy Feb 27, 2024

It’s just time to move on from C/C++, but some people just can’t seem to let go.

The Rust community has 2 websites that I keep periodically checking: Are we game yet? and Are we GUI yet?. The answers on those sites are respectively (as of February 2024, when this comment is written) “Almost. We have the blocks, bring your own glue” and “The roots aren’t deep but the seeds are planted”. I’ve seen the progress in Bevy and Slint, but it’s still the same, those websites don’t change, and my situation WRT to making a Rust project for fun or work it’s the same.

I’ll be happy to start doing Rust projects whenever I get the chance (which will be when it’s a sufficient tool for my use cases). But I’m tired of smoke sellers.

Are we game yet?

A guide to the Rust game development ecosystem.

Are we game yet?

calcopiritus Feb 28, 2024

Have you actually tried making a GUI or a game? I don’t think you can summarize the state of the whole ecosystem in a sentence that doesn’t change in years. I’ve made perfectly functional GUIs with iced, and imgui. Haven’t tried slint yet.

Godot is a very popular game engine and it’s written in rust, so you probably can use it in rust.

einsteinx2 Feb 28, 2024

Godot is written in C++ not Rust…

calcopiritus Feb 29, 2024

That’s true. I might’ve gotten confused because I saw godot rust bindings.

suy Feb 29, 2024

I’ve wanted to start a project in Rust, but for the ideas that I have (and the time that I have for a hobby project, as for work it’s rarely starting a new one, but continuing and existing one), Rust seemed a viable, but not ideal alternative to just doing it all in C++, for which I already have enough knowledge and very well proven libraries. I will look again soon, and I will keep looking because eventually something will surely click, it’s just that so far, the time has not been right.

Note that my point is not that it’s unusable for everyone. Just that it’s false that “some people just can’t seem to let [C or C++] go”, as the previous comment said. I can’t let go something that works well for something that doesn’t, given the projects that I have to work on.

themusicman Feb 26, 2024

There’s always a trade-off. In rust’s case, it’s slow compile times and comparatively slower prototyping. I still make games in rust, but pretending there’s no trade-off involved is wishful thinking

Lmaydev Feb 27, 2024

They mean a trade off in the resulting application. Compile times mean nothing to the end user.

Dave.Feb 27, 2024

That may be true but if the language is tough to develop with, then those users won’t get a product made with that language, they’ll get a product made with whatever language is easier / more expedient for the developer. Developer time is money, after all.

Lmaydev Feb 27, 2024

You’d be better just using a managed language in many cases.

With tired jit and careful use of garbage allocations they can actually be faster.

MareOfNights Feb 27, 2024

Can we stop pretending Rust doesn’t take performance trade-offs? Of course if you compare it one to one its roughly the same, since it’s compiled. But Optimizing memory for cache hits becomes a lot more difficult in Rust, to the point where you have to use unsafe. And unsafe Rust has more undefined behavior than C. In my opinion C is more safe than unsafe Rust.

If you want normal performance its a good Language, but once you need to Optimize memory, which is usually the bottleneck, You are out of luck.

SorteKanin Feb 27, 2024

But Optimizing memory for cache hits becomes a lot more difficult in Rust

Why is this?

xmunk Feb 26, 2024

C++ can have excellent performance without ever using a single pointer and avoiding unsafe functions like gets() - this isn’t necessarily a judgment on language - it’s a judgement on bad programming habits.

Pointers fucking suck, in a modern C++ codebase everything should be pass by value or const/mutable ref. To my preference I’d rather drop mutable refs to force everything to be more functional but whatever.

OsrsNeedsF2P Feb 26, 2024

I mean that’s just the problem with C++. There’s 17 different ways to do things, 2 are always wrong, 14 are contextual, and 1 is reserved for super special cases

HornyOnMain Feb 27, 2024

And the one you choose is always the one that's weak to the specific vulnerability you didn't think of!

SorteKanin Feb 26, 2024

Working with habits is just not good enough. C++ has far too many footguns to be considered a safe language and there are frankly objectively better modern alternatives that you should use instead, perhaps except if you have a really large legacy code base you can’t replace (but even then, consider calling into it via FFI from a safe language).

Even if you tried to actually enforce these habits, you’d just end up inventing a new language and it would be incompatible with previous C++ too.

C++ is not a viable language for the future.

xmunk Feb 26, 2024

I get kinda bad vibes from this comment and I’d like to explain why…

If somebody said “We’re building a point of sale terminal and to make it secure we’re going to be using C++” I’d probably have a dumbfounded expression on my face unless they immediately continued with “because there are libraries we can lean on to minimize the amount of code we need to write.”

C++ has an extremely mature ecosystem - Qt is essentially it’s own language at this point! There are reasons to still consider building in C++ and saying “C++ is not a language for the future” feels dogmatic and cargo culty to me. Algol, Cobol and Fortran still have programming communities and while I agree that C++ is outsized in presence for the danger it presents there are still good reasons to choose it for some specific domains - high performance graphical programs being one of those in particular.

C++ has a plethora of foot guns and you need to be aware of them but when you are they’re easy to avoid in fact your quote:

Even if you tried to actually enforce these habits, you’d just end up inventing a new language and it would be incompatible with previous C++ too.Even if you tried to actually enforce these habits, you’d just end up inventing a new language and it would be incompatible with previous C++ too.

Is probably the thing I agree most with - well built C++ isn’t incompatible with regular ol’ C++ but it feels like a different language… but as a not too old old-man-developer different projects often feel like different languages - each company/project has tools and libraries they use and it’ll cause code written in the same language to read really differently… I’m a functionally oriented programmer with a pretty particular style, my C++, Python, Java, PHP, Node and Rust all look nearly the same except for language specific peculiarities.

So yea, discipline is needed and nobody’s default choice should be C++ but if you follow best practices your C++ can be quite safe.

… that all said… I fucking hate the concept of definition files being sseparate from code files so I’m not going to use C++ anytime soon.

abhibeckert Feb 26, 2024

Pointers suck in C++. In other languages every single variable is a pointer and it works perfectly.

xmunk Feb 26, 2024

That’s one reason I mentioned pass by reference “smart” languages will do it automatically depending on the size of the argument, some languages (including my beloved PHP) even have a copy-on-edit functionality where everything is technically passed as a mutable reference but as soon as you mutate it (unless it was explicitly marked as a mutable reference) it will copy the original object and have you edit the copy instead of the original.

Is being explicit about when copies happen almost always a good thing - yea the overhead of that system is undesirable in performance sensitive situations - but for a high level scripting language it’s quite nice.

Feathercrown Feb 27, 2024

The way PHP does it is oddly smart

Feathercrown Feb 27, 2024

just avoid all the bad stuff bro

If I was giving a tour of my kitchen and it included phrases such as “avoid using the leftmost cabinet of any set of two”, “the freezer doesn’t work but the fridge can be set to the same temperature”, or “the oven has been deprecated, just use the oven”, you’d rightfully gtfo. Why is this acceptable of a programming language??

arendjr Feb 27, 2024

Even references aren’t safe in C++ though, since there’s no borrow checker. Unless you copy everything or use reference counting types everywhere, you’ll still hit plenty of memory-violating footguns. But at that point, why use C++ at all?

calcopiritus Feb 28, 2024

A big difference between rust and C++ is that in C++ you say “everyone should passing by value or const ref (mutable ref if needed)”.

In rust, the default is passing by value. The default refs are consts, you have to explicitly make them mut, and the compiler will warn you if you don’t mutate a mut parameter.

onlinepersona Feb 26, 2024

Leaders in Industry Support White House Call to Address Root Cause of Many of the Worst Cyber Attacks

And it’s called C/C++. It’s gotten so bad that even the friggin’ white house has to make a press release about it. Think about it, the place where that majority barely even understand the difference between a file browser and a web browser is telling you to stop using C/C++. Hell, even the creator and maintainers of the language don’t know how to make it memory safe. If that isn’t a wake up call, then nothing ever will be.

If you want memory-safe, don’t write C/C++. Trying to get that shit memory-safe is a hassle and a half. You’re better off learning a language that isn’t full of foot-guns, gotchas, and undefined behavior.

CC BY-NC-SA 4.0

Can C++ Be Saved? Bjarne Stroustrup on Ensuring Memory Safety

C++ creator Bjarne Stroustrup joins calls for changing the programming language itself to address security concerns, though other core contributors want to make more modest moves.

The New Stack

abhibeckert Feb 26, 2024

If you want memory-safe, don’t write C/C++.

Fixed that for you. There’s no situation where you want buffer overruns.

cm0002 Feb 26, 2024

There’s no situation where you want buffer overruns.

I want buffer overruns in my game consoles for jailbreaking purposes lmfaoooooo

evranch Feb 27, 2024

If you don’t want memory-safe buffer overruns, don’t write C~~/C++.~~

Fixed further?

It’s perfectly possible to write C++ code that won’t fall prey to buffer overruns. C is a lot harder. However yes it’s far from memory safe, you can still do stupid things with pointers and freed memory if you want to.

I’ll admit as I grew up with C I still have a love for some of its oh so simple features like structs. For embedded work, give me a packed struct over complex serialization libraries any day.

I tend to write a hybrid of the two languages for my own projects, and I’ll be honest I’ve forgotten where exactly the line lies between them.

Feathercrown Feb 27, 2024

You’re better off learning a language that isn’t full of foot-guns, gotchas, and undefined behavior.

As a JS developer, seeing this quote about C/C++ for a change gives me unbelievable levels of schadenfreude

fubo Feb 26, 2024

Rust does memory-safety in the most manual way possible, by requiring the programmer prove to the compiler that the code is memory-safe. This allows memory-safety with no runtime overhead, but makes the language comparatively difficult to learn and use.

Garbage-collected compiled languages — including Java, Go, Kotlin, Haskell, or Common Lisp — can provide memory-safety while putting the extra work on the runtime rather than on the programmer. This can impose a small performance penalty but typically makes for a language that’s much easier on the programmer.

And, of course, in many cases the raw performance of a native-code compiled language is not necessary, and a bytecode interpreter like Python is just fine.

SorteKanin Feb 26, 2024

Rust does memory-safety in the most manual way possible

The most manual way is what C does, which is requiring the programmer to check memory safety by themselves.😛

Also will say that outside of some corner cases, Rust is really not that harder than Java or Python. Even in the relatively rare cases that you run into lifetimes, you can usually clone your data (not ideal for performance usually but hey its what the GC language would often do anyway). And reliability is far better in Rust as well so you save a lot of time debugging. Compiles = it works most of the time.

520 Feb 26, 2024

The most manual way is what C does, which is requiring the programmer to check memory safety by themselves.😛

The difference is, Rust will throw a tantrum if you do things in an unsafe way.

Rust is really not that harder than Java or Python.

As someone who's done all the, the fuck it isn't.

If you are familiar with C/C++ best practices to any operational level, those things will translate over to Rust quite nicely. If not, that learning curve is going to be fucking ridiculous with all the new concepts you have to juggle that you just don't with either Java or Python.

calcopiritus Feb 28, 2024

I haven’t been able to compile a single C/C++ program (even bought a C++ book!) Learned to write normal programs in rust (even with simple lifetime annotations!) In 1-2 months. I just knew python and the basic knowledge of 1st year university.

It’s not that hard.

Just reading through the rust book (a week, maybe? I don’t remember how much time it took) will make you able to confidently write a simple CLI program.

520 Feb 28, 2024

Just reading through the rust book (a week, maybe? I don’t remember how much time it took) will make you able to confidently write a simple CLI program.

You can do the same in Java or especially Python from zero much, much quicker.

Also you can learn to go beyond simple CLI programs in those languages much quicker, because you don't have to worry about memory management.

calcopiritus Feb 29, 2024

I’m not saying that java or python are harder, of course they aren’t. I’m just saying that it’s not as hard as people seem to think. What is 1 week of commitment to learn a new language? Of course it depends on what there is to offer.

I think the benefits of rust far outweigh it’s drawbacks (including the learning time).

Kogasa Feb 26, 2024

C# dev with reasonable experience with java, python, and rust:

Rust is harder

admiralteal Feb 26, 2024

I like Rust a lot, philosophically and functionally... but it is WAY harder. Undeniably very hard.

Just try and do anything with, say, a linked list. It's mind-boggling how hard it is to make basic things work without just cloning tons of values, using obnoxious patterns like .as_mut(), or having incredibly careful and deliberate patterns of taking stuff. Not to mention the endless use of shit like Boxes.

I still think it's a good language and valuable to learn/use, and it's incredibly easy to create performant applications in it once you mastered the basics, but christ.

MonkderZweite Feb 27, 2024

It’s mind-boggling how hard it is to make broken basic things work are

admiralteal Feb 27, 2024

I have not encountered anything broken, aside from maybe binary app docstring stuff (e.g., automated example testing).

On the contrary, everything seems precise, reliable, and trustworthy. That's the thing to really like about Rust -- you can be pretty much fearless in it. It's just difficult. I die a bit in time any time I have a return type that looks like Box<dyn Fn(&str) -> Result<Vec<String>, CustomError>> or some shit . Honestly, the worst thing about Rust is probably that you have to manually specify heap vs stack when the compiler could easily make those determinations itself 99% of the time based on whether something is sized.

tiredofsametab Feb 27, 2024

Software engineer for almost two decades at this point, programming off and on since a kid in the late '80s: Rust is harder. It did seem to get better between versions and maybe it's easier now, but definitely harder than a lot of what I've worked in (which ranges Perl, PHP, C, C++, C#, Java, Groovy/Grails, Rust, js, typescript, various flavors of BASIC, and Go (and probably more I'm forgetting now but didn't work with much; I'm excluding bash/batch, DB stored procedures (though I worked on a billing system written almost entirely in them), etc.)

abhibeckert Feb 26, 2024

A better approach is the one Apple uses with Swift (and before that, Objective-C… though that wasn’t memory safe).

In swift the compiler writes virtually all of your memory management code for you, and you can write a bit of code (or annotate things) for rare edge cases where you need memory management to do something other than the default behaviour.

roanutil_Feb 27, 2024

To be fair, Swift uses reference counting instead of garbage collection which has different tradeoffs than GC but does incur a performance penalty.

frezik Feb 27, 2024

I wish more languages used ref counting. Yes, you have to be careful of circular refs, but the tradeoff is simplicity, speed, lack of needing threads in the runtime, and predictability. Rust gives you special data structures for ref counting for a reason.

calcopiritus Feb 28, 2024

Ref counting is just a very basic GC. I’d be surprised if a ref counted language performed better than a GC one. Sure, the program won’t temporarily halt in order to run the GC, but every copy/destroy operation will be slower.

seeaya Feb 28, 2024

When Apple introduced the iPhone they required automatic reference counting to be used in Objective-C rather than garbage collection (the language supports both) due to performance reasons (iPhones were significantly slower than Macs). At least Apple seems to think that reference counting is faster than standard garbage collectors. The compiler can do a lot to remove unnecessary releases and retains. Additionally each retain is just incrementing an integer, and each release is just decrementing an integer and comparing the integer to 0, so the overhead is pretty small.

calcopiritus Feb 28, 2024

If the compiler optimizes away some RC then I see how it can be faster.

floofloof Feb 26, 2024

I’m no Rust expert, but in what I have done with it I’ve always found it reassuring to know the compiler has my back, and I haven’t found the rules too onerous. In some ways I prefer this to counting on some black-box garbage collector with unpredictable performance costs.

Faresh Feb 27, 2024

What memory-safe systems programming languages are out there, besides Rust?

Traister101 Feb 27, 2024

Languages with GC

Faresh Feb 27, 2024

I appreciate your answer, but I mentioned systems programming, because I was more interested in languages that do not rely on a garbage collector.

Traister101 Feb 27, 2024

Huh, I totally missed that my bad