[pclmulqdq]

The idea that Rust can solve this problem is ridiculous to me. The types of bugs that sleep-deprived contributors writing fire-and-forget code will make will just shift to something that the borrow checker doesn't help with.

[unrealhoang]

So, no bug that the borrow checker can help with? Sounds like a big win to me, why is it ridiculous?

[pclmulqdq]

The parent comment implied that this meant that there would be fewer bugs. That is definitely not what happens.

The factor that actually generates the bugs is the tired person writing code they will never read again or use. The borrow checker won't help with that.

I write code with different types of bugs in C, Go, Rust, Javascript, and Verilog, for example. I rarely write code with no bugs, especially when I have no real connection to the code.

[unrealhoang]

GP comment implied there would be fewer exploitable bugs. That is definitely what happens.

If you think there's the same amount of severe exploit from software written in Go/Java/Javascript and software written in C/C++, you are just factually wrong.

70% of exploitable bugs from large company products (M$, Apple, Google) ARE memory safety bugs.

[pclmulqdq]

I do not agree with you, and I think it's a pretty strong claim to make that Rust code has fewer exploitable bugs than other code without evidence. The fact that 70% of "exploitable bugs from large company products" are memory safety bugs does not imply that those products will be any harder to exploit when re-written in Rust, just that they won't have certain types of memory safety bugs - which happen to be 70% of the known exploitable bugs that have emerged.

One big reason why we have so many CVEs for memory safety bugs is that they are very easy to find with analyzers and easy to programmatically test. We currently live in a world where a lot of deployed code has not had the benefit of those analyses, but the attackers do. Hence the huge number of CVEs. Rust closes that asymmetry, which is significant.

It does not mean that we won't move on to a new class of exploitable bugs that show up due to a new class of analyzers.

Also, exploitation means a lot of things to a lot of people. The fact that it's really easy to crash a Rust program could also be considered an exploit (as a number of CVEs do).

Just using Rust does not save you from exploits. Using Rust well makes it easier to be safer.

[burntsushi]

So let me get this straight, you're saying that:

1. You acknowledge others' reports that 70% of exploitable bugs are rooted in memory safety problems.

2. You acknowledge that Rust helps reduce the number of memory safety bugs.

3. You resist any conclusion that Rust therefore reduces the number of exploitable bugs.

4. The stated reason for such resistance is "but but but they might exist and you might not know about them and something something something about how analyzers have gotten better."

1+2 alone seem like a pretty clear open & shut case to me. Your (4) looks like grasping at straw to me. You complain about "without evidence," but 1+2 looks like pretty compelling evidence to me.

One also has to wonder what kind of evidence would meet your standard. What evidence would convince you? And is that evidence even obtainable?

[pclmulqdq]

(1) is wrong. I said that 70% of reported exploitable bugs are rooted in memory safety problems. Not 70% of exploitable bugs. There is a big difference. In other words, I am suggesting that we have found a lot more of the exploitable memory safety bugs than other classes of bugs, which skews the number high, and that there are a tremendous number of latent exploitable bugs that are not related to memory safety that we haven't found out how to find yet (in a systematic way). I am also asserting that the Rust borrow checker likely won't help with those latent bugs.

The evidence that would convince me is ~10 years of a notable reduction in both total CVEs and total monetary value of exploits of that software (or a comparable piece of software). There is almost nothing that would convince me today that Rust is inherently more secure than C or C++ (particularly modern C++), except in the small class of applications that rely solely on memory safety for security and cannot use a garbage collector.

By the way, I do have an application running in production today that fits that requirement, and I wrote it in Rust.

[ducktective]

I think it's a given that idiomatic Rust code has less memory bugs than run-of-the-mill C code but IMO, this debate boils down to this question:

"Do static analyzers like cppcheck, Frama-C, Coverity or NASA's ikos catch more bugs (including memory bugs) than idiomatic Rust code?"

We have to consider the added complexity of the Rust language and the massive man-hours required to re-write old C code-bases. It's a trade-off.

[howinteresting]

The idea that people will just shift to other kinds is ludicrous. There isn't a fixed quota of bugs per developer-hour. In my personal experience, Rust code absolutely has fewer bugs than most other languages.

Several large surveys have found that approximately 70% of bugs in C and C++ projects are memory safety issues.

[pclmulqdq]

I will say that I have written a fair amount of Rust, and never had a bug in a sub-100-line Rust program, which is a huge difference compared to C.

For more complex things, arguing with the borrow checker has often led me to weird solutions that seem to work, but are unlikely to be 100% bug-free.

I would also like to point out that the surveys are looking at known bugs, and memory safety bugs are now very easy to find, thanks to the large number of memory safety analyzers that exist.

The analyzers exist because memory safety problems are significant, but the fact that they are 70% of known bugs does not imply that Rust code will have 30% of the bugs that you would find in a C equivalent. In my experience, if the C equivalent is short, Rust code usually has 0% of the bugs! If the C equivalent is long and complex, it could be a lot higher.

[UltraViolence]

> led me to weird solutions that seem to work, but are unlikely to be 100% bug-free.

So you're telling me you don't unit-test your code? Big red flag there!

Rust is one of the few programming languages where unit testing is an integral part of the toolset.

[UltraViolence]

It's not ridiculous, it's a proven fact! Rust obviously won't stop logical errors, but it will put an end to the almost unending cue of memory and thread related bugs.

Mind you that Firefox, for example, has been around for 17 years. Every month I get security updates fixing multiple memory holes in the code each of which could potentially allow anyone to take over my machine. Seventeen years!! They must have fixed hundreds if not thousands of such bugs by now, and every month more are repaired by updates.

We'd have none of those had it been written in Rust.

Also mind the time saved by developers not having to hunt for such (hard to track down) bugs!

[cesarb]

> We'd have none of those had it been written in Rust.

Except for memory issues in JIT-generated code from Javascript? Not all browser vulnerabilities are caused by memory safety issues in the code generated by the Javascript JIT, but several of them are (particularly "type confusion" vulnerabilities). Rust might help avoid vulnerabilities in the code generator, but not in the generated code.