The parent comment implied that this meant that there would be fewer bugs. That is definitely not what happens.
The factor that actually generates the bugs is the tired person writing code they will never read again or use. The borrow checker won't help with that.
I write code with different types of bugs in C, Go, Rust, Javascript, and Verilog, for example. I rarely write code with no bugs, especially when I have no real connection to the code.
GP comment implied there would be fewer exploitable bugs. That is definitely what happens.
If you think there's the same amount of severe exploit from software written in Go/Java/Javascript and software written in C/C++, you are just factually wrong.
70% of exploitable bugs from large company products (M$, Apple, Google) ARE memory safety bugs.
I do not agree with you, and I think it's a pretty strong claim to make that Rust code has fewer exploitable bugs than other code without evidence. The fact that 70% of "exploitable bugs from large company products" are memory safety bugs does not imply that those products will be any harder to exploit when re-written in Rust, just that they won't have certain types of memory safety bugs - which happen to be 70% of the known exploitable bugs that have emerged.
One big reason why we have so many CVEs for memory safety bugs is that they are very easy to find with analyzers and easy to programmatically test. We currently live in a world where a lot of deployed code has not had the benefit of those analyses, but the attackers do. Hence the huge number of CVEs. Rust closes that asymmetry, which is significant.
It does not mean that we won't move on to a new class of exploitable bugs that show up due to a new class of analyzers.
Also, exploitation means a lot of things to a lot of people. The fact that it's really easy to crash a Rust program could also be considered an exploit (as a number of CVEs do).
Just using Rust does not save you from exploits. Using Rust well makes it easier to be safer.
1. You acknowledge others' reports that 70% of exploitable bugs are rooted in memory safety problems.
2. You acknowledge that Rust helps reduce the number of memory safety bugs.
3. You resist any conclusion that Rust therefore reduces the number of exploitable bugs.
4. The stated reason for such resistance is "but but but they might exist and you might not know about them and something something something about how analyzers have gotten better."
1+2 alone seem like a pretty clear open & shut case to me. Your (4) looks like grasping at straw to me. You complain about "without evidence," but 1+2 looks like pretty compelling evidence to me.
One also has to wonder what kind of evidence would meet your standard. What evidence would convince you? And is that evidence even obtainable?
(1) is wrong. I said that 70% of reported exploitable bugs are rooted in memory safety problems. Not 70% of exploitable bugs. There is a big difference. In other words, I am suggesting that we have found a lot more of the exploitable memory safety bugs than other classes of bugs, which skews the number high, and that there are a tremendous number of latent exploitable bugs that are not related to memory safety that we haven't found out how to find yet (in a systematic way). I am also asserting that the Rust borrow checker likely won't help with those latent bugs.
The evidence that would convince me is ~10 years of a notable reduction in both total CVEs and total monetary value of exploits of that software (or a comparable piece of software). There is almost nothing that would convince me today that Rust is inherently more secure than C or C++ (particularly modern C++), except in the small class of applications that rely solely on memory safety for security and cannot use a garbage collector.
By the way, I do have an application running in production today that fits that requirement, and I wrote it in Rust.
Total CVEs is a poor metric given that we (Rust programmers) tend to file CVEs far more liberally than C or C++ programmers. More to the point, the evidence you claim to require is just that: reported exploitable bugs. Which seems to have the same problems as the evidence that has already been presented to you.
> I am also asserting that the Rust borrow checker likely won't help with those latent bugs.
Kind of a silly assertion, no? Particularly given you've failed to characterize these "latent bugs" other than the fact that they aren't related to memory safety. You've also failed to provide any compelling commentary regarding whether these "latent bugs" are present in C or C++ programs. If you believe they are, then Rust still makes the situation better by reducing the number of exploitable bugs by reducing the number of memory safety bugs.
Methinks you are suffering to an appeal to ridicule. Your comments are written as if someone is saying "Rust will eliminate exploitable bugs." Nobody has said that in this thread. More to the point, I'd be willing to wager that nobody with any modicum of credibility has ever said that.
From experience, no. At least cppcheck, clang tidy, and coverity together still miss aome fairly simple use-after-free on the stack. Asan or valgrind can catch it, as long as you have a unit test that would cause it, which might require 100% code and branch coverage. In more complicated cases where it somehow dependsnon inputs, even that might not cut it.
Speaking about tools like Frama-C, it is important to note that while there is an overhead during development of Rust programs because of the type system, proving the absence of runtime errors in industrial size programs using Frama-C is not something easy, and it remains quite costly (and to be fair, far more costly than making Rust programs type). However, it is true that you can catch some errors that are not caught by the Rust type system, say for example, integer overflows. But I would not bet that all problems caugth thanks to the type system of Rust can be caught using Frama-C.
Now, if we focus on functional properties (proving that the code is correct), one terribly hard problem when dealing with real world programs is handling the shape of the memory. That can make some proofs awful and really hard to complete. In a language like Rust, you can get a lot of information about the shape of the memory and the memory separation for free thanks to the type system. That would make proofs really easier (this is for example what is done, but with far less precision than what the Rust type system could provide, in the different memory models configuration in Frama-C/WP and it can already dramatically improve proof performance).
It probably does not justify rewrite everything, nor changing verification tools chains that are in use in some critical domains. However, I would definitely love working on and working with a Frama-Rust tool ;)
The idea that people will just shift to other kinds is ludicrous. There isn't a fixed quota of bugs per developer-hour. In my personal experience, Rust code absolutely has fewer bugs than most other languages.
Several large surveys have found that approximately 70% of bugs in C and C++ projects are memory safety issues.
I will say that I have written a fair amount of Rust, and never had a bug in a sub-100-line Rust program, which is a huge difference compared to C.
For more complex things, arguing with the borrow checker has often led me to weird solutions that seem to work, but are unlikely to be 100% bug-free.
I would also like to point out that the surveys are looking at known bugs, and memory safety bugs are now very easy to find, thanks to the large number of memory safety analyzers that exist.
The analyzers exist because memory safety problems are significant, but the fact that they are 70% of known bugs does not imply that Rust code will have 30% of the bugs that you would find in a C equivalent. In my experience, if the C equivalent is short, Rust code usually has 0% of the bugs! If the C equivalent is long and complex, it could be a lot higher.
The factor that actually generates the bugs is the tired person writing code they will never read again or use. The borrow checker won't help with that.
I write code with different types of bugs in C, Go, Rust, Javascript, and Verilog, for example. I rarely write code with no bugs, especially when I have no real connection to the code.