[pdimitar]

Question is: do you realize that Rust's `unsafe` is still not as unsafe as C without bound checks, double `free`-s, and others?

Point is, it's still an improvement. I am regularly amazed as to why that factually correct and (more and more) time-proven argument is always skipped when criticizing Rust.

[megous]

Yes, but do you realize you don't have to write C code without bounds checks? You can add your own.

[pdimitar]

No, I never would have imagined. /s

Point is, many don't do it. And they don't tell anyone. And they deploy important software. And then we get unpleasantly surprised years (or decades) later.

Same argument as with C++: proponents say that the modern C++ is almost like Rust which is cool and I am happy for them, but there are literal hundreds of millions of C++ coding lines out there that will never get upgraded. Having a cop-out like "yeah but the modern version is better" doesn't help legacy code.

Rust on the other hand is super strict for a long time now. They did the right thing.

[megous]

Sorry, I don't know any important C codebase that omits necessary bounds checks casually. Often times it would not even make any sense. (If you want to iterate over an array, you don't just iterate until infinity, lol.) String manipulation is often wrapped in functions that handle length/storage size/reallocation/etc in the background.

[pdimitar]

Nobody is saying they do it casually. People genuinely believe they are without fault, which leads to stuff like Heartbleed (and many others; from 2017 to 2020 there was a number of HN submissions about various well-known pieces of software having buffer under/over-flows).

I heard the ideal theory you cite, many many times. Yet many people still do mistakes. How does that fit in your world-view?

[megous]

Not sure what ideal theory you mean. I didn't state any.

Most of the code in my Linux distro is written in C, yet I don't see many segfaults or data corruption in my favorite tools, even those exposed to the internet. It just works. Supposed buffer overflows and double-frees don't affect me daytoday despite 95%+ code I run being written in C, "catastrophic" issues like heartbleed notwithstanding.

People make mistakes, sure. They'll make them with "safe" languages, too. Rust programs are not immune from mistakes. They'll just be of a different kind.

PHP is memory safe, and there were many easily exploited (not just exploitable) vulnerabilities in software written with PHP. (and it doesn't even have escape hatches out of its memory safety)

[pdimitar]

> If you want to iterate over an array, you don't just iterate until infinity

And yet I am sure we all have witnessed code bases where this was done. At least I and no less than 40 other colleagues I knew have.

The "ideal theory" refers to the old adage of "just be a good programmer, duh" which historically has been proven to be a complete BS.

> Rust programs are not immune from mistakes. They'll just be of a different kind.

Glad we agree on something. I want memory safety problems out of the equation.

Also please don't fight straw-men -- all Rust discussions seem to always spiral from the very reasonable premise of "Rust eliminates a class of bugs" to "But with Rust you can still make logical mistakes!!!!!", and nobody ever claimed the opposite anyway...

[Yoric]

For context, an obligatory reference (slash shameless self-promotion) to definitions of safety and safe languages.

https://yoric.github.io/post/safety-and-security/

[Yoric]

Out of curiosity, do you know projects with C code and bounds checks?

[tialaramex]

Actually Unsafe Rust is arguably more fraught than C because the rules in Unsafe Rust are just as tough as they are in Safe Rust - much tougher than C - but in Safe Rust the language and libraries promise to take care of that, whereas in Unsafe that's on you. So choices which are in fact harmless in C will result in UB in Unsafe Rust.

The benefit is that unsafe passages of Rust are rarer and should be safely abstracted from APIs for use by Safe Rust. Mellisearch seems to often (but not always) provide safety rationales for unsafe code, explaining why whatever is done is OK. I don't understand this domain in enough detail to comment on the quality of the rationales.

[pdimitar]

Yes and no, unsafe Rust still holds a number of invariants, wherever if you just go on your own writing C you have zero.

I prefer the number of guarantees / invariants that's above zero.

[rockwotj]

I'm not criticizing Rust, I really like Rust and think it's great, along with the trend of more things written in it.

At the same time assuming you'll never get a memory issue is over the top.

[pdimitar]

Dunno, I think it should be clear for all experienced devs that the "never" part is still not achieved.

Personally though -- and in my work -- I'll take any improvement that I can. I am sick of reading about yet another important piece of software having yet another memory safety zero day pwnage bug.