by Aeolos 962 days ago
Yes, this is a common theory, but I don’t see evidence for it in the hard numbers. Taking two of the most popular projects in each language, with a comparable LOC count, the numbers look surprisingly similar year over year:

Linux kernel (C): https://www.cvedetails.com/product/47/Linux-Linux-Kernel.htm...

Chrome (C++): https://www.cvedetails.com/product/15031/Google-Chrome.html?...

There’s some variability year over year, but if anything C appears to have a slight advantage over C++ in terms of memory corruption (840 vs 1004), with essentially the same number of overflow errors (322 vs 328). There is no comparable Rust project, but initial evidence from the Asahi GPU drivers hints that memory corruption errors are fundamentally eliminated.

This is obviously not accounting for confounding factors, hence my request for any peer-reviewed evidence for the security claim. Until then, the facts don’t seem to be supporting it.

2 comments

Are you seriously putting the Linux kernel forward as a typical C code base? Isn't that a bit like selecting the example of an F1 car to show that cars are usually at least as fast as motor cycles?
Neither Chrome nor Linux are “typical” programs for their respective languages, but they are real examples used by hundreds of millions of people.

Feel free to provide evidence for other cross-comparable C & C++ codebases if you have any.

Picking Chrome and Linux as examples is good for a couple of reasons. No one will complain that the codebases are small or were written by “bad” programmers who didn’t take enough care to write good code.

Because that’s the only thing holding back some languages, right? If only the programmers using them would get good and use static analysis tools, then bugs would be eliminated.

Chrome is a vastly more complicated program than Linux.
That is very debatable.

Linux compiles and runs on many more architectures and hardware configurations than Chrome, and it supports a frankly ridiculous number of peripherals up to and including the most complicated GPU accelerators ever made.

Chrome is indeed complex, but on what do you base your “vastly more” assertion?