[Dylan16807]

I don't understand your post. If you mean 'unsafe' as in 'may misbehave' then the compiler can definitely ensure there will be no segmentation faults and there cannot be certain classes of race condition. If you mean 'unsafe' as in the keyword that lets you do dangerous things, it's trivial to check if your source has blocks marked with that keyword.

There's no way to ensure the compiler is perfect, but rust itself is not capable of certain types of errors.

You can always code the wrong algorithm, but that doesn't mean you can segfault or use after free (in the default safe mode you almost never have an excuse to leave).

[shadowmint]

This is a misconception.

You are flat put wrong, and spreading misinformation about it doesnt help anyone.

If you use any rust, and that includes dependencies and the standard library with unsafe code, bugs in the unsafe code can and do cause segmentation faults.

Its easy to say, 'well, thats a bug in the library, not a problem with rust', but thats the same as with C++ isnt it? If you can assert any code is 100% bug free then why do we care about the nice safety features in rust?

What is true is that any 'safe' code path that never enters an unsafe block in rust proveably cannot result in certain types of failures.

BUT every rust program uses unsafe code. In the standard library. In c bindings. In 'safe' pure rust dependencies (with hidden unsafe blocks). In loading dynamic libraries.

Its completely unavoidable.

What are going to do? Vet every line of every part of every dependency in the code you use? Dont be ridiculous.

Do you use rust?

..because practically speaking it does crash. Not often, sure. ...but this falacy that rust is 'provably safe' is absolutely false. Its provably false.

Thats why people saying it is unfortunate; it makes the rust community look like a bunch of clueless fanboys.

Please stick to reality. Rust has a zero cost memory management strategy and a smart compiler that helps to prevent certain types of common errors.

We dont need to step into magical fairy land to convince people rust is good. It stands on its own merit easily enough.

[Dylan16807]

I guess I should have been more explicit that I was talking about the language itself (without the unsafe keyword). Not libraries written in other languages, not compilers. It's the job of theorem provers and whatnot to make those safe.

In other words I'm talking about code the programmer makes themselves.

>Its easy to say, 'well, thats a bug in the library, not a problem with rust', but thats the same as with C++ isnt it?

In C++ nothing prevents the lines I write from having memory errors. It's not the same at all.

>If you can assert any code is 100% bug free then why do we care about the nice safety features in rust?

Oh well you shouldn't do that, but you also don't have to use unsafe code willy-nilly. In C++ everything you touch is unsafe unless proven otherwise.

>What are going to do? Vet every line of every part of every dependency in the code you use?

For unsafe blocks? Sure, that's easy.

[shadowmint]

There is no rust language without the unsafe keyword. It doesnt exist. The unwinding is unsafe. see the recent thread on /r/rust about mysterious segfaults.

Thats the point.

You cannot assert your rust program cannot crash.

Even if your code is perfect, there may be bugs in either the std library or some dependency you use that does crash.

Im not saying everyone uses unsafe code (or should) in their own code. Far from it.

Im saying that every rust program invokes unsafe code at some point.

So this myth of the 'pure rust' that is 'completely safe' is just that. A myth.

I dont understand why this is difficult idea for people to accept. Just use the good bits of rust. rust doesnt need to be 100% safe; its not, and thats completely ok.

[Dylan16807]

You can write a library in rust that will never invoke unsafe code, even if you can't have an entire standalone program.

>I dont understand why this is difficult idea for people to accept. Just use the good bits of rust. rust doesnt need to be 100% safe; its not, and thats completely ok.

It's okay for now, but I'm eagerly waiting for a version where the important pieces of unsafe code can be formally verified. Give me safe unwinding, memory allocation, and sockets, and I can cover half the world.

As far as I know this isn't an especially difficult request. I could probably cobble together something right now by borrowing bits of verified C and gluing them to library-limited rust.

[Jweb_Guru]

How often has one of your Rust programs segfaulted for you, when it wasn't a bug in your own unsafe code (as opposed to that in the standard library)? For me, the count still stands at zero.

I've been writing Rust for well over a year. I like to abuse new features and I've found many compiler bugs, but my code doesn't crash at runtime.

I'm not saying it doesn't happen, and the plural of anecdote is not data, but I think you're grossly misrepresenting Rust's practical safety benefits. That you only have to trust code in unsafe blocks, rather than all the code everywhere, is a huge benefit.

[shadowmint]

Have you used any of the graphical bindings?

maybe once a fortnight for me?

I'm certainly not trying to bash rust, and I do apologise if it comes across that way.

I just think a bit of realism makes everything look much more sincere and plausible.

As you say 'Rust cannot crash' is false. 'Rust has never crashed for me' could well be a completely true thing to say. Also, 'Its so much easier to write rust code (than say c) that doesnt crash!'

I completely ok with all of those.

..but 'you can do anything in rust and its always perfectly safe!' or 'rust programs dont have to worry about security issues' or 'It is effectively impossible to have an unsafe memory access error in Rust'?

Those are people being enthusiastic (good) but unfortunately spreading misinformation (bad) and making the rust community look bad (very bad).

I just wish people could be excited about the the things that are actually exciting about rust. I feel like this whole safety thing is a massive distraction.

fast, low level, concurrent and managed memory with no cost is both accurate and exciting about rust.

'helps avoid bugs and race conditions' isn't very exciting to me, but I acknowledge its important.

I guess 'completely provably safe!' is exciting to some people; but since its not true, Id prefer not to get people excited about rust that way.

[Jweb_Guru]

The safety thing isn't a massive distraction. It's a major part of the point of Rust, whether it's exciting to you or not.

The graphical bindings you're using are not part of the standard library, which is why I specifically asked about that. I know there are bugs in third-party dependencies in Rust, because there are many C bindings that aren't exposed safely by those libraries. I've segfaulted using a TrueType binding library, for example, because it was not actually exposed in a way that prevented double frees. But writing a bad binding is something you can do just as easily in Ruby, or Java. The standard library is what we were originally talking about. I wouldn't disbelieve you if you said you crashed every fortnight using only standard library code, but I would probably press for details.

I am not saying Rust is "completely provably safe", but nothing is. You always have some trusted software or hardware that, if it screws up, will compromise your program. Rust's advantage is that it allows you to be explicit about what parts are trusted and what parts aren't. It vastly reduces the potential attack surface.