
So, you're taking a "statement" from another person to "prove" that the person you're replying to is wrong without adding any substance to your comment? What the person you're replying to said is not wrong. Conceptually, Rust forbids certain patterns in programming which are otherwise very valid and necessary. And funnily, in some cases, it chooses to terminate or bring down the whole program at runtime because of that.


> Conceptually, Rust forbids certain patterns in programming which are otherwise very valid and necessary.

Rather than forbid, Rust requires you to put logic like this inside unsafe blocks. This limits the number of places you need to look for UB. Hopefully the number of shared writable pointers is not excessive.

C++ programs on the other hand are all the equivalent of one big unsafe block. That's the difference, not anything "forbidden" by Rust.


"To look for" is a very vague and imprecise definition because that's not how you actually write or test your software. You don't look for UBs. It doesn't change the fact that you still have to hunt for bugs using ASAN, UBSAN, TSAN or MSAN _runtime_ sanitizers. This false dichotomy has been following Rust since forever.


> that's not how you actually write or test your software. You don't look for UBs.

In Rust, it absolutely is. You generally have so few `unsafe` blocks that it's entirely reasonable for a human to audit them and manually verify that their invariants are upheld. You can still use tools like Miri if you want even more assurance, but that's optional.
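The pattern the thread is arguing about, shown as an added example that is not code from any commenter: two simultaneous `&mut` views into one slice, which safe Rust rejects, written as a single `unsafe` block behind a safe API. The standard library already ships this as `slice::split_at_mut` (which panics on a bad `mid`); this reimplementation returns `None` instead so the only thing a caller can get from a bad input is an error value, never UB. The `// SAFETY:` comment is the audit artifact the comment above refers to: it states the invariant the surrounding check establishes. Function names and the sample data are made up for this example.

```rust
/// Split `s` into `[0, mid)` and `[mid, len)` as two disjoint `&mut` slices.
/// Returns `None` instead of panicking when `mid > len`.
pub fn split_mut_checked<T>(s: &mut [T], mid: usize) -> Option<(&mut [T], &mut [T])> {
    let len = s.len();
    if mid > len {
        // This is the one input that would make the pointer arithmetic below unsound.
        return None;
    }
    let ptr = s.as_mut_ptr();
    // SAFETY: `mid <= len` was checked above, so `[0, mid)` and `[mid, len)` both
    // lie inside the allocation behind `s` and do not overlap, so the two `&mut`
    // slices never alias. `ptr` comes from a live slice, so it is non-null and
    // aligned even when `len == 0`. Both results borrow `s` for its lifetime.
    unsafe {
        Some((
            std::slice::from_raw_parts_mut(ptr, mid),
            std::slice::from_raw_parts_mut(ptr.add(mid), len - mid),
        ))
    }
}

/// Safe code built on top of the audited block: swap element `i` of the left
/// half with element `j` of the right half. No `unsafe` is needed here, and
/// every out-of-range index is reported rather than read past the buffer.
pub fn swap_across(buf: &mut [u32], mid: usize, i: usize, j: usize) -> Result<(), &'static str> {
    let (left, right) = split_mut_checked(buf, mid).ok_or("mid beyond length")?;
    let a = left.get_mut(i).ok_or("i beyond left half")?;
    let b = right.get_mut(j).ok_or("j beyond right half")?;
    std::mem::swap(a, b);
    Ok(())
}

fn main() {
    // Constructed sample input for the example.
    let mut data = vec![1u32, 2, 3, 4, 5];
    assert_eq!(swap_across(&mut data, 2, 0, 2), Ok(()));
    println!("{:?}", data); // [5, 2, 3, 4, 1]
    println!("{:?}", swap_across(&mut data, 9, 0, 0)); // Err("mid beyond length")
}
```

Because the only `unsafe` block is four lines long and its precondition is established two lines above it, a reviewer can check it by reading; running the tests under Miri (`cargo +nightly miri test`) additionally checks that the raw-pointer reasoning in the `SAFETY` comment holds at runtime.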


Even if such a thing were possible to do by a bare look at the code, which it most certainly is not, it's still unclear to me how you would do that in a non-trivial, let's say, 1M LoC codebase. Or how do you make sure that none of your 3rd-party code even holds to that promise? Although noble, that is an unreachable goal.

UB does not happen because there are a few lines of code that do the wrong(TM) kind of obvious thing; it happens because that chunk of code interacts with other parts of the code in ways that you usually cannot conceive without tooling or realistic workloads.

I guess that for that or similar reason, Rust also happens to be working on adding support for UBSAN, ASAN, TSAN and MSAN sanitizers. Unfortunately it has been WIP for almost 7 years: https://github.com/rust-lang/rust/issues/39699


CloudFlare remade their primary reverse proxy in Rust and had so few development issues, they ended up finding kernel bugs instead when problems arose. I've worked on projects with non-trivial C++ codebases for a variety of companies, large and small, and with some excellent developers who are far more skilled than I likely will ever be.

https://blog.cloudflare.com/how-we-built-pingora-the-proxy-t...

A non-trivial C++ codebase with that kind of track record is so rare as to be unheard of, though many can approach it with the various sanitizers plugged into the dev workflow after the fact.

C++ has improved dramatically over the last fifteen years, but a lot of stuff simply can't be fixed without breaking backward compatibility, which just isn't going to happen.

We've had enough time elapse to see the related rates of CVEs posted for C++ and Rust apps over the last few years. It's not even close.

It is absolutely possible to have bugs in a Rust app due to logic error or memory leak. But C++ has those same limitations and so many more unless you tack on a host of add-on analysis tools and still you end up with a result that is not as safe as Rust.

Write a web app server in Rust? Sure. As long as I know the problem space, have the dev time allocated, and the need for that efficiency is clear.

Write it in C++? Hell no. Not ever again. Not in a million years. Even if the need for efficiency is demonstrated, I have far less confidence in the integrity of that service when connected to the public internet, no matter how skilled the team is.

Even Scott Meyers—Scott Fucking Meyers, who wrote acclaimed books on advanced use of C++ we mere mortals came to depend upon—does not have confidence in writing code for it anymore. In just three years, he went from an undisputed authority on the topic to this in 2018:

"As you may know, I retired from active involvement in C++ at the end of 2015, and in the ensuing two and a half years, I’ve forgotten enough details of the language that I am no longer able to properly evaluate bug reports regarding the technical aspects of my books. C++ is a large, intricate language with features that interact in complex and subtle ways, and I no longer trust myself to keep all the relevant facts in mind. As a result, all I can do is thank you for your bug report, because I no longer plan to update my books to incorporate technical corrections. Lacking the ability to fairly evaluate whether a bug report is valid, I think this is the only responsible course of action."

https://scottmeyers.blogspot.com/2018/09/the-errata-evaluati...

Neither I nor the folks I have worked with were as skilled as Scott Meyers at his prime, and the majority of us—myself especially—aren't even as good as he was 2.5 years after he stepped away.

Perhaps you are. Are you certain that everyone else on your team is? Everyone who comes later that has to maintain those codebases?

With Rust, I believe teams have a fighting chance. With C++, I'd just as soon buy lotto scratchers since I'm looking at similar odds. Perhaps I'm just an average software engineer. That's entirely possible, and I'll cop to that. But I'm not alone, and we still have bills to pay and code to write. For the sake of my clients, that'll be in Rust before C++ if I can help it. (And neither if the problem doesn't require their level of efficiency.)


You're constructing your own and very biased reality which you use to derive conclusions. Twice in this thread. Wasting other people's time. OTOH I was genuinely trying to give out a different perspective on something you may have not thought about and whose answer could imply that your reasoning is probably not quite correct. However, you're working really really hard for a conversation not to converge by making up bad examples and beating around the bush. Scott Meyers has got nothing to do with my comment, and neither does CloudFlare, which btw has a major outage as of today.


> Cloudflare is assessing a loss of power impacting data centres while simultaneously failing over services. [1]

A major power outage has nothing to do with reverse proxy software. It's difficult to take your critiques in good faith.

C++ is too complex for an expert to safely identify whether something is a bug or not. Not all C++ developers are experts. It is alarming you consider this state of affairs to be acceptable or that Rust does not clearly mitigate many of these issues out of the box.

Does Rust eliminate all bugs? Of course not. That was never the assertion. When Microsoft finds in a study that 70%+ of all Microsoft CVEs would have been avoided given Rust's memory model, it should not be hand-waved away as personal preference or irrational bias. [2] [3]

[1] https://www.cloudflarestatus.com/incidents/hm7491k53ppg

[2] https://msrc.microsoft.com/blog/2019/07/we-need-a-safer-syst...

[3] https://msrc.microsoft.com/blog/2019/07/why-rust-for-safe-sy...


> A major power outage has nothing to do with reverse proxy software.

I am glad you recognize how bad of an example that was. Now apply this to the rest of your arguments.

> or that Rust does not clearly mitigate many of these issues out of the box.

You're again imputing something I never said only to support your opinion. This is the third time in this thread you're successfully avoiding addressing the substance of my initial two comments. I won't proceed any further in this discussion because it's a plain waste of time.



