this post was submitted on 19 Mar 2024
145 points (92.9% liked)

Programming

17509 readers
10 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]



founded 1 year ago
MODERATORS
145
submitted 8 months ago* (last edited 8 months ago) by [email protected] to c/programming
 

Python is memory safe? Can't you access/address memory with C bindings?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 38 points 8 months ago (1 children)

I'm not a Rust developer (yet), but I understand its strength in this regard as: Rust is statically memory safe by default, and code which isn't statically memory safe must be declared with the unsafe keyword. Whereas C++ has not deprecated C-style pointers, and so a C engineer can easily write unsafe C code that's valid in a C++ compiler, and no declaration of its unsafeness is readily apparent to trigger an audit.

It's nice and all that C++ pioneered a fair number of memory safety techniques like SBRM, but the debate now is about safety by default, not optional bolt-on safety. All agree that the overall process to achieve correct code is paramount, not just the language constructs.

[–] snowe 38 points 8 months ago (3 children)

It's also just a huge fallacy. He's saying that people just choose to not write memory safe code, not that writing memory safe code in C/C++ is almost impossible. Just look at NASA's manual for writing safe C++ code. It's insanity. No one except them can write code that's safe and they've stripped out half the language to do so. No matter how hard you try, you're going to let memory bugs through with C/C++, while Rust and other memory safe languages have all but nullified a lot of that.

[–] [email protected] 21 points 8 months ago* (last edited 8 months ago) (3 children)

As someone who is in the aerospace industry and has dealt with safety critical code with NASA oversight, it's a little disingenuous to pin NASA's coding standards entirely on attempting to make things memory safe. It's part of it, yeah, but it's a very small part. There are a ton of other things that NASA is trying to protect for.

Plus, Rust doesn't solve the underlying problem that NASA is looking to prevent in banning the C++ standard library. Part of it is DO-178 compliance (or lack thereof) the other part is that dynamic memory has the potential to cause all sorts of problems on resource constrained embedded systems. Statically analyzing dynamic memory usage is virtually impossible, testing for it gets cost prohibitive real quick, it's just easier to blanket statement ban the STL.

Also, writing memory safe code honestly isn't that hard. It just requires a different approach to problem solving, that just like any other design pattern, once you learn and get used to it, is easy.

[–] 0x0 1 points 8 months ago

I'd've thought Ada would play a larger role in aerospace, because of these issues, among others.

[–] snowe 1 points 8 months ago

Also, writing memory safe code honestly isn’t that hard. It just requires a different approach to problem solving, that just like any other design pattern, once you learn and get used to it, is easy.

the CVE list would disagree with you.

[–] arendjr -2 points 8 months ago (1 children)

Also, writing memory safe code honestly isn’t that hard. It just requires a different approach to problem solving, that just like any other design pattern, once you learn and get used to it, is easy.

This statement is kinda ironic after you just said it’s “easier” to just ban the entire STL and dynamic memory allocation as a whole. You already left the domain of what most consider “easy” quite a while ago.

[–] 0x0 1 points 8 months ago

Op said NASA thinks it's easier.

[–] [email protected] 9 points 8 months ago (1 children)
[–] snowe 24 points 8 months ago* (last edited 8 months ago) (2 children)
[–] [email protected] 9 points 8 months ago (2 children)

That first link is about a document from 2006, while C++ became a lot safer with C++11 in 2011. It's much easier to write safe C++ now, if you follow current guidelines:

https://isocpp.github.io/CppCoreGuidelines/

[–] tyler -2 points 8 months ago (1 children)

Yeah the standards for safe C++ haven’t changed, no matter how much the language changes.

[–] [email protected] 5 points 8 months ago* (last edited 8 months ago)

I would say the standard has changed. The current guidelines require you to use features that didn't exist before C++11. C++11 was a huge change and it made C++ a lot nicer. The updates since then have generally been improvements but more incremental than revolutionary.

[–] aport -3 points 8 months ago (1 children)

Dude core guidelines is like 2000 pages, C++ is a meme language

[–] [email protected] 5 points 8 months ago (1 children)

Print from html to PDF in a browser was 708 pages, so maybe half that if printed like a book (less whitespace etc.). About like a Rust textbook. Still a lot I guess.

[–] aport 2 points 8 months ago

Well I'm old so I need a larger font size

[–] [email protected] 4 points 8 months ago

Seems very reasonable, apart from an arbitrary number of assertions required per function

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago) (1 children)

It's also a fallacy that rust code is memory safe. I audited a couple of large rust projects and found that they both had tens of unsafe constructs. I presume other projects are similar.

You can't use "unsafe" and then claim that your program's memory safe. It may be "somewhat safe-ish" but claiming that your code is safe because you carefully reviewed your unsafe sections leaves you on the same shaky ground as c++, where they also claim that they carefully review their code.

[–] [email protected] 2 points 8 months ago (1 children)

I don't have the data, but I don't think it's wild to assume that most rust programs have 0-1 unsafe blocks, in total. Except for special cases like ffi.

Even if your rust project has 1000s of unsafe blocks, it is still safer than C++, which is 100% an unsafe block. You only have to carefully review the parts marked "unsafe", in C++ you have to carefully review the whole code.

Also, because unsafe blocks are explicitly declared, you know which parts of the code require extra carefulness, and if you encounter a memory bug, doing Ctrl+F "unsafe" will soon show the root cause.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago)

Yes, that's the difference between "safer" and "actually safe".

[email protected]