upvote

points

by omcnoe4 hours ago |
comments
upvoteby pizlonator4 hours ago|
next
[-]
> write memory-unsafe code, just now it is guaranteed to crash

If it's guaranteed to crash, then it's memory-safe.

If you dislike that definition, then no mainstream language is memory-safe, since they all use crashes to handle out of bounds array accesses

reply
upvoteby omcnoe3 hours ago|
parent|
[-]
I don't think that's a useful way of thinking about memory-safety - a C compiler that compiles any C program to `main { exit(-1); }` is completely memory-safe. It's easy to design a memory-safe language/compiler, the question is what compromises are being made to achieve it.

Other languages have runtime exceptions on out-of-bounds access, Fil-C has unrecoverable crashes. This makes it pretty unsuitable to a lot of use cases. In Go or Java (arbitrary examples) I can write a web service full of unsafe out-of-bounds array reads, any exception/panic raised is scoped to the specific malformed request and doesn't affect the overall process. A design that's impossible in Fil-C.

reply
upvoteby wren699126 minutes ago|
parent|
next
[-]
You need to distinguish safety properties from liveness properties.
reply
upvoteby dzaima3 hours ago|
parent|
prev|
next
[-]
Then you run into the problem of infinite loops, which nothing can prevent (sans `main { exit(-1); }` or other forms of losing turing-completeness), and are worse than crashes - at least on crashes you can quickly restart the program (something something erlang).

try-catch isn't a particularly complete solution either if you have any code outside of it (at the very least, the catch arm) or if data can get preserved across iterations that can easily get messed up if left half-updated (say, caches, poisoned mutexes, stuck-borrowed refcells) so you'll likely want a full restart to work well too, and might even prefer it sometimes.

reply
upvoteby wakawaka283 hours ago|
parent|
prev|
[-]
I don't think runtime error handling is impossible in Fil-C, at least in theory. But the use cases for that are fairly limited. Most errors like this are not anticipated, and if you did encounter them then there's little or nothing you can do useful in response. Furthermore, runtime handling to continue means code changes, thus coupling to the runtime environment. All of these things are bad. It is usually acceptable to fail fast and restart, or at least report the error.
reply
upvoteby pizlonator2 hours ago|
parent|
[-]
I could have made Fil-C’s panic be a C++ exception if I had thought that it was a good idea. And then you could catch it if that’s what tickled your pickle

I just don’t like that design. It’s a matter of taste

reply
upvoteby ori_b3 hours ago|
prev|
next
[-]
By that token, Rust is also memory unsafe: array bounds checks and stack overflow are runtime checks.
reply
upvoteby DetroitThrow3 hours ago|
parent|
next
[-]
There are several ways to safely provide array bounds check hints to the Rust compiler, in-fact there's a whole cookbook. But for many cases, yep, runtime check.
reply
upvoteby p1necone2 hours ago|
parent|
prev|
[-]
Why are you talking like this is black and white? Many things being compile time checkable is better than no things being compile time checkable. The existence of some thing in rust that can only be checked at runtime does not somehow make all the compile time checks that are possible irrelevant.

(Also I think the commenter you're replying to just worded their comment innacurately, code that crashes instead of violating memory safety is memory safe, a compilation error would just have been more useful than a runtime crash in most cases)

reply
upvoteby 100ms3 hours ago|
prev|
next
[-]
What's the alternative?

https://play.rust-lang.org/?version=stable&mode=debug&editio...

reply
upvoteby zamadatix3 hours ago|
parent|
next
[-]
.get() will bounds check and the compiler will optimize that away if it can prove safety at compile time. That leaves you 3 options made available in Rust:

- Explicitly unsafe

- Runtime crash

- Runtime crash w/ compile time avoidence when possible

reply
upvoteby omcnoe3 hours ago|
parent|
prev|
[-]
https://play.rust-lang.org/?version=stable&mode=debug&editio...

Catch the panic & unwind, safe program execution continues. Fundamentally impossible in Fil-C.

reply
upvoteby uecker2 hours ago|
parent|
next
[-]
I do not know how Fil-C handles this, but it could raise a signal that one can then catch.
reply
upvoteby wakawaka283 hours ago|
parent|
prev|
[-]
Seems like a niche use case. If it needs code to handle, it's also not apples to apples...
reply
upvoteby omcnoe3 hours ago|
parent|
[-]
It's an apple to non-existent-apple comparison. Fil-C can't handle it even with extra code because Fil-C provides no recovery mechanism.

I also don't think it's that niche a use case. It's one encountered by every web server or web client (scope exception to single connection/request). Or anything involving batch processing, something like "extract the text from these 10k PDFs on disk".

reply
upvoteby wakawaka283 hours ago|
parent|
[-]
Sure, it's not implemented in Fil-C because it is very new and the point of it is to improve things without extensive rewrites.

Generally, I think one could want to recover from errors. But error recovery is something that needs to be designed in. You probably don't want to catch all errors, even in a loop handling requests for an application. If your application isn't designed to handle the same kinds of memory access issues as we're talking about here, the whole thing turns into non-existent-apples to non-existent-apples lol.

reply
upvoteby boredatoms4 hours ago|
prev|
next
[-]
For some things the just-crash is ok, like cli usage of curl
reply
upvoteby forrestthewoods3 hours ago|
prev|
[-]
Rust also has run-time crash checks in the form of run-time array bounds checks that panic. So let us not pretend that Rust strictly catches everything at compile-time.

It’s true that, assuming all things equal, compile-time checks are better than run-time. I love Rust. But Rust is only practical for a subset of correct programs. Rust is terrible for things like games where Rust simply can not prove at compile-time that usage is correct. And inability to prove correctness does NOT imply incorrectness.

I love Rust. I use it as much as I can. But it’s not the one true solution to all things.

reply
upvoteby omcnoe3 hours ago|
parent|
next
[-]
Not trying to be a Rust advocate and I actually don't work in it personally.

But Rust provides both checked alternatives to indexed reads/writes (compile time safe returning Option<_>), and an exception recovery mechanism for out-of-bounds unsafe read/write. Fil-C only has one choice which is "crash immediately".

reply
upvoteby uecker2 hours ago|
parent|
[-]
What makes you think that one can not add an explicit bound check in C?
reply
upvoteby tialaramex2 hours ago|
parent|
next
[-]
It's trickier than it looks because C has mutable aliases. So, in C our bounds check might itself be a data race! Make sure you cope
reply
upvoteby uecker1 hours ago|
parent|
[-]
Depending on what you are doing, yes. But the statement I responded to "your only choice is crash" is certainly wrong.
reply
upvoteby omcnoe2 hours ago|
parent|
prev|
[-]
If you can correctly add all the required explicit bounds checks in C what do you need Fil-C for?
reply
upvoteby kimixa1 hours ago|
parent|
next
[-]
Same reason any turing complete language needs any constructs - to help the programmer and identify/block "unsafe" constructs.

Programming languages have always been more about what they don't let you do rather than what they do - and where that lies on the spectrum of blocking "Possibly Valid" constructs vs "Possibly Invalid".

reply
upvoteby uecker1 hours ago|
parent|
prev|
[-]
For temporal memory safety.
reply
upvoteby wakawaka283 hours ago|
parent|
prev|
[-]
>And inability to prove correctness does NOT imply incorrectness.

And inability to prove incorrectness does NOT imply correctness. I think most Rust users don't understand either, because of the hype.

reply