Post AciCEAPBoYAocvZPYe by hsivonen@mastodon.social
Post #ARuUrTdCaJFSVZ7XSS by hsivonen@mastodon.social
2023-01-22T09:47:26Z
0 likes, 1 repeats
The C++ Direction Group paper on safety is remarkable in a bad way. https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2023/p2759r0.pdf It makes it look like the C++ leadership is not up to the task of engaging with the issue of memory safety in a credible way.
Post #ARuUrVAuqRoJIPtye8 by hsivonen@mastodon.social
2023-01-22T09:49:21Z
0 likes, 0 repeats
The paper indicates that Rust and the NSA document (that gives the advice to make a strategic shift to memory-safe languages) put safety on the map now. These put _memory-safety_ on the map. Yet, the paper doesn’t focus on memory-safety but instead defocuses the matter by suggesting that the concern at hand is safety in some broader ill-defined sense.
Post #ARuUrWg9FoO5xZWQy0 by hsivonen@mastodon.social
2023-01-22T09:50:20Z
0 likes, 0 repeats
The paper says: “any one particular safety concept, e.g. type safety is not enough to make the overall system safe” and “For example, aerospace safety is different from medical. So we should not make it the same for every industry.” But memory-safety isn’t a different thing in different industries. This looks like confusing the matter instead of engaging on the problems of C++ in a way that properly acknowledges them.
Post #ARuUrY63ywiAMEee00 by hsivonen@mastodon.social
2023-01-22T09:50:42Z
0 likes, 0 repeats
Moreover, the paper talks about an image problem even though the problem really is substantive and even quantifiable (NSA cites numbers from Microsoft and Google, but Mozilla’s and, IIRC, Apple’s are similar).
Post #ARuUrZciJ2QH5mwEWu by hsivonen@mastodon.social
2023-01-22T09:51:02Z
0 likes, 0 repeats
Also, the paper tries to do some unsubstantiated image building by suggesting that Rust is a “browser language” and “The various C++ variants (e.g. circle, carbon, val, cpp2) all seem to serve specific domains”. I don’t know enough to say about Val, but it seems unjustified not to see these at least as multi-domain as C++ itself at least in terms of design even if they originated in various contexts.
Post #ARuUrbBqTu7Rx2Nnvc by hsivonen@mastodon.social
2023-01-22T09:51:22Z
0 likes, 0 repeats
Additional image building that probably makes the image of C++ leadership look bad instead of making C++ look good: characterizing Rust as “built on top of C++”. Semantically, Rust inherits atomics directly from C++ and implementation-wise the compiler reuses LLVM, but for the most part, Rust is _informed by_ rather than “built on top of” C++ in the sense of deciding various things better with the benefit of hindsight of what problems certain design decisions have caused in the context of C++.
Post #ARuUrcc7Bij6MngIVs by hsivonen@mastodon.social
2023-01-22T09:51:57Z
0 likes, 0 repeats
The paper says “We succeed by learning from others” but then signals a lack of learning even _about_ the language that C++ most significantly needs to learn _from_: Rust. In addition to saying that Rust is “built on top of C++”, the paper calls the borrow checker “borrowed checker” (apparently simply in error and not as a joke of the checker itself getting borrow_ed_ into C++) and repeatedly spells Rust as “RUST”.
Post #ARuUreAXPDr7BqnIo4 by hsivonen@mastodon.social
2023-01-22T09:52:14Z
0 likes, 0 repeats
While these errors are seemingly trivial, it’s implausible that a person who has seriously investigated Rust would make these errors. The issues that the paper refers to in order to make the point that Rust, too, has problems are laughably minor in contrast to the fundamental problems C++ has.
Post #ARuUrfibe2hXznk1Y0 by hsivonen@mastodon.social
2023-01-22T09:52:36Z
0 likes, 0 repeats
The paper is against forcing safety on those who don’t need it and mentions HPC as such a domain, but the paper makes no attempt to quantify the performance cost of safety. In contrast, the lack of memory-safety is damaging in many domains.
Post #ARuUrhEC25Yug3WlQ8 by hsivonen@mastodon.social
2023-01-22T09:52:57Z
0 likes, 0 repeats
I agree with the paper that compatibility with existing C++ is a key thing that makes C++ valuable. There’s no point in making C++ safe in such a way that a future version of C++ would, as a prerequisite of migration, require up-front effort similar to rewriting in Rust. In that case, you’d be better off rewriting in Rust.
Post #ARuUriiiU5ZXJ0oedU by hsivonen@mastodon.social
2023-01-22T09:53:52Z
0 likes, 0 repeats
Outside the C++ leadership, it’s easier to draw the conclusion of positioning C++ as appropriate for getting value out of existing C++ code but inappropriate for new projects. Clearly, the C++ leadership isn’t ready to take that position on new projects, but still I would hope that they would engage on the topic in a way that would show having researched what to learn from better and without increasing the scope of “safety” in a way that makes the topic even more intractable.
Post #AciCE8O3Jo4kMp1TVY by hsivonen@mastodon.social
2023-12-11T13:56:55Z
0 likes, 1 repeats
Sadly, C++ standardization leadership’s engagement with the memory safety topic is going even more embarrassingly badly than in January: https://pony.social/@thephd/111550692413752045 The very first sentence is: “Memory safety is a very small part of security.” … Despite the result that about 70% of software vulnerabilities are memory-safety issues having been repeated at multiple organizations (Mozilla, Microsoft, parts of Google, IIRC also Apple).…
Post #AciCEAPBoYAocvZPYe by hsivonen@mastodon.social
2023-12-11T13:57:34Z
0 likes, 0 repeats
The “Conclusion” section has this bit that looks like self-parody: “Safety and security should be opt-in instead of by-default.” As before, the references for showing that Rust has problems, too, are laughably weak. (But at least they mention Rust by name.) The doc makes an economic argument (with questionable numbers) against rewrites, but even if you accept an argument against rewrites, it’s not an argument against writing new components or entire new projects in a safe language.…
Post #AciCECLiaQaKejxfQO by hsivonen@mastodon.social
2023-12-11T13:57:59Z
0 likes, 0 repeats
But who wrote this? The submission is listed as anonymous and the PDF says: “We (identified below)” without having names in the PDF. Someone noticed the authors referring to themselves as “ISO C++ Directions Group”: https://hachyderm.io/@alilleybrinker/111546895072685517 Furthermore, parts of the content seem to match parts of Stroustrup’s slides from his CppCon talk this year.…
Post #AciCEEeE2aZrmidTY8 by hsivonen@mastodon.social
2023-12-11T13:58:20Z
0 likes, 0 repeats
The talk shows a certain lack of self-awareness of acting towards Rust (not mentioned by name in the talk) like C folks acted towards C++. He said: “…one thing I've learned is people when they want to not use a language like C++ they pick something and says oh it doesn't do that. Today it is safety…” https://youtu.be/I8UvQKvOSSw?feature=shared&t=1214 …
Post #AciCEGovxkKcWVf3WC by hsivonen@mastodon.social
2023-12-11T13:58:37Z
0 likes, 0 repeats
And a bit later he makes a big deal about RAII: “Any librarian can tell you that that people will take out books and they'll forget to give them back again. It's a sort of human nature and uh we have to do these things at scale so resource release has to be automatic.” But why shouldn’t the same need to automate and the same observation that educating the human nature away does not scale apply to memory safety?…
Post #AciCEIlSjck8YK3JNw by hsivonen@mastodon.social
2023-12-11T13:58:56Z
0 likes, 0 repeats
It’s worth noting that the notion that C++ is on the verge of getting a safe profile after Rust came out isn’t a new thing. This blog post is from 2016: https://robert.ocallahan.org/2016/06/safe-c-subset-is-vapourware.html So where are Profiles now? This is the current state of the repo: https://github.com/BjarneStroustrup/profiles (To save you a click: Even more vaporware than the 2016 lifetime annotations that had implementations going for MSVC and clang. Now there are documents that are empty except for the title.)…
Post #AciCEKj3RY0OdQwPuS by hsivonen@mastodon.social
2023-12-11T13:59:17Z
0 likes, 0 repeats
Stroustrup made way too big a deal of the earlier NSA paper having said “C/C++”. Well, now it’s not just the NSA but agencies from all the Five Eyes countries, and they are now saying “C and C++” are not memory-safe, so I guess that addresses the “C/C++” talking point: https://www.cisa.gov/sites/default/files/2023-12/The-Case-for-Memory-Safe-Roadmaps-508c.pdf (The doc by the Five Eyes agencies is so much better than the doc by the C++ standardization leadership that the contrast isn’t even funny.)