Most active commenters
  • pron(7)
  • edflsafoiewq(4)
  • TinkersW(3)

←back to thread

Interview with Zig language creator Andrew Kelley [video]

(www.youtube.com)
200 points jorangreef | 22 comments | 27 Aug 20 11:10 UTC | HN request time: 1.654s | source | bottom
Show context
tobz1000 ◴[27 Aug 20 13:08 UTC] No.24293284[source]
Some of Zig's ideas fascinate me, both the great low-level concepts (e.g. arbitrary-sized ints), but much more than that, the high level concepts.

Particularly great is Zig's handling of both macros and generic types, the answer to both of which seems to be: just evaluate them at compile-time with regular functions, no special DSL or extra syntax. Andrew mentions in the video a big drawback of this system - implications for IDE complexity and performance. I imagine the performance side of this could be (maybe is?) mitigated by limiting recursion depth/loop counts for compile-time work.

I'm not particularly interested in taking on a language with manual memory management and the responsibilities it entails, but I would love to have access to Zig's compile-time capabilities, if it were available with some more memory safety.

replies(2): >>24293329 #>>24294235 #
1. pron ◴[27 Aug 20 13:13 UTC] No.24293329[source]
Zig gives you memory safety (or, rather, will ultimately do that), but it does so in a way that's different from both languages with garbage collection (whether tracing or reference-counting) or with sound type-system guarantees a-la Rust. It does so with runtime checks that are turned on in development and testing and turned off -- either globally or per code unit -- in production. You lose soundness, but we don't have sound guarantees for functional correctness, anyway, and given that Zig makes testing very easy, it's unclear whether a particular approach dominates the other in terms of correctness.
replies(6): >>24293512 #>>24293563 #>>24293661 #>>24296835 #>>24298380 #>>24299940 #
2. renaicirc ◴[27 Aug 20 13:35 UTC] No.24293512[source]
> You lose soundness, but we don't have sound guarantees for functional correctness, anyway

This sounds like "we can't guarantee the most important thing, so it's unclear whether it's useful to guarantee this other thing," but that's a bizarre statement, so am I misinterpreting?

replies(1): >>24293642 #
3. TinkersW ◴[27 Aug 20 13:40 UTC] No.24293563[source]
That is the same approach used in many C++ projects
replies(2): >>24293585 #>>24293655 #
4. renaicirc ◴[27 Aug 20 13:42 UTC] No.24293585[source]
Then I guess the obvious question is: has it worked well for those projects?
replies(1): >>24293840 #
5. pron ◴[27 Aug 20 13:49 UTC] No.24293642[source]
It means that there's a complex tradeoff between making sound guarantees and providing correctness in other ways, a tradeoff that all languages make anyway, each finding its own preferred sweet spot, and that we don't know if, say, Rust's sweet spot yields better correctness than Zig's.
6. pron ◴[27 Aug 20 13:50 UTC] No.24293655[source]
But to do that you can only use a subset of C++ (e.g. you can't use arrays nor pointer arithmetic). This works for all of Zig, except for some very specific, clearly marked, "unsafe" operations.
replies(1): >>24293757 #
7. azakai ◴[27 Aug 20 13:50 UTC] No.24293661[source]
My understanding is that Zig goes further than that. In particular it just added a safe allocator suitable for production,

https://github.com/ziglang/zig/pull/5998

edit: For more details, see

https://ziglang.org/#Performance-and-Safety-Choose-Two

8. TinkersW ◴[27 Aug 20 13:58 UTC] No.24293757{3}[source]
It works with arrays if you stick with std::array & std::span like constructs.

It also works with iterators-generally by sticking some extra data in the iterator in dev builds, so it can check for out of bounds access.

If I do have some code that uses C pointers + size, I'll insert some dev build assertions.

replies(1): >>24293820 #
9. pron ◴[27 Aug 20 14:05 UTC] No.24293820{4}[source]
Sure, and then when you enforce that you address the third most bothersome thing for me in C++, leaving you only with the top two (for me): a complex language and slow compilation.
10. TinkersW ◴[27 Aug 20 14:08 UTC] No.24293840{3}[source]
It obviously isn't as safe as Rust, but I think it works well enough for something like gamedev(where absolute safety isn't required).

For memory related issues I find it sufficient.

One aspect where it is probably not as good as Rust is for threading related issues, as it relies on inserting runtime checks which may or may not trigger depending on the number of threads attempting access.

11. vmchale ◴[27 Aug 20 18:24 UTC] No.24296835[source]
That's not on par with linear or affine types.
replies(1): >>24299103 #
12. edflsafoiewq ◴[27 Aug 20 20:40 UTC] No.24298380[source]
Does zig have an answer to RAII yet?
replies(1): >>24300178 #
13. pron ◴[27 Aug 20 21:51 UTC] No.24299103[source]
When compared in isolation, yes. But such mechanisms aren't free; they add to both language complexity and compilation time, two things that can have a negative impact on correctness. So it's impossible to say which approach leads to more correct programs overall without empirical study.

We see similar tradeoffs of soundness in formal verification as well. We're not talking about exactly the same thing here (because affine type safety is compositional) but the general principle is the same: soundness has a cost, and it is not necessarily the most efficient way of achieving a required level of correctness.

Anyway, I think that both Rust and Zig have very interesting approaches to safety, but I don't think we know enough to claim one is more effective than the other at this time.

14. aidenn0 ◴[27 Aug 20 23:41 UTC] No.24299940[source]
Valgrind on C is the closest thing I've worked with in terms of what Zig offers.

My experience is that Rust's approach is definitely better in terms of correctness than using valgrind during testing.

My intuition is that the advantages Zig brings to the table will not tip the balance.

That being said, the choice Zig makes is absolutely the right one. Rust fills the niche of a better and more correct C++ without fixing the issues of slow compilation and language complexity.

Zig fixes so much of what's wrong with C without abandoning the advantages of language simplicity and locality of reasoning. I love Zig, but need a medium sized non-work project for it.

15. pron ◴[28 Aug 20 00:20 UTC] No.24300178[source]
RAII is not a question. Zig prefers explicitness, i.e. by looking at a subroutine you know exactly which code is called, its approach to releasing resource uses defer.
replies(1): >>24300366 #
16. edflsafoiewq ◴[28 Aug 20 00:57 UTC] No.24300366{3}[source]
The question is how to do automatic resource management. There are no checks of any sort, runtime or not, to help you here (correct me if I'm wrong).

RAII is not precluded by explicitness, you could require all values that require cleanup to be syntactically marked in some way and it would still be RAII. defer also cannot handle resources whose lifetimes do not correspond to nested scopes (eg. the elements of an ArrayList) like RAII or a GC can.

replies(2): >>24306357 #>>24359288 #
17. pron ◴[28 Aug 20 15:53 UTC] No.24306357{4}[source]
> RAII is not precluded by explicitness, you could require all values that require cleanup to be syntactically marked in some way and it would still be RAII.

I think this one is TBD.

> defer also cannot handle resources whose lifetimes do not correspond to nested scopes (eg. the elements of an ArrayList) like RAII or a GC can.

Yep, defer won't work if there is no known lifetime scope, but I think this one is actually a good tradeoff to make in a low-level language. Don't get me wrong -- I love tracing GCs and think that they're the right choice for the vast majority of application software, plus there have been great strides made in GC capabilities in the past few years, but in the domains where low-level languages are appropriate there is a different set of constraints. Low-level programming is not like high-level programming, and IMO it's wrong to even try to make them look alike.

18. int_19h ◴[02 Sep 20 23:14 UTC] No.24359288{4}[source]
> defer also cannot handle resources whose lifetimes do not correspond to nested scopes

It can, it's just more explicit about it. In a language with destructors, you'd do RAII here by having a list destructor that cleans up each element in turn. In a language with defer, the same destructor becomes a regular function that you'd invoke in the deferred expression.

replies(2): >>24379048 #>>24379109 #
19. ◴[04 Sep 20 21:25 UTC] No.24379048{5}[source]
20. edflsafoiewq ◴[04 Sep 20 21:33 UTC] No.24379109{5}[source]
The issue is with the individual elements, which get pushed to the list, popped off the list, moved around, pushed to a different list, etc.

The other issue is since there is no generic notion of a destructor, it isn't possible to write generic functions that destroy elements. If you call, say, replace_range on a list of strings, it will leak the replaced strings.

replies(1): >>24404277 #
21. int_19h ◴[08 Sep 20 01:06 UTC] No.24404277{6}[source]
> The issue is with the individual elements, which get pushed to the list, popped off the list, moved around, pushed to a different list, etc.

That's separate from the destructor for the entire list. It does mean that the code that removes an element from the list has to explicitly invoke the destructor for it - which is in agreement with using "defer" to explicitly invoking destructors for locals.

> The other issue is since there is no generic notion of a destructor, it isn't possible to write generic functions that destroy elements.

But you can have a generic notion of a destructor - that's orthogonal to whether destructors are invoked explicitly. You just have an interface (or trait, or whatever it's called) that exposes a destructor method for a type.

replies(1): >>24438025 #
22. edflsafoiewq ◴[11 Sep 20 00:27 UTC] No.24438025{7}[source]
You could but Zig does not.