Most active commenters
  • medo-bear(7)
  • keybored(5)

←back to thread

Compiling C to Safe Rust, Formalized

(arxiv.org)
278 points love2read | 17 comments | 20 Dec 24 23:30 UTC | HN request time: 0.002s | source | bottom
Show context
wffurr ◴[21 Dec 24 00:33 UTC] No.42476523[source]
Note that this is done for “existing formally verified C codebases” which is a lot different from typical systems C code which is not formally verified.
replies(8): >>42476623 #>>42477360 #>>42478051 #>>42478440 #>>42478560 #>>42478707 #>>42479358 #>>42479797 #
akkad33 ◴[21 Dec 24 10:09 UTC] No.42478707[source]
Is Rust formally verified? Not that I know of
replies(3): >>42478873 #>>42480047 #>>42480818 #
PartiallyTyped ◴[21 Dec 24 10:46 UTC] No.42478873[source]
You can always run model checkers like Kani, though even that is limited.
replies(1): >>42479351 #
medo-bear ◴[21 Dec 24 12:43 UTC] No.42479351[source]
So no?
replies(1): >>42479779 #
johnisgood ◴[21 Dec 24 14:10 UTC] No.42479779[source]
The answer is that it is not.

It frustrates me more than it should, I admit, that people always mention Rust when they talk about safety, but never Ada / SPARK. You want formal verification? Use Ada / SPARK. It has been battle-tested. It has been used for critical systems for a really long time now.

(And a compiler being formally verified vs. being able to write formally verified code means two different things.)

replies(2): >>42479874 #>>42484006 #
1. medo-bear ◴[21 Dec 24 14:26 UTC] No.42479874[source]
I think a disclaimer like this should be written with every Rust application, like health warnings on cigarette packets
replies(1): >>42479893 #
2. johnisgood ◴[21 Dec 24 14:30 UTC] No.42479893[source]
At this point, I think that would be better, yes, just because people think Rust is "fully" safe, which is just incorrect. I think the problem was the Rust hype and repeated statements of it being very safe, so we have some undoing to do.

For example if someone on GitHub sees that the project is written in Rust, they are automatically going to assume it is safe, incorrectly so. I do not blame them though.

replies(2): >>42480248 #>>42480314 #
3. keybored ◴[21 Dec 24 15:39 UTC] No.42480248[source]
You presumably extend this to every virtual machine or interpreter for every language which is implemented in an unsafe language. When that language claims to be safe (like all such languages claim to be).

That seems excessive and tedious.

replies(1): >>42480329 #
4. chillingeffect ◴[21 Dec 24 15:50 UTC] No.42480314[source]
Rust is to safe as Tesla is to autopilot.
replies(2): >>42480348 #>>42484824 #
5. medo-bear ◴[21 Dec 24 15:52 UTC] No.42480329{3}[source]
The point, I think, was that "safety" presumptions about Rust are often exaggerated or poorly misunderstood due to hype. That could certainly lead to problems
replies(2): >>42480572 #>>42481051 #
6. medo-bear ◴[21 Dec 24 15:54 UTC] No.42480348{3}[source]
As Tesla is to Tesla
7. woodruffw ◴[21 Dec 24 16:36 UTC] No.42480572{4}[source]
I don’t think Rust’s actual safety properties aren’t overhyped, although they may be subject to misunderstanding about their exact extent.

Concretely: spatial and temporal memory safety are good things, and Rust achieves both. It’s not unique in this regard, nor is it unique in not having a formal definition.

replies(1): >>42484831 #
8. keybored ◴[21 Dec 24 17:49 UTC] No.42481051{4}[source]
> The point, I think, was that "safety" presumptions about Rust are often exaggerated or poorly misunderstood due to hype. That could certainly lead to problems

Then the point is hypocritical.

Runtimes for safe programming languages have been implemented in unsafe languages since the dawn of safe programming languages, basically.

EDIT: I see now that you are the cigarette warning guy. In that case I don’t understand what this coy “I think” speculation is about when you made such a bizarre proclamation on this topic.

replies(1): >>42482241 #
9. medo-bear ◴[21 Dec 24 20:58 UTC] No.42482241{5}[source]
Your tendency to answer jokes so seriously is a symptom of the hype
replies(2): >>42482642 #>>42483003 #
10. keybored ◴[21 Dec 24 21:55 UTC] No.42482642{6}[source]
Me being humorless (read: not just rolling with your cop-out) is a symptom of the Rust hype.

Doesn’t even make sense.

replies(1): >>42483244 #
11. jeltz ◴[21 Dec 24 22:56 UTC] No.42483003{6}[source]
Your irrational hate for a programming language adds nothing to the discussion.
replies(1): >>42483255 #
12. medo-bear ◴[21 Dec 24 23:42 UTC] No.42483244{7}[source]
you feeling the need to defend it at every jibe. chill. rust is not a cult
replies(2): >>42484828 #>>42484832 #
13. medo-bear ◴[21 Dec 24 23:43 UTC] No.42483255{7}[source]
so many powerful words lol
14. mardifoufs ◴[22 Dec 24 07:01 UTC] No.42484824{3}[source]
Judging by the facts, are you saying that Tesla has a safe auto pilot? Rare to see on HN :^)
15. keybored ◴[22 Dec 24 07:02 UTC] No.42484828{8}[source]
A jibe is some sort of playful banter based on a literal or exaggerated truth. Since your comment does not lampoon any real deficiency except when being hypocritical, there is nothing to defend.

Maybe you should wear a sign on your torso: will make irrational points and then complain about persecution when that is pointed out. I don’t know. It’s just one more idea for when we decide to put all the anti-Rust people in camps.

16. keybored ◴[22 Dec 24 07:04 UTC] No.42484831{5}[source]
Double negation makes things ambigious.
17. mardifoufs ◴[22 Dec 24 07:04 UTC] No.42484832{8}[source]
It's weird to imagine for cniles but discussing a language doesn't inherently involve defending it, especially when it's just someone correcting someone else. I know, that's a very weird concept :^)