←back to thread

Zlib-rs is faster than C

(trifectatech.org)
341 points dochtman | 6 comments | 16 Mar 25 19:35 UTC | HN request time: 1.568s | source | bottom
Show context
IshKebab ◴[16 Mar 25 19:55 UTC] No.43381686[source]
It's barely faster. I would say it's more accurate to say it's as fast as C, which is still a great achievement.
replies(3): >>43381694 #>>43381776 #>>43381791 #
ajross ◴[16 Mar 25 20:05 UTC] No.43381791[source]
It's... basically written in C. I'm no expert on zlib/deflate or related algorithms, but digging around https://github.com/trifectatechfoundation/zlib-rs/ almost every block with meaningful logic is marked unsafe. There's raw allocation management, raw slicing of arrays, etc... This code looks and smells like C, and very much not like rust. I don't know that this is a direct transcription of the C code, but if you were to try something like that this is sort of what it would look like.

I think there's lots of value in wrapping a raw/unsafe implementation with a rust API, but that's not quite what most people think of when writing code "in rust".

replies(6): >>43381833 #>>43381841 #>>43381849 #>>43382402 #>>43383336 #>>43385335 #
hermanradtke ◴[16 Mar 25 20:09 UTC] No.43381833[source]
> basically written in C

Unsafe Rust still has to conform to many of Rust’s rules. It is meaningfully different than C.

replies(2): >>43381882 #>>43382119 #
ajross ◴[16 Mar 25 20:43 UTC] No.43382119[source]
Are there examples you're thinking about? The only good ones I can think of are bits about undefined behavior semantics, which frankly are very well covered in modern C code via tools like ubsan, etc...
replies(2): >>43382359 #>>43382384 #
steveklabnik ◴[16 Mar 25 21:15 UTC] No.43382384[source]
They're just fundamentally different languages. There's semantics that exist in all four of these quadrants:

* defined in C, undefined in Rust

* undefined in C, undefined in Rust

* defined in Rust, undefined in C

* defined in Rust, defined in C

replies(1): >>43383481 #
ajross ◴[16 Mar 25 23:11 UTC] No.43383481[source]
That doesn't seem responsive. The question wasn't whether Rust and C are literally the same language ("duh", as it were), it was effectively "are there meaningful safety features provided to the unsafe zlib-rs code in question in that aren't already available in C toolchains/ecosystems?"

And there really aren't. The abbreviated/limited safety environment being exploited by this non-idiomatic Rust code seems to me to be basically isomorphic to the way you'd solve the problem in C.

replies(1): >>43383677 #
steveklabnik ◴[16 Mar 25 23:38 UTC] No.43383677[source]
> it was effectively "are there meaningful safety features provided to the unsafe zlib-rs code in question in that aren't already available in C toolchains/ecosystems?"

Ah, so that was like, not in your comment, but in a parent.

> And there really aren't.

I mean, not all of the code is unsafe. From a cursory glance, there's surely way more here than I see in most Rust packages, but that doesn't mean that you get no advantages. I picked a random file, and chose some random code out of it, and see this:

    pub fn copy<'a>(
        dest: &mut MaybeUninit<DeflateStream<'a>>,
        source: &mut DeflateStream<'a>,
    ) -> ReturnCode {
        // SAFETY: source and dest are both mutable references, so guaranteed not to overlap.
        // dest being a reference to maybe uninitialized memory makes a copy of 1 DeflateStream valid.
        unsafe {
            core::ptr::copy_nonoverlapping(source, dest.as_mut_ptr(), 1);
        }
The semantics of safe code, `&mut T`, provide the justification for why the unsafe code is okay. Heck, this code wouldn't even be legal in C, thanks to strict aliasing. (Well, I guess you could argue that in C code they'd be of the same type, since you don't have "might be uninitialized" in C's typesystem, but again, this is an invariant encoded in the type system that C can't do, so it's not possible to express in C for that reason either.)
replies(1): >>43383764 #
1. ajross ◴[16 Mar 25 23:53 UTC] No.43383764[source]
Isn't that exactly my point though? This is just a memcpy(). In C, you do some analysis to prove to yourself that the pointers are valid[1]. In this unsafe Rust code, the author did some analysis to prove the same thing. I mean, sure, the specific analyses use words and jargon that are different. I don't think that's particularly notable. This is C code, written in Rust.

[1] FWIW, memcpy() arguments are declared restrict post-C99, the strict aliasing thing doesn't apply, for exactly the reason you're imagining.

replies(1): >>43383856 #
2. steveklabnik ◴[17 Mar 25 00:07 UTC] No.43383856[source]
> In C, you do some analysis to prove to yourself that the pointers are valid[1]

Right, and in Rust, you don't have to do it yourself: the language does it for you. If the signature were in C, you'd have to analyze the callers to make sure that this property is upheld when invoked. In Rust, the compiler does that for you.

> the strict aliasing thing doesn't apply

Yes, this is the case in this specific instance due to it being literally memcpy, but if it were any other function with the same signature, the problem would exist. Again, I picked some code at random, I'm not saying this one specific instance is even the best one. The broader point of "Rust has a type system that lets you encode more invariants than C's" is still broadly true.

replies(1): >>43384409 #
3. ajross ◴[17 Mar 25 01:45 UTC] No.43384409[source]
> In Rust, the compiler does that for you.

No it doesn't? That comment is expressing a human analysis. The compiler would allow you to stuff any pointer in that you want, even ones that overlap. You're right that some side effects of the runtime can be exploited to do that analysis. But that's true of C too! (Like, "these are two separate heap blocks", or "these are owned by two separate objects", etc...). Still human analysis.

Frankly you're overselling hard here. A human author can absolutely mess that analysis up, which is the whole reason Rust calls it "unsafe" to begin with.

replies(1): >>43384514 #
4. steveklabnik ◴[17 Mar 25 02:04 UTC] No.43384514{3}[source]
I think you're misunderstanding of what I'm claiming is being checked. I don't mean the unsafe block directly. I mean that &mut Ts do not alias. That is checked by the compiler.

I'm saying that even in a codebase with a lot of unsafe, the checks that are still performed have value.

replies(1): >>43388428 #
5. ajross ◴[17 Mar 25 13:32 UTC] No.43388428{4}[source]
Sure, but C++ objects returned from operator new are likewise guaranteed not to alias. There's "value" there, but not a lot of value. And I repeat, you're overselling hard here. People who write rust like this are going to produce roughly the same amount of memory safety bugs, and pretending otherwise is frankly dangerous, IMHO.
replies(1): >>43390634 #
6. sophacles ◴[17 Mar 25 17:14 UTC] No.43390634{5}[source]
The difference is:

In c++ i could do something like:

x_ptr = new object y_ptr = x_ptr

copy(x_ptr, y_ptr)

In safe rust there is no way to call the function in question if that sort of aliasing has happened. This means that if you get a bug from your copy, its in the copy method - the possibility it's been used inappropriately has been eliminated.

It reduces the search space for problems from: everywhere that created a pointer that is ultimately used in the copy, to: the copy function itself.

It reduces the number of programmers who have to keep the memory semantics of that copy in their head from "potentially everyone" to just "those who directly implement and check copy".

Pretending that has no value is absurd.