
Pitfalls of Safe Rust

(corrode.dev)
168 points pjmlp | 2 comments
nerdile No.43603402
Title is slightly misleading but the content is good. It's the "Safe Rust" in the title that's weird to me. These apply to Rust altogether, you don't avoid them by writing unsafe Rust code. They also aren't unique to Rust.

A less baity title might be "Rust pitfalls: Runtime correctness beyond memory safety."

replies(1): >>43603739 #
burakemir No.43603739
It is consistent with the way the Rust community uses "safe": as "passes static checks and thus protects from many runtime errors."

This regularly drives C++ programmers mad: the statement "C++ is all unsafe" is taken as some kind of hyperbole, attack or dogma, while the intent may well be to factually point out the lack of statically checked guarantees.

It is subtle but not inconsistent that strong static checks ("safe Rust") may still leave the possibility of runtime errors. So there is a legitimate, useful broader notion of "safety" where Rust's static checking is not enough. That's a bit hard to express in a title - "correctness" is not bad, but maybe a bit too strong.

replies(5): >>43603865 #>>43603876 #>>43603929 #>>43604918 #>>43605986 #
whytevuhuni No.43603865
No, the Rust community almost universally understands "safe" as referring to memory safety, as per Rust's documentation, and especially the unsafe book, aka Rustonomicon [1]. In that regard, Safe Rust is safe, Unsafe Rust is unsafe, and C++ is also unsafe. I don't think anyone is saying "C++ is all unsafe."

You might be talking about "correct", and that's true, Rust generally favors correctness more than most other languages (e.g. Rust being obstinate about turning a byte array into a file path, because not all file paths are made of byte arrays, or e.g. the myriad string types to denote their semantics).

[1] https://doc.rust-lang.org/nomicon/meet-safe-and-unsafe.html

replies(3): >>43604067 #>>43604190 #>>43604779 #
ampere22 No.43604779
If a C++ developer decides to use purely containers and smart pointers when starting a new project, how are they going to develop unsafe code?

Containers like std::vector and smart pointers like std::unique_ptr seem to offer all of the same statically checked guarantees that Rust does.

I just do not see how Rust is a superior language compared to modern C++

replies(5): >>43604855 #>>43604887 #>>43604895 #>>43607240 #>>43612736 #
criddell No.43604855
C++ devs need to understand the difference between:

   Vec1[0];
   Vec1.at(0);
Even the at method isn’t statically checked. If you want static checking, you probably need to use std::array.
replies(1): >>43608672 #
pjmlp No.43608672
Many also need to learn that there are configuration settings on their compilers that make those two cases the same, enabling bounds checking on operator[]().
replies(1): >>43610249 #
criddell No.43610249
Sure, but at() is guaranteed to throw an exception and operator[] can throw an exception when you go out of bounds. C++26 is tweaking this, but it's still going to differ implementation to implementation.

At least that's my understanding of the situation. Happy to be corrected though.
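The distinction criddell draws between Vec1[0] and Vec1.at(0), and the compiler-side hardening pjmlp mentions, as an added C++ example. This is my own illustration, not code from the thread or from the corrode.dev article; the hardening macro names in the comments are the libstdc++ and libc++ switches as I know them, and what each one checks is left to that implementation.

```cpp
#include <array>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <vector>

// vector::at() is required by the standard to throw std::out_of_range on a
// bad index, on every implementation and in every build configuration.
int checked_at(const std::vector<int>& v, std::size_t idx, int sentinel) {
    try {
        return v.at(idx);
    } catch (const std::out_of_range&) {
        return sentinel;   // reached only when idx >= v.size()
    }
}

// vector::operator[] with idx >= size() is undefined behaviour in a default
// build. Hardened library modes turn it into a check that aborts the process
// (an assertion, not an exception), e.g. -D_GLIBCXX_ASSERTIONS for libstdc++
// or -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE for libc++.
// Because that depends on build flags, a portable guard is written by hand:
int guarded_index(const std::vector<int>& v, std::size_t idx, int sentinel) {
    if (idx >= v.size()) return sentinel;
    return v[idx];
}

// With std::array the index can be a template parameter, so std::get<I>
// rejects an out-of-range index at compile time: static_get<3>(a) is a
// compile error, not a runtime check. This is the statically checked case.
template <std::size_t I>
int static_get(const std::array<int, 3>& a) {
    static_assert(I < 3, "index out of bounds for array<int, 3>");
    return std::get<I>(a);
}

int main() {
    const std::vector<int> v{10, 20, 30};      // constructed sample data
    const std::array<int, 3> a{7, 8, 9};
    std::cout << checked_at(v, 1, -1) << '\n';     // 20
    std::cout << checked_at(v, 5, -1) << '\n';     // -1: at() threw
    std::cout << guarded_index(v, 3, -1) << '\n';  // -1: manual check fired
    std::cout << static_get<2>(a) << '\n';         // 9
    // static_get<3>(a);  // rejected by the compiler
    return 0;
}
```

The three functions map onto the three tiers in the thread: at() is checked at runtime on every platform, operator[] is only checked when the library is built in a hardened mode (and then by aborting rather than throwing), and only the template index on std::array is checked before the program ever runs.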