
Tree Borrows

(plf.inf.ethz.ch)
565 points zdw

jcalvinowens No.44513250
> On the one hand, compilers would like to exploit the strong guarantees of the type system—particularly those pertaining to aliasing of pointers—in order to unlock powerful intraprocedural optimizations.

How true is this really?

Torvalds has argued for a long time that strict aliasing rules in C are more trouble than they're worth, and I find his arguments compelling. Here's one of many examples: https://lore.kernel.org/all/CAHk-=wgq1DvgNVoodk7JKc6BuU1m9Un... (the entire thread is worth reading if you find this sort of thing interesting)

Is Rust somehow fundamentally different? Based on limited experience, it seems not (at least, when unsafe is involved...).

replies(11): >>44513333 #>>44513357 #>>44513452 #>>44513468 #>>44513936 #>>44514234 #>>44514867 #>>44514904 #>>44516742 #>>44516860 #>>44517860 #
Asooka No.44513357
While I can't name the product I work on, we also use -fno-strict-aliasing. The problem with these optimisations is that they can only be done safely if you can prove aliasing never happens, which is equivalent to solving the halting problem in C++. In Rust I suspect the stronger type system can actually prove that aliasing doesn't happen in select cases. In any case, I can always manually do the optimisations enabled by strict aliasing in hot code, but I can never undo a customer losing data due to miscompilation.
replies(2): >>44513415 #>>44515614 #
pornel No.44513415
> actually prove that aliasing doesn't happen in select cases

In the safe subset of Rust it's guaranteed in all cases. Even across libraries. Even in multi-threaded code.

replies(2): >>44514341 #>>44517425 #
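An added example (not code from the thread) showing the kind of optimisation Asooka describes, why it is only valid when aliasing is provably absent, and how safe Rust's `&mut`/`&` rules give the compiler that proof. Function names and values are constructed for illustration.

```rust
// Added illustration, not from the thread: the same body with references versus raw
// pointers. References carry Rust's aliasing guarantee; raw pointers do not.

/// `a: &mut i32` and `b: &i32` cannot overlap, so the compiler may read `*b` once and
/// fold the body into `*a += 2 * *b` without changing any observable result.
pub fn add_twice(a: &mut i32, b: &i32) -> i32 {
    *a += *b;
    *a += *b;
    *a
}

/// Same body over raw pointers. Raw pointers make no aliasing promise, so the compiler
/// must re-read `*b` after each store: if `a` and `b` point at one cell, the second
/// read observes the first write and the folded form would be a miscompilation.
///
/// # Safety
/// `a` and `b` must be valid, aligned pointers to initialised `i32`s.
pub unsafe fn add_twice_raw(a: *mut i32, b: *const i32) -> i32 {
    unsafe {
        *a += *b;
        *a += *b;
        *a
    }
}

/// Safe Rust: the borrow checker rejects `add_twice(&mut x, &x)`, so every caller
/// supplies disjoint memory and the folded form is indistinguishable from the original.
pub fn disjoint() -> i32 {
    let mut x = 1;
    let y = 1;
    add_twice(&mut x, &y) // 1 + 1 + 1 = 3
}

/// Raw pointers: aliasing is allowed, and the result differs from the folded form
/// (1 -> 2 -> 4, not 3). Both pointers derive from one raw pointer and no reference to
/// `x` is live during the call, so this is well-defined and Miri accepts it.
pub fn aliased() -> i32 {
    let mut x = 1;
    let p: *mut i32 = &mut x;
    // SAFETY: `p` is valid and aligned for the whole call; no other access to `x` occurs.
    unsafe { add_twice_raw(p, p as *const i32) }
}
```

Running `cargo miri test` over this file exercises exactly the borrow model (Stacked Borrows or Tree Borrows) that decides whether the raw-pointer path stays within the rules.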
gronpi No.44517425
It requires that the libraries you use do not have UB. If you have no unsafe, but your library does, you can get UB.

https://github.com/rust-lang/rust/pull/139553

This is why it may be a good idea to run MIRI on your Rust code, even when it has no unsafe, since a library like Rust stdlib might have UB.

replies(1): >>44518454 #
simonask No.44518454
Isn't this a pretty trivial observation, though? All code everywhere relies on the absence of UB. The strength of Rust comes from the astronomically better tools to avoid UB, including Miri.
replies(1): >>44518645 #
gryhili No.44518645
Miri is good, but it still has very significant large limitations. And the recommendation of using Miri is unlikely to apply to using similar tools for many other programming languages, given the state of UB in the Rust ecosystem, as recommended by

https://materialize.com/blog/rust-concurrency-bug-unbounded-...

https://zackoverflow.dev/writing/unsafe-rust-vs-zig

>If you use a crate in your Rust program, Miri will also panic if that crate has some UB. This sucks because there’s no way to configure it to skip over the crate, so you either have to fork and patch the UB yourself, or raise an issue with the authors of the crates and hopefully they fix it.

>This happened to me once on another project and I waited a day for it to get fixed, then when it was finally fixed I immediately ran into another source of UB from another crate and gave up.

Further, Miri is slow to run, discouraging people from using it even for the subset of cases in which it can catch UB.

>The interpreter isn’t exactly fast, from what I’ve observed it’s more than 400x slower. Regular Rust can run the tests I wrote in less than a second, but Miri takes several minutes.

If Miri runs 50x slower than normal code, it can limit what code paths people will run it with.

So, while I can imagine that Miri could be best in class, that class itself has significant limitations.

replies(1): >>44519131 #
ralfj No.44519131
> So, while I can imagine that Miri could be best in class, that class itself has significant limitations.

Sure -- but it's still better than writing similar code in C/C++/Zig where no comparable tool exists. (Well, for C there are some commercial tools that claim similar capabilities. I have not been able to evaluate them.)