Most active commenters
  • pjmlp(5)
  • pron(5)
  • dns_snek(4)
  • Ygg2(4)
  • ViewTrick1002(4)
  • sgt(3)
  • JuniperMesos(3)
  • bayindirh(3)
  • keybored(3)

←back to thread

Open-source Zig book

(www.zigbook.net)
692 points rudedogg | 63 comments | 16 Nov 25 19:44 UTC | HN request time: 0.022s | source | bottom
Show context
poly2it ◴[17 Nov 25 06:14 UTC] No.45951222[source]
> Learning Zig is not just about adding a language to your resume. It is about fundamentally changing how you think about software.

I'm not sure what they expect, but to me Zig looks very much like C with a modern standard lib and slightly different syntax. This isn't groundbreaking, not a thought paradigm which should be that novel to most system engineers like for example OCaml could be. Stuff like this alienates people who want a technical justification for the use of a language.

replies(10): >>45951231 #>>45951258 #>>45951302 #>>45951388 #>>45951755 #>>45951799 #>>45951814 #>>45951964 #>>45952563 #>>45952740 #
1. obviouslynotme ◴[17 Nov 25 06:57 UTC] No.45951388[source]
There is nothing new under the Sun. However, some languages manifest as good rewrites of older languages. Rust is that for C++. Zig is that for C.

Rust is the small, beautiful language hiding inside of Modern C++. Ownership isn't new. It's the core tenet of RAII. Rust just pulls it out of the backwards-compatible kitchen sink and builds it into the type system. Rust is worth learning just so that you can fully experience that lens of software development.

Zig is Modern C development encapsulated in a new language. Most importantly, it dodges Rust and C++'s biggest mistake, not passing allocators into containers and functions. All realtime development has to rewrite their entire standard libraries, like with the EASTL.

On top of the great standard library design, you get comptime, native build scripts, (err)defer, error sets, builtin simd, and tons of other small but important ideas. It's just a really good language that knows exactly what it is and who its audience is.

replies(5): >>45951424 #>>45951440 #>>45951718 #>>45952038 #>>45952891 #
2. ninetyninenine ◴[17 Nov 25 07:06 UTC] No.45951424[source]
>Rust is that for C++

No it's not. Rust has roots in functional languages. It is completely orthoganol to C++.

replies(1): >>45951896 #
3. renewiltord ◴[17 Nov 25 07:09 UTC] No.45951440[source]
> Most importantly, it dodges Rust and C++'s biggest mistake, not passing allocators into containers and functions

Funny. This was a great sell to me. I wonder why it isn’t the blurb. Maybe it isn’t a great sell to others.

The problem for me with so many of these languages is that they’re always eager to teach you how to write a loop when I couldn’t care less and would rather see the juice.

However, nowadays with comprehensive books like this, LLM tools can better produce good results for me as I try it out.

Thank you.

replies(1): >>45951485 #
4. obviouslynotme ◴[17 Nov 25 07:17 UTC] No.45951485[source]
Very, very few people outside of foundational system software, HFT shops, and game studios understand why it's a great selling point. Everyone else likes the other points and don't realize the actual selling point of the language.
5. simonask ◴[17 Nov 25 08:09 UTC] No.45951718[source]
I don't know man, Rust's borrowing semantics are pretty new under the sun, and actually do change the way you think about software. It's a pretty momentous paradigm shift.

Zig is nice too, but it's not that.

replies(4): >>45951766 #>>45952000 #>>45952259 #>>45952444 #
6. rjzzleep ◴[17 Nov 25 08:21 UTC] No.45951766[source]
To call Rust syntax beautiful is a stretch. It seems that way in the beginning but then quickly devolves into a monstrosity when you start doing more complex things.

Zig on the other specifically addresses syntax shortcomings in part of C. And it does it well. That claim of rust making C more safe because it’s more readable applies to Zig more than it does to Rust.

I feel like the reason the rust zealots lobby like crazy to embed rust everywhere is twofold. One is that they genuinely believe in it and the other is that they know that if other languages that address one of the main rust claims without all the cruft gains popularity they lose the chance of being permanently embdedded in places like the kernel. Because once they’re in it’s a decade long job market

replies(6): >>45951822 #>>45952027 #>>45952267 #>>45952271 #>>45952301 #>>45959444 #
7. hnarn ◴[17 Nov 25 08:34 UTC] No.45951822{3}[source]
> they know that if other languages that address one of the main rust claims without all the cruft gains popularity they lose the chance of being permanently embdedded in places like the kernel

First of all, I'm really opposed to saying "the kernel". I am sure you're talking about the Linux kernel, but there are other kernels (BSD, Windows etc.) that are certainly big enough to not call it "the" kernel, and that may also have their own completely separate "rust-stories".

Secondly, I think the logic behind this makes no sense, primarily because Rust at this point is 10 years old from stable and almost 20 years old from initial release; the adoption into the Linux kernel wasn't exactly rushed. Even if it was, why would Rust adoption in the Linux kernel exclude adoption of another language as well, or a switch to another, if it's better? The fact that Rust was accepted at all to begin with aside from C disproves the assumption, because clearly that kernel is open for "better" languages.

The _simplest_ explanation to why Rust has succeeded is that it's solves actual problems, not that "zealots" are lobbying for it to ensure they "have a job".

replies(1): >>45952387 #
8. jasode ◴[17 Nov 25 08:46 UTC] No.45951896[source]
Graydon Hoare, a former C++ programmer on Mozilla Firefox and the original creator of Rust, acknowledges that for many people, Rust has become a viable alternative to C++ :

https://graydon2.dreamwidth.org/307291.html

And on slide #4, he mentions that "C++ is well past expiration date" :

https://venge.net/graydon/talks/intro-talk-2.pdf

It's possible that Graydon's earliest private versions of Rust the 4 years prior to that pdf were an OCaml-inspired language but it's clear that once the team of C++ programmers at Mozilla started adding their influences, they wanted it to be a cleaner version of C++. That's also how the rest of the industry views it.

replies(2): >>45952539 #>>45953793 #
9. hu3 ◴[17 Nov 25 09:06 UTC] No.45952000[source]
There were languages with lifetimes and borrowing mechanics before Rust. Rust packages these mechanics in a nice way. Just like Zig encodes many niceties in a useful C language (comptime, simple cross-compilation, stdlib).
replies(1): >>45952171 #
10. kibwen ◴[17 Nov 25 09:12 UTC] No.45952027{3}[source]
> if other languages that address one of the main rust claims without all the cruft

But regardless of how much one likes Zig, it addresses none of the problems that Rust seeks to solve. It's not a replacement for Rust at all, and isn't suitable for any of the domains where Rust excels.

replies(1): >>45952063 #
11. kibwen ◴[17 Nov 25 09:14 UTC] No.45952038[source]
> Rust and C++'s biggest mistake, not passing allocators into containers and functions

Rather, basing its entire personality around this philosophy is Zig's biggest mistake. If you want to pass around allocators in C++ or Rust, you can just go ahead and do that. But the reason people don't isn't because it's impossible in those languages, it's because the overwhelming majority of the time it's a lot of ceremony for no benefit.

Like, surely people see that in C itself there's nothing stopping anyone from passing around allocators, and yet almost nobody ever does. Ever wonder why that is?

12. sgt ◴[17 Nov 25 09:20 UTC] No.45952063{4}[source]
> and isn't suitable for any of the domains where Rust excels.

That's a pretty bold claim since Zig is specifically designed for systems programming, low level stuff, network services, databases (think Tigerbeetle). It's not memory safe like Rust is, but it comes with constructs that make it simple to build largely memory safe programs.

replies(3): >>45952227 #>>45952544 #>>45953044 #
13. brabel ◴[17 Nov 25 09:43 UTC] No.45952171{3}[source]
Which ones?? Before Rust, to my knowledge, no language had an actually practical way to use lifetimes and borrow-checking so that both memory safety and concurrency safety (data races, which is huge) were solved, even though the concepts were known in research. Doing the actual work to make it practical is what makes the difference between some obscure research topic and a widely used language that actually solves serious problems in the real world.
replies(1): >>45952488 #
14. JuniperMesos ◴[17 Nov 25 09:53 UTC] No.45952227{5}[source]
> It's not memory safe like Rust is, but it comes with constructs that make it simple to build largely memory safe programs.

Right, this is the specific important thing that Rust does that Zig doesn't (with the caveat that Rust includes the `unsafe` mechanism - as a marked, non-default option - specifically to allow for necessary low-level memory manipulation that can't be checked for correctness by the compiler). Being able to guarantee that something can't happen is more valuable than making it simple to do something correctly most of the time.

replies(2): >>45952249 #>>45952438 #
15. sgt ◴[17 Nov 25 09:58 UTC] No.45952249{6}[source]
Sure but there's this belief in the Rust community that it's not responsible anymore to write software that isn't memory safe on the same level as Rust.

So Zig would fail that, but then you could also consider C++ unsuitable for production software - and we know it clearly is still suitable.

I predict Zig will just become more and more popular (and with better, although not as complete- memory safety), and be applied to mission critical infra.

replies(2): >>45952483 #>>45959029 #
16. bayindirh ◴[17 Nov 25 10:00 UTC] No.45952259[source]
> actually do change the way you think about software. It's a pretty momentous paradigm shift.

That's true for people who doesn't read and think about the code they write. For people who think from the perspective of a computer, Rust is "same checks, but forced by the compiler".

Make no mistake, to err is human, but Rust doesn't excite me that much.

17. andy12_ ◴[17 Nov 25 10:02 UTC] No.45952267{3}[source]
For my part, I don't know why, but Zig's syntax feels wrong to me. I don't even know why. I really want to like its syntax, as Zig seems really promising to me, but I just don't, which makes it not very enjoyable for me to write.

I don't know if it's my lack of practice, but I never felt the same about, say, Rust's syntax, or the syntax of any other language for that matter.

18. bayindirh ◴[17 Nov 25 10:04 UTC] No.45952271{3}[source]
> To call Rust syntax beautiful is a stretch.

I'm no Rust fan, but beauty of a syntax is always in the eye of the beholder.

I personally find Go, C++ and Python's syntax beautiful. All can be written in very explicit or expressive forms. On the other hand, you can hide complexity to a point.

If you are going to do complex things in a compact space, you'll asymptotically approach Perl or PCRE. It's maths.

All code is maths, BTW.

19. latexr ◴[17 Nov 25 10:12 UTC] No.45952301{3}[source]
> To call Rust syntax beautiful is a stretch.

I don’t see where the comment you’re replying to does that (was it edited?). Their comment says nothing about aesthetics.

replies(1): >>45952570 #
20. throw9404049 ◴[17 Nov 25 10:32 UTC] No.45952387{4}[source]
> Rust at this point is 10 years old from stable

Rust is not stable even today! There is no spec, no alternative implementations, no test suite... "Stable" is what "current compiler compiles"! Existing code may stop compiling any day....

Maybe in 10 years it may become stable, like other "booring" languages (Golang and Java).

Rust stability is why Linus opposes its integration into kernel.

replies(1): >>45952471 #
21. dns_snek ◴[17 Nov 25 10:43 UTC] No.45952438{6}[source]
It's not that simple though, Zig has equivalent spatial memory safety which prevents issues that are pretty consistently among (or at) the top of the list for most dangerous vulnerability classes.

And while I don't have enough experience with Rust to claim this first hand, my understanding is that writing correct unsafe Rust code is at least an order of magnitude harder than writing correct Zig code due to all of the properties/invariants that you have to preserve. So it comes with serious drawbacks, it's not just a quick "opt out of the safety for a bit" switch.

> Being able to guarantee that something can't happen is more valuable than making it simple to do something correctly most of the time.

Of course, all other things being equal, but they're not.

replies(3): >>45953144 #>>45953169 #>>45958843 #
22. pjmlp ◴[17 Nov 25 10:44 UTC] No.45952444[source]
Kind of, https://en.wikipedia.org/wiki/Cyclone_(programming_language)

What it has achieved is making affine types something mainstream developers would care about.

replies(1): >>45952730 #
23. bayindirh ◴[17 Nov 25 10:49 UTC] No.45952471{5}[source]
In the "other good news department", GCC is adding a Rust frontend to provide the alternative implementation, and I believe Rust guys accepted to write a specification for the language.

I'm waiting for gccrs to start using the language, actually.

24. pjmlp ◴[17 Nov 25 10:53 UTC] No.45952483{7}[source]
If we ignore recent movents in govermental cybersecurity agencies, and big tech to move away from unsafe programming languages, as much as technically possible.

Introducing a language with the same safety as Modula-2 or Object Pascal, would make sense in the 1990's, nowadays with improved type systems making the transition from academia into mainstream, we (the industry) know better.

It is not only Rust, it is Linear Haskell, OCaml effects, Swift 6 ownership model, Ada/SPARK, Chapel,....

replies(1): >>45952659 #
25. pjmlp ◴[17 Nov 25 10:54 UTC] No.45952488{4}[source]
Cyclone for one, which AT&T created exactly to replace C.
replies(1): >>45952766 #
26. krona ◴[17 Nov 25 11:03 UTC] No.45952539{3}[source]
> Rust has become a viable alternative to C++

Alternative yes, derivative no. Rust doesn't approach C++'s metaprogramming features, and it probably shouldn't given how it seems to be used. It's slightly self-serving for browser devs to claim Rust solves all relevant problems in their domain and therefore eclipses C++, but to me in the scientific and financial space it's a better C, making tradeoffs I don't see as particularly relevant.

I say this as a past contributor to the Rust std lib.

27. GuB-42 ◴[17 Nov 25 11:04 UTC] No.45952544{5}[source]
Rust is not designed for low level system programming / embedded systems like Zig is. It is designed to make a browser and software that share requirements with making a browser.

There is some overlap but that's still different. The Zig approach to memory safety is to make everything explicit, it is good in a constrained environment typical of embedded programming. The Rust approach is the opposite, you don't really see what is happening, but there are mechanisms to keep your safe. It is good for complex software with lots of moving parts in an unconstrained environment, like a browser.

For a footgun analogy, one will hand you a gun that will never go off unless you aim and pull the trigger, so you can shoot your foot, but no sane person will. It is a good sniper rifle. The Rust gun can go off at any time, even when you don't expect it, but it is designed in such a way that it will never happen when it is pointed at your foot, even if you aim it there. It is a good machine gun.

replies(1): >>45952707 #
28. fransje26 ◴[17 Nov 25 11:08 UTC] No.45952570{4}[source]
Higher up

> Rust is the small, beautiful language hiding inside of Modern C++

replies(1): >>45953508 #
29. sgt ◴[17 Nov 25 11:23 UTC] No.45952659{8}[source]
Of those listed, I'd bet Swift (having had experience with it) is the most pleasant to work with. I just hope it takes off on the systems and backend side at some point.
replies(1): >>45953524 #
30. Ygg2 ◴[17 Nov 25 11:31 UTC] No.45952707{6}[source]
> Rust is not designed for low level system programming / embedded systems like Zig is.

Pray tell, with Rust already being used in kernels, drivers, and embedded what makes Zig better suited for low-level systems?

More chance to explode a UB in your hand? For that, there is C.

replies(1): >>45953112 #
31. Ygg2 ◴[17 Nov 25 11:35 UTC] No.45952730{3}[source]
That kind of is a bit load bearing. The differences are pretty huge. Plus, borrow checker is nowhere to be found. Cyclone is more C with a few tweaks (tagged unions, generics, regions, etc.).
replies(1): >>45952787 #
32. brabel ◴[17 Nov 25 11:42 UTC] No.45952766{5}[source]
Yeah but is that a practical language people can use instead of C and Rust? I’ve always heard of it only as a research language that inspired rust but nothing else.
replies(1): >>45952977 #
33. pjmlp ◴[17 Nov 25 11:45 UTC] No.45952787{4}[source]
Borrow checking is basically a synonym for affine type system.

The same outcome can be achieved via affine types, linear types, effects, dependent types, regions, proofs, among many other CS research in type systems.

Which is why following Rust's success, plenty of managed languages are now going through the evolution step to combine automatic resource management with improved type systems.

Taking the one that best approaches their current design.

replies(1): >>45955097 #
34. pron ◴[17 Nov 25 12:06 UTC] No.45952891[source]
I think that describing Zig as a "rewrite of C" (good or otherwise) is as helpful as describing Python as a rewrite of Fortran. Zig does share some things with C - the language is simple and values explicitness - but at its core is one of the most sophisticated (and novel) programming primitives we've ever seen: A general and flexible partial evaluation engine with access to reflection. That makes the similarities to C rather superficial. After all, Zig is as expressive as C++.

> Most importantly, it dodges Rust and C++'s biggest mistake, not passing allocators into containers and functions

I think that is just a symptom of a broader mistake made by C++ and shared by Rust, which is a belief (that was, perhaps, reasonable in the eighties) that we could and should have a language that's good for both low-level and high-level programming, and that resulted in compromises that disappoint both goals.

replies(2): >>45957522 #>>45959433 #
35. pjmlp ◴[17 Nov 25 12:22 UTC] No.45952977{6}[source]
Outside AT&T until they ramped down the project, I guess not, Rust also took its time to actually take off beyond Mozilla, and is around because it was rescued by big tech (Amazon, Google, Microsoft,...) hiring most of the core team after Mozilla's layoffs.
36. ViewTrick1002 ◴[17 Nov 25 12:36 UTC] No.45953044{5}[source]
Given the density of memory issues in the Bun issue tracker I have a hard time squaring the statement that Zig makes it "easy" to build memory safe programs.

https://github.com/oven-sh/bun/issues?q=segfault%20OR%20segm...

replies(1): >>45953905 #
37. GuB-42 ◴[17 Nov 25 12:48 UTC] No.45953112{7}[source]
Great C interop, first class support for cross-compilation, well suited for arena allocators.

You can use Rust in kernel/embedded code, you can also use C++ (I did) and even Java! but most prefer to use C, and I think that Zig is a better alternative to C for those in the field.

There is still one huge drawback with Zig and that's maturity. Zig is still in beta, and the closest you get to the metal, the more it tends to matter. Hardware projects typically have way longer life cycles and the general philosophy is "if it ain't broke, don't fix it". Rust is not as mature as C by far, there is a reason C is still king, but at least, it is out of beta and is seeing significant production use.

I remember when I talk about Zig to the CTO of the embedded branch of my company. His reaction was telling. "I am happy to hear someone mention Zig, it is a very interesting language and it is definitely on my watch list, but not mature enough to invest in it". He was happy that I mentioned Zig because in the company, the higher ups are all about Rust because of the hype, even though we do very little of if BTW, it is still mostly C and C++. And yeah, hype is important, customers heard about Rust as some magical tech that will make the code bug-free, they didn't hear about Zig, so Rust sells better. In the end, they go for C anyways.

replies(1): >>45955023 #
38. goku12 ◴[17 Nov 25 12:53 UTC] No.45953144{7}[source]
> And while I don't have enough experience with Rust to claim this first hand, my understanding is that writing correct unsafe Rust code is at least an order of magnitude harder than writing correct Zig code due to all of the properties/invariants that you have to preserve.

How do you make such boldly dismissive assertions if you don't have enough experience with Rust? You are talking as if these invariants are some sort of requirements/constraints that the language imposes on the programmer. They're not. It's a well-known guideline/paradigm meant to contain any memory safety bugs within the unsafe blocks. Most of the invariants are specific to the problem at hand, and not to the programming language. They are conditions that must be met in any language - C and Zig are no exceptions. Failure to adhere to them will land you in trouble, no matter what sort of safety your language guarantees. They are often talked about in the context of Rust because the ones related to memory-unsafe operations can be tackled and managed within the small unsafe blocks, instead of being sprawling it throughout the code base.

> So it comes with serious drawbacks, it's not just a quick "opt out of the safety for a bit" switch.

Rust is not the ultimate solution to every problem in the world. But this sort of exaggeration and hyperbole is misleading and doesn't help anyone choose any better.

replies(1): >>45953445 #
39. ViewTrick1002 ◴[17 Nov 25 12:57 UTC] No.45953169{7}[source]
I would compare the recent Rust Android post [1], where they have a 5000x lower memory vulnerability rate compared to traditional C/C++ with the number of segfaults found in Bun. [2]

In my opinion Zig does not move the needle on real safety when the codebase becomes sufficiently complex.

[1]: https://security.googleblog.com/2025/11/rust-in-android-move...

[2]: https://github.com/oven-sh/bun/issues?q=segfault%20OR%20segm...

replies(1): >>45953488 #
40. dns_snek ◴[17 Nov 25 13:39 UTC] No.45953445{8}[source]
> How do you make such boldly dismissive assertions

As I said that's my understanding from talking and listening to people who have a lot of experience with Rust, Zig, and C.

So generally speaking, are you saying that writing correct unsafe Rust is only as difficult as writing correct Zig code and not, as I understand it to be, significantly more difficult?

replies(2): >>45954737 #>>45954924 #
41. dns_snek ◴[17 Nov 25 13:45 UTC] No.45953488{8}[source]
Why are we comparing a number of exploitable vulnerabilities to the number of segfault reports? Where does the "5000x" figure come from?
replies(1): >>45953935 #
42. ModernMech ◴[17 Nov 25 13:47 UTC] No.45953508{5}[source]
That says Rust is beautiful, not its syntax.
43. ModernMech ◴[17 Nov 25 13:50 UTC] No.45953524{9}[source]
Swift's main problem is that Apple is holding it back but also it'd be nothing without Apple's involvement.
44. ninetyninenine ◴[17 Nov 25 14:23 UTC] No.45953793{3}[source]
So?

Zig, D, and C are also alternatives to C++. It’s a class of languages that have zero cost abstractions.

Rust is NOT a beautiful language hiding inside of C++. It is not an evolution of C++. I’m pointing out that what you said is objectively wrong.

Can rust replace C++ as a programming language that has a fast performance profile due to zero cost abstractions? Yes. In the same way that Haskell can replace Python, yes it can.

45. nvlled ◴[17 Nov 25 14:33 UTC] No.45953905{6}[source]
> https://github.com/oven-sh/bun/issues?q=segfault%20OR%20segm...

It should be noted that most of those issues are created by opening a link that bun creates when it crashes, they are not yet reviewed/confirmed and most likely a lot of them are dulplicates of the same issue.

replies(1): >>45953956 #
46. ViewTrick1002 ◴[17 Nov 25 14:36 UTC] No.45953935{9}[source]
The number is memory vulnerabilities. Not if they are exploitable. The numbers comes from this part of the article:

    This near-miss inevitably raises the question: "If Rust can have memory safety vulnerabilities, then what’s the point?"

    The point is that the density is drastically lower. So much lower that it represents a major shift in security posture. Based on our near-miss, we can make a conservative estimate. With roughly 5 million lines of Rust in the Android platform and one potential memory safety vulnerability found (and fixed pre-release), our estimated vulnerability density for Rust is 0.2 vuln per 1 million lines (MLOC).

    Our historical data for C and C++ shows a density of closer to 1,000 memory safety vulnerabilities per MLOC. Our Rust code is currently tracking at a density orders of magnitude lower: a more than 1000x reduction.
https://security.googleblog.com/2025/11/rust-in-android-move...
replies(1): >>45954768 #
47. ViewTrick1002 ◴[17 Nov 25 14:38 UTC] No.45953956{7}[source]
Comparing Deno most of their segfaults come from having to integrate with V8, and their density is a fraction compared to Bun.
48. goku12 ◴[17 Nov 25 15:57 UTC] No.45954737{9}[source]
> So generally speaking, are you saying that writing correct unsafe Rust is only as difficult as writing correct Zig code and not, as I understand it to be, significantly more difficult?

Yes. That's correct. The point is, unsafe Rust is pretty unremarkable. Safe Rust doesn't just do borrow checking of references. It also forbids certain risky actions like raw pointer indirection or calling unsafe functions (across FFI, for example) [1]. Unsafe Rust just enables those features. That's it! Unsafe Rust doesn't disable anything or impose any additional restrictions. Contrary to a popular misconception, it doesn't even disable the borrow checker. Unsafe Rust actually gives you extra freedoms on top of what you already have (including the restrictions).

And now you have to be careful because Rust just gave you a footgun that you asked for. In a manually memory-managed language, you'd get fatigued by the constant worry about this footgun. In Rust, that worry is limited to those unsafe blocks, giving you the luxury to workout strategies to avoid shooting yourself in the foot. The 'invariants' are that strategy. You describe the conditions under which the code is valid. Then you enforce it there, so that you can breath freely in Safe Rust.

[1] https://doc.rust-lang.org/nomicon/what-unsafe-does.html#what...

49. dns_snek ◴[17 Nov 25 15:59 UTC] No.45954768{10}[source]
Then someone's playing with definitions here because a bug that can't be exploited and doesn't have a demonstrable impact on safety or security isn't a vulnerability under any definition that I subscribe to - it's just a bug.

What we ultimately care about is how many preventable, serious defects sneak into production code - particularly those concerning data security, integrity, and physical safety. The only statistics we should all care about is how many serious CVEs end up in the final product, everything else is just personal preference.

Eliminating a segfault when `--help` is provided twice is nice, but it didn't fix a security vulnerability so using it to bolster the security argument is dishonest.

50. NobodyNada ◴[17 Nov 25 16:13 UTC] No.45954924{9}[source]
If no references are involved, writing unsafe Rust is significantly easier than writing correct C, because the semantics are much clearer and easier to find in the documentation, and there's no insane things like type-based aliasing rules.

If references are involved, Rust becomes harder, because the precise semantics are not decided or documented. The semantics aren't complicated; they're along the lines of "while a reference is live, you can't perform a conflicting access from a pointer or reference not derived from that reference". But there aren't good resources for learning this or clarifying the precise details. This area is an active work-in-progress; there is a subteam of the Rust project led by Ralf Jung (https://www.ralfj.de/blog/) working on fully and clearly defining the language's operational semantics, and they are doing an excellent job of it.

When it comes to Zig, the precise rules and semantics of the memory model are much less clear than C. There's essentially no documentation, and if you search GitHub issues a lot of it is undecided and not actively being worked on. This is completely understandable given Zig's stage in development, but for me "how easy it is to write UB-free code" boils down to "how easy is it to understand the rules and apply them correctly", and so to me Zig is very hard to write correctly if you can't even figure out what "correct" is.

Once Zig and Rust both have their memory models fleshed out, I hope Zig lands somewhere comparable to where Rust-without-references is today, and I hope that Rust-with-references ends up being only a little bit harder (and still easier than C).

51. Ygg2 ◴[17 Nov 25 16:20 UTC] No.45955023{8}[source]
> Great C interop, first class support for cross-compilation, well suited for arena allocators.

C interop and arena allocators aren't hard requirements for a kernel language. In fact, why would a kernel in <INSERT LANG> need to talk to C? You need it to talk to Assembly/Machine code, not C.

It helps if it can talk to/from C but it's not a requirement.

> customers heard about Rust as some magical tech that will make the code bug-free

That's on customers not having a clear picture. What we can look at experimentally is that yes, Rust will remove a whole suite of bugs, and no, Zig won't help there. Is Zig better than C? Sure, but so is C++ and it still sucks at it.

Like, the few big things wrong with Rust is probably compilation speed and async needing more tweaks (pinned places ergonomics, linear types to deal with async drop...) to make it way better.

52. Ygg2 ◴[17 Nov 25 16:26 UTC] No.45955097{5}[source]
> Borrow checking is basically a synonym for affine type system.

No? It's more akin to flow analysis with special generic types called lifetimes.

> The same outcome can be achieved via affine types, linear types, effects, dependent types, regions, proofs, among many other CS research in type systems.

Sure, and sounds, colors, and instruments are the same, but they are mixed to create an audio-video song. I'm not saying that what Rust did is something that came about ex nihilo, without precedence.

But having it all unified uniquely the way Rust did it is frankly revolutionary. Until now, people assumed if you want memory safety, you have to add a GC (tracing or RC). Or alternatively write extensive proofs about types like Ada/Spark.

53. LexiMax ◴[17 Nov 25 19:54 UTC] No.45957522[source]
To me, the fact that Zig has spent so long in development disqualifies it as being a "rewrite of C."

To be clear, I really like Zig. But C is also a relatively simple language to both understand and implement because it doesn't have many features, and the features it does have aren't overly clever. Zig is a pretty easy language to learn, but the presence of comptime ratchets up the implementation difficulty significantly.

A true C successor might be something like Odin. I am admittedly not as tuned into the Odin language as I am Zig, but I get the impression that despite being started six months after Zig, the language is mostly fully implemented as envisioned, and most of the work is now spent polishing the compiler and building out the standard library, tooling and package ecosystem.

replies(1): >>45960086 #
54. JuniperMesos ◴[17 Nov 25 21:59 UTC] No.45958843{7}[source]
> And while I don't have enough experience with Rust to claim this first hand, my understanding is that writing correct unsafe Rust code is at least an order of magnitude harder than writing correct Zig code due to all of the properties/invariants that you have to preserve. So it comes with serious drawbacks, it's not just a quick "opt out of the safety for a bit" switch.

I think this is hard to generalize about. There are many instances where one might want to do unsafe memory operations in rust, with different correctness implications. I am suspicious that in Zig you do actually have to preserve all the same properties and invariants, and there's just nothing telling you if you did so or not or even what all of them are, so you don't know if your code is correct or not.

55. JuniperMesos ◴[17 Nov 25 22:18 UTC] No.45959029{7}[source]
> So Zig would fail that, but then you could also consider C++ unsuitable for production software - and we know it clearly is still suitable.

Speak for yourself, I never want to write C++ ever again in my life.

I'm not a huge fan of the language of responsibility. I don't think there should be a law banning the use of C or C++ or any other programming language on account of it being unsafe, I don't think that anyone who writes in C/C++ is inherently acting immorally, etc.

What I do think is that Rust is a better-designed language than C or C++ and offers a bunch of affordances, including but not limited to the borrow checker, unsafe mode, the type system, cargo, etc. that make it easier and more fun for programmers to use to write correct and performant software, most of the time in most cases. I think projects that are currently using C/C++ should seriously consider switching off of them to something else, and Rust is an excellent candidate but not the only candidate.

I think Zig is also almost certainly an better language than C/C++ in every respect (I hedge more here because I'm less familiar with Zig, and because it's still being developed). Not having as strong memory safety guarantees as Rust is disappointing and I expect that it will result in Zig-written software being somewhat buggier than Rust-written software over the long term. But I am not so confident that I am correct about this, or that Zig won't bring additional benefits Rust doesn't have, that I would argue that people shouldn't use Zig or work on languages like Zig.

56. keybored ◴[17 Nov 25 23:01 UTC] No.45959433[source]
> Zig does share some things with C - the language is simple and values explicitness - but at its core is one of the most sophisticated (and novel) programming primitives we've ever seen: A general and flexible partial evaluation engine with access to reflection.

To my understanding (and I still haven’t used Zig) the “comptime” inherently (for sufficiently complex cases) leads to library code that needs to be actively tested for potential client use since the instantiation might fail. Which is not the case for the strict subset of “compile time” functionality that Java generics and whatnot bring.

I don’t want that in any “the new X” language. Maybe for experimental languages. But not for Rust or Zig or any other that tries to improve on the mainstream (of whatever nice) status quo.

replies(1): >>45960123 #
57. keybored ◴[17 Nov 25 23:02 UTC] No.45959444{3}[source]
> I feel like

Needless flame bait follows.

58. pron ◴[18 Nov 25 00:34 UTC] No.45960086{3}[source]
I don't think it's the implementation that's delaying Zig's stabilisation, but the design. I'm also not sure comptime makes the implementation all that complicated. Lisp macros are more powerful than comptime (comptime is weaker by design) and they don't make Lisp implementation complicated.
replies(1): >>45981649 #
59. pron ◴[18 Nov 25 00:40 UTC] No.45960123{3}[source]
> leads to library code that needs to be actively tested for potential client use since the instantiation might fail

True, like templates in C++ or macros in C or Rust. Although the code is "tested" at compile time, so at worst your compilation will fail.

> I don’t want that in any “the new X” language

Okay, and I don't want any problem of any kind in my language, but unfortunately, there are tradeoffs in programming language design. So the question is what you're getting in exchange for this problem. The answer is that you're getting a language that's both small and easy to inspect and understand. So you can pick having other problems in exchange for not having this one, but you can't pick no problems at all. In fact, you'll often get some variant of this very problem.

In Java, you can get by with high-level abstractions because we have a JIT, but performance in languages that are compiled AOT is more complicated. So, in addition to generics, low-level languages have other features that are not needed in Java. C++ has templates, which are a little more general than generics, but they can fail to instantiate, too. It also has preprocessor macros that can fail to compile in a client program. Rust has ordinary generics, which are checked once, but since that's not enough for a low-level language, it also has macros, and those can also fail to expand correctly.

So in practice, you either have one feature that can fail to compile in the client, or you can have the functionality split among multiple features, resulting in a more complicated language, and still have some of those features exhibit the same problem.

replies(1): >>45971558 #
60. keybored ◴[18 Nov 25 20:25 UTC] No.45971558{4}[source]
I wasn’t clear then. I would rather have N language features of increasing complexity/UX issues for dealing with increasingly complex situations rather than one mechanism to rule them all that can fail to instantiate in all cases (of whatever complexity). That’s the tradeoff that I want.

Why? Because that leads to better ergonomics for me, in my experience. When library authors can polish the interface with the least powerful mechanism with the best guarantees, I can use it, misuse it, and get decent error messages.

What I want out of partial evaluation is just the boring 90’s technology of generalized “constant folding”.[1] I in principle don’t care if it is used to implement other things... as long as I don’t have surprising instantiation problems when using library code that perhaps the library author did not anticipate.

[1]: And Rust’s “const” approach is probably too limited at this stage. For my tastes. But the fallout of generalizing is not my problem so who am I to judge.

> Okay, and I don't want any problem of any kind in my language, but unfortunately, there are tradeoffs in programming language design.

I see.

> So in practice, you either have one feature that can fail to compile in the client, or you can have the functionality split among multiple features, resulting in a more complicated language,

In my experience Rust being complicated is more of a problem for rustc contributors than it is for me.

> and still have some of those features exhibit the same problem.

Which you only use when you need them.

(I of course indirectly use macros since the standard library is full of them. At least those are nice enough to use. But I might have gotten some weird expansions before, though?)

That will have to do until there comes along a language where you can write anything interesting as library code and still expose a nice to use interface.

replies(1): >>45974601 #
61. pron ◴[19 Nov 25 01:07 UTC] No.45974601{5}[source]
> I would rather have N language features of increasing complexity/UX issues for dealing with increasingly complex situations rather than one mechanism to rule them all that can fail to instantiate in all cases (of whatever complexity). That’s the tradeoff that I want.

It's not that that single mechanism can fail in all situations. It's very unlikely to fail to compile in situations where the complicated language always compiles, and more likely to fail to compile when used for more complicated things, where macros may fail to compile, too.

It's probability of compilation failure is about the same as that of C++ templates [1]. Yeah, I've seen compilation bugs in templates, but I don't think that's on any C++ programmer's top ten problem list (and those bugs are usually when you start doing stranger things). Given that there can be runtime failures, which are far more dangerous than compilation failures and cannot be prevented, that the much less problematic compilation failures cannot always be prevented is a pretty small deal.

But okay, we all prefer different tradeoffs. That's why different languages choose design philosophies that appeal to different people.

[1]: It's basically a generalisation of the same idea, only with better error messages and much simpler code.

62. LexiMax ◴[19 Nov 25 16:38 UTC] No.45981649{4}[source]
Fair. I'm not a compiler developer, so I'll defer to your expertise on that front.

That being said, I suppose my ultimate wonder is how small a Zig implementation could possibly be, if code size and implementation simplicity was the priority. In other words, could a hypothetical version of the Zig language have existed in the 80's or 90's, or was such a language simply out of reach of the computers of the time.

replies(1): >>45982175 #
63. pron ◴[19 Nov 25 17:24 UTC] No.45982175{5}[source]
It's not quite as minimal as C, but it definitely could have been made in the 80s or 90s (actually, 70s, too) :) There were far larger, more complex languages back then, including low-level languages such as C++ and Ada, not to mention even bigger high-level languages. High-level languages were already more elaborate even in the 70s (comptime is no more tricky than macro or other meta-programming facilities used in Lisp in the sixties or Smalltalk in the 70s; it certainly doesn't come even remotely close to the sophistication of 1970s Prolog).

I don't think there's any programming language today that couldn't have been implemented in the 90s, unless the language relies on LLMs.