CISA looked at C/C++ projects and found a lot of C/C++ code. Wanna redo any of it in Rust?

Re: The Rust Evangelism Strike Force...

ken's hypothetical compiler didn't have a bug.

It had a feature.

_{Mine might have undocumented compiler flags ...}

Re: The Rust Evangelism Strike Force...

And the Greenhills compilers had their fair share of faults - including silent faulty target code (correct source code compiled to incorrect target code). They did publish "known errors" - which is good - but sometimes were not as helpful as I would have liked.

However, I don't think the compilation errors were caused by memory-safety errors in the compiler source (no evidence, just my feeling based on how the compiler screwed up and how the problem was reported in the known errors list).

Re: The Rust Evangelism Strike Force...

My last encounter with the Green Hills compiler was when porting Codemasters’ Neon Engine to the Nintendo Wii-U, my first decades earlier as chunks of the Amiga Kickstart ROM depended upon it. Solid, indeed. Wonder what’s still using it but not secret?

Re: The Rust Evangelism Strike Force...

I think the real isssue is a (malicious) program compiling a carefully crafted piece of code that causes the compiler to glitch and so enable the malicious program to gain elevated privileges etc.

On a standalone dev system this probably isn’t a big matter, on a production system (it’s surprising how many production systems have a fully operational dev environment) this could be different, on a cloud service like Git …

Re: The Rust Evangelism Strike Force...

Probably Visual Basic too! And one can write that inside any Office program too!

(Horridly enough, I've had to do this recently. I wanted to programatically build a PowerPoint slide. I decided to do this in the modern, correct way, downloaded all the C# packages to allow manipulation of PowerPoint slides, and set to work. And then stopped, when the true horror of what that entailed dawned. It was going to be a vast amount of code.

I ended up doing it with 6 lines of VBA macro. I've never felt so dirty in all my life, but it did work...)

Re: Rust, or ....

Not just the libraries. Given a new embedded processor (or micro-controller or some other new chip), chances are good that the manufacturer has a C compiler for it. Chances are not good that the manufacturer has ported rust to it.

Re: Rust, or ....

It used to be possible for Pascal to call C, vice versa, on some platforms at any rate. There's horrid things like SWIG, that don't really quite do the whole job even at the best of times.

The ways to allow calling between language islands already exists. Trouble is it exists in multiple incompatible forms. Linux has dBus. Windows has COM. There was CORBA, and other attempts at cross-platform standards, but they've not taken off.

dBus is relatively successful on Linux, but it's a bit of a bodge. They've done the critical part reasonably well, but unfortunately they chose to handcraft it within their project rather than use a pre-existing standard. I'm talking about how you write an XML schema and then use that to build serialisers (marshallers) for dBus messages for your programming language. They invented their own schema standard, and built their own code generation tools. These work, but unfortunately they took it only to a primitive minimum.

Had they picked up a more mature, complete serialisation standard, dBus would automatically have some very useful traits. XSD (XML) schemas have "constraints", as do JSON and ASN.1 schemas. Code generated *properly* from such schemas ends up have code to check objects against the constraints, so if something is too long or out of the declared valid range, the object is automatically rejected. Having automatic content inspection as part of a remote calling interface, automatically enforced, would enrich dBus quite substantially. The reason they hand spun their own serialisation standard is because "free" was a big driver.

This kind of thing is what plagues the software industry, developers large and small generally take things only as far as minimally necessary. It's the "that'll do" attitude, meaning that just enough functionality to be dangerous gets implemented, with no one doing the thinking of might be transformatively better. Take Google Protocol Buffers. It's fairly effective, but has no way of expressing contraints. It's useful for exchanging data between different languages, but if you care about data validity you still have to have a meeting, a document, code review, all the nausiating unreliable methods of ensuring that one dev fully understands what another dev has done. There are 3rd party projects to add constraints syntax and code generation to Google Protocol Buffer, and I wish Google would adopt that and make it mainstream. Worse, Google chose to develop their own thing from scratch - and came up with something that is incomplete - having never used their own search engine to search for tools / standards that already did what they wanted. Had they done so, they'd have come across ASN.1 and maybe just bought one of the existing vendors and OSS it.

I build large heterogenous systems (different languages, different OSes, different CPUs) stringing processes together using something like ZeroMQ (which is very admirably multi-platform and multi-language) and ASN.1, using good tools provided by one of the better commercial tools providers. I end up being limited to languages like C, C++, C#, Java, Python and Go, but never mind. Doing systems this way it becomes possible to make most aspects of systems integration a matter for the system designer, rather than something developers do. Developers effectively get a pre-implemented interface, all they have to do is use it. And if they get it wrong, then the interface implementation they've been given refuses to handle their garbage. This way, an interface owner can really own and control it; the devs are hard-pushed to mis-use it. It also makes it very easy to be agile with interface definitions, very late into a project.

Another really nice aspect is that because ASN.1 is polyglottal when it comes to wireformats, you can shift data around in whatever form suits, e.g. compact binary representations for low bandwidth links, or JSON / XML where you perhaps want something semi-readable, or more verbose binary formats when you want more flexibility in what is sent and when. It's perfectly possible to have a program spitting out XML or JSON, and the recipient need not know how the XML or JSON was generated in the first place.

Re: Rust, or ....

I agree, and there is another important aspect: a domain experienced software engineer in C/C++ needs to be trained in using Rust for that domain - that takes time and effort.

An experienced software engineer in Rust needs domain expertise - same challenge.

I am sure many companies are looking into the transition, but in the meantime they still have to make their production targets.

Re: Yees but ..

Could be an avenue for DoS attacks

Re: Yees but ..

I have seen that with Oracle PL/SQL. One developer wanted to run a process in a loop, kind of like a cron.hourly. Sure enough, when we tested it, it leaked memory.

Re: The tools are wrong.

> The tools are wrong

Are you sure you have actually gone out and got yourself a proper set of tools for the job? Are you expecting that somebody else to do that for you?

> String handling in C is garbage, unless you are working with 16k of RAM.

String handling in C is entirely down to which library *you* decide to use - with the sole exception that statically declared strings are defined to be simple null-terminated character arrays[1] (the compiler has to do *something* if you insist on putting static strings into your code).

Yes, every implementation does provide you with, at a minimum, the really simple (dare I say it, simplistic) set of routines in the C standard library (which were originally written when 16KWords of RAM was all you got, on a very good day).

But you do *not* have to use those oldie-stylie routines - barring a few edge cases (i.e. printing out the word "ABEND") you don't *need* to have and compiler-generated null-terminated "unsafe" strings either (just load 'em from files with "My Best String Lib", which also helps you change 'em for I18N).

> We could just copy the Java/CSharp String APIs into C

Hmm, not sure I'm loving the idea of copying those *specific* APIs[1] but alternate string handling libraries exist in C (I'm not going to recommend a specific one, I don't know your requirements - and see [2])

> but they refuse to

Who is "they" here? Presumably, you mean the devs you work with, because the selection of libraries is up to them (or whoever dictates to them). So, go give them a stern talking to.

If "they" are some other set of devs then - go give them a stern talking to (actually, best to ask first why they aren't using a better library, and then give them a stern talking to).

If by "they" you mean the C compiler writers - well, there are lots of libraries they don't supply, that isn't really their job (and also see [2]) [3].

Bottom line: as others have said, it is possible to do The Best Thing w.r.t. memory (even strings!) in C and C++; it is entirely down to the devs to learn how and bother to do it. Or admit they are not a good fit for that project and go work on something else. If you are affected by people not doing that - give them a stern talking to.

> C++ could have a memory safe/garbage collected mode. Like Managed C++ did. But they refuse to.

They refuse to because it would break the tenets of C++ (and the existing code written in C++). As you say, there are things that do GC and you are at liberty to use those languages

[1] Which is also the case in C++ (the only reason C++ "has better strings than plain old C" is because you are using libraries that provide them; yes, more of these libs are provided "by default" with your C++ compiler, which makes them easier to find, but they are still just a set of libs and you are perfectly able to use a different set if they are a better fit to your needs)

[2] in large part because to my mind they are just as incomplete as the old-fashioned C standard library, because there is no such thing as *one* string representation that is fit for all purposes yet, IIRC, both the Java and C# APIs promote just one representation each. As it appears does every other "standard library" (but I shall start to get ranty here, so shall stop).

[3] Although C++ has gone down the prescriptive "we have done it all for you" route, when STL - a neat idea - metastasised into "Boost *is* standard C++" and "modern C++", which is still not a panacea.

Re: The tools are wrong.

C++ does have a memory safe mode. Most of it predates and is almost identical to Rust in design. Eg 'borrowing' is simply const & and &, both of which long existed in C++.

The only real difference is that C++ has grown over time, adding memory safe options for more use cases, so doesn't use a single "unsafe" keyword to mark a block of code as using the higher risk constructions - which are mostly bare pointers.

Your build tools and IDE can warn you about the higher risk constructions, if you wish. Existing projects can port over to the "memory safe" constructions piecemeal, it doesn't require a full ground-up rewrite and most do not have any runtime cost. (Though they do have a compile-time cost, of course, and to be fair C++ compilation is slow)

C++ also has garbage collected 'modes' if you want, there are several libraries and toolchains - though in my experience they're rarely used, probably because of performance though possibly vendor lock-in.

C is an entirely different language.

Lumping it together with C++ is nonsensical, like saying motorbikes are cars but SUVs are not.

Re: The tools are wrong.

I wrote critical production web C++ code at the turn of the century (that was used at least a few billion times over its 10 year time in prod). And how did I manage memory? I didn't. I just used the ANSI string library which wasn't even really new then.

Re: The tools are wrong.

Modern ISO C++ can be used to write completely memory safe code and the compiler will verify it for you. What's wrong with that?

https://www.theregister.com/2022/09/20/rust_microsoft_c/

Stroustrup got back to us, defending the language he invented.

"We can now achieve guaranteed perfect type and memory safety in ISO C++. That is, every object is used according to the type it was defined with. That implies that we eliminate uses of dangling pointers, catch range errors, and eliminate data races. Note that every 'safe' language, including Rust, has loopholes allowing unsafe code."

The thing is you can write unsafe code in Rust and when I look at all the interesting low level stuff around allocators....it's all unsafe code!!!!!

> Dismissing every argument about improving the tools with this logic simply guarantees that our tools, whether they're good or bad, will not improve.

True enough.

So it is a very Good Thing that software has never lacked, and will never lack, for people working on improvements to its tools[1].

Of course, the corollary to these improving tools is that we will therefore always have a pile of stuff created right up until the day before the new tool appeared[2].

> It may also be that he who blames his tools has bad tools

One day, there will be an article about how we must all stop using Rust because it just does not help with the errors that are causing so many systems to go wrong, errors that the Verdigris compiler catches automatically. A government study will demand to know how this parlous state of affairs was allowed to happen. The comments will be full of people praising Verdigris and complaining that it was always obvious that Rust wasn't good enough and why did we ever use such a rubbish tool; which complaints will be picked apart, line by line, by other commentards.

[1] some days the temptation to improve the tools even gets in the way of actually, you know, using them!

[2] and as TFA talks about the problems that causes (should we rewrite it? Now? Or tomorrow? Or will that make it worse?), maybe we *should* have a moratorium on creating the better tools? (Tongue firmly in cheek, ahem).

Pay no attention to Dunning and Kruger

Just as unfortunately the prevailing mindset is we are going to use technology to solve the problem. Instead of training people to be better drivers, better developers, better workers (from "the poor workman" post), etc.

"The value of experience is I recognize my mistakes every time I repeat them." --by I forget who.

I'm forever weighing the pros and cons of different languages, but practicality is uppermost in my mind. For my current personal project I did the prototype in awk and version 0.1 will be in C. I doubt Rust would be a good fit _now_. Maybe (if I ever release the code) when it reaches version 2.0 someone will complain about the C, but it will be too late then. Tough cookies.