Boffins debunk study claiming certain languages (cough, C, PHP, JS...) lead to more buggy code than others

Re: It's "What's the best language" all over again

"you can blame Java, VB, APL, Assembler, etc for your bugs but you're the one who wrote the code."

Yes, the old adage "it's a poor craftsman that blames his tools" continues to remain in full effect.

Re: It's "What's the best language" all over again

Pretty much like asking what the best language is.

I'm sure you can argue Shakespeare vs Dante vs Aristocles vs... to the end of the earth. What matters is not what language they expressed it in, but what was expressed and that it was expressed fluently.

I work in schools and I program in my spare time, so what with the focus on "every kid coding" (when clearly every kid can't even play a musical instrument, let alone code), it's the same question I get all the time.

The answer? I really don't care. So long as I can understand it, and show you where you've gone wrong, that's infinitely more important - that you find a language that you find easier / more complete / are able to source examples for / whatever I don't care.

Fact is, I've never programmed in Python in my life. A colleague gave me a teenager's Python code without telling me anything. In LITERALLY one glance, I spotted every kind of problem with the code that showed it was an amateur programmer, corrected them and was able to run my modified version of their program about 30 seconds after getting a Python interpreter working while simultaneously running their code and demonstrating bugs theirs had that mine didn't.

It's about fluency and expressiveness, not what language. I'm sure Chinese has more language subtlety, that Latin-based languages are easier to learn, that English is understood in more countries. But if you are going to write a ground-breaking novel, the language really doesn't matter as much as the content.

Re: It's "What's the best language" all over again

A "good" language doesn't make a good programmer and a good programmer can, probably, write good code in a "poor" language.

That said, typed and compiled langauges should lead to fewer oversights than an untyped, interpreted langauge. But, again, it isn't a guarantee of no/fewer bugs, it should just help eliminate one source of errors, but there are enough other areas still open, E.g. buffer overflows, programmer error etc.

But good design and good testing are still the biggest differentiator.

Re: It's "What's the best language" all over again

And now you can give a proper answer: Python.

Re: And they get paid money to do this?

In this case, the second set of academicians' research was needed to refute the first and point out what you have posted. Are they aware? Who knows? Seems any PhD candidate will engage in research no matter how aware of things they are.

Even though we IT types know that this research is flawed (the first), we have no standing unless there's plenty of PhD's involved and some reseach grant money.

Re: And they get paid money to do this?

yes!

Re: Too simplistic

Every language* is a DSL.

Except Lisp. And the first thing everyone does in Lisp, is write THIS problem's DSL.

.

* (+ framework, nowadays)

Re: Too simplistic

Much of what determines what a programming language is selected for an application has to do with economics, and that in turn has to do with how it is being deployed and managed as well as what libraries are available to implement it.

I've just had a glance at the report, and while I have not read the whole thing, it's pretty clear the authors have pointed out some gaping holes in the original study. One obvious problem is that actual programming languages don't fit into the neat pigeon holes that the original study assumed. For example, functional languages may have procedural features and visa-versa, so users will commonly combine the two methods in the same project, making any conclusions based on a neat separation of the methodologies void. There are more examples, including the fact that large chunks of data the original study was based on was nowhere to be found.

The studies themselves were based on comparing the number of bug fix Github commits to the number of total commits. In other words, what proportion of commits were bug fixes. A "bug" was determined by scanning for the words "bug", "error", etc. in the commit message.

One pretty obvious problem that neither of the authors appear to have addressed is the relative maturity of projects compared to languages. Projects that have been around for a long time and are relatively stable are likely to be written in languages that have been popular for a long time, and it is possible to hypothesise that commits are more likely to be focused on bug and security fixes rather than new features. On the other hand, projects that are more recent have a greater probability of being written in languages that have become popular only more recently, and to be in a phase in which they are receiving more feature commits rather than bug or security commits. And if we examine how the languages cluster in the study, they seem to fit that pattern. Of course correlation doesn't equate to causation (as the second study points out), but it is yet another possible explanation which should be considered.

And as the study itself points out, there are many "bug" commits which are just fixing cosmetic, style, or comment issues rather than fixing actual functional bugs. The methodology is not able to distinguish these despite some "communities" being more obsessed about these issues than others.

What is noticeable is that most of the well established and popular programming languages appear to cluster pretty closely together while the "boutique" languages are in another cluster. It is not obvious to me how this could be explained simply by language feature rather than being a reflection of who is using them and how.

There are two interesting outliers however, these are C and Perl. C supposedly has an abnormally high number of bugs, while Perl has an abnormally low number of bugs (see figure 5). If we want to make any language superiority claims based on the study, then evidently if we want bug free software we should be writing it all in Perl. Or perhaps it's all just bollocks after all.

Re: Perhaps...

In Certifiable systems you have to prove the quality of your tools as well as your code.

Re: Perhaps...

You're not seriously suggesting that the choice of software by scientists could introduce a significant degree of inaccuracy into their work are you?

https://www.bbc.co.uk/news/technology-37176926

Re: Enjoyed FORTRAN more than any language...

including the language

Re: Enjoyed FORTRAN more than any language...

Bugs come from many directions.

Bugs in C++ might perhaps come from the complexity of the language itself. Not so much Stroustrup's original C++ as-was 30 years ago, but the designed-by-committee monstrosity it grew into.

Bugs in a complex formally-verifiable system I had the misfortune to work on sometime in the '80s came from the complexity of the test framework, and the pressure that put on programmers to get it through the tests rather than get it right.

Re: Rust

I'd think it would be worse. Because there are lot more kinds of bugs than the ones Rust (or any language) can protect against. And a false sense of security is, well, false.

I could list more classes of bugs than will easily fit here that Rust has no clue about; and I'm not really against Rust - I'm against depending on some magic "one weird trick" language to solve it all.

Locks need to evolve because lock pickers and bypassers keep inventing new ways to get past the existing ones. If nothing else.

Re: Rust

"as the claim is it removes memory bounds issues."

But that's only one class of errors. There is a whole ocean of other errors that can happen.

Re: I'm glad its not my job.

"I grew up dealing with DoD's "Ada is the answer" abortion"

Oh, man, that triggers flashbacks. I remember spending a fair bit of pain and time becoming competent with Ada before everyone realized that it wasn't really suitable for much.

Re: I'm glad its not my job.

Research such as the 'least buggy lingo' strikes me as a fool's errand.

Coming from that angle, probably. It would however be useful to know what language features lead to less reliable code being written. I'm sure someone will pop up shortly to say that if you're a good programmer and write tests for everything as you go along etc. then you will never have bugs, the real world demonstrates that this is an ideal scenario and there are people writing programs who, for whatever reason, are not producing perfect code. Because the easier it is to get things right, the lower the required overhead of all the supporting factors you mention becomes. Most major languages it seems aren't fatally enough flawed that they aren't usable, possibly through natural selection more than anything else.

Except of course for JavaScript.

Re: How many times do I have to say this?

Duff's Device.

Does this also work in Java and C#?

Re: How many times do I have to say this?

Assuming a Uniform distribution:

at least 12.5% of the time: once

@Frumious Bandersnatch -- Re: How many times do I have to say this?

Only one question: How old are you?!?

Re: GIGO

Terse but understandable code? That really depends on the problem at hand - many problems I'd have to deal with cannot be written in terse and understandable code because the problem is not terse or understandable even its most simple breakdown. I always used to say to people who said they could write code without a goto to fuck off and write a device driver, or if that didnt work run something on their object code that removed all jmp instructions.

I grew up in chip design and some code worked on a quantum level in emulating how device worked, When that code didnt work as it should you couldn't modify the code - some of which was the combination of several PhD lifetimes of the best minds in the world, If you found a situation where their code failed you just had to make sure you never called their code in a way that would make it fail.

Re: What a load of crap!

" I hate the idea that a process I write will fail so I probably spend an inordinate amount of time writing handlers, backup and correction routines that will try everything possible before giving up and apologising to the operator/user that process X has failed."

I'm with you here.

It's amazing how many battles I've had to engage in just to convince some engineers to do comprehensive error and condition checking. The argument "Yes, it's a problem if users do X, but users will never do X" comes up a lot. Decades of experience has taught me that if it's possible for a user to do something, no matter how ridiculous, then sooner or later a user will do it -- and if the program fails as a result, that's a legitimate bug.

Re: But "bugs fixed" doesn't equal "bugs in code" and may not even be proportional

Ayup, and not to left MS off the hook: A Java or .Net program cannot fix a bug in the JIT compiler or a bug in the garbage collector. Those bugs will never be fixed and will not show in these kind of bug fix studies.

Re: Reminds me of...

In my experience, the kind of problems that can actually be coded in a functional language are so simple, that you don't need a functional language to code it.

I have never seen a useful project done with a functional language. Every place I know that tried a functional language, eventually gave up, fired all the culprits who propounded the damn thing and started over in C.

@bytemaniak -- Re: Reminds me of...

Those functional programming turbonerds that downtalk every other language in existence because it "allows you to write bad code" while X functional language doesnt.

Next time you run into one of these turbonerds¹, ask them if they've seen any of the gawd-awful (and buggy) SQL that is floating around the intertubes.

_{¹ "Turbonerds". Love it! Can I use it?}

Re: Impossible question

"You often don't know that your code is buggy until it's exploited..."

Well said (while others above praise there code without REALLY knowing!).

Publish your code as open source and you soon find out where the exploits are.