back to article C++ still rules the Chromium roost though Rust has caught our eye, say browser devs

Google's Chromium Project has acknowledged its growing interest in adding more Rust code to the mostly C++ Chromium codebase. Rust is an open-source systems-oriented programming language championed by Mozilla that's known for its memory safety, a characteristic of particular interest to developers interested in browser …

  1. karlkarl Silver badge

    The interop is always an issue. It is in fact what gives rise to all these dependency "solutions" such as NPM, PIP, CPAN, crates.io and other language based package managers. These rack up a technical debt that makes future maintenance a mess. Bindings suck to make and suck to maintain.

    The only way this can be truly solved is by adding a basic C compiler to the new language. Not because C is the nicest language to use but because it gives you access to APIs that the real world uses. For example, do you think C++ would have ever become a success if it couldn't consume C libraries?

    I love Rust but I hate dependencies so C++ is still the only solution for me for now :/

    1. DrXym

      Rust is designed to be very interoperable with C and C++ at runtime - the compiler spits out .o files and lib files just like C / C++ and they link together providing the function you're calling can be resolved.

      There is some boundary stuff you have to do because C is unsafe and Rust is safe, and you need to generate bindings but you can easily call from one to the other.

      Once you have it set up it's no more difficult to call Rust from C++ than it is any other random C library.

      1. karlkarl Silver badge

        "and you need to generate bindings but you can easily call from one to the other."

        I think you underestimate the time required to develop and maintain bindings. Generators don't work on things like function callbacks for example.

        1. DrXym

          You don't need to develop and maintain bindings. You write code in Rust that has public C functions, build it and then invoke cbindgen (https://github.com/eqrion/cbindgen) to spit out a C or C++ header for it. It produces the headers automatically from your actual code. You can even make the cbindgen step part of the build itself.

          An example of an automatically generated header shows it does a very good job.

          https://searchfox.org/mozilla-central/source/__GENERATED__/gfx/webrender_bindings/webrender_ffi_generated.h

          1. karlkarl Silver badge

            In order for rust to be able to call (i.e an OpenGL) function, you need to make a Rust to C binding.

            OpenGL has a *lot* of functions. Would take a long time to bind that.

            And then going the other way (which I think you are referring to). Getting C++ to know about a Rust struct and the lifespan of it (i.e can C++ use a unique_ptr, shared_ptr or will Rust be the memory holder so Raw or wea_ptr?). Can C++ even hold a weak_ptr to a Rust Arc type?

            It can't work easily. Bindings are necessary for both directions.

            1. DrXym

              That's in the other direction. I was talking writing a Rust lib callable by C. If you want to do the other way (a C lib callable by Rust) then you use bindgen which is the opposite of cbindgen - it creates a .rs interface around a C library for Rust to call instead of C bindings around Rust for C to call. Either way it's largely automated so it's a matter of just setting it up and then away you go.

  2. Anonymous Coward
    Coat

    Swift is a good choice. It runs so slowly, crashes never get around to happening.

  3. Elledan

    Kinda sad.

    On one hand it always saddens me to see more projects use Rust as it means that I won't be able to contribute to them as I won't learn that language.

    On the other hand I also do not get why Rust is hyped. Not that I'm a big C++ fan, I'm more of an Ada kind of person, which is exactly why I don't get why Rust is supposed to be 'better'.

    Rust doesn't have super strong typing of Ada, it follows by default more the dynamic typing of Python, its syntax is symbol-based and thus offers a severe learning curve over languages that use plain English (like Ada), it doesn't offer contract-based programming, access types for heap memory and on top of all that it doesn't follow a single one of the Steelman requirements, in particular the restricting of how many ways one can write the same code.

    C++ is 'safe' enough that it has been certified by the DoD to be used to program the avionics of the F-35 jet. As someone who has plenty of professional experience in C and C++ as well, I can see how modern C++ (i.e. C++11 with standardised memory model) can totally work in safety-first applications. It's mostly about pushing the C baggage to the side, instead using the bits of C++ that do not allow you to easily shoot yourself in the foot.

    Yet neither C, nor C++ nor Rust do much to prevent the most common kind of error that makes stuff catch fire in production: logic errors and faulty assumptions. Those incidentally happen to be the reasons why Ada requires explicit termination of blocks with a named end statement, why contract-based programming is part of the core language since Ada 2012 and why nothing is done implicitly. The compiler will bludgeon you over the head with 'are you really sure?' errors until you have addressed every single point.

    So yeah, unless an open source project happens to be written in C, C++ or Ada, it might as well be closed source to me. And that makes me somewhat sad.

    1. Rob Gr

      Re: Kinda sad.

      "Rust doesn't have super strong typing of Ada, it follows by default more the dynamic typing of Python" that is quite simply totally and utterly wrong. It allows types to be inferred, but every variable has a well-defined type at compile time, which is extended to include lifetime analysis to ensure variables are not used beyond the point their value is valid. It's one of the strongest type systems I've seen. It is immensely more safe than C++. The compiler is extremely strict.

      1. Elledan

        Re: Kinda sad.

        Explicit typing in Rust is punished by being more verbose than in Java. Your description fits Python's type system equally well.

    2. diodesign (Written by Reg staff) Silver badge

      Re: Kinda sad.

      "logic errors and faulty assumptions"

      FWIW Rust is strict on trying to stop common errors. For example, Rust's equivalent of a switch-case block (called match) does not allow you to fall through it. You must match one of the arms, and this is checked at compile time. You can put a catch all in ( _ ) but you must explicitly set it up with a handler.

      I skipped C++ and went from C to Rust and the thought of writing C now scares me. I've been meaning to do a 'Rust for C/C++ programmers' article for ages now.

      C.

      1. Anonymous Coward
        Happy

        Re: Kinda sad.

        > Rust's equivalent of a switch-case block (called match) does not allow you to fall through it.

        switch statement fallthrough in C/C++ is not an error, unless the programmer didn't intend it in the first place, but let it happen by mistake. So, I wouldn't count disallowing switch statement fallthrough as a feature.

        Please allow me to introduce you to Duff's Device, which is a way of doing loop unrolling in C/C++ -- for loops with a known compile-time trip count -- based entirely on switch statement fallthrough.

        Also, -Wimplicit-fallthrough both in GCC and clang.

        1. diodesign (Written by Reg staff) Silver badge

          C v Rust

          "unless the programmer didn't intend it"

          Well, yeah, that's the bug. That's what you want to avoid. Stuff happening the programmer didn't intend. I know there are times when a fall-through is useful - Rust lets you do that. You just have to be explicit about it rather than have the compiler assume you know what you're doing.

          Rust pretty much never gives you the benefit of the doubt. It's why I say Google has the language of Go and Mozilla has the language of No. With Rust you have to get used to the compiler telling you No a lot, and stopping compilation. It's annoying but you get over it. It's just software; it's not judging you.

          "Also, -Wimplicit-fallthrough"

          This is just a warning. It's a stop-the-build error in Rust. And without this __attribute__ ((fallthrough)) stuff.

          C.

          1. Anonymous Coward
            Anonymous Coward

            Re: C v Rust

            > It's a stop-the-build error in Rust.

            That's a language design choice. As a C/C++ guy, I find it weird and impractical.

            C/C++ intentionally allow switch fallthrough. It's not a bug.

            -Werror -Wimplicit-fallthrough. Both GCC and clang. No longer just a warning.

            1. Tim Parker

              Re: C v Rust

              It's a stop-the-build error in Rust.

              That's a language design choice. As a C/C++ guy, I find it weird and impractical.

              As a C/C++ guy, I find it very appealing, especially when we have new programmers.

              C/C++ intentionally allow switch fallthrough. It's not a bug.

              C/C++ programmers unintentionally write switch fall-through. That's a bug.

              1. Anonymous Coward
                Mushroom

                Re: C v Rust

                > C/C++ programmers unintentionally write switch fall-through. That's a bug.

                I am not in the business of blaming the language for someone's incompetence.

                Is it really that difficult to add -Werror -Wimplicit-fallthrough to a Makefile?

                I don't care if someone is "new" or not so new. Being able to write a correct switch statement isn't exactly the programming challenge of the century.

          2. Robert Grant

            Re: C v Rust

            You just have to be explicit about it rather than have the compiler assume you know what you're doing.

            I always write the thing that makes it fall through, because that seems to make my code work.

        2. DrXym

          Re: Kinda sad.

          A better reason for fall through is you might have two values which have similar handling but you need to do a little extra handling for one than the other. So you structure the switch such that the little extra handling happens for one and then falls through to the next case. But it's still an edge case and hardly justifies it as a "feature" when it causes so many bugs and can be done some other way.

      2. GrumpenKraut
        Thumb Up

        Re: Kinda sad.

        > I've been meaning to do a 'Rust for C/C++ programmers' article for ages now.

        I'd definitely be interested.

      3. dajames

        Re: Kinda sad.

        I skipped C++ and went from C to Rust and the thought of writing C now scares me. I've been meaning to do a 'Rust for C/C++ programmers' article for ages now.

        C and C++ are two very different languages. Don't be fooled by the fact that most of C is compilable as C++ -- those are the bits of C++ that C++ programmers know better than to use (except in certain situations, such as when interfacing to C or other code that has a C-callable API).

        If you aren't a C++ programmer you shouldn't try to write "Rust for C++ Programmers", but your "Rust for C programmers" might be an interesting read.

    3. CederTree

      Re: Kinda sad.

      You say you *won't* learn rust. You then proceed to say why other languages are better than rust, a language you won't learn. I wonder what makes you believe you are qualified to make comparisons between things you do know and things you refuse to know? For a start, your statements about rust's type system are totally incorrect and made me wince.

    4. poohbear

      Re: Kinda sad.

      "C++ is 'safe' enough that it has been certified by the DoD to be used to program the avionics of the F-35 jet." ... you mean that one with all the software problems?

      1. dajames

        Re: Kinda sad.

        "C++ is 'safe' enough that it has been certified by the DoD to be used to program the avionics of the F-35 jet." ... you mean that one with all the software problems?

        A good point ... but we all know that one can write Fortran in any language, so we shouldn't blame the language for the F35's reportedly bad software.

    5. DrXym

      Re: Kinda sad.

      You've said similar stuff in the past and it is wrong. Rust is a strongly typed language. It is as strongly typed as C++. In some ways, it is more strongly typed since enums are proper types unlike in C++. It is just that the compiler is very good at inferring the type. Think of "let" as you might think of "auto" in C++ except its better.

      And you are wrong to say Rust doesn't do much to prevent the most common kind of error because the most common kinds of errors are null pointers, double-frees, dangling pointers, buffer overruns and data races. All things that Rust stops at compile time. It won't stop application errors, nothing will, but the fact you have half as many bugs in the first place is a seen as a GOOD THING by most people. Especially if you're talking about F-35 jets which is hardly a good example tbh.

      And no one is forcing you to learn Rust, but it mystifies me why you would dismiss it when you don't even know what it does or why it might be a good thing. No one is stopping you using Ada if it works for you, but it helps to know why others might prefer another language.

      1. Elledan

        Re: Kinda sad.

        A language which defaults to type inference is by definition not strongly typed. This is the same reason why I am vehemently against the use of 'auto' in C++ outside of templates.

        You're also wrong about the most common types of errors. But don't take my word for it.

        You may also have missed the part where I have actually looked at Rust in depth, otherwise I would not have made any of those statements.

        Honestly, Go has a lot more going for it than Rust.

        1. DrXym

          Re: Kinda sad.

          Bzzt, no. You can't make up your own definition of what strongly typed means. Strongly typed languages enforce the type of a variable during declaration or assignment, either at compile or runtime. Rust is strongly typed at compile time. Just like C++.

          And no you can't claim to have looked at it in depth or you wouldn't double down on such an obviously wrong statement. Or proclaim you know what causes most bugs. Look at CVEs if you are in any doubt of that. It seems you think that because no language (including Rust) can solve arbitrary application errors (e.g. halting problem) that it means it has no merit.

          All of this suggests a far more likely reason you don't like Rust - you're incorrigible. No one is expecting you like Rust, but if you're going to stick your oar in it helps to have your information straight.

      2. dajames

        Re: Kinda sad.

        In some ways, it is more strongly typed since enums are proper types unlike in C++.

        C++11 has enum classes, which are proper types.

        Rust has things it calls enums that are actually something akin to discriminated union types. Those are a powerful language feature, but I do wish they'd called them something other than "enum".

  4. Anonymous Coward
    Mushroom

    Why Rust is hyped

    > On the other hand I also do not get why Rust is hyped.

    Because (a) Mozilla has been pushing it - it's their brainchild so why not inflict it on everyone else - and because (b) Microsoft discovered a convenient scapegoat - well two scapegoats actually - to blame for the piss-poor quality of their products: C and C++. See, it wasn't Microsoft's fault that their stuff crashes, is under-tested (if at all), is inherently insecure, b0rked, bloated and dumb. It was the programming language's fault all along. At least according to Microsoft.

    > C++ is 'safe' enough that it has been certified by the DoD to be used to program the avionics of the F-35 jet.

    That means very little to (a) someone who can't be bothered to learn how pointers or computers work or (b) someone who spends most of their time copying and pasting Python code fragments from StackOverflow. Now they'll have two languages to copy and paste from StackOverflow.

    1. Elledan

      Re: Why Rust is hyped

      Fair points. I have had the displeasure of dealing with Mozilla's codebase around the time of Firefox 3.7, and it basically displayed every mistake one can make with a build system (60,000 line configuration file), code organisation (no significant hierarchy), code formatting (2-space indent, massive source files, no inline commentary) and documentation (zilch). Oh, and the kicker was having to ensure that at no point you named a new header file the same as another header file somewhere else in the build tree, as they got tossed together in the same flat namespace for reasons I cannot possibly comprehend to this day.

      Based on those experiences I'd definitely call Mozilla 'clueless' when it comes to software development and their blaming of C++ therefore invalid. It also makes me question why with such a background they felt called to design the 'One True Language' and why it'd be any good.

  5. SecretSonOfHG

    Stop calling Rust a "safe" language

    Because it is by all means safer, but has this unsafe {} construct that effectively disables a few key compile time checks that leave on the shoulders of the developer the memory safety of these sections. So to call a Rust program "safe" it needs not to contain unsafe {} blocks. As unfortunately the Rust standard library contains code with unsafe blocks, every Rust program that uses these functions is unsafe.

    Also, I'm very, very sceptic of a language that does not provide "classic" (data members and methods) class inheritance to become as widely used as one that does (namely every other popular langauge) Yes, there are ways of mimicking inheritance but not one wher you can simple grab a class and refine/extend its methods together with their data as with other OO languages. Purists may say that "classic" inheritance is wrong, but there are places where it fits the problem domain almost perfectly, as in, every other GUI toolkit in existence and many other examples. That, by the way, is what puts me off Rust at the moment.

  6. _LC_
    Stop

    Rust, Rust, Rust

    The problems almost entirely arise from “C style programming”. Rust can replace C. Using Rust to replace C++ is idiotic, though. You can make things a lot safer just by making them access things “the C++ way”, i.e., use “.at()” or define the “operator[]” as the safe “.at()” member, etc. pp. This requires A LOT less effort than redoing everything in Rust. Besides, said C programmers would use the "unsafe" in Rust.

    It's always C memory handling, C array access and C functions (memcpy, null-terminated strings) that cause the trouble. C++ has the solution. You can enforce it, if you really want to.

    1. Pier Reviewer

      Re: Rust, Rust, Rust

      The things you mention are good practice for avoiding out of bounds access, however that’s already one of the less common CWEs. Use after free and type confusion are much more common, and very much a C++ problem. Rust prevents them at compile time.

      You’re right that many issues can be avoided by using C++ properly. The problem is the compiler doesn’t enforce that. As a result people make mistakes that make it into the build, and in a 100 million line code base are hard to find. Rust simply says “no” and refuses to build, ensuring that such issues are dealt with ASAP.

      1. _LC_

        Re: Rust, Rust, Rust

        > Use after free and type confusion are much more common, and very much a C++ problem.

        No. Only if you program "the C way".

        That's what objects are there for.

        .

        > Use after free

        Not a "smart pointer" then, is it? I.e., you are not using an object when doing this.

        .

        > type confusion

        In C++?!? I have the eventual static_cast to turn off warnings. Without that, it spits them all in your face.

        .

        > Rust simply says “no” and refuses to build

        No, it doesn't. It lets you use the "unsafe". Besides, idiotic programmers also make idiotical logic errors. Parsing being one area I could point to.

        The idea that you can have a language, which makes bad programmers write good/safe programs is simply absurd. This "marketing gag" has been pushed before. We had our laughs. Time to move on...

        1. SecretSonOfHG

          Re: Rust, Rust, Rust

          "The idea that you can have a language, which makes bad programmers write good/safe programs is simply absurd. This "marketing gag" has been pushed before. We had our laughs. Time to move on..."

          I don't think that's the idea, the idea is more like having a language that makes very difficult for people to write something that works without understanding why. This means that the usual legion of impostors, opportunists and StackOverflow copy-pasters will have a very hard time creating a Rust program that both compiles, does something useful and is dangerous That weeds out a lot of bad programmers out.

  7. P.B. Lecavalier

    Ironic

    So now that Mozilla is shutting down Servo, and presumably resources behind the Rust project, is Chromium... going to be the Rust champion?? Unlikely, but extremely ironic.

  8. EnviableOne

    Lazy programmers

    switching from C to Rust is just cos the current generation of coders dont have the skill to avoid the memory errors

    1. karlkarl Silver badge

      Re: Lazy programmers

      I do understand this. I am sick of Microsoft (i.e MSSQL API) spitting out some stupid raw "C++" pointer because they refuse to write modern safe C++.

      But I am *sure* Microsoft will also manage to fsck up, even when using Rust.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like