Google says Android runs better when covered in Rust

I believe they're talking about in the kernel and system services, not running on top of the Android runtime. The core services in Android are all native code.

Re: Good To Hear !

The idea of memory safety is not exactly new, the Algol Mainframes did have some memory safety features in the 1970s.

The only version of Algol which had heap allocation was Algol 68, which was a failure. Earlier versions of Algol only had stack allocation. Any language without heap allocation is wonderfully memory safe but also as limiting as something like a scientific calculator.

So you can knock C all you like because it's not as memory safe as Algol 60 or as a scientific calculator (remember, we're ignoring Algol 68 which was an evolutionary dead end), but C was necessary and needed because it offered power, portability, and flexibility which other contemporary languages did not.

So your choices were 1) Algol 60 with non-portable assembly for any degree of power, 2) Algol 68, a dead-end, or 3) eventually C or Pascal. Unsurprisingly C and Pascal went through into the next round.

Re: Good To Hear !

If you're in the business of making phone switches (exchanges) like Bell Labs/AT&T then you're also likely to be designing and testing your products thoroughly before releasing them. 'C' was never intended for the 'pile it high and get it out as quickly as possible' school of programming, that's what "high level languages" are for -- they protect the system from the programmer.

Its the same with those organizations who couldn't use segmented -- protected -- memory properly. Nobody forced them to put everything in one huge memory puddle just hoping that one application wouldn't interfere with another. It was just easier / quicker / cheaper to do it (and you can always turn the system off and on again if things go pear shaped).

(Someone else described Algol 68 as a "failure". Its problem is that it tried to cram too many features into it (C++ please note), the biggie being able to declare procedures inside procedures. Essentially unimplementable with the technology of the year (and not a good idea in the first place, IMHO). The thinned down 68R version worked fine, its arguably the best language I've ever had the pleasure of using. Again, though, it doesn't appeal to the 'pile high and get it out fast' programming school.)

Re: Googley

Erm... Google have a C++ style guide because C++ is a vast, broken language with numerous pitfalls and corner cases and their guide is a mitigation against the worst excesses a programmer can indulge in. Just read it if in any doubt since they explain and justify every rule.

And what's this "nonstandard subset" about? There are plenty of "standard subset[s]" all of which contradict each other or have a different emphasis - MISRA, CERT C++, HIC++ etc. Or perhaps you don't like subsets at all - whatever the C++ standards say goes and the abuses they allow. But that is the whole problem.

So basically, a) you have no guidelines and everything blows up, b) you constrain yourself in some fashion incurring "cascading feature breakage" as you put it and possibly dropping tens of thousands on static analysis tools just to know if you're approaching safety, or c) you use a safe language and get safety out of the box.

Is it any wonder Rust is being used and so successfully?

Not me!

But to address the possibility that this is simply coincidence, it's worth noting the sharp drop in memory related vulnerabilities, 76% in 2019 down to 35% in 2022 (and there is still C++ being used), a decline of 41%. The numbers themselves (223 to 85) are also quite large; one does not need the sharpest of actuarial minds to see the unlikliness of a coincidence.

If it were random coincidence, it would unprecedented in computer science history, and one would expect those figures would reverse at some point.

Re: You too can write programs in Crayon

Is the memory safe C/C++ code and the programmers who write it in the room with us now?

Re: You too can write programs in Crayon

I must be free to write shitty, leaky code!!

Re: Lying Cheating

Any evidence to back up those claims?

Re: C++ Memory Safety?

Thirdly, static analysis is a process prone to raising "consessions", places where there has to be some dialogue between dev and review to say why this static analysis whinge can be ignored. There's nothing formal in the syntax to say "here we are unsafe",

If we're talking compiler checks:

#pragma warning disable/restore

#pragma message

Otherwise the static analysis tool will allow you to disable particular static analysis whinges.

The point is that, to make C++ memory safe there's an awful lot of holes to plug, including in places you can't get to.

Follow modern design patterns and use compiler checks and static analysis tools to enforce them. No, you can't "get to" libraries without source code but you can't in Rust anyway. If you can "get to" libraries with source code then you can run static analysis on the library too and fix flags which are raised, which is more practical then rewriting whole libraries in Rust and causing a whole new set of bugs.

Re: C++ Memory Safety?

That's exactly it. Safe by default. If your program crashes, i.e. unexpectedly dies rather than panic and yielding a stack trace, then the first thing you do is go looking for the word "unsafe" in your code or anything it depends on. Guaranteed the crash is in one of those and it represents a tiny fraction of your codebase.

I have a project which is hundreds of thousands of lines of code which I've been working on for 5 years. In total I have 3 unsafe blocks, all calling OpenSSL (to use an esoteric padding / signing functions). It has crashed ONCE in all that time and it was in one of those blocks where I was passing the wrong arg in a C call.

It's also the case that the word "unsafe" is anathema for Rust. You use it when you *must* but not otherwise. Big unsafe fixing splurges have happened in projects like Actix Web where it was deemed there were too many of them.

Re: C++ Memory Safety?

I'd mention that even if you are using the unsafe keyboard, you still have to adhere to the borrow checker and other compiler rules within an unsafe scope, such as the ownership model, aliasing XOR mutability, and type marker constraints. And it's by far much easier to perform a code review or an audit when the bits of unsafe are clearly labeled as such.

Also, there's a lot of great constructs within the Rust core library that make it trivial to handle raw pointers safely. There are zero-sized types that you can wrap pointers in which make interactions with them safer. Such as allowing the compiler to track ownership, leveraging it to prevent aliasing, giving it the ability to check your type transmutations, and more.

It also helps that the language syntax naturally encourages you to write code safely, so it's not a matter of "bad" programmers versus "good" programmers. It takes a lot of extra syntax to interact with code unsafely, as opposed to C or C++ where it takes a lot of extra effort to write code safely.

ABS Brake

"ABS Brakes make driving much more safe, but you can still kill yourself by reckless driving"

Here is the link to the blog post:

https://security.googleblog.com/2022/12/memory-safe-languages-in-android-13.html

Quite clearly they are still writing new C and C++ code, far more than there is new Rust code. We can assume that this accounts for much of the new bugs, not the existing mature code. But so far zero memory vulnerabilities found in the new Rust code.

The inference to draw is that it is working as designed, reducing memory issues. Rust isn't going to fix application logic errors (e.g. forgetting to check X is true before doing Y) but that wasn't the reason for using it. It was to reduce the kind of errors that have plagued C/C++ programming since forever - over/underflows, null pointers, double frees, data races etc.

I found the numbers a bit questionable:

"From 2019 to 2022 the annual number of memory safety vulnerabilities dropped from 223 down to 85,"

and

"In Android 13, roughly 21 percent of new native code is written in Rust."

So by using 1/5th of "safe" code it results in a 3x drop in bug rate?

If you spend the time to read the blog post then they did clearly label that 21% of all new code was written in Rust, and the other 79% of newly-written code is in C and C++. And within that new code, there's been zero vulnerabilities across the last three Android releases whereas 1 out of every 1000 lines of C/C++ had a vulnerability. So yes there's a strong correlation between vulnerabilities in C/C++ compared to Rust. Google isn't alone in releasing articles and papers like this. There's already been a myriad of research papers and blog articles from academia to Microsoft/Google.

But

Both have very similar memory safety issues:

A) unchecked array access

B) funny raw pointer stuff

B2) super funny pointer casting (e.g. int to pointer)

C) lots of problems from a lack of proper multithreading safety model in the type system

Male Cow Stuff

You claim that seasoned software engineers using C++ never had trouble with memory errors. Which could only mean that rookies worked on WNT, Linux Kernel, Unix kernels, Solaris make, Unix Userland tools, yacc and lots of other widely used programs. Because ALL of them had serious memory errors, which were often discovered decades after their creation.

Remember the HP/UX Ping of Death ?

Remember the exploitable memory errors in the TCP/IP stack of VxWorks ?

Remember how lots of memory errors were found in "well aged" Unix user land tools the first time they were executed under valgrind ?

Then you claim that "SoftICE" would be of help to detect memory errors. I cannot see how.

Conclusion: you have a nice life off C and C++ development and you don't want to learn anything new. So you blasted out some lies and half-truths.

Re: That google guy, he's never shipped product..a "researcher".

Yelling at clouds won't make technological progress halt just because you're not emotionally ready for the change. Rust is already widely adopted by most organizations that write software today, so it's too late to stop it.

Mozilla detached themselves from managing Rust many years ago. Rust is now managed by the Rust Foundation, which has sponsorships from quite a few high profile companies. Guess who these companies are, and why they're sponsoring it?

You claim that Firefox is the only project that's adopted it, and yet you're commenting on an article about Android that's been using it for a few years now. Microsoft had written the exact same articles about Rust, but I guess Android and Microsoft don't exist in your world view.

Even Linux now has Rust integrated into the kernel with many projects in the Linux space using it, but Linux must be a fictitious project in your eyes. Can't even further that virtually every website is using Rust. AWS, Cloudflare, Fastly, and Discord are all using it.

But by all means, keep grasping at straws to curse at younger generations of software developers, and the decades of programming language research written by researchers since the inception of C. That just makes you a pitiful and unenviable shell of a human being. One of the people responsible for the toxic behavior in software development communities that we're all trying to fix today.

Re: Android runs better when covered in Rust

As long as the p........ improve practical computer science, we should applaud them ;-)