@ninjawedding I've found a good way to reason about Undefined Behavior is that it's stuff that's incorrect but expensive in terms of performance to require a compiler to detect. For example to define null pointer derefences you actually would need to insert a check everywhere a pointer could be null. You can't just say "this crashes the program" since the C language spec doesn't actually mandate the behavior of the processor and OS (you can't force every OS to have a non-accessible page 0 and in deeply embedded situations you will want to use that page (or won't have virtual memory / page protection bits)). Meanwhile a compiler can do some useful tricks if it can know a pointer won't be dereferenced (since that would be a bug by the programmer). Same with strict aliasing, it allows the compiler to assume two pointers won't point to the same location and that has important effects on possible optimizations.
@maiyannah I'm still waiting for them to give up the charade about Mozilla being independent and merging it into Google proper. I mean, it's not like they whole world doesn't know where Mozilla gets its money from.
Tech firms are getting themselves in trouble because once you start blocking people for other things than required by law there will be ever more pressure to block people for other things. And then there will be ever more pushback on your role as the moral arbiter of the internet.
@munin @hobbsc I'd just like to interject for a moment. What you're referring to as Linux, is in fact, Systemd/Linux, or as I've recently taken to calling it, Systemd plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning Systemd system made useful by the Systemd init system, shell utilities and vital system components comprising a full OS as defined by Lennart Poettering.
@hobbsc @munin Systemd has a bunch of good ideas but the devs tend to have an attitude of "we own the init system, you will adapt to what we decide". Often the technical arguments behind their decisions have merit but they don't seem to be team players. I think it's that attitude that's putting a lot of people off.
Also, they take such a broad view of what the init system should do that even pro-systemd people like me become uncomfortable with it. E.g. tying stuff up with dbus, making cron jobs a task of the init system, the integration with journald.Β
@clacke It's not a direct link. The borrow checker is necessarily conservative (according to Rusters and this chimes with what I know of type systems), thus it fails programs that are correct but unprovable. It imposes limitations such as that you cannot mutate an object that is borrowed. In some cases code that fails the borrow checker would be correct and more efficient, assuming a straight translation of source to assembly (which we both know compilers don't do).
In order for Rust to be at the same level as C++ the compiler would need to be able to detect workarounds the programmer has made to satisfy the borrow checker and translate that into the same effective code. However optimization possibilities for compilers are limited by all kinds of rules (defined behavior) and for example a function call to a function external to this compilation unit could prevent reordering necessary to optimize.
And before people start about Rust, I'm not convinced it will have the same level of performance as C/C++. Rust is a bargain of restricting what the programmer can do in exchange for correcter code. That inevitably leads to writing code in a less direct way than in C/C++, at least part of the time. The compiler would need to be very good at translating that code to a standard form which doesn't have the indirections in order to gain the same level of performance.
Compilers are good, but I have a hard time believing Rust programmers will always write code that exhibits the properties needed for a compiler to safely rewrite it to the fastest version.
The real reason memory safety is a problem is not because it's not possible with modern programming languages, it's that people want C/C++ levels of performance and that's obtained by letting the compiler and standard library do unsafe things and putting the onus of writing safe code on the application programmer. Β
As much as I like to dislike Rust (due to the culture around it) Tor is a case where the extra checks of Rust make sense. Tor deals with massively untrusted input on a hostile network with the most technologically competent adversaries trying to actively break it.
I just hope Rust doesn't have bugs that introduce security weaknesses. Because getting in a Ken Thompson patch in the Rust compiler may be easier than getting a backdoor into Tor due to Tor folks being sensibly paranoid.
@clacke @maiyannah Yes. The problems happen when you're trying to use it without being fully at container scale. CoreOS is basically designed to be a layer in a Kubernetes cluster or a similar high level cattlefarm (i.e. automated provisioning of new machines, don't care if a machine is down for a few minutes).
It doesn't work so well when it runs services which are started manually through docker. One particular problem is that CoreOS applies updates by rebooting and if you happen to forget to enable a service (systemd) or set a restart policy (docker) that service won't come back up.
CoreOS also has the nice feature that it doesn't support proper tools like a full featured vim. It has that within a container but due to systemd interaction with containers you cannot access the host systemd from within that container, which makes all kind of sysadminning very painful.
@maiyannah I guess my use case is different. I don't want to fuck around with systems. I want them to work and not give me headache. And I want them to support modern container technology because otherwise the boss will mandate things like CoreOS which are _really_ a pain in the ass to work with.
However I fear systemd may eventually end up stopping progress towards better systems rather than accelerating it. With a systemd monoculture there's no real way to try alternative approaches at the large scale needed to learn if and where they provide sufficient benefits.
@maiyannah Oh, I absolutely have too little discipline for C++. The difference is I know it.
But programming discipline is something that most people nowadays don't really learn. Java IDE's and culture make making a mess a perfectly acceptable option. It's languages like C and C++ that teach you to become a better programming. I know my time coding a non-trivial C app at work has made me appreciate how much discipline matters.
And the funny thing is, these days C and C++ are easier than ever. If you program in C you can run valgrind, clang-analyze and the Sanitizer suite and you'll catch a _lot_ of the discipline bugs. You still need discipline but the learning process is much quicker than it used to be.
On the other hand, being forced to debug a spooky action at a distance bug caused by a stack overflow does help etch the need for discipline in your head.
@maiyannah Yeah. Like C++ Java requires discipline from the programmer. And like C++ it's all about not going overboard. The main difference is that Java programmers tend to overdo design patterns and copypasting while C++ programmers tend to overdo cleverness and Boost use.