This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
In the beginning, the C programming language was created, and there was much rejoicing. C is perhaps the single most influential language in the history of computing. It was "close to the hardware"*, it was fast*, it could do literally everything*. *Yes, I am simplifying a lot here.
But there were a few flaws. The programmer had to manage all the memory by himself, and that led to numerous security vulnerabilities in applications everywhere. Sometimes hackers exploited these vulnerabilities to the tune of several million dollars. This was bad.
But it's not like managing memory is particularly hard. It's just that with complex codebases, it's easy to miss a pointer dereference, or forget that you freed something, somewhere in potentially a million lines of code. So the greybeards said "lol git gud, just don't make mistakes."
The enlightened ones did not take this for an answer. They knew that the programmer shouldn't be burdened with micromanaging the details of memory, especially when security is at stake. Why is he allowed to call
mallocwithout callingfree?* The compiler should force him to do so. Better yet, the compiler can check the entire program for memory errors and refuse to compile, before a single unsafe line of code is ever run. *Actually memory leaks aren't usually security issues but I'm glossing over this because this post is already long.They had discovered something profound: Absent external forces, the programmer will be lazy and choose the path of least resistance. And they created a language based on this principle. In C, you may get away with not checking the return value of a function that could error. In Rust, that is completely unacceptable and will make the compiler cry. The path of least resistance in C is to do nothing, while the path of least resistance in Rust is to handle the error.
That's what makes Rust a better programming language. And I have to agree with the zealots, they are right on this.
...So I have to be disappointed when they're not.
Rust seems to keep popping up in the news in the past couple of months. In November, a bug in Rust code deployed by Cloudflare took down their infrastructure, and half the Internet with it. (Why Cloudflare even has a monopoly on half the Internet is a controversial topic for another time.) The cause? A programmer didn't handle the error from a function.
Well that's technically not true, they did. It's just that calling
.unwrap(), a function which will immediately abort the application on error, counts as "handling" the error. In other words, the path of least resistance is not to actually handle the error, but to crash. I argue that this isn't a better outcome than what would have happened in C, which would also be to crash. Sure, the crash won't be a segfault in Rust, but that doesn't matter if half the Internet dies.This month, a CVE was filed in the Rust part of the Linux kernel, and it turned out to be a memory corruption vulnerability, ironically enough. "But how could this happen?" Rust has these things called
unsafeblocks that let you do unsafe memory operations, closer to what you would be allowed to do in C (though granted, I have heard convincing arguments that unsafe Rust is still generally safer than C). So the path of least resistance is not to do things the safest way, but to just surround everything inunsafeif you get tired of fighting the borrow checker.I hear the same pitch all the time from Rust advocates. "C is unsafe, programmers are too fallible, we must use a language that forces good code." They consistently blame the language, and don't blame the programmer. So how did they react to the above incidents? Did they blame the programmer, or the language?
unwraplike that." "Duh, don't useunsafe, it's obviously unsafe."If I was one of them, I would throw my hands up and admit that the language didn't have guardrails to prevent this, so if I would blame C in a universe where the incidents happened in equivalent C code, then I should blame Rust here. But then, I wouldn't be a Rust zealot. I'd just be a Rust kinda-supporter. I'd have to carefully consider the nuances of the language and take into account various factors before forming an opinion. Oh no, the horror! And if I went the other way and blamed the programmer, it wouldn't be long before I'd have this nagging feeling that I'm just like a C-nile greybeard, telling the programmers to git gud, and at that point, there seems to be less of a point to using Rust if we just assume that programmers are infallible.
It's a Catch-22, in other words.
To be clear, I'm not saying that these incidents alone mean Rust is a bad choice for anything, ever. I'm not saying Cloudflare or Linux shouldn't use Rust. I'm not telling people what they should or shouldn't use. I'm just pointing out the double standards. Rust people can attack C all day using one set of (IMO, entirely justified) standards, but when they are confronted with these incidents, they suddenly switch to another set of standards. Or to put it more clearly, they have a motte and bailey. Motte: "Rust can't prevent shitty programmers from writing shitty code." Bailey: "C is unsafe, because of all the memory unsafe code people have written, and we should rewrite everything in Rust to fix all of it!"
I spent the last 2 years of my career fighting with Rust, and I detest the language. Unfortunately, I'm aware that I'm in the minority, and a lot of people buy into the hype that it's the wave of the future. In my opinion, it's a language that was a bad idea from the start.
Most programs are not the Linux kernel and do not need 100% safety guarantees. It's honestly fine if a game segfaults once in a while due to C++'s scaaaary "undefined behavior" (which is a crash 99.99% of the time).
And Rust kinda fails at the safety guarantees in practice, anyway. People who aren't experts bash their heads against the language, trying to do simple tasks that in any other language would be done in 15 minutes, and then they finally give up and do one of two things: wrap things in an unnecessary "unsafe" block, or copy a large object that didn't need copying. It turns mediocre programmers into bad programmers. (This isn't rhetoric; in our very real project, I saw how the "unsafe" blocks kept adding up, because we had to actually deliver a product instead of spending our time justifying ourselves to the borrow checker.)
The cost of C++ is all the crashes that we very visibly see everywhere. The cost of garbage-collected languages is sluggishness and, often, software literally just pausing for multiple seconds to free up memory. (When you're playing a game and you see a multi-second pause in the middle of gameplay, that's why.) The cost of Rust is in code that just doesn't get written, because it's 3-5x harder to get anything practical done. And unlike the first two, this is a subtle, invisible cost that is easily overlooked.
The designers of Rust really wanted to make a programming language with formally-verified correctness; there are other programming languages that go all the way on this, but they're all impossible to use. In fairness, Rust is merely difficult to use rather than impossible, but that's because the borrow checker is trying to do most of the proof for you. Unfortunately, the borrow checker isn't very good at it, and fails in many common actually-safe scenarios, and they didn't include any way for you to, well, help it along. (Ok, they do have lifetime specifiers, but those are insanely ugly constructs that provide no actual value to the programmer. They're only there for you to assist the borrow checker - often in ways it should be smart enough to do itself.) Now, Rust does keep improving the borrow checker, so fortunately this improves each year, but I doubt the problem will ever really go away.
The thing that really, really sticks in my craw is that the language is built around a horrible "mutable" keyword that is both ugly and a lie. C++ has "const", which is fantastic and they should have just copied it and been done with it. I actually think their choice not to do that is political, so they could pretend they were innovating over C++. But now, lots of objects have to have "internal mutability" to work, which means that there's no actual way to get, say, a reference to a mutex with the guarantee that you will not modify the object it points to. And you also can't have "const" member variables, so for instance, you can't initialize a temp directory as an object's member and add an in-language guarantee that it won't change until the object is destroyed.
One thing that Rust does really, really, amazingly really well is type inference. And it's nice in a lot of situations, but like the "auto" keyword in C++, I think people abuse it far too much. Types should be explicitly written out in code! They're a very important part of the logic! Libraries should be encouraged to be written so that types are easily readable (not 100-character-long nested monstrosities that both C++ and Rust are guilty of). And Rust uses its type inference to hide just how ugly its design actually is, so you don't have to stare at crap like
MutexGuard<Option<Arc<Map<int,Result<Option<String>,MyError>>>>>>all the time.But oh well. I'm aware that some of this is just my biased old-man get-off-my-lawn outlook. (Also, I'm not a Rust master, so I'm sure that some of what I'm saying above is flat-out incorrect.) But I don't think I'm wrong that Rust has a lot of downsides and is not the right tool for many (or even most) purposes. Ironically, one saving grace is that it's getting popular at the same time as LLMs, which are actually pretty good at navigating its human-unfriendly intricacies. Without ChatGPT I would have been a lot less productive.
Professional Rust developer here.
First of all, congratulations on getting paid to write Rust code without actually liking it. In my experience this was quite difficult to achieve so everyone around me really likes Rust a lot.
Borrow checker is honestly one of the hot topics about Rust that always confuses me, because I almost never have problems with it apart from some very small edge cases. Meanwhile people online seem to base half their Rust experience on the borrow checker. May I ask you what sort of programming did you do?
I will fight you to death about the mut keyword. It is absolutely fantastic and it pushes you in a more functional way of programming.
But this can be achieved easily with like a 10 line wrapper type around Mutexes in your codebase?
Anyway I used to write C code and switched to Rust without brushing much with C++ so it has been a gigantic improvement in all ways. But honestly I fail to see why anyone would prefer C++ at this point for new projects (except for gamedev where shipping something buggy and fun trumps correctness by a lot).
Ok, I guess we're getting into the weeds now. Anybody who's not a programmer, feel free to bow out. :)
Backend infra work. Efficiency was important, so we ended up having to use pointers to bypass the Rust borrow checker in cases where it just didn't work (e.g. for caching a map lookup). Concurrency was also important, and Rust's concurrency features were kind of tacked on later in its design. (Actually, Rust relies on third-party libraries to solve a LOT of its design flaws, like tokio for async stuff.) I do admit that the Send/Sync traits are nice for catching a few common concurrency bugs. But screw Rust for intentionally not implementing them for the pointer type because they want to discourage its use.
I don't think you should compare "const" and "mut" if you're not a C++ developer and you've never used "const" before. "const" is "absolutely fantastic" and pushes you to a "more functional way of programming" - it lets you clearly spell out what side effects all your functions and APIs have. With Rust's version of "&mut" - which despite the lying name (and horrible syntax) actually just means "exclusive reference", something that is correlated with but not the same as "mutable" - a shared non-mut object might change, it might not, you'll just have to check the implementation for details.
Here's a C++ object:
MyStruct. Here's the read-only version of that C++ object:const MyStruct. You'll forgive me for not being impressed that this common safety pattern can be done in "like 10 lines" in Rust by implementing your own Mutex wrapper.Yeah, don't get me wrong, C++ has plenty of issues, and I wish there was a better alternative that kept its strengths too. Rust, unfortunately, decided not to. If you're going directly from C to Rust, you might even think it's normal that you need third-party libraries to, say, put floats into a heap (heh).
EDIT: Actually, while I'm on the topic, and since you're a Rust pro, let me ask... does putting wrappers around everything feel natural to Rust developers? The type inference makes it so you don't have to see all the nested wrapping. Maybe that's just a paradigm I don't grok. Because I find Rust's heap to be spectacularly and uniquely badly designed. Rather than treating the comparator as a separate parameter from the thing being compared - like in every other language in existence - Rust instead has you create a wrapper object to override the object's comparisons. Which means you need to do type conversions for every get and put operation. And if you pull some objects out of a max-heap and you forget to convert them back, then do some comparisons on them yourself... the code (because its types are hidden) will look innocuous, but you'll get exactly the wrong result.
This is wild for me. I work in HFT and almost never have to touch pointers even in cases where latency/performance is important to absurd levels. I know you said you don't work anymore, but passing pointers around threads like what you are describing is not even a good C++ practice: https://floooh.github.io/2018/06/17/handles-vs-pointers.html. Pointers are too big on 64 bit systems and will mess up your cache locality and you will often get horrible assembly because aliasing (more details on that below).
What design flaw is tokio solving? It is quite inherent in Rust that the language doesn't ship with a default runtime, so there is experimentation around this. And tokio is a really fantastic piece of software. Maybe you are thinking of libraries like async-trait? It can be annoying to find gaps like this in the language that takes years to close, but they have been going down in numbers rapidly, and it is quite nice that different solutions can be tested as macro libraries before being baked into language design. Definitely beats a committee hashing out nonsense which then cannot be changed forever because muh backwards compatibility.
Yes and this is fantastic design because aliasing. If you ever stared at absolutely horrible assembly because gcc couldn't prove two pieces of memory are not overlapping, you understand why this language design exists. It is not for political reasons or giving an illusion of progress over C++. Godbolt guy's recent compiler optimizations video is a decent primer: https://youtube.com/watch?v=PPJtJzT2U04?si=kZ3CFZKlzDCeSRxX. mut is much superior to const for this reason alone. Crazy that C has the reserved keyword to address this problem, but C++ doesn't even have this. (also it is a correct choice to make the default non-mut, makes reasoning about code much easier). I think you have a point about interior mutability confusing this relationship though. You win some you lose some.
I am not very knowledgable about this subject, but if const MyStruct contains a pointer in it, you can simply mutate the pointed data right? Chatgpt seems to think so. Then this is the exact same problem you are complaining about with Rust Refcell/Mutexes. Your const MyStruct doesn't guarantee anything at all not already guaranteed by Rust shared reference or Rc/Arc without interior mutability.
Yes the newtype pattern is extremely standard in Rust and I do it all the time.
Usually when you newtype something, you are doing so because you don't want the inside type to be accessible as it is anymore, but only through a certain limited interface. In most use cases you should be writing the newtype in a way that the user can do everything they need through the newtype. It is pretty trivial to define arithmetic operations on your newtype for example
So, you have some good responses and I want to repeat that this is all just my opinion and personal experience. Thanks for the reply.
I won't address your criticism of our design because you don't know the details (and I'm not going into them). But we're not stupid people. Not collectively, at least... :) This attitude of "I've thought for three whole minutes and I can't see why anybody would ever want this, so the people telling me they want this are wrong" is kind of emblematic of Rust's design vs C++'s.
I agree it's nice that Rust solves the aliasing problem. They didn't have to solve it by confusing mutability and exclusivity, though! It's like if a plumber comes and fixes my toilet, but breaks some windows on the way out. The correct response to "hey, why did you break the windows" isn't "look, the toilet's fixed!"
You can if you can access it, yeah, but it'd be weird for the C++ object to give a user access to raw internal pointers. Note that in most cases you're also limited on what methods (including getters/setters) you can call on a "const MyStruct" - whether a function is read-only or not can be explicitly declared in its signature. Now, you don't have to use const at all in a library. Or you could use it but then have the same "internal mutability" as Rust - but why would you do that? The point of the keyword's existence is to allow programmers to positively assert "this is what a read-only version of this object looks like". Which is powerful and important and should be easier than it is in Rust.
If your complaint is that "const" doesn't force the C++ programmer to be safe, you're right about that. C++ gives options, not restrictions, and for bad programmers it is indeed full of footguns. My praise of "const" is due to what it can be in the hands of good programmers - and I would have loved it if Rust introduced the keyword but applied its stringent safety guarantees to it.
But the heap example I give is the exact opposite of this. I want access to the inside type (the number) - I never want to think about the heap's operator except at initialization - but instead I'm being forced to wrap it everywhere. Now, it's not entirely fair to compare Rust's library with C++'s STL. Like you said, "it can be annoying to find gaps like this in the language that takes years to close" - Rust is young, and the STL is the result of decades of finetuning/nitpicking work from thousands of people. I agree that, in the future, something like Rust's bad heap implementation might be a non-problem.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link