Rust's borrow checker proves some invariants that the code always upholds. Valgrind only checks that this run hasn't triggered some undefined behavior so far; it's always possible that (ab)using it further or another run with different input might.
> But then as a matter of policy, why is Rust meaningfully different than something like using Valgrind with C++? Of course there are substantive differences from a developer's perspective.
I did not say they were the same or even equivalent, though I was sloppy with synecdoche and didn't specifically mean Valgrind. My point is that unsafe Rust without Valgrind is more dangerous than C++ with Valgrind, and the feds are not adequately considering this when thinking about how large organizations might rewrite their C++ applications.
"We will rewrite it in 100% safe Rust" is a guaranteed way to eliminate virtually all C++ memory errors. It does not follow that "we will rewrite it in 95% safe Rust, except for the tricky bits" will eliminate 95% of C++ memory errors.
> My point is that unsafe Rust without Valgrind is more dangerous than C++ with Valgrind
The issue is that your point is wrong.
Doing unsafe Rust is harder – there is some syntactic salt, plus doing unsafe code in Rust requires a different mindset.
But it's also safer. Why? Because the borrow checker is never turned off. Plus you get warnings, lints, Miri, and Clippy warning about your code being wrong.
> It does not follow that "we will rewrite it in 95% safe Rust, except for the tricky bits" will eliminate 95% of C++ memory errors.
Again, wrong. It should go like this: "Rewrite in Rust will be memory safe (assuming we didn't bungle up the unsafe bits)".
The compiler relies on you for checking the boundary between safe and unsafe. If that's correct, great. If not, you only have to check like 5% of your codebase. Which is 20x less than 100%. Maybe I'm not a 20x developer.
Which is a stark contrast to C++, where you either write your safe abstractions and pray to God that others won't break them, or you make Vec.pop unsafe because you can't be bothered to return an Optional or null.
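Added example (not code from anyone in this thread) of the safe/unsafe boundary the comment above describes: a small unsafe block wrapped in a safe function whose precondition is checked at the boundary, the borrow checker still rejecting an aliasing bug inside the unsafe block, and `Vec::pop` returning `Option` so an empty vector is an ordinary value rather than undefined behavior. The function names `checked_get`, `borrow_check_still_applies` and `pop_twice_sum` are my own and are assumed for the illustration.

```rust
// Added example, not from the thread. Demonstrates auditing the boundary
// between safe and unsafe Rust: only the unsafe block and the check guarding
// it need review; every caller of the safe function is covered by the compiler.

/// Returns the element at `idx`, or `None` when out of range.
/// `get_unchecked` is undefined behavior if `idx >= v.len()`, so the
/// bounds check before the unsafe block is the whole safety argument.
pub fn checked_get(v: &[u32], idx: usize) -> Option<u32> {
    if idx < v.len() {
        // SAFETY: `idx < v.len()` was verified just above.
        Some(unsafe { *v.get_unchecked(idx) })
    } else {
        None
    }
}

/// The borrow checker keeps running inside `unsafe`. Uncommenting the
/// `push` below is a compile error ("cannot borrow `*v` as mutable because
/// it is also borrowed as immutable"), not a silent use-after-realloc as
/// the equivalent C++ code would be.
pub fn borrow_check_still_applies(v: &mut Vec<u32>) -> u32 {
    let first = &v[0];
    unsafe {
        // v.push(99); // rejected: `first` still borrows `v`
        *first
    }
}

/// `Vec::pop` returns `Option`, so popping from an empty vector is a
/// checked, total operation. Contrast with C++ `pop_back` on an empty
/// vector, which is undefined behavior that a tool like Valgrind can
/// only catch on a run that actually reaches it.
pub fn pop_twice_sum(v: &mut Vec<u32>) -> u32 {
    v.pop().unwrap_or(0) + v.pop().unwrap_or(0)
}

fn main() {
    let data = vec![10, 20, 30];
    assert_eq!(checked_get(&data, 1), Some(20));
    assert_eq!(checked_get(&data, 5), None);

    let mut one = vec![7];
    assert_eq!(borrow_check_still_applies(&mut one), 7);

    // Only one element: the second pop yields None, not UB.
    assert_eq!(pop_twice_sum(&mut one), 7);
    assert!(one.is_empty());
    println!("safe wrappers behaved as expected");
}
```

The point to audit in a codebase like this is the handful of `unsafe` blocks and the checks that precede them; the safe functions' signatures are what the rest of the program relies on, and the compiler enforces those at every call site.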