I am very excited to hear about Rust because the world is greatly in need of a language which increases safety and expressiveness without compromising performance and this seems to be one of the motivations behind Rust.
But I am concerned that ranged types are not a core part of the language, or even overflow-checked machine types. Our profession should be embarrassed that memory safety is still but it looks like Rust has a chance of finally solving it. But memory safety is only one part of creating reliable software. Java has substantial memory safety, although not as much as Rust, and still java software is full of bugs... perhaps a higher defect rate than common C code once you correct for java's verbosity. I worry that once Rust fixes memory safety it will quickly be time to replace Rust to correct all the other programmer-traps. On example is overflow. This is a common source of flaws in C/C++ software. Instrumenting to detect overflow is difficult, and it is difficult or impossible to determine the permitted ranges output from library functions in order to by-hand statically certify software against overflow. Tools like valgrind make memory safety often fairly painless but overflow and other kinds of logic flaws cannot be easily statically or dynamically detected because the languages (and machine code) do not express enough for the machine to tell when the behavior is wrong. In Rust (like C) there doesn't appear to be any way to access the processor flags to cheaply detect overflow on machine types, so writing your "safe integer objects" will likely have poor performance and of course not work with the standard libraries. Integrated ranged types would also be synergistic with memory safety since a function which takes limited-range inputs can sometimes be statically proven memory-safe when it couldn't otherwise be, allowing the boundary check to be hoisted out of functions entirely even across closed-source-library boundaries when their interfaces are range constrained. Some C compilers now offer an int128 type that uses the fast hardware carry support, which makes certain kinds of overflow safety easier (for example 64bit x 64bit cannot overflow int128) as long as you don't mind non-portable code, but it doesn't appear that Rust has this either. Overflow is something that ada seems to handle well, but ada doesn't really seem to be in the running for a wide spread next language outside of certain niches. I hope some thought has been given to how greater safety could be added later without making an inconsistent mess of the language. In any case, thank you for the exciting new language! _______________________________________________ Rust-dev mailing list [email protected] https://mail.mozilla.org/listinfo/rust-dev
