Hello!
While reading the Rust tutorial I'm really excited to see a new programming
language that can replace C/C++ for performance-critical programming. C/C++
is very entrenched but extremely tricky and getting more complicated with
each revision. The world needs a replacement that's not so perilous --
before it causes big disasters.
I'd like to suggest some (hopefully useful) ideas.
(1) Rust has great potential for *real-time programming* as well as secure
programming. Perhaps this just needs a library call to fork "real-time
threads" that never do garbage collection. ("Real-time" means predictably
meeting time deadlines, e.g. in avionics, video capture, medical x-ray, and
robotics. Speed is important but the crucial point is reliably meeting
deadlines. Garbage collectors, JIT compilers, and run-time optimizers are
bad for predictability.) Maybe Rust already has this. What determines
whether a thread-local managed heap uses reference counting? Ref-counting
may be OK in a real-time thread if it doesn't deallocate a variable-length
chain of nodes at an inconvenient time.
(2) I'd like to see programming language designers follow other domains by
doing usability testing.
As Alan Kay said, "The users are not like us." If you're a language
designer or implementer, you can be sure that few language users will have
your deep understanding of it. Few programmers read the entire language
reference manual or even learn all the core semantics. E.g. what percent of
Java programmers know about "precise exceptions" and their implications for
optimization? What percent can declare bounded generic types? What percent
understand "volatile" and lock ordering?
Many real-time programs are *safety-critical*, which has more or less the
same language needs as security-critical: fewer failure modes, easy to
understand and reason about, less error-prone, easier to learn, easier to
document. We could measure this for a language by the number of traps,
pitfalls, and puzzlers books. There are shelves of such books for C++ and
one puzzlers book for Java. Can Rust get it down to a one-pager?
Rust eliminates many C++ failure modes, including memory access errors and
octal constants that look like decimals. Could it systematically eliminate
the failure modes listed in C++ traps & pitfalls books?
Some examples:
- Make the everyday int and uint types portable, that is, produce the
same results on all platforms. int size does matter when it varies
between 16 and 64 bits. If Rust needs an integer type that’s the size of a
pointer, call it intptr_t and only use it for that special case.
- Security holes happen whenever a program does exploitably unexpected
things. When the unexpected results happen in rarely-tested cases like
integer overflow, it’s bad for security. So consider arbitrary precision
int.
- Use postfix syntax for pointer dereference, like in Pascal:
(~rect).area() becomes rect~.area() . That reads left-to-right with
nary a precedence mistake.
While Rust’s auto-dereference feature and type checker will sometimes
catch that mistake, it's better to just fix the failure mode. All security
holes in the field got past the type checker and unit tests.
- Don’t let ; default its second operand. Require an explicit value,
even if (). That fixes an opportunity to goof that might be frequent
among programmers used to ending every statement with a ;.
- AIUI, let mut x, y defines 2 mutable variables but |mut x, y|
defines mutable
x and immutable y. This is harder to learn and easier to goof.
- Drop C-compatible struct layout support? Is such a goal practical
considering that C struct layouts vary by CPU, compiler, and compiler
switches (enum size, pointer size, integer alignment, bit-field padding,
etc.)? C can’t reliably pass a struct to a dynamically-loaded module (that
has burned me) or to another computer (that, too). A better approach is a
library like Protocol Buffers or Cap’n Proto.
Thanks for listening!
--
Jerry
_______________________________________________
Rust-dev mailing list
Rust-dev@mozilla.org
https://mail.mozilla.org/listinfo/rust-dev
