Inherently unsafe C/C++ vs. Rust

This post is a short refresher, offering some food for thought and expanding a little on the two recent consecutive blog posts by the Microsoft Security Response Center, which describe why Rust is the way to go as a modern systems language with compile-time safety guarantees.

Ears pricked up?

C/C++ are inherently unsafe languages, no matter how many static analyzers or sanitizers you use. In particular, C/C++ code is impossible to get entirely right. Even if someone can claim to write safe C/C++ code, they cannot guarantee anything once that code interfaces with other programs.

Rust does its “magic” through its unique (affine) type system, its borrow checker (a static analyzer) and a smart compiler, which together get (sub)type variance, validity invariants and safety invariants right!

John Regehr, in a series of blog posts (also presented at CppCon 2017), extensively describes some of the undefined-behavior pitfalls in the C abstract machine and how the C/C++ guidelines do not help programmers form a concrete and useful mental model when writing C/C++ code. Chris Lattner continues in the same vein with What Every C Programmer Should Know About Undefined Behavior.
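As an added illustration of the kind of undefined-behavior pitfalls Regehr and Lattner describe (this is example code written for this post, not taken from their articles or from any project), the block below puts two classic bugs beside their well-defined forms: a signed-overflow check that runs after the overflow has already happened, and a NULL check placed after the pointer has already been dereferenced. In both cases the C abstract machine lets the optimizer assume the undefined case never occurs, so the "check" can be silently deleted. The functions with undefined behavior are kept only to show the shape of the bug; nothing below calls them with inputs that trigger it. `__builtin_add_overflow` is a GCC/Clang extension, not standard C, and `sample_pair` is a constructed input.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Pitfall 1: testing for signed overflow *after* performing the addition.
 * Signed overflow is undefined behavior, so the compiler may assume `a + b`
 * never overflows and fold this whole test to `false`. Never rely on it. */
bool overflows_after_the_fact(int a, int b) {
    return a + b < a;   /* undefined when a + b overflows */
}

/* Well-defined form: decide from the operands alone, before adding.
 * INT_MAX - b (b > 0) and INT_MIN - b (b < 0) can never overflow. */
bool would_overflow(int a, int b) {
    if (b > 0) return a > INT_MAX - b;
    if (b < 0) return a < INT_MIN - b;
    return false;
}

/* Checked addition: stores the sum and returns true only when representable. */
bool checked_add(int a, int b, int *out) {
    if (would_overflow(a, b)) return false;
    *out = a + b;
    return true;
}

/* Same contract using the GCC/Clang builtin (returns true on overflow). */
bool checked_add_builtin(int a, int b, int *out) {
    int tmp;
    if (__builtin_add_overflow(a, b, &tmp)) return false;
    *out = tmp;
    return true;
}

/* Convenience wrapper: the sum, or `fallback` if the sum is not representable. */
int checked_sum_or(int a, int b, int fallback) {
    int r;
    return checked_add(a, b, &r) ? r : fallback;
}

/* Pitfall 2: dereferencing a pointer and checking it for NULL afterwards.
 * The dereference lets the compiler assume `p` is non-null, so the later
 * `if (p == NULL)` is dead code and may be removed entirely. */
int sum_first_two_unsafe(const int *p) {
    int first = p[0];          /* undefined if p is NULL; the check below is now dead */
    if (p == NULL) return 0;
    return first + p[1];
}

/* Well-defined form: validate before the first access. */
int sum_first_two(const int *p) {
    if (p == NULL) return 0;
    return p[0] + p[1];
}

/* Constructed sample input for the pointer example. */
static const int sample_pair[2] = {3, 4};

int main(void) {
    int r = 0;
    bool ok = checked_add(INT_MAX, 1, &r);
    printf("checked_add(INT_MAX, 1): ok=%d\n", ok);          /* ok=0 */
    ok = checked_add(40, 2, &r);
    printf("checked_add(40, 2): ok=%d sum=%d\n", ok, r);     /* ok=1 sum=42 */
    ok = checked_add_builtin(INT_MIN, -1, &r);
    printf("checked_add_builtin(INT_MIN, -1): ok=%d\n", ok); /* ok=0 */
    printf("sum_first_two(NULL)=%d sum_first_two(sample_pair)=%d\n",
           sum_first_two(NULL), sum_first_two(sample_pair));  /* 0 and 7 */
    return 0;
}
```

The Rust counterpart of the first pitfall is `i32::checked_add`, which returns `Option<i32>`; plain `+` on overflow panics in debug builds and wraps in release builds, so neither mode reaches undefined behavior. The second pitfall has no Rust equivalent in safe code, because references cannot be null and raw-pointer dereferences are confined to `unsafe` blocks.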

I should note that the complete semantics of the Rust abstract machine have not yet been fully defined; they are under heavy research (the RustBelt paper) and discussion, with the final goal of formally proving the safety guarantees of the Rust abstract machine. For more details, have a look at the Rust Unsafe Code Guidelines.
