Poke Poke. Unapproved because of a lot of citations.
Announcement
Collapse
No announcement yet.
Google Wants To See Rust Code In The Linux Kernel, Contracts The Main Developer
Collapse
X
-
Originally posted by oleid View PostI think they are referring to the state of the object which was moved. You can still access it and that is UB.
What was originally is the following:
1. You create an object in a scope.
2. you move it into a function
3. the function "forgets" the object
In c++ you can move an object, but you can still access it in the original scope. Some compilers warn about that, others not.
Originally posted by oleid View PostTrue, sadly it is only a warning, not a hard compile error. While you can make warnings a hard compile error, this is usually not done in real life, as it will break everything once you use a newer compiler. Luckily my employer tries hard to have a warning free code base.
Originally posted by oleid View PostHuh? How can a C++ compiler know when pointer addresses are generated at run time (i.e. via malloc under the hood)?Last edited by ultimA; 18 June 2021, 09:24 AM.
- Likes 1
Comment
-
Originally posted by AlexmitterEven small projects like some top alternative did not compile, beside that I felt violated on how much the rust toolchain felt like something right out of a javascript npm nightmare.
- Likes 1
Comment
-
Originally posted by ultimA View PostCorrect. And using arbitrary addresses is exactly what makes memory access and management unsafe in general in C and C++.
This is why I was talking about an "opt-in" with C++. Your C++ code can both easily and provably memory safe, but as programmer, you need to be consequent about the use of the features I mentioned above. If you go without using the standard library or write code as it was taught 10 years ago, then yes you will likely introduce some memory-related bugs in any non-trivial program. In Rust I said safety-features are "opt-out", because you explicitly have to introduce unsafe contexts to your code to be able to do bad things, but once you are granted arbitrary pointer manipulation and access, you really can do almost anything (including stuff you shouldn't) like in C.
There is some benefit in starting with a new language with the proper expectations up front, engrained into the culture at the start. I think if all C++ programmers were made to watch experts like Sean Parent describe the ideal way to program then things would change for the better. Having the compiler straight up yell at you is not a bad alternative though.
- Likes 1
Comment
-
Originally posted by hipower View Post
As long as there is no mainstream Rust frontend for GCC, Rust is a non-starter for me.
I develop a commercial C++ Win32 program that I cross-compile from Linux with MinGW (which has been rock solid) and I have yet to find a way to cross-compile Win32 programs with Clang/LLVM without pulling in vc headers and libs from a VS install on Windows. I also do occasional embedded development (arm-none-eabi) and there is no GCC alternative in this space.
Although in theory LLVMs modular nature and features make it well suited to cross-compilation, it's not close to there yet.
If LLVM expanded its arch support and there was a decent way to compile for Win32 with Clang without touching Microsoft IP I'd definitely consider jumping ship but for now it's much simpler to stick to one family of toolchain that does almost everything I need it to.
Hopefully gccrs or a similar project gets some funding to bump it along. I really like Rust but it needs to be unshackled from LLVM for me to take it seriously. I actually like the design of LLVM too, it's just not terribly useful for me at present.
Can anyone explain how Rust in the kernel is going to work when the only backend that supports it doesn't even support all the current Linux architectures?
Comment
-
Originally posted by ultimAPerfectly neglecting the fact that new bugs "less than 1 year old" doesn't mean the bugs were introduced in code adhering to new style. The basic assumption when I claim C++ is memory safe is that you are making proper use of the modern standards. And most code today cannot do that as there are restrictions regarding these due to the historical nature of the old code base that has to be maintained. And even if a code base finally manages to migrate to a new toolset, the old code that already existed still needs to be rewritten.
- Likes 2
Comment
-
Originally posted by ultimA View PostIn that scenario the moved-from object's lifetime has ended, and this is clearly defined. Neither the move's semantic nor the object's lifetime are undefined, and these were the claims that I rejected.
Originally posted by ultimA View PostThis should be hard to overlook in code because you have to trigger moves explicitly so it is unlikely this will happen to you by mistake, and also you get tool support too to diagnose such mistakes if they do happen.
Originally posted by ultimA View PostEven if you don't promote it to an error, you get a warning, and in the scenario that you are worried about, the user actively chooses to ignore this warning. That's the user's fault.
Originally posted by ultimA View PostI also don't see how promoting warnings to errors and not being able to compile in C++ is much different from Rust not letting you compile the same error for the same reason by default. Puff, you needed to add a compile flag manually, so what?
Usually, big shared code bases don't have -Werror enabled because it breaks compilation for existing (and working code) if you use a different compiler.
The trouble about warnings in C++ code is that every compiler warns about different things in different releases.
Originally posted by ultimA View PostThere is no reason to worry about addresses returned by allocation functions such as malloc (or new), as these are guaranteed to return a pointer with sufficient alignment for any type.
In part 1 of this series, explore C/C++ language restrictions, their challenges and pitfalls, and examples demonstrating their benefits in optimized code.
- Likes 3
Comment
-
Originally posted by oleid View PostTrue, sadly it is only a warning, not a hard compile error. While you can make warnings a hard compile error, …
However, the real problem is that default disables this warning/error – a dilemma if you have coding policies that mandate use of default (such as MISRA). Example:
Code:switch (trafficlight) { case Red: return "Red"; case Green: return "Green"; // Normally -Werror=switch would catch the missing Yellow … // … but this policy-mandated `default` silences it :-( // Now, we have a runtime error instead of a compile time error! default: break; } return nullptr;
Last edited by andreano; 18 June 2021, 05:02 PM.
- Likes 1
Comment
-
Originally posted by andreano View PostTip: gcc/clang -Werror=switch: I think it should be obligatory
Nevertheless, personally, I think a newer C++ standard should force such things to be errors by default. But it is never going to happen.
- Likes 3
Comment
Comment