| ▲ | danbruc 5 days ago |
| Nope. You can have programs without undefined behavior and still not have thread safety. In .NET, for example, writes to variables that are wider then the machine width or not aligned properly, are not guaranteed to be atomic. So if you assign some value to an Int128 variable, it will not be updated atomically - how could it, that is just beyond the capabilities of the processor - and therefore a different thread can observe a state where only half of the variable has been updated. No undefined behavior here but also sharing this variable between threads is not thread safe. And having the language synchronize all such writes - just in case some other thread might want tot look at it - is a performance disaster. And disallowing anything that might be a potential thread safety issue will give you a pretty limited language. |
|
| ▲ | tialaramex 5 days ago | parent | next [-] |
| > disallowing anything that might be a potential thread safety issue will give you a pretty limited language. Safe Rust doesn't seem that limited to me. I don't think any of the C# work I do wouldn't be possible in Rust, if we disregard the fact that the rest of the team don't know Rust. Most of the programs you eliminate when you have these "onerous" requirements like memory safety are nonsense, they either sometimes didn't work or had weird bugs that would be difficult to understand and fix - sometimes they also had scary security implications like remote code execution. We're better off without them IMNSHO. |
|
| ▲ | kllrnohj 5 days ago | parent | prev | next [-] |
| Critically to the authors point that type of data race does not result in UB and does not break the language and thus does not create any memory safety issues. Ergo, it's a memory safe language. Go (and previously Swift) fails at this. There data races can result in UB and thus break memory safety |
|
| ▲ | ameliaquining 5 days ago | parent | prev | next [-] |
| See the article's comments on Java, which is "thread safe" in the sense of preventing undefined behavior but not in the sense of preventing data-race-related logic bugs. .NET is precisely analogous in this respect. |
| |
| ▲ | tialaramex 5 days ago | parent [-] | | I can buy that claim for the .NET CLR but I've never seen it nailed down properly the way Java did which gives me pause. I worry about the Win95-era "Microsoft Pragmatism" at work and a concrete example which comes to mind is nullability. In the nice modern software I often work on I can say some function takes a string and in that program C# will tell me that's not allowed to be null, it has to be an actual string - a significant engineering benefit. But, the CLR does not enforce such rules, so that function may still receive a null instead e.g. if called by some ten year old VB.NET code which has no idea about "nullability" and so just fills out a null for that parameter anyway. Of course the CLR memory model might really be set in stone and 100% proof against such problems, but I haven't seen anything to reassure me as I did for Java and I fear that if it were convenient for Windows to not quite do that work they would say eh, good enough. | | |
| ▲ | ameliaquining 5 days ago | parent [-] | | There's a documented memory model (https://github.com/dotnet/runtime/blob/main/docs/design/spec...), does that not address this concern? | | |
| ▲ | tialaramex 4 days ago | parent | next [-] | | So, the answer is that I've read that and I wasn't as reassured as I'd like. ECMA definitely isn't enough as it acknowledges. The platforms which exist today are fine. And future platforms? Well we're told it will be difficult to change these assumptions. Yeah, it would be difficult. For a comparison, the x86 has what that document calls TSO, a very strict "free" ordering (in fact you pay all the time, but, you can't opt out so in that sense it's free to get this ordering on Intel) so 1990s C++ written for Windows just assumes volatile means you get memory ordering -- even though that's not what that means. If you compile brand new code for x86 on Microsoft's compilers today you get the exact same promise, but if you target their ARM platforms you don't get that because it would be expensive so, too bad. | |
| ▲ | actionfromafar 5 days ago | parent | prev [-] | | It depends on what it says? |
|
|
|
|
| ▲ | kibwen 5 days ago | parent | prev [-] |
| The statement "there is no memory safety without thread safety" does not suggest that memory safety is sufficient to provide thread safety. Instead, it's just saying that if you want thread safety, then memory safety is a requirement. |
| |
| ▲ | minitech 5 days ago | parent [-] | | > Instead, it's just saying that if you want thread safety, then memory safety is a requirement. It's saying the opposite – that if you want memory safety, thread safety is a requirement – and Java and C# refute it. | | |
| ▲ | zozbot234 5 days ago | parent | next [-] | | > Java and C# refute it. No, they don't. They're using a different meaning for "thread safety" that's more useful in context since they do ensure data race safety - which is the only kind of thread safety OP is talking about. By guaranteeing data race safety as a language property, Java and C# are proving OP's point, not refuting it. | |
| ▲ | kibwen 5 days ago | parent | prev [-] | | > It's saying the opposite Indeed, you're correct, I interpreted the implications in reverse. |
|
|
