| |
| ▲ | simonask 4 days ago | parent | next [-] | | If that's all you need, the state of the art is very available already through the JVM and the .NET CLR, as well as a handful others depending on your use case. Most of those also come with decent languages, and great facilities to leverage the GC to its maximum. But GCs aren't magic and you will never get rid of all the overhead. Even if the CPU time is not noticeable in your use case, the memory usage fundamentally needs to be at least 2-4x the actual working set of your program for GCs to be efficient. That's fine for a lot of use cases, especially when RAM isn't scarce. Most people who use C or C++ or Rust have already made this calculation and deemed the cost to be something they don't want to take on. That's not to say Fil-C isn't impressive, but it fills a very particular niche. In short, if you're bothering with a GC anyway, why wouldn't you also choose a better language than C or C++? | | |
| ▲ | mbrock 4 days ago | parent | next [-] | | I don't understand the need to hammer in the point that Fil-C is only valuable for this tiny, teeny, irrelevant microscopic niche, while not even talking about what the niche is? To be clear, the niche is rebuilding your entire GNU/Linux userland with full memory safety and completely acceptable performance, tomorrow, without rewriting anything, right? Is this such a silly little idiosyncratic hobby? | | |
| ▲ | simonask 4 days ago | parent | next [-] | | So I don’t want to come off as dismissive of the effort - it’s certainly impressive! The reason I’m not super excited is based on the widely publicized findings from Google and Microsoft (IIRC) about memory safety issues in their code: The vast majority is in new code. As such, the returns on running the entire userspace with Fil-C may be quite diminished from the get-go. Those who need to guard against UB bugs in seriously battle-hardened C software in production are definitely a small niche. But that doesn’t mean it isn’t also very useful as a tool during development. | | |
| ▲ | mbrock 4 days ago | parent | next [-] | | Hmm, so if they're writing new memory unsafe code in C/C++, presumably to remain within their already established and entrenched C/C++ ecosystems, why isn't Fil-C interesting as a way to thwart memory safety issues in that new code? | | |
| ▲ | simonask 4 days ago | parent [-] | | Because every problem detected by Fil-C is already a serious problem in the existing code. As a mitigation strategy, that becomes less interesting as the quality of that code increases, but you still pay the full cost regardless of whether there are actually any bugs. That can certainly be valuable to you, but as a developer, the more interesting proposition is about how not to ship bugs in the first place. | | |
| ▲ | vacuity 4 days ago | parent [-] | | As others have said, programs that have already been written are plainly not in the business of "not...[shipping] bugs in the first place". New code is new code; old code is old code. |
|
| |
| ▲ | jitl 4 days ago | parent | prev | next [-] | | It seems like there are constant updates for 20 year old packages on my Ubuntu systems. Ubuntu 20.04 Focal Fossa (first released April 2020) glibc had an update on 2025-05-28. Current stable updated glibc 2025-09-22. To say nothing about the rest of the packages in that operating system. | | | |
| ▲ | brucehoult 4 days ago | parent | prev [-] | | > The reason I’m not super excited is based on the widely publicized findings from Google and Microsoft (IIRC) about memory safety issues in their code: The vast majority is in new code This makes perfect sense to me. Which is why I don't at all understand the current fetish with rewriting things that have been working well for decades in Rust. Such as coreutils. Or apt. It feels like an almost deliberate crippling of progress by diverting top talent into useless avenues, much like string theory in physics, or SLS/Artemis. | | |
| ▲ | tempaccount420 4 days ago | parent [-] | | > It feels like an almost deliberate crippling of progress by diverting top talent into useless avenues, much like string theory in physics, or SLS/Artemis. You don't have to be a "top talent" to rewrite old unix utilities. The hard part is writing it safely, which in Rust can be done without "top talent." | | |
| ▲ | brucehoult 4 days ago | parent [-] | | And then you end up with code 17 times slower than the C code it is replacing. When it didn't need replacing in the first place. |
|
|
| |
| ▲ | vorador 4 days ago | parent | prev | next [-] | | There's a contingent of rust fans that show up on every story about C – their premise is that C code is unsafe and most safety-critical C code should be rewritten in rust. Fil-C is new and is a viable competitor to rust, that's why you're hearing all asides about tiny niches, unacceptable performance degradation, etc. | | |
| ▲ | vacuity 4 days ago | parent | next [-] | | Hacker News is not a place where any one group brigrades a thread. There are people who prefer C who don't want a GC, people who prefer Rust who don't want C, people who prefer Rust who agree with Fil-C for legacy C, people who don't prefer C or Rust and may use languages with GC.... We all have interests and face people who denigrate them in bad faith. If you have specific objections to inaccurate statements in this thread, then state them. I'll do the same for any technology if I'm qualified to make statements on it. | | |
| ▲ | kasabali 3 days ago | parent [-] | | > Hacker News is not a place where any one group brigrades a thread Sweet summer child | | |
| ▲ | vacuity 2 days ago | parent [-] | | I'm not saying that people don't comment in bad faith here. But if someone's first thought upon seeing significant negativity is that a coordinated, massive campaign is occurring, that someone is probably wrong. Commenting in that vein also harms discussion. If Hacker News is to foster good discussion, then simply not being a troll or ideologue is not sufficient. There really are many people here, with largely diverse opinions. Don't lump people together unless they lump themselves together. |
|
| |
| ▲ | petesergeant 4 days ago | parent | prev | next [-] | | > Fil-C is new and is a viable competitor to rust I’ve no horse in the race here, but the Fil-C page talks about a 4x overhead from using it, which feels like it would make it less competitive | | |
| ▲ | mbrock 4 days ago | parent [-] | | Currently measured worst case for some types or code. | | |
| ▲ | brucehoult 4 days ago | parent [-] | | I tried it on my primes micro-benchmark (http://hoult.org/primes.txt) and got a 2:1 slowdown on 13th gen i9. It does a LOT of array access and updating, probably near to worst-case for code that isn't just a loop copying bytes. The average slowdown is probably more in the same region as using Java or C# or for that matter C++ std::array or std:vector. | | |
| ▲ | mbrock 3 days ago | parent [-] | | If you missed it, djb himself posted this cute graph of "nearly 9000 microbenchmarks of Fil-C vs. clang on cryptographic software (each run pinned to 1 core on the same Zen 4)": https://cr.yp.to/2025/20251028-filcc-vs-clang.html I've heard Filip has some ideas about optimizing array performance to avoid capability checks on every access... doing that thread safely seems like an interesting challenge but I guess there are ways! | | |
| ▲ | brucehoult 3 days ago | parent [-] | | Sure of course I followed that link. I've really got no idea what the horizontal axis is! But there is a huge cluster of results between 1x and 1.5x execution time. And, the kind of code he is interested in is not necessarily the same as the kind of code I'm interested in. In fact I know it's not! As one more data point, compiling my little benchmark with gcc, without any optimisation flag. 1964ms gcc primes.c -o primes -O
3723ms fil-c primes.c -o primes -O
3753ms gcc primes.c -o primes
16334ms fil-c primes.c -o primes
Fil-C with -O is almost identical to gcc without. |
|
|
|
| |
| ▲ | testdelacc1 4 days ago | parent | prev | next [-] | | There’s no Rust fans here, only GC skeptics. GC skeptics existed long before anyone dreamed of Rust and will survive Rust as well. It’s a pretty reasonable objection too (though I personally don’t agree). C has always been chosen when performance is paramount. For people who prioritise performance it must feel a bit weird to leave performance on the table in this way. And Jesus Christ, give it a rest with this “Rust fans must be thinking” stuff. It sounds deranged. | | |
| ▲ | vorador 4 days ago | parent [-] | | No, back in the day C was used for everything. Vim was not written in C because it needed to wring every last bit of performance out of text editing. Rewriting everything in rust "for memory-safety" is a false tradeoff given the millions of lines of C code out there and the fact that rewrites always introduce new bugs. | | |
| ▲ | testdelacc1 4 days ago | parent [-] | | Please, I’m begging you, stop talking about Rust. You’re shoehorning Rust into a discussion where it hasn’t been mentioned, just to hate on some imaginary people you think are pushing Rust here. No one is talking about that. You sound deranged and obsessed. The vast majority of the conversation here is about GC and the performance implications of that. Please stick to the rest of the thread. | | |
| ▲ | brucehoult 4 days ago | parent | next [-] | | I almost always find that building Boehm GC as a malloc replacement (malloc() -> GC_malloc(), free() -> NOP), and then using LD_PRELOAD to get it used makes any random C/C++ program not only still work but also run faster. Not only that, but you can then use GC_FREE_SPACE_DIVISOR to tune RAM usage vs speed to your liking on a program by program (or even instance by instance) basis, something completely impossible with malloc(). | |
| ▲ | vorador 4 days ago | parent | prev [-] | | Lol there are right now 33 mentions of rust in this thread but go on.. |
|
|
| |
| ▲ | 4 days ago | parent | prev [-] | | [deleted] |
| |
| ▲ | conradev 4 days ago | parent | prev [-] | | I am a member of this niche – thank you for the flake!! https://discourse.nixos.org/t/radically-improving-nix-nixos-... |
| |
| ▲ | kragen 4 days ago | parent | prev | next [-] | | I think Fil-C is for people who are using software that has already been written, not for people who are trying to pick what language to write new software in. A substantial amount of software has, after all, already been written. | | |
| ▲ | pizlonator 4 days ago | parent | next [-] | | It's super fun to write C and C++ code in Fil-C because it's like this otherworldly crossover between Java and C/C++: - Unlike Java, you get fantastic startup times. - Unlike Java, you get access to actual syscall APIs. - Unlike Java, you can leverage the ecosystem of C/C++ libraries without having to write JNI wrappers (though you do have to be able to compile those libraries with Fil-C). - Like Java, you can just `new` or `malloc` without `delete`ing or `free`ing. It's so fun! | | |
| ▲ | kragen 4 days ago | parent | next [-] | | I like C, have a probably unhealthy relationship with C++ where I am amazed by what it can do and then get unrealistic expectations it keeps failing to fulfill, and don't really like Java. You know Julia Ecklar's song where she says that programming in assembler is like construction work with a toothpick for a tool? I feel like C, C++, or Java are like having a teaspoon instead. Maybe Java is a tablespoon. I'd rather use something like OCaml or a sane version of Python without the Mean Girls community infighting. I just haven't found it. On the other hand, the supposedly more powerful languages don't have a great record of shipping highly usable production software. There's no Lisp or Ruby or Lua alternative to Firefox, Linux, or LLVM. | |
| ▲ | skissane 4 days ago | parent | prev [-] | | > Like Java, you can just `new` or `malloc` without `delete`ing or `free`ing. Is your intention that people use the Fil-C garbage collector instead of free()? Or is it just a backstop in case of memory leak bugs? Can the GC be configured to warn or panic if something is GCed without free()? Then you could detect memory leak bugs by recompiling with Fil-C - with less overhead than valgrind, although I’m guessing still more than ASan - but more choices is always a good thing. | | |
| ▲ | phire 4 days ago | parent | next [-] | | Yeah, it panics when you use after free. [1] But I'm not sure it's worth porting your code to Fil-C just to get that property. Because Fil-C still needs to track the memory allocation with its garbage collector. there isn't much advantage to even calling free. If you don't have a use-after-free bug, then it's just adding the overhead of marking the allocation as freed. And if you do have a use-after-free bug, you might be better off just letting it silently succeed, as it would in any other garbage collected language. (Though, probably still wise to free when the data in the allocation is now invalid). IMO, if you plan to use Fil-C in production, then might as well lean on the garbage collector. If you just want memory safety checking during QA, I suspect you are better off sticking with ASan. Though, I will note that Fil-C will do a better job at detecting certain types of memory issues (but not use-after-free) [1] See the "Use After Free example on: https://fil-c.org/invisicaps_by_example | | |
| ▲ | skissane 4 days ago | parent | next [-] | | > Yeah, it panics when you use after free. I wasn’t talking about use-after-free, I was talking about memory leaks - when you get a pointer from malloc(), and then you destroy your last copy of the pointer without ever having called free() on it. Can the GC be configured to warn/panic if it deallocates a memory block which the program failed to explicitly deallocate? | |
| ▲ | rzerowan 4 days ago | parent | prev [-] | | Question , would this be a desirable outcome for drivers. As far as i can tell most kernel driver crashes are the ones that would benefit from such protection.Plus obviate the need to do full rewrites - if such a GC can protect from the faults and help with the recovery.Assuming the GC after recovery process is similar to erlang BEAM where a reload can bring back healthy state. |
| |
| ▲ | pizlonator 4 days ago | parent | prev [-] | | > Is your intention that people use the Fil-C garbage collector instead of free()? Or is it just a backstop in case of memory leak bugs? Wow great question! My intention is to give folks powerful options. You can choose: - Compile your code with Fil-C while still maintaining it for Yolo-C. In that case, you'll be calling free(). Fil-C's free() behavior ensures no GC-induced leaks (more on that below) so code that does this will not have leaks in Fil-C. - Fully adopt Fil-C and don't look back. In that case, you'll probably just lean on the GC. You can still fight GC-induced leaks by selectively free()ing stuff. - Both of the above, with `#ifdef __FILC__` guards to select what you do. I think you will want to do that if your C program has a custom GC (this is exactly what I did with emacs - I replaced its super awesome GC with calls to my GC) or if you're doing custom arena allocations (arenas work fine in Fil-C, but you get more security benefit, and better memory usage, if you just replace the arena with relying on GC). The reason why the GC is there is not as a backstop against memory leaks, but because it lets me support free() in a totally sound way with deterministic panic on any use-after-free. Additionally, the way that the GC works means that a program that free()s memory is immune to GC-induced memory leaks. What is a GC-induced leak? For decades now, GC implementers like me have noticed the following phenomena: - Someone takes a program that uses manual memory management and has no known leaks or crashes in some set of tests, and converts it to use GC. The result is a program that leaks on that set of tests! I think Boehm noticed this when evangelizing his GC. I've noticed it in manual conversions of C++ code to Java. I've heard others mention it in GC circles. - Someone writes a program in a GC'd language. Their top perf bug is memory leaks, and they're bad. You scratch your head and wonder: wasn't the whole point of GC to avoid this? Here's why both phenomena happen: folks have a tendency keep dangling pointers to objects that they are no longer using. Here's an evil example I once found: there's a Window god-object that gets created for every window that gets opened. And for reasons, the Window has a previousWindow pointer to the Window from which the user initiated opening the window. The previousWindow pointer is used in initialization of the Window, but never again. Nobody nulled previousWindow. The result? A GC-induced leak! In a malloc/free program, the call to previousWindow.destroy() (or whatever) would also delete (free()) the object, and you'd have a dangling pointer. But it's fine because nobody dereferences it. It's a correct case of dangling pointers! But in the GC'd program, the dangling program keeps previousWindow around, and then there's previousWindow.previousWindow, and previousWindow.previousWindow.previousWindow, and... you get the idea. This is why Fil-C's answer to free() isn't to just ignore it. Fil-C strongly supports free(): - Freeing an object immediately flags the capability as being empty and free. No memory accesses will succeed on the object anymore. - The GC does not scan any outgoing references from freed objects (and it doesn't have to because the program can't access those references). Note that there's almost a race here, except https://fil-c.org/safepoints saves us. This prevents previousWindow.previousWindow from leaking. - For those pointers in the heap that the GC can mutate, the GC repoints the capability to the free'd singleton instead of marking the freed object. If all outstanding pointers to a freed object are repointable, then the object won't get marked, and will die. This prevents previousWindow from leaking. > Can the GC be configured to warn or panic if something is GCed without free()? Nope. Reason: the Fil-C runtime itself now relies on GC, and there's some functionality that only a GC can provide that has proven indispensable for porting some complex stuff (like CPython and Perl5). It would take a lot of work to convert the Fil-C runtime to not rely on GC. It's just too darn convenient to do nasty runtime stuff (like thread management and signal handling) by leaning on the fact that the GC prevents stuff like ABA problems. And if you did make the runtime not rely on GC, then your leak detector would go haywire in a lot of interesting ports (like CPython). But, I think someone might end up doing this exercise eventually, because if you did it, then you could just as well build a version of Fil-C that has no GC at all but relies on the memory safety of sufficiently-segregated heaps. | | |
| ▲ | kragen 4 days ago | parent | next [-] | | Okay, that's brilliant. I didn't even imagine that the GC-induced leak problem was even solvable. I guess the freed-but-not-GCed object could be arbitrarily large, but that's almost never going to be a gradual leak. What's awesome about the Emacs GC? | | |
| ▲ | pizlonator 4 days ago | parent [-] | | Even if you have a large freed object, it’ll really get GC’d unless it’s referenced from a root that the GC can’t edit. I allow for such things to simplify the runtime, but they’re rare. As a GC dev I just found the emacs GC to be so nicely engineered: - The code is a pleasure to read. I understood it very quickly. - lots of features! Very sophisticated weak maps, weak references, and finalizers. Not to mention support for heap images (the portable dumper). - the right amount of tuning but nothing egregious. It’s super fun to read high quality engineering in an area that I am passionate about! |
| |
| ▲ | gkfasdfasdf 3 days ago | parent | prev | next [-] | | Is it possible to use Fil-C as a replacement for valgrind/address sanitizer/leak sanitizer? I.e. say I have a C program that does manual memory management already. Can I then compile it with Fil-C and have it panic/assert on heap use after free, uninitialized memory read (including stack), array out of bounds read, etc? | |
| ▲ | skissane 4 days ago | parent | prev [-] | | > Nope. Reason: the Fil-C runtime itself now relies on GC, and there's some functionality that only a GC can provide that has proven indispensable for porting some complex stuff (like CPython and Perl5). What if there was a flag you could set on an allocation, “must be freed”. An app can set the “must be freed” flag on its allocations, meaning when the GC collects the allocation, it checks if free() has been called on it, and if it hasn’t, it logs a warning (or even panics), depending on process configuration flags. Meanwhile, internal allocations by the runtime won’t set that flag, so the GC will never panic/warn on collecting them. | | |
| ▲ | pizlonator 3 days ago | parent [-] | | Internal allocations can have pointers to user allocations | | |
| ▲ | skissane 3 days ago | parent [-] | | Right… but how is that a problem for my proposal? I’m not seeing the issue. |
|
|
|
|
| |
| ▲ | buu700 4 days ago | parent | prev [-] | | It seems kind of analogous to disabling hyperthreading. Sure there's an immediate performance hit, but in exchange you're now protected from entire classes of vulnerabilities. A few years later, no one remembers or cares about that old setback that has been long since eclipsed by subsequent hardware advancements. Modern hardware is stupidly fast compared to what existed at the time that a lot of C/C++ projects first started. My M2 MacBook Air has 5x higher multi-core performance than my previous daily driver (a 2015 MacBook Pro, a highly capable machine in its own right), and the new iPhone is now even faster than that. I'd happily accept a worst-case 4x slowdown of all user space C/C++ code in the interest of security, especially when considering how much of that code is going to be written by AI going forward. |
| |
| ▲ | tkz1312 4 days ago | parent | prev | next [-] | | I do not think this is niche in the slightest. I would very happily take a 2-4x slowdown for almost all of the web facing C software I run if I get guaranteed memory safety. I will be using at the very least fil-c openssh (and likely much more) on every machine I run. | | |
| ▲ | simonask 4 days ago | parent | next [-] | | Sure, that makes sense. The point I’m making is just that from an engineering perspective, that also implies that there is no longer any reason for that software you’re running to be written in C at all. | | |
| ▲ | mbrock 4 days ago | parent | next [-] | | From an engineering perspective, the software is already written in C, and you're weighing the tradeoffs between rewriting it and recompiling it. | |
| ▲ | sfpotter 4 days ago | parent | prev | next [-] | | Sure there is. Making tough choices between alternatives based on where to allocate a limited amount of manpower is an engineering choice. Choosing to use Fil-C to recompile existing (established, stabilized, functional...) software rather than rewrite it is an engineering choice. | |
| ▲ | 4 days ago | parent | prev [-] | | [deleted] |
| |
| ▲ | somat 3 days ago | parent | prev [-] | | Apologies ahead of time as this is pure FUD, That is I don't actually know what I am talking about but had an interesting thought. Remember the Debian weak keys kerfuffle, That was caused because the Debian package maintainer saw a warning about using uninitialized memory, fixed it, and then it turned out that uninitialized memory was a critical seed for the openssl random number generator. Anyhow my stupid FUD thought. is there a weak-key equivalent bug that shows up now that your C compiler is memory safe? |
| |
| ▲ | EPWN3D 4 days ago | parent | prev | next [-] | | Even if you can't use something like Fil-C in your release/production builds, being able to e.g. compile unit tests with it to catch memory safety bugs is a huge win. My team use gcc for its mips codegen, but I'm working on adopting the clang bounds-safety annotations for test builds for exactly this reason. | | |
| ▲ | OmarAssadi 4 days ago | parent [-] | | Yeah, I haven't yet taken a serious look into it from that perspective yet, but similar came to mind; while, outside of bootstrapping the JDK from GCJ, Boehm GC hasn't been super relevant to me for "release" builds of anything, it's been useful in leak detection mode on occasion. I figure even if you cannot use, or do not want to use, something like Fil-C in production, there's solid potential for it to augment whatever existing suite of sanitizers and other tools that one may already build against. |
| |
| ▲ | usefulcat 4 days ago | parent | prev | next [-] | | The point is that it can compile most existing C and C++ code as-is, and do it while providing complete memory safety. That's the claim, anyway. Doesn't sound all that niche to me. | |
| ▲ | miki123211 4 days ago | parent | prev | next [-] | | If you write your software in a language that needs GC, everybody using your software needs GC, but they're guaranteed to get memory safety. If you write your software in an unsafe, non-GC language, nobody needs GC, but nobody gets memory safety either. This is why many software developers chose the latter option. If there were some use cases in which GC wasn't acceptable for their software, nobody would get GC, even the people who could afford it, and would prefer the increased memory safety. Fil-C lets the user make this tradeoff. If you can accept the GC, you compile with Fil-C, otherwise you use a traditional C compiler. | |
| ▲ | i80and 4 days ago | parent | prev | next [-] | | The user of the code may plausibly want to make a different tradeoff than the author, without wanting to rewrite the project from scratch. | |
| ▲ | HL33tibCe7 4 days ago | parent | prev | next [-] | | The value prop here is for existing projects in C or C++, as is made abundantly clear in the linked article | |
| ▲ | rowanG077 4 days ago | parent | prev | next [-] | | I expect Fil-C is not really aimed at green field projects. But rather at making existing projects safe. | |
| ▲ | GTP 4 days ago | parent | prev [-] | | I would say that Rust would be a better choice rarher than patching memory safety on top of C. But I think the reason for this is that most, if not all, cryptographic reference implementations are in C. So they want to use existing reference implementations without having to port them to Rust. IMO cryptographers should start using Rust for their reference implementations, but I also get that they'd rather spend their time working on their next paper rather than learning a new language. | | |
| ▲ | _flux 4 days ago | parent | next [-] | | I'm not a practioner of cryptography, but I would be wary about timing attacks that might become possible if such a dynamic runtime is introduced. At least relevant pieces of code would need to be re-evaluated in the Fil-C environment. But maybe you could use C as the "glue language" and then the build better performing libraries in Rust for C to use. Like in Python! | | |
| ▲ | mbrock 4 days ago | parent [-] | | Good call! Fil-C does in fact have a way to let you build and run OpenSSL with its constant time crypto. I don't know how this works exactly but I guess it's relatively easy to guarantee it's safe. | | |
| ▲ | kragen 4 days ago | parent [-] | | How easy is it to link Rust code with C compiled with Fil-C's ABI? |
|
| |
| ▲ | pjdesno 4 days ago | parent | prev | next [-] | | The original poster got pretty much all of Debian running in Fil-C, in a fairly brief amount of time. Re-writing even a single significant library or package in Rust would take exponentially longer, so in this case Rust would not be "a better choice", but rather a non-starter. | |
| ▲ | bangaladore 4 days ago | parent | prev | next [-] | | Memory safety is a very small concern for most cryptographic implementations (e.g Side Channel attacks).
Rust solves essentially none of the other concerns. | | |
| ▲ | GTP 3 days ago | parent [-] | | IIRC SHA3's reference implementation had an integer overflow in a counter that made finding collisions trivial, as it meant that some blocks of the input weren't considered. |
| |
| ▲ | johnisgood 4 days ago | parent | prev [-] | | > IMO cryptographers should start using Rust for their reference implementations IMO they should not, because if I look at a typical Rust code, I have no clue what is going on even with a basic understanding of Rust. C, however, is as simple as it gets and much closer to pseudocode. | | |
| ▲ | Ar-Curunir 4 days ago | parent [-] | | Good cryptographic code should match its algorithmic description. Rust enables abstractions that allow this. C does not. That you have some familiarity with C and not Rust should not be a contributing factor. I say this as someone who has written cryptographic code that’s been downloaded millions of times. | | |
| ▲ | johnisgood 3 days ago | parent [-] | | The problem in terms of reference implementations is exactly the abstractions. Reference implementations should be free of abstractions and should be understandable. Abstractions make code much less understandable. I say this as someone who has been involved in cryptography and has read through dozens of reference implementations. Stick to C, not Python or Rust, it is much easier to understand because the abstractions are just there to hide code. Less abstractions in reference implementations = better. If you do not think so, I will provide you a code snippet of a language of my own choosing that is full of abstractions, and let us see that you understand exactly what it does. You will not. That is the point. | | |
| ▲ | Ar-Curunir 3 days ago | parent [-] | | Abstractions are the only way to make sense of cryptography. Pretending otherwise leads to cross layer bugs and vulnerabilities.
Of course bad abstractions are bad, but that doesn’t mean no abstraction is good. Feel free to post your challenge snippet. | | |
| ▲ | johnisgood 3 days ago | parent [-] | | pub fn read<P: AsRef<Path>>(path: P) -> io::Result<Vec<u8>> {
fn inner(path: &Path) -> io::Result<Vec<u8>> {
let mut file = File::open(path)?;
let mut bytes = Vec::new();
file.read_to_end(&mut bytes)?;
Ok(bytes)
}
inner(path.as_ref())
}
"aBsTraCtiOnS aRe gOod"... Right.Reference implementations must NOT have abstractions like this. Rust encourages it. Lots of Rust codebase is filled with them. Your feelings for Rust is irrelevant. C is simple and easy to understand, therefore reference implementations must be in C. Period. ...or Common Lisp, or OCaml... why not?! | | |
| ▲ | Ar-Curunir 3 days ago | parent [-] | | (a) that is a fairly easy to understand piece of code. Are you complaining about the definition of the inner function? (b) the equivalent C code would look pretty similar. (c) this is not cryptographic code |
|
|
|
|
|
|
| |
| ▲ | quotemstr 4 days ago | parent | prev [-] | | It's amazing how much technical discourse revolves around impressions. "Oh, it has a GC! GC bad!" "No, this GC by smart guy, so good!" "No, GC always bad!" People aren't engaging with the technical substance. GC based systems and can be plenty good and fast. How do people think JavaScript works? And Go? It's like people just absorbed from the discursive background radiation the idea GC is slow without understanding why that might be or whether it's even true. Of course it's not. | | |
| ▲ | mbrock 4 days ago | parent | next [-] | | You can wrack some people's brains by stating that for some problems, a GC is a great way to alleviate the performance problems caused by manual memory management. | | |
| ▲ | jeltz 4 days ago | parent [-] | | For those problems arena allocators tend to perform even better. | | |
| ▲ | mbrock 4 days ago | parent | next [-] | | Yeah, but if you actually need to retain a live subgraph of the allocated heap, the arena can't help you. So you make an arena allocator that only frees its slab after moving out the reachable set to a new compacted arena. Congratulations, you've implemented a Cheney-style compacting GC! | |
| ▲ | quotemstr 4 days ago | parent | prev [-] | | Not for all allocation patterns. It's hard to beat bump pointer allocation and escape analysis in general. |
|
| |
| ▲ | kragen 4 days ago | parent | prev | next [-] | | > How do people think JavaScript works? Very slowly. Java, OCaml, or LuaJIT would be better examples here! | | |
| ▲ | quotemstr 4 days ago | parent [-] | | How many of the "GC is always slow" people would recognize those systems? Besides: V8 and JSC have pretty decent JITs nowadays. IME, performance of JIT systems has more to do with the structure of programs written in JS than with VM performance itself. | | |
| ▲ | kragen 4 days ago | parent [-] | | Maybe I don't know what I'm doing, but I rarely get performance within an order of magnitude of single-threaded C from V8. In those other systems I usually do, unless you count Java's startup time. |
|
| |
| ▲ | lproven 3 days ago | parent | prev | next [-] | | > It's amazing how much technical discourse revolves around impressions. One of the single most incisive comments in the whole discussion. My take: people don't take the time to even try to understand some things of only moderate complexity. They dismiss it as "too hard", drop it, accept the received wisdom and move on. This is also behind the curse of "best practice". After coming up on 40Y in the industry, my impression is that this boils down to "this is what the previous guys did and it worked". In other words, very close to "nobody ever got fired for buying IBM" as a methodology. What it means: "you don't need to think about it -- just do this." Which quickly turns to "you don't need to understand it, just do this." Why I am saying this: because I think you're absolutely right, much of the industry discourse runs on impressions -- but there is a second factor that matters as much. People form impressions of things they don't understand well themselves by listening to the opinions of people they trust. The question then is: where do they find those opinions? There are communities of like-minded folks, folks interested in particular tech or whatever. Rust folks, "plain ol' C" folks, C++ folks, "let's replace C with $something_more_modern" folks (where that's D or Nim or whatever). But those communities group together too. They hang out in the same fora, talk on the same media, etc. Result, there are hierarchies of communities, and the result is like religions: people in one church know of other related churches fairly well, and some are siblings, relatives, whatever; others are hated enemies to be scorned. But they know next to nothing of other religions which are too far away, too different. So when people are comparing the offspring of C, they are probably from the Unix faith. They don't know that but everyone they ever talked to, every software they ever saw, is a Unix, so they don't realise there's anything else. I see passionate debates about Rust vs Go and things and I strongly suspect these are problems fixed among the Wirthian languages decades ago. Walls of text, thousands of lines of code, for things fixed in Modula-2 or Ada 30 or 40 years ago and those folks moved on. Whereas the Lisp folks never had those problems and are politely baffled by tools that still have flaws that deeply passionate 20-somethings and 30-somethings are calling each other names about and blocking each other over. I've had people in dead seriousness tell me that ALL OTHER SOFTWARE is written in C at the lowest level. They are amazed when I laugh at them. C is a niche in a niche and the team that wrote C and Unix moved on to Aleph and Limbo and one splinter wrote Go. The Forth people laugh at the vastly verbose Lisp folks and their forgotten million-line OSes. The APL people smile at the painfully iterative Forth and Lisp folks. Unix won on servers and it's pushing Windows off desktops, now relegating everything else to embedded and realtime and the handwritten-by-one-person systems, where nobody else will ever read their code. I can't help but think that there must be a better way. Not sure what it is. Classes in comparative software religion on Youtube? Sports style competitions for the smallest/simplest/fastest ways to solve particular problems in languages people might not consider? Tools for easier linkage between less-known languages and well-known OSes? | | |
| ▲ | lproven 2 days ago | parent | next [-] | | This article bears directly on my point: Why Engineers Can't Be Rational About Programming Languages Steve Francia
3 Nov 2025 The Leadership Blindspot: How Identity Drives Multi-Million Dollar Technical Debt https://spf13.com/p/the-hidden-conversation/ | |
| ▲ | cb321 3 days ago | parent | prev [-] | | While I agree with everything you wrote, the "better ways" have a "cap" on how effective they can be. The root causes -- both in-group preference[1] and laziness/delegation to the "smart loudmouth contemporaries/smart-enough predecessors" -- will be things for the foreseeable future among humans. Some might even call them eternal / instinctive. Our whole civilization is based upon delegation/layering, but trust sure is tricky! Even the smartest humans fall prey to Gell-Mann amnesia[2] on topics beyond their expertise. Personally, I think most of what you wrote all connects to the cluster of wicked problems[3] that I think of as "Humanity Complete" (after NP-Complete transformability). [1] https://en.wikipedia.org/wiki/In-group_favoritism [2] https://en.wikipedia.org/wiki/Gell-Mann_amnesia_effect [3] https://en.wikipedia.org/wiki/Wicked_problem | | |
| ▲ | lproven 3 days ago | parent [-] | | Very nicely put. Thanks for that. I'd offer solutions, except for the trivial implementation detail that I don't have any. But then, if I did, I'd have a Nobel and possibly be the first president of the united planet. |
|
| |
| ▲ | pas 4 days ago | parent | prev [-] | | Hi, I noticed you made a typo in "JS bad, Go bad", it's not too late to edit your comment! /s |
|
|
