Eyes Above The Waves

Yeah, nice! Yeah, making 'y' a shared_ptr member here would force it to be a separate allocation. It would also mean the getter function incurs the cost of a thread-safe addref and release. It also means X and Y can't live in read-only memory.

"separate allocation" Just to be clear, I was referring to the aliasing ability of std::shared_ptr, where the shared_ptr seems to point at 'y' when dereferenced, but the reference count is actually tied to 'x'. So there is no separate allocation happening, 'y' is contained as a straight 'Y' within 'X'. (Better explanations there: http://www.codesynthesis.com/~boris/blog/2012/04/25/shared-ptr-aliasing-constructor/ ) However all the other bad stuff is still there: addrefs&releases, reference count object that has to exist somewhere, no ROM objects...

Ah I see. Thanks for pointing that out. That's cool. Though it does point out that std::shared_ptr has to be two words, which sucks. I guess it always was but I just never thought it about it.

"containing a field y of type Y directly" Your code defines an instance variable that holds a Ruby VALUE, which is a reference, and a function that returns that reference. The content of the VALUE will be heap allocated.

That makes 'y' use a separate heap allocation, which I explicitly said we don't want.

Not only that, Crystal has GC under the hood, which mounts the cost (but, to be fair, I don't know if it collects all of the objects or just some of the allocations are GCed).

I agree with much of what you say. Just a couple of replies: By building on LLVM Rust is actually leveraging a lot of the investment in modern C++ compilers. And Rust, at the levels above LLVM, is significantly less complicated than C++. So the situation is not as daunting as you may think. I think "most people I know ... rarely trip on lifetime problems" undersells the seriousness of those problems when they arise. These are serious security issues. Mozilla's browser developers are definitely elite level and they are excited about this stuff. It's certainly true that Rust's "parallelism without fear" story is strong. I'll write about that.

I believe the usecase of this that Manishearth described in his blog post http://manishearth.github.io/blog/2015/05/03/where-rust-really-shines/ is where no sane C++ senior could do this kind of pointer sharing without ownership problems (and thus would probably fall back to copying the memory with new heap allocations, or probably could ‘optimize’ it with shared_ptr or other smart pointer, but then would still have runtime checks with are nonexistent in Rust).

You don't think that it's a problem that every piece of widely deployed c/c++ infrastructure is effectively a door that only the government and mob can open, due to the current economics of exploit development?

Those are two separate objects on the heap. That's what I mean by "separate heap allocation".

This doesn't prevent any reference to y outliving X.

In Rust you also can do that: struct X { pub y: Y } However that is not the point. The point is that Rust will refuse to compile if returned reference would live longer than object itself. Other example would be: struct Matrix2x2([T; 4]); impl Matrix2x2 { fn get(&self, col: usize, row: usize) -> &T { self.0[col * 2 + row]; } } In this (less trivial) example Rust would refuse to compile if you would write something like: let mut t: &Type; { t = matrix.get(1,1); } println!("{}", *t); Where it is perfectly valid in C++. Other popular example (that I often use): int main() { std::vector vec = {1,2,3}; int& ref = vec[0]; vec.push_back(4); std::cout << ref; return 0; } Will compile and even maybe will work, while: fn main() { let mut v = vec![1,2,3]; let r = &r[0]; v.push(4); println!("{}", r); } Will refuse to compile.

Yes, that's true. I'll update the post.

"Getter" methods that provide access to interior parts of an object are common and very useful. It's often a lot more efficient to return a reference (a pointer) to an interior part than copy it. However, C and C++ programs often have "use after free bugs" where the reference is used after the underlying object has been deleted. These bugs often create security issues and should be prevented.

And as soon as I add that note about it being broken, it works.

"newtype" doesn't help with the borrowing-a-field situation here. You're quite right that Haskell and Rust have a lot in common, and a lot of people like both languages! But Rust has some big advantages over Haskell: an execution model that maps much better to hardware (no lazy evaluation, no GC, stateful updates), and its affine type system that provides strong control over aliasing.

Thanks. I might well enjoy programming in Rust, if the occasion ever arises. It sounds like most of Rust's advantages over Haskell relate to what the code compiles down to. Would that be fair? In the past, I haven't really needed to worry about that level of optimization; good asymptotic complexity and trusting the compiler to do a not-terrible job has been enough for me. But I might need to think more carefully about optimization in programs I work on in future.

> It sounds like most of Rust's advantages over Haskell relate to what the code compiles down to. Would that be fair? The affine type system and aliasing control enable various kinds of checking that other type systems, including Haskell's, don't offer. See https://people.mpi-sws.org/~dreyer/papers/rustbelt/paper.pdf for some explanation of that. If you stick to pure functional programming then I guess those checks aren't important.

Yeah, I can't see the relevance of those checks in Haskell — at least not the kind of Haskell I write —, where everything is immutable, so you presume you usually get internal pointers by default. I think I can see the point of those checks though: While you can write Haskell-style everything-is-immutable code in Rust, and get all the guarantees that go with that, you can also write code with mutable data, and still get guarantees that you won't have any data races, use-after-free bugs, and so on (as long as you don't step outside the bounds of "safe" Rust). Part of the reason I like Haskell is that I'm a mathematician (by inclination and training), so it seems natural to me to write definitions, rather than algorithms, and to reason about the correctness of those definitions. So if I was writing in Rust, I'd probably want to tend towards writing code in which almost everything is immutable, or at least code in which almost all functions are referentially transparent. Which leaves me wondering whether such code would be considered unidiomatic Rust, or would be inefficient. For example, how purely functional could a Rust implementation of mergesort be made to be, without sacrificing efficiency? I concede that although Haskell makes it easy (for me, at least) to reason about my code's correctness, it isn't always easy to reason about its efficiency. As an experiment today, I wrote a Haskell program that calculates the nth Fibonacci number (with n given on the command line), naïvely using the recursive definition. Unsurprisingly, it appeared to take exponential time, with a noticeable delay in calculating the 36th Fibonacci number. Then I made a slight modification, defining an infinite list, like so: fibonacciList = map fibonacci [0..] and adjusting the definition of fibonacci to look up the (n - 2)nd and (n - 1)st elements of that list, instead of using direct recursion on itself. I believe this version runs in polynomial time; it certainly calculates the 144th Fibonacci number without any noticeable delay. So Haskell (or, more precisely, GHC) can certainly produce efficient code without much effort, but it doesn't necessarily make it easy to reason about that efficiency. So perhaps I might use Rust if I ever want to reason very carefully about the efficiency of a program, and Haskell when I only want to reason about its correctness. Thanks for the link to that paper, by the way; it was really interesting (though I can't claim to have understood all the details).

> For example, how purely functional could a Rust implementation of mergesort be made to be, without sacrificing efficiency? I guess it would be reasonably easy to do it in O(n log n) space and time. Efficiency isn't just about time, it's also about space. In Rust it's pretty easy to write a sorting implementation that is guaranteed to sort in-place. Obviously a purely functional implementation can't do that. Furthermore any language that depends on GC has to wrestle with the inevitable GC tradeoffs between throughput, latency and space overhead. It sounds like you work on the sorts of problems where these efficiency issues aren't important, and that's fine --- Haskell sounds like a good fit for you. However, when you ship software to a lot of users, efficiency issues are magnified. When you compete against other implementations on performance, they become even more important.