Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This is the sort of thing I suspected without proof. It seems people do find that Rust is useful in terms of specific types of bugs but why cant pre C/C++ 11 just do the same job.


In safe rust you cannot read uninitialized memory or variables, you cannot dereference a null or freed pointer, you can't concurrently mutate the same variable from multiple threads without locking primitives, you can't accidentally modify a variable after it has been moved out of scope - all of these things are enforced at compile time. If your code compiles, you are safe from all of these classes of bugs (outside the use of unsafe code).

In addition, you can't overflow a buffer nor unintentionally read outside the bounds of an array, that will cause a runtime panic and abort the program.

Doing this in C or C++ is possible, but the fact that even the best of the best programmers in these languages sometimes still make these mistakes shows the limitations of the paradigm.

Even the most novice Rust programmer who stays in the guardrails will produce programs free of these sorts of memory safety bugs. The same cannot be said about C or C++ programs.


> In safe rust you cannot read uninitialized memory or variables, you cannot dereference a null or freed pointer, you can't concurrently mutate the same variable from multiple threads without locking primitives, you can't accidentally modify a variable after it has been moved out of scope - all of these things are enforced at compile time. If your code compiles, you are safe from all of these classes of bugs (outside the use of unsafe code).

Aren't most of these issues caught in C++ code by static code analysis tools, and even just flipping switches on C++ compilers? I mean, check out tools like cppcheck and address sanitizer. They exist for ages.

Your blend of comments makes it sound like no one knew or cared about these issues other than Rust fanboys.


No, they aren't. C++ codebases, even those who make quite a big effort to use as many analysers and checkers and sanitizers as they can, are still plagued by memory safety issues. Rust has a measurably lower incidence of security bugs due to this (not zero, but lower). People have tried (and are still trying) to retrofit memory safety onto C++ and they have not in general been successful. There's too many sharp edges built into the current language and library design, and these tools cannot catch all the ways in which you can mess up.

(What's more, Rust is substantially nicer to use than C++. The language, package manager, and compiler are all so much more straightforward than C++ that I would use it for that alone)


> Even the most novice Rust programmer who stays in the guardrails

I think this part answers your question. A novice could produce reasonably safe Rust code by just reading a book. I’ve no experience with either language and I can safely say I’d have no idea which switches to “just flip” in the compiler and what tools I should look up to write safe C++ code.

I do know that “Learn Language X” books do not include this information so as to not overwhelm the novice.


> I think this part answers your question. A novice could produce reasonably safe Rust code by just reading a book.

That blend of comments is at best grasping at straws. How long do you think a developer stays a "novice"? Does Rust have any problem that prevents developers from learning and improving their skills as fast as any other developers do? Are all Rust projects maintained by novice and junior devs where no one at all can claim to have any senior level skills?

If that's the best argument, that's not an argument at all.


> Doing this in C or C++ is possible, but the fact that even the best of the best programmers in these languages sometimes still make these mistakes shows the limitations of the paradigm.

Look, I’m not the one making these arguments, I’m just pointing out that all your objections seem to have been answered already. If you have a counter argument that shows Rust, as practiced, is no safer than C++, then I’d like to see it.


So why all the software is still so insecure?


> Your blend of comments makes it sound like no one knew or cared about these issues other than Rust fanboys.

That is a strange takeaway from my post. Of course people care, but the difference is that one language and its toolchain was designed and built specifically to avoid these bugs and one wasn't.

I have been writing C++ professionally since around 2000-2001, and have been working with Rust for about 18 months. For single threaded code, the code I write in both is about equivalent in terms of robustness and stability, but for anything multithreaded, I trust my Rust code's correctness substantially more, even with all the checkers and sanitizers enabled on my C++ codebase.

Would I choose Rust for everything? Hell no, for evolutionary and fast moving code bases like in games, C++ is plenty good enough.

For anything systems related that requires parallelism and robustness, I will 100% stick with Rust.


[flagged]


It is entirely unclear to me what point you are trying to make. Is your mundane solution to just add more sanitization and analysis to C and C++? If so, that's great, more safety in any language is fantastic. My issue with that is that it is an optional addition to the language rather than the default behavior.

The point I am making is that safe Rust _by default_ straight up disallows compiling code that has the potential for the vast majority of memory safety issues. Code with those issues is just a plain invalid program, and will not compile. If you want to bypass those protections, you need to explicitly opt-in with the unsafe keyword.

C or C++ code with the same issues is perfectly valid, will compile and run, but it has the potential to be incorrect. You can (and should!) bolt on tools to fix that, but the issue is that the language allows that behavior by default. Until these tools are the defaults, the problem is only partially solved - you have to opt-in to a large chunk of safety features, and even if you do, you get fewer of them to boot.

I'm not saying you should use Rust by any means. If you like C++, continue using it. But the fact here is that Rust solves a bunch of problems here and now today that C and C++ cannot, so it is baffling to me that people have such a visceral negative reaction to it.


> mainstream compilers provide support to detect and throw warnings/errors for some of these issues

You cannot detect all of these issues with static analysis. Rust does it by requiring the programmer to annotate lifetime dependencies in the source code. Without this additional semantic information, static analysis cannot fully reason about the lifetimes of variables.

There are efforts by some to introduce lifetime annotations to C++ (https://news.ycombinator.com/item?id=30888172), but any changes to the core language face a very steep uphill battle with the C++ standards committee, so any movement on this is likely to be compiler-specific attribute-based systems, adopted largely by companies invested in a particular compiler ecosystem (such as Apple or Google) to annotate their proprietary code.

On top of this, Rust is a very expressive language, with its features (like enum sum-types, traits etc) making it very easy to implement patterns such as compiler-checked state machines and polymorphism that doesn't involve the recognized downsides of class hierarchies.

It is not for everyone, and not for every kind of project, but its features resonate positively with a lot of people in systems programming because of their experiences with other systems languages and their downsides.

This is why Rust is popular today, particularly in certain communities.


Replying to your other comment.

> You are claiming that static code analysis tools extensively used in C++ cannot detect all conceivable and hypothetical memory issues. The weasel words in here is that it is possible to detect them, but some can conceivably slip through.

No, there are entire classes of memory vulnerabilities that are impossible to check with static analysis because checking them is equivalent to the halting problem.

> To drive the point home, there are already a few CVEs even from use-after-free bugs in Rust code. What does that make out of the all assertion? Would this be a reasonable argument to reject Rust as an unsafe language?

The CVE that you referenced in the other comment was Rust calling into unsafe C code, as I pointed out. If you have a real example feel free to post it.

> The problem with these claims is that they rely on weak strawmen arguments and a very superficial analysis of the problem space. I get the need to do marketing, but if the audience is technical them don't you think arguments should stand on solid technical ground?

The views I have laid out here are the consensus among compiler engineers and in theoretical computer science. You only have to look at the compiler group at Apple:

- heavily invested in static analysis - maintains the clang static analyzer - maintains number of runtime memory analysis tools in Xcode - not invested in rust at all and seemingly not interested

Yet they are adding lifetime dependency annotations to Swift, making it more like Rust: https://github.com/swiftlang/swift-evolution/blob/ef71df4158...

The reason for this is that static analysis simply cannot do it when the semantic information about lifetimes is lost, even for a group that knows how to write strong static analysis tools. Program flow is too ambiguous without it, so it becomes impossible to detect such memory vulnerabilities without running the program and fuzzing it – an expensive, time consuming, and probabilistic process.


> No, there are entire classes of memory vulnerabilities that are impossible to check with static analysis because checking them is equivalent to the halting problem.

This is the sort of goalpost-moving that lays bare how superficial and misleading these accusations are. You're trying to argue that some very specific types of memory vulnerabilities can't be detected with static code analysis tools. That is different than claiming that it's not possible to detect memory vulnerabilities in languages such as C or C++, isn't it? But somehow this strawman is used to imply that Rust is invulnerable whereas developers using any other language are prevented from ever learning that standard FLOSS compilers support out of the box things such as detecting use of uninitialized variables.

So what is it then?


Presumably because decades of experience has shown that it doesn't. Also insofar as avoiding certain pervasive security issues it can't.


> Presumably because decades of experience has shown that it doesn't.

What definition of "doesn't" do you adhere to? Because there are use-after-free CVEs from Rust code.

https://nvd.nist.gov/vuln/detail/CVE-2025-48752


This is not a very good example, because this Rust code is a thin wrapper around pthread_mutex, which is an unsafe API that can cause undefined behavior (such as use after free) if used incorrectly. The Rust code in question is using the unsafe C API incorrectly.

https://github.com/Forestryks/process-sync-rs/issues/3

One could say "Rust doesn't stop you from calling out into unsafe C code, so it's still possible to produce memory vulnerabilities in Rust", and it would be true, but it kind of misses the point and only really bolsters the Rust people when they say they want to rewrite everything in Rust.

In Rust, an API with a rule such as "you must check that the mutex is unlocked before you can destroy it" would be implemented using the type system in such a way as to make it impossible to drop it without checking its state. This is something that is not possible to do in C and cumbersome to do in C++.


> This is not a very good example

Feel free to pick an example that tickles your fancy.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rust


There are a few interesting trends in that list. One of them is that there's an increasing amount of Rust. People are going to write many of the high level bugs (e.g. logic mistakes) in any language, but if they're not using your language they won't write any in your language. Lots are written in Rust.

But another is that the kind of things even reported is different. There's a case a while back where C++ and Rust have identical APIs which make an identical promise. The obvious way to implement that API on popular platforms introduces a TOCTOU race, and so that race was present in Rust's stdlib and in all three popular C++ standard library implementations. Rust reported the TOCTOU race and its fix, there's a CVE number. The three C++ libraries just decided it's a QOI issue and silently made equivalent changes over the next few months or years.

In C++ the argument goes like this: C++ says that if any other programs are running on your computer, all filesystem access is Undefined Behaviour. Simply do not run more than one program per computer, then there's no TOCTOU race, no bug. Rust says duh, obviously multi-processing has been a thing since the 1960s so we have to assume other programs may be running, the TOCTOU race is a bug and must be fixed.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: