Wuffs the Language

187 points by bshanks about 4 years ago

12 comments

oconnor663 about 4 years ago

> There is no operator precedence. A bare a * b + c is an invalid expression. You must explicitly write either (a * b) + c or a * (b + c).

Honestly I've often wished for this in mainstream languages. It seems like operator precedence should go the way of bracketless if and implicit int casts. (Though I wonder if they wind up making exceptions here for chains of method calls? I guess technically those rely on operator precedence sort of?)

Edit: Yeah I see the example code has "args.src.read_u8?()". So it looks like they figured out how to keep the good stuff.
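
To make the quoted rule concrete, here is a minimal Python sketch of a checker that rejects expressions mixing different binary operators without parentheses. It is a toy, not Wuffs's parser: the names `is_valid`, `parse_expr` and `parse_operand` are made up for illustration, and allowing a chain of one repeated operator (such as a + b + c) is an assumption of this sketch.

```python
import re

OPERATORS = set("+-*/")


def parse_operand(tokens, pos):
    """Consume one identifier, number, or parenthesized expression."""
    if pos >= len(tokens):
        raise SyntaxError("unexpected end of expression")
    tok = tokens[pos]
    if tok == "(":
        pos = parse_expr(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise SyntaxError("missing ')'")
        return pos + 1
    if tok in OPERATORS or tok == ")":
        raise SyntaxError(f"unexpected {tok!r}")
    return pos + 1


def parse_expr(tokens, pos):
    """Consume `operand (op operand)*`, refusing to mix operators."""
    pos = parse_operand(tokens, pos)
    seen_op = None
    while pos < len(tokens) and tokens[pos] in OPERATORS:
        op = tokens[pos]
        if seen_op is not None and op != seen_op:
            # No precedence table exists, so the grouping must be explicit.
            raise SyntaxError(f"mixing {seen_op!r} and {op!r} needs parentheses")
        seen_op = op
        pos = parse_operand(tokens, pos + 1)
    return pos


def is_valid(text):
    """Return True if `text` parses without relying on operator precedence."""
    tokens = re.findall(r"[A-Za-z_]\w*|\d+|[-+*/()]", text)
    try:
        return parse_expr(tokens, 0) == len(tokens)
    except SyntaxError:
        return False
```

With this checker, `is_valid("a * b + c")` is rejected, while `is_valid("(a * b) + c")` and `is_valid("a * (b + c)")` are accepted, because each parenthesized group contains only one kind of operator.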

dang about 4 years ago

Surprisingly little discussed so far, aside from these past related threads:

Wuffs’ PNG image decoder - https://news.ycombinator.com/item?id=26714831 - April 2021 (135 comments)

C performance mystery: delete unused string constant - https://news.ycombinator.com/item?id=23633583 - June 2020 (105 comments)

That first one was just yesterday but this is a rare case where we would not downweight the follow-up post (https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sort=byDate&type=comment&query=follow-up%20by%3Adang).

pnathan about 4 years ago

This is a fascinating spin: a pure language, designed for libraries, not for complete programs. A tip of the hat to whoever was able to break out of the "a language has to do x y and z" thinking and perceive that this is a possibility.

peteretep about 4 years ago

> Traditionally, the first program anyone writes in a given programming language is something that prints "Hello world". This doesn't work for Wuffs, for two reasons. One is that Wuffs doesn't have a string type per se. Two is that Wuffs code doesn't even have the capability to write to files directly, such as to stdout. Wuffs is a language for writing libraries, not complete programs, and the less Wuffs can do, the less Wuffs can do that is surprising (such as upload your files to the internet), even when processing untrusted input.

grawprog about 4 years ago

To be honest, I'm not sure what to make of this. Wuffs the library makes sense as a drop-in for the C standard library, but the language, I'm not sure how it fits.

It seems to offer some of the features offered by languages like D and Rust, while staying more C-like, but also removing one of the few actual reasons to use C, which both D and Rust also provide on top of the other features offered by Wuffs.

It's cool and all but it seems confused as to whether it wants to be a library for C, an extension to C or a standalone language. As a standalone language, I'm not sure I really see the benefits over alternatives; as a C library, it does have some interesting ideas.

mjevans about 4 years ago

The only part of the Wuffs spec I just read that I dislike:

Strings. I would really prefer strings to work like existing C and 'bash' style quoting. At least the simple aspects of it, the parts of the rules that are easy to remember and simple. A string should always be a sequence of octets, but easily coerced by a casting operator to a numeric format from any index. I'm not sure what the syntax for that would be offhand.

incrudible about 4 years ago

I like the idea. The inability to do something is an often underrated feature.

ledauphin about 4 years ago

I'm confused by the "all functions are methods" restriction. The "what" seems clear, but the "why" is eluding me, and I'd love to read an explanation.

mkj about 4 years ago

How does error handling work in Wuffs? That seems to be an important aspect for a reliable language, it wasn't immediately clear from the docs.

Edit: ah, found it, https://github.com/google/wuffs/blob/main/doc/note/statuses.md

peter_d_sherman about 4 years ago

>"Wuffs (Wrangling Untrusted File Formats Safely) is formerly known as Puffs (Parsing Untrusted File Formats Safely). Wuffs is a memory-safe programming language (and a standard library written in that language) for wrangling untrusted file formats safely. Wrangling includes parsing, decoding and encoding. Example file formats include images, audio, video, fonts and compressed archives.

It is also fast. On many of its GIF decoding benchmarks, Wuffs measures 2x faster than "giflib" (C), 3x faster than "image/gif" (Go) and 7x faster than "gif" (Rust).

Goals and Non-Goals

Wuffs' goal is to produce software libraries that are as safe as Go or Rust, roughly speaking, but as fast as C, and that can be used anywhere C libraries are used. This includes very large C/C++ projects, such as popular web browsers and operating systems (using that term to include desktop and mobile user interfaces, not just the kernel).

Wuffs the Library is available as transpiled C code. Other C/C++ projects can use that library without requiring the Wuffs the Language toolchain. Those projects can use Wuffs the Library like using any other third party C library. It's just not hand-written C.

However, unlike hand-written C, Wuffs the Language is safe with respect to buffer overflows, integer arithmetic overflows and null pointer dereferences. A key difference between Wuffs and other memory-safe languages is that all such checks are done at compile time, not at run time. If it compiles, it is safe, with respect to those three bug classes.

The trade-off in aiming for both safety and speed is that Wuffs programs take longer for a programmer to write, as they have to explicitly annotate their programs with proofs of safety. A statement like x += 1 unsurprisingly means to increment the variable x by 1. However, in Wuffs, such a statement is a compile time error unless the compiler can also prove that x is not the maximal value of x's type (e.g. x is not 255 if x is a base.u8), as the increment would otherwise overflow. Similarly, an integer arithmetic expression like x / y is a compile time error unless the compiler can also prove that y is not zero.

Wuffs is not a general purpose programming language. It is for writing libraries, not programs. The idea isn't to write your whole program in Wuffs, only the parts that are both performance-conscious and security-conscious. For example, while technically possible, it is unlikely that a Wuffs compiler would be worth writing entirely in Wuffs."

PDS: Would like to see a future AV1 / AOM / libaom / FFmpeg -- written/compiled in Wuffs...
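
The x += 1 and x / y rules in the quote can be pictured with a small Python model of range tracking. This is only a sketch of the idea and not how the Wuffs compiler works internally: `Range`, `check_increment` and `check_divide` are hypothetical names, and the checks here run when the Python functions are called, whereas Wuffs performs them at compile time.

```python
from dataclasses import dataclass

U8_MAX = 255  # largest value of an unsigned 8-bit integer


@dataclass(frozen=True)
class Range:
    """Everything the checker knows about a variable: lo <= x <= hi."""
    lo: int
    hi: int


def check_increment(known: Range, type_max: int = U8_MAX) -> Range:
    """Accept `x += 1` only if no value in `known` can overflow the type."""
    if known.hi + 1 > type_max:
        raise ValueError(
            f"cannot prove x + 1 <= {type_max}: x may be {known.hi}"
        )
    # After the increment, both bounds shift up by one.
    return Range(known.lo + 1, known.hi + 1)


def check_divide(divisor: Range) -> None:
    """Accept `x / y` only if zero is excluded from the range of y."""
    if divisor.lo <= 0 <= divisor.hi:
        raise ValueError("cannot prove the divisor is non-zero")
```

For example, `check_increment(Range(0, 254))` succeeds and yields `Range(1, 255)`, while `check_increment(Range(0, 255))` is refused because x might already be 255. In this model, the programmer's job is to supply facts (for instance via an earlier bounds check) that narrow the known range enough for the operation to be accepted.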

chubot about 4 years ago

Wuffs seems fascinating and I really wanted to like it. But when I look at the code for the JSON decoder it seems so low level, and full of places for bugs to hide. JSON is a pretty simple spec and this obscures it (although to be fair it's also handling UTF-8).

https://github.com/google/wuffs/blob/main/std/json/decode_json.wuffs

Yes it prevents buffer overflows and integer overflow, but it can't prevent logical errors.

I'd rather see efficient code generated from a short high level spec, not an overwhelming amount of detail in a language verified along a few dimensions.

---

Logical errors in parsing also lead to security vulnerabilities. For example, here is an example of parser differentials in HTTP parsing:

https://about.gitlab.com/blog/2020/03/30/how-to-exploit-parser-differentials/

The canonical example of this class of bug is forging SSL certificates to take advantage of buggy parsers, but I don't have a link handy. There should be one off of https://langsec.org/ if anyone can help dig it up.

Again, this has nothing to do with buffer or integer overflows.

(aside: while googling for that I found the claim that mRNA vaccines work by parser differentials: https://twitter.com/maradydd/status/1342891437537505280?lang=en If anyone understands that I'd be curious on an opinion/analysis :) )

At the very least, any language for parsing should include support for regular languages (regexes). The RFCs for many network protocols use this metalanguage, and there's no reason it shouldn't be executable. They compile easily to efficient code.

The VPRI project claimed to generate a TCP/IP implementation from 200 lines of code, although it's not really a fair comparison because it hasn't been tested in the wild: https://news.ycombinator.com/item?id=846028 .

Still I think that style has better engineering properties. Oil's lexer, which understands essentially all of bash, is generated from a short source file

https://www.oilshell.org/release/0.8.8/source-code.wwz/frontend/lexer_def.py

which generates

https://www.oilshell.org/release/0.8.8/source-code.wwz/_devbuild/tmp/osh-lex.re2c.h

which goes on to generate 28,000 lines of C code. It's short, but it really needs a better regex metalanguage to be readable: https://www.oilshell.org/release/latest/doc/eggex.html

A large part of JSON can be described by regular languages, and same with HTTP, etc.

-----

edit: An re2c target for wuffs could make sense. The generated code already doesn't allocate any memory, although it uses tons of pointers which could be dangling.

And in fact that was a problem for Cloudflare, which sprayed the user data of their customers all over the Internet back in 2017: https://en.wikipedia.org/wiki/Cloudbleed

That was with Ragel and not re2c, which perhaps has a more error prone API.
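
As a small illustration of the claim that a large part of JSON is regular, the token level of JSON fits in one regular expression. The Python sketch below uses the standard `re` module; the names `JSON_TOKEN` and `lex` are made up for this example, and it covers tokens only. Nesting of arrays and objects is not regular, so a parser would still have to sit on top of it.

```python
import re

# One alternative per token class; the named group that matches tells us
# the kind of token. Whitespace is matched so that it can be skipped.
JSON_TOKEN = re.compile(r"""
    (?P<ws>[ \t\n\r]+)
  | (?P<punct>[{}\[\]:,])
  | (?P<literal>true|false|null)
  | (?P<number>-?(?:0|[1-9][0-9]*)(?:\.[0-9]+)?(?:[eE][+-]?[0-9]+)?)
  | (?P<string>"(?:[^"\\\x00-\x1f]|\\["\\/bfnrt]|\\u[0-9a-fA-F]{4})*")
""", re.VERBOSE)


def lex(text):
    """Split `text` into (kind, lexeme) pairs, dropping whitespace."""
    pos, tokens = 0, []
    while pos < len(text):
        match = JSON_TOKEN.match(text, pos)
        if match is None:
            raise ValueError(f"bad JSON token at offset {pos}")
        if match.lastgroup != "ws":
            tokens.append((match.lastgroup, match.group()))
        pos = match.end()
    return tokens
```

Calling `lex('{"a": [1, true]}')` yields a flat list of punctuation, string, number and literal tokens. The short declarative pattern, rather than a hand-written state machine, is the style the comment argues for.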

lancepioch about 4 years ago

So a similar sense to Haxe: https://haxe.org
