Death to C

I&#x27;m sorry, but as a user and hacker of UNIX, POSIX and all things GNU&#x2F;Linux since 1996 I have to say this is just fruitless and counter-productive. Although, I will support the sentiment &quot;Death to C++&quot; :-)<p>The argument is over-simplified and rather than looking to the root of the problem tries to sweep it under the rug by also ignoring the fact that many new languages have their interpreters written in C. The root issue is that the C language needs an update, an overhaul, and that once the standard has been refreshed, C will continue to be the #1 language among programmers.<p>Sadly, nothing can be done for C++ and to lump C and C++ together is as upsetting as calling for programmers to cease the use of C! :-)<p>Last thought: There needs to also be more focus on teaching programmers how to write secure C programs. Every year new exploits are released that target insecure C programming styles, and the C community should make sure programmers are being educated on how to avoid these issues. Look to subsets like MISRA C as an example and a move in the right direction; advocating secure programming&#x2F;language subsets rather than changing languages ultimately makes more sense.

You&#x27;re not going to convince C programmers simply by beseeching them. The article is missing an entire component: the argument for Rust. There needed to be examples of C programs that one may write that are actually unsafe and of how Rust addresses that. There needed to be a discussion on the performance of Rust, and of its ability to call into C without overhead (or to be called by C without overhead). Everyone already knows what the problems of C are, what they need to know is what the alternatives offer and how in the end you are not giving up too much.

Well, there&#x27;s Go.<p>Java was supposed to fix all of these problems, but it&#x27;s a mess in its own way. There&#x27;s no perfect language.<p>Almost simultaneously with C the Pascal language was introduced, completely safe and easier to learn. It enjoyed a period of popularity, and for a while it was widely taught in high schools and universities. Some big systems were built in Pascal, but every big Pascal app I&#x27;ve ever seen relied on external code in C (or assembly language) because Pascal is hobbled to enforce safety (see Brian Kernighan&#x27;s article &quot;Why Pascal Is Not My Favorite Programming Language, <a href="http:&#x2F;&#x2F;www.lysator.liu.se&#x2F;c&#x2F;bwk-on-pascal.html" rel="nofollow">http:&#x2F;&#x2F;www.lysator.liu.se&#x2F;c&#x2F;bwk-on-pascal.html</a>). Some of Pascal&#x27;s faults were fixed in Modula and Oberon but those never got any traction.<p>To be absolutely safe the language is either crippled so it&#x27;s missing important features, or it requires a runtime to sandbox everything, check pointer references, do garbage collection, etc. And that slows things down.<p>I don&#x27;t see C going away any time soon in embedded software, which is where bugs and vulnerabilities can be most dangerous and where they are hardest to fix. It&#x27;s not much of a disaster for a video game to crash, but it can be very bad if piece of hospital hardware or a flight control system has a latent bug.<p>There are tools that can analyze C code both statically and dynamically -- the language is not just old, it&#x27;s mature.<p>I&#x27;m sure someone is already rewriting the Linux kernel and all of the Unix-y tools in Rust or Go or whatever. I won&#x27;t hold my breath.

Rather than &quot;death to C&quot; a better viewpoint is: minimize our use of C <i>and anything that looks like it</i>. We don&#x27;t need a better C, in which to write mega-projects.<p>There is a parallel here in assembly language. Once upon a time, programmers extended the viability of assembly language by building smarter assemblers with powerful macros and such. None of that is necessary if you minimize your use of assembly language, so that all you have in your system that is in assembly language is a few atomic instructions, some context saving&#x2F;restoring code, interrupt dispatch, and a speedy memcpy and whatnot.<p>Going from C to Rust (or Go, or C++ or whatever) is kind of like trying to use a deluxe assembler to write large assembly language programs with better reliability.<p>If I&#x27;m going to leave C behind for some task, it&#x27;s because I want to get away from <i>that sort of</i> semantics---any version of that semantics.

I personally don&#x27;t see Rust as a good replacement for C - it&#x27;s too complex a language, and it is especially easy to loose sight of what is happening at a low level due to all of the abstractions.<p>Even if you did decide to use Rust instead of C in C&#x27;s typical domain - operating systems, drivers, and constrained resource devices - you would be forced into using &quot;unsafe&quot; blocks anytime you had to interact directly with the hardware, manually manage memory, or issue ASM commands; at which point you&#x27;re as vulnerable to programming mistakes as C.

The C ecosystem has tools designed to compensate for its issues. There&#x27;s valgrind, static analysis, debuggers, asan, tsan, etc.. With its immense popularity, its flexibility and portability, and its mature, comprehensive ecosystem behind it, there&#x27;s no all-purpose programming language better than C (expect maybe C++).

Rust people, please don&#x27;t screw up. We desperately need a replacement for C. Rust could be it. But it&#x27;s not too late for the Rust crowd to blow it. Rust may have too much cruft at version 1.0 for C programmers.<p>Things that worry me about Rust:<p>* Too much mandatory metaprogramming. Basic things such as I&#x2F;O require generics, and even lambdas. Rust&#x27;s cruft level in this area picks up where C++ with Boost left off.<p>* Error handling is too verbose. Wrapping things in &quot;Result&lt;&gt;&quot; and &quot;Some&lt;&gt;&quot;, then unwrapping them with &quot;match&quot; is wordy. Wrapping that in generics makes it shorter but hides what&#x27;s happening.<p>* The type system and type inference are very complex, and type errors induced from another module can be hard to diagnose.<p>* Too much language churn. Supposedly &quot;stable&quot; modules still keep changing. I&#x27;m surprised when I recompile a program after a few weeks and it still works. This needs to settle down very soon.<p>* Resource Allocation is Initialization. Initialization isn&#x27;t that bad, but what do you do about an error discovered in a destructor? Destructors are always troublesome, and Rust doesn&#x27;t seem to have that area under control. A &quot;with&quot; clause approach would have been cleaner. The recent discovery of a soundness problem in Rust destructors is being handled in a way that bears watching. First, the actual issue reporting the problem was closed without a fix.[1] The discussion was &quot;moved to an RFC&quot; so as not to block the release of Rust 1.0.[2] Related issues are now being discussed to death. A good discussion of the issue is at [3].<p>While Rust avoids complex run-time abstractions, it has very complex compile-time abstractions. Rust has all the cool abstraction ideas - closures, generics, templates, type inference, RAII, functional programming, etc. This may be too much for the C crowd. The basic libraries use all these features, so you can&#x27;t restrict their use on a project.<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;rust-lang&#x2F;rust&#x2F;issues&#x2F;24456" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;rust-lang&#x2F;rust&#x2F;issues&#x2F;24456</a> [2] <a href="https:&#x2F;&#x2F;github.com&#x2F;rust-lang&#x2F;rfcs&#x2F;pull&#x2F;1066" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;rust-lang&#x2F;rfcs&#x2F;pull&#x2F;1066</a> [3] <a href="http:&#x2F;&#x2F;smallcultfollowing.com&#x2F;babysteps&#x2F;blog&#x2F;2015&#x2F;04&#x2F;29&#x2F;on-reference-counting-and-leaks&#x2F;" rel="nofollow">http:&#x2F;&#x2F;smallcultfollowing.com&#x2F;babysteps&#x2F;blog&#x2F;2015&#x2F;04&#x2F;29&#x2F;on-r...</a>

Yeah. &quot;Stop using PostgreSQL and Redis. And Linux.&quot; Then these people usually go on to describe a completely different problem domain, it used to be something-lisp and now it&#x27;s ruby-whatever.<p>Problem is, sooner or later you need to be using the operating system for something more than just starting processes, be it controlling file handles or sandbox code or whatever. Then you need API compatibility and control over your mallocs. Which isn&#x27;t impossible in non-systems PLs, but it isn&#x27;t exactly a walk in the park either, as you&#x27;re basically left calling wrappers for syscalls instead of doing it directly, which means you have master both your runtime <i>and</i> your C-based operating system.<p>At least this time they have an answer that&#x27;s at least worth listening to. The newest crop of languages with Rust and Go actually make an effort towards system programming. That excites me! Now all you have to do is make something as secure and robust as Redis or Postfix, and let&#x27;s see how it fares in production. And if Servo grows to be a fully grown competitive web browser, applying binary deltas to itself, sandboxing GL code, and everything in between, that would be a great litmus test for Rust to actually compete with C++.

So for a mission critical or safety critical system, what&#x27;s the alternative? It looks like the options are:<p><pre><code> 1, assembler 2, C + validated compiler + static verification + coding standard (MISRA-C maybe) 3, C++ + validated compiler + static verification + coding standard (MISRA-C++ maybe) 4, Java + specialized VM with RTSJ + static verification + coding standard (RTSJ) 5, Ada&#x2F;SPARK + ??? </code></pre> So really, C&#x2F;C++&#x2F;Java&#x2F;Ada aren&#x27;t being used alone, it&#x27;s the language + validated compiler + verification tools + a coding standard that are being used.<p>How are Haskell, Rust, Go, and whatever other nouveau language of interest to the HN crowd tenable options for serious work when they lack the ecosystem of a formal standard, validated compilers and verification tools, track record, etc.?

I&#x27;ll confess, I have looked ever-so-briefly at D and Go and I figured that Rust was probably similar to Go but I just didn&#x27;t take the time to learn about it. I like the idea of D (especially design-by-contract), but I have difficulty convincing my colleagues (and myself) that a product with a garbage collector can perform consistently well enough.<p>Then I read this in TFA:<p>&gt; Despite guaranteeing memory safety, Rust does not have a garbage collector or runtime, and one of the benefits of this is that Rust code can be called from C with no setup at all.<p>Maybe I should think about it as &quot;you always enable ASan in your production binary&quot;? That suits me just fine, if that&#x27;s one of its major benefits. I will resolve today to follow up on Rust and try to learn more about it.

The whole fallacy with articles like this is that they all too often show why a language is unsuited for some subset of tasks and then proclaim &quot;death to $LANGUAGE.&quot; There&#x27;s a time and place for C, and while writing a web framework is probably not that place, I think for embedded C is going to be around for a while.<p>Sometimes you need to do things that could potentially cause problems (like every single pointer dereference) because there are deadlines for things to happen. If DMA had to check whether the place it&#x27;s about to write the next 4 sample from the ADC is ok every single time, you might very well miss it

I&#x27;m sure C will be still going for a while yet in embedded development ... microcontrollers, etc. There&#x27;s usually no other option except assembler.

Hardware level approaches to making C more secure are in the works at Intel. Hardware assisted bounds checking and the like...<a href="http:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Intel_MPX" rel="nofollow">http:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Intel_MPX</a><p>The main thing that will finally convince people that a high-level of abstraction is OK for OS level programming is for someone to get off their a$$ and build one. (That&#x27;s actually usable. It would have to be SO usable that people could quickly build out the new user code to make something like *nix or windows seem like more of a hassle in contrast. That&#x27;s such an insanely tall order...not sure how you get there.)<p>I think that the best you&#x27;ll ever be able to do is to build systems with frameworks that are safe(r). People won&#x27;t give up C because it makes them feel smarter. The pile of code for C based systems will be with us forever. A new system would have to be able to do all that AND be safe.

My list of &quot;things I hate about C&quot; is about 4 pages long now, after many years in embedded development (and a few in scientific computing prior to that). As soon as a viable replacement for it comes, I&#x27;m going to get drunk, ritually burn K&amp;R&#x27;s &quot;The C Programming Language&quot; then get drunk again. But I&#x27;ve been waiting for that day for a long, long, long time, and there&#x27;s still no sign of it, not even with Rust (<i>maybe</i> with Go but we&#x27;ll have to see).<p>I cannot think of a single systems programming language that has not vowed to put an end to all this buffer overflow and dangling pointers mess. The ones I tried so far (I think there&#x27;s a dozen...) failed because of at least of one of the following items:<p>* Some of them mainly achieve safety by forbidding any unsafe read or write -- and then when you <i>have</i> to do a read or a write, they implement that by cleverly eschewing a protection mechanism or by isolating everything in an unsafe area. The former is disastrous because you can have bugs that eschew the protection mechanisms, too (see Heartbleed -- which can be <i>perfectly</i> replicated in Rust or Go); the latter, while useful in most application software, is next to useless in my day to day activity, where I have entire <i>modules</i> that consist of nothing other than unsafe reads or writes. At that point I might as well be using C.<p>* Others mainly achieve safety through a complicated system of annotations (&quot;this parameter must not be NULL&quot;) or a type system that makes certain guarantees (&quot;these parameter can never be NULL&quot;). The end result is a system of annotations and&#x2F;or types which you can describe in about as much space as The C Programming Languages takes to describe the whole language. Barring the fact that my memory is limited after ingesting C++, real life experience shows that &quot;more complexity&quot; is how bugs get introduced, rather than resolved. Except that the new problems don&#x27;t arise because a pointer is pointing where it shouldn&#x27;t, but rather because 1 == 1 returns False for certain types of 1 or something.<p>* Aaand some of them simply delude themselves through clever sandboxing and protected writes, ignoring the fact that the sandboxing back-end is C all the way and can be exploited. Except it&#x27;s so mind-boggingly complex that fixing it is incredibly complicated.<p>Historically, there have been many instances of <i>operating systems</i> written in high-level (ish) languages. Hell, there are operating systems written in Common Lisp. It can be done. People haven&#x27;t flocked towards high-level languages despite 30 bloody years, if not more, of operating systems written in high-level languages because it turns out you usually can&#x27;t do it unless you turn most of those fancy protection features off. At which point you end up with C, only with a more complicated syntax, and why the hell bother?<p>The key to writing secure software that doesn&#x27;t crash <i>is still</i> in correct programming. Tooling can help, but no language, no matter how fancy and hand-holding, is going to compensate for that.

Newbie here. Can anyone share their experiences with Rust?

Can anybody point me to a good &#x27;modern c programming&#x27; book?<p>I liked the approach of Learn C the Hard Way, (i.e. lesson 1: &quot;Now compile the hello.c with -Wall&quot;, lesson 2: &quot;Lets learn to write simple makefiles&quot;,..., lesson 4: &quot;Lets use Valgrind&quot;, ...)<p>But the latest revision of the last chapter that I remember had quite a good critique of K&amp;R&#x27;s C writing style, now contains just a rant on internet trolls (?). <a href="http:&#x2F;&#x2F;c.learncodethehardway.org&#x2F;book&#x2F;krcritique.html" rel="nofollow">http:&#x2F;&#x2F;c.learncodethehardway.org&#x2F;book&#x2F;krcritique.html</a>

In order for a language to replace C, it <i>has</i> to do two things: 1) be able to write an OS kernel competitive with Linux in this language. 2) get its compiler(s) ported to new architectures, including the Top500 supercomputers, where I work. Note that these two help each other: you make a new architecture, you either code a custom OS in C or port Linux, both of which start with a port of a C compiler. If your language can&#x27;t do the OS thing, C will remain out of necessity, and be too tempting and stable an alternative.

I think the article points out the real problem: overly complex code. If you make the effort to write sensible, simple, easy to understand code, it&#x27;s definitely possible to review every line of code to ensure there are no memory management bugs.

There is no way that any language can truly replace C at this point, C will still be around for the foreseeable future. We should learn to coexist with it not replace it.

And here&#x27;s hoping for the death of sensationalist articles with zero substance.

Safe programming is bogus programming.

Terrible title. A more useful dialogue would be along the lines of &quot;Death to C where it is inappropriate&quot;, but C isn&#x27;t used much these days where it&#x27;s the wrong tool for the job. Mostly, C is used for the things that C does very well. Maybe we&#x27;d agree on &quot;Death to C++ where it&#x27;s inappropriate&quot;, because C++ is much more often used (than C) where it isn&#x27;t appropriate. Then we have to go down the rabbit hole of <i>why</i> C++ often sucks, and we realize that it&#x27;s not even that it&#x27;s a bad language itself (not that it&#x27;s great, but it doesn&#x27;t have to be horrible) so much as object-oriented programming (OOP) has been bastardized by business, and misused by reactively-writing programmers under tight deadlines, to create obfuscation. Then we realize that this problem is even more severe in Java codebases. Then we wonder if a new language can really fix a problem (code quality) that is partially sociological and political...<p>The counterexample to the &quot;C is unsafe&quot; argument is that C is what people use for extremely high-reliability programming. I prefer Haskell, and Rust is promising, but the fact is that JPL uses C. The Mars Rover is probably running C code. While C is insecure as hell under typical corporate use (tight deadlines, unskilled programmers) it can be pretty damn reliable in the right hands.

Jon Evans, master complainer. C could be improved, but the amount of important C code out there (Linux...) militates against adopting a new C. Is someone going to pay to switch over the code base?<p>Ultimately if a newer, tighter, safer C is going to arise it must come fron the GCC or LLVM people.<p>Go: owned by google so it&#x27;s a no-go.