D enters Tiobe top 20
Timon Gehr
timon.gehr at gmx.ch
Fri Nov 8 12:11:26 UTC 2019
On 08.11.19 11:25, Walter Bright wrote:
> On 11/8/2019 2:09 AM, Timon Gehr wrote:
>> On 08.11.19 04:43, Walter Bright wrote:
>>> I don't see anything on that site that contradicts what I wrote. In
>>> particular:
>>>
>>> "Rust's core type system prohibits the aliasing of mutable state, but
>>> this is too restrictive for implementing some low-level data
>>> structures. Consequently, Rust's standard libraries make widespread
>>> internal use of "unsafe" blocks, which enable them to opt out of the
>>> type system when necessary. The hope is that such "unsafe" code is
>>> properly encapsulated, so that Rust's language-level safety
>>> guarantees are preserved. But due to Rust's reliance on a weak memory
>>> model of concurrency, along with its bleeding-edge type system,
>>> verifying that Rust and its libraries are actually safe will require
>>> fundamental advances to the state of the art."
>>>
>>> is saying the same thing.
>>
>> Indeed, but more importantly, this group is working on verification
>> techniques for unsafe Rust code, so it is likely that unsafe Rust
>> libraries will be proved correct in the future.
>
> I read it as ensuring the interface to the unsafe code is correct, not
> the unsafe code itself. I.e. "is properly encapsulated".
> ...
Read the next sentence after that. In general, feel free to read it any
way you like, but that's not going to change the goals of the project,
which correspond to my summary.
https://plv.mpi-sws.org/rustbelt/popl18/paper.pdf
Last sentences in abstract: "Our proof is extensible in the sense that,
for each new Rust library that uses unsafe features, we can say what
verification condition it must satisfy in order for it to be deemed a
safe extension to the language. We have carried out this verification
for some of the most important libraries that are used throughout the
Rust ecosystem."
> After all, if the unsafe code can be proved correct, then it is no
> longer unsafe, and Rust's ownership/borrowing system can be dispensed
> with entirely as unnecessary for safety.
> ...
That stance makes little sense. The proofs are manual. As an analogy,
it's a bit like saying "if it is realistic to audit @trusted functions,
we can just mark the entire codebase @trusted, obtaining memory safe
code without any of the @safe restrictions". The difference is that
here, the proofs can be checked by the computer, but that doesn't make
them much easier to provide.
> I'm happy to let the CS Phd's work on those problems, as I am way out of
> my depth on it.
> ...
I understand, but I can't help but notice that you often choose to
contradict what they are saying on those issues anyway. The bird's-eye
perspective you would get from an understanding of program verification
and dependent type theory would help a lot for the design of sound and
expressive type system extensions, such as O/B for D.
> I've convinced myself that the Ownership/Borrowing notion is sound, but
> have no idea how to formally prove it.
> ...
One way is to embed it into separation logic. It's in the paper below.
>> There is also this recent work on functional verification of safe Rust
>> code:
>> http://people.inf.ethz.ch/summersa/wiki/lib/exe/fetch.php?media=papers:prusti.pdf
>>
>
> I don't see any reason why the techniques used in the paper wouldn't
> work on D,
Indeed, separation logic "works" on any language:
https://vst.cs.princeton.edu/download/VC.pdf
https://vst.cs.princeton.edu/veric/
The reason why you want both @safe and @system code is that most
programmers are unable or unwilling to manually carry out memory safety
proofs for all the code they write.
> given O/B.
> ...
Sure. Given O/B of the same caliber, you would get a similar
simplification of correctness proofs. But right now we don't have
correctness proofs at all, and a lot of times when program verification
came up on this newsgroup it was rejected with a vague reference to the
halting problem.
> Note that the paper says: "We do not address unsafe code in this paper".
(I'm aware, having read the paper. Which is of course why I described it
as "functional verification of _safe_ Rust code". They also refer to
RustBelt for verification of unsafe code.)
More information about the Digitalmars-d
mailing list