Why Bloat Is Still Software’s Biggest Vulnerability

H. S. Teoh hsteoh at qfbox.info
Tue Feb 13 01:16:49 UTC 2024


On Mon, Feb 12, 2024 at 11:49:31PM +0000, deadalnix via Digitalmars-d wrote:
> On Monday, 12 February 2024 at 17:30:23 UTC, H. S. Teoh wrote:
> > All this not even to mention the insanity that sometimes specifying
> > just *one* dependency will pull in tens or even hundreds of
> > recursive dependencies. A hello world program depends on a standard
> > I/O package, which in turn depends on a date-formatting package,
> > which in turn depends on the locales package, which in turn depends
> > on the internet timeserver client package, which depends on the
> > cryptography package, ad nauseam.  And so it takes a totally insane
> > amount of packages just to print Hello World on the screen.
> > 
> 
> "Funny" example of that.
> 
> I wanted to learn how to do a react project from scratch. Not using a
> framework or anything, just piecing the stuff together to make it work
> myself.
> 
> So babel, webpack, react, jest for testing and stylex for CSS. That's
> it.  Arguably a lot by some standard, but by no means something wild,
> the JS equivalent of a build system and a test framework.
> 
> The project currently has 1103 dependencies. Voila. Pure madness.

Recently while working on my minimal druntime for wasm (one primary
motivation for which is to let me write D code when I absolutely can't
escape the tyranny of the browser instead of having to deal with the
madness that is the JS ecosystem), I noticed a lot of cruft in druntime
and Phobos, stuff that got piled on because we added this or that new
feature / type modifier / etc..  Code that used to be straightforward
acquired layers of complexity because now we have to deal with this or
that case that we didn't need to worry about before.  Also, past
mistakes that we're still paying for, like the ubiquity of TypeInfos in
internal APIs dating from when D didn't have templates.

The recent push to templatize druntime has actually been a great saver,
though: I got things like array operations working without incurring the
bloat of TypeInfos thanks to the current compiler emitting template
calls instead of TypeInfo-dependent static calls for said operations. I
think this is a very important step to move Phobos/druntime toward a
pay-as-you-use model instead of the upfront cost of TypeInfos.

If only more projects were built with the pay-as-you-use model instead of
the blanket "I need this dependency, let's pull in the whole hairball of
recursive dependencies too".  In an ideal world, things like std.stdio
would import things like floating-point formatting code only if you
actually use %f and pass a float/double to format(). Otherwise it won't
even import the module and you won't pull in anything that you don't
actually need.  (I actually have an incomplete replica of std.format
written according to this philosophy -- it doesn't even instantiate
floating-point formatting code unless you actually passed a float to
format() at some point. In an ideal world the whole of druntime / phobos
would be built this way, tiny standalone pieces that only get pulled in
with actual use.  Not like the last time I checked, where a Hello World
program for some inscrutable reason pulled in BigInt code into the
executable.)


T

-- 
Democracy: The triumph of popularity over principle. -- C.Bond
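Added example (not the poster's std.format replica and not druntime/Phobos code): a toy pay-as-you-use formatter in D showing the mechanism the message describes. Each argument kind has its own formatter template, and a variadic fmt() dispatches on static type, so the floating-point formatter is only instantiated, and only ends up in the binary, when some call site actually passes a float/double/real. The names fmt, formatAny, formatInteger and formatFloat are made up for this example; the pragma(msg) lines print at compile time and act as the receipt for which formatters were instantiated.

```d
// Added example, not code from the thread or from druntime/Phobos: a tiny
// "pay-as-you-use" string formatter. Every argument kind has its own formatter
// template, and the variadic fmt() only instantiates the formatters for the
// static types that actually appear at a call site. A program that never passes
// a floating-point argument never compiles formatFloat at all.
//
// std.traits is compile-time only; importing it adds no object code.
import std.traits : isFloatingPoint, isIntegral, isSigned, Unsigned;

/// Hand-rolled integer-to-decimal conversion so nothing from std.format is pulled in.
string formatInteger(T)(T value) if (isIntegral!T)
{
    // Printed once per instantiation at compile time: the "receipt" showing
    // which formatters ended up in this build.
    pragma(msg, "instantiated formatInteger!(" ~ T.stringof ~ ")");

    bool negative = false;
    static if (isSigned!T)
    {
        if (value < 0)
            negative = true;
    }

    // Negate in the unsigned counterpart so T.min does not overflow.
    alias U = Unsigned!T;
    ulong mag = negative ? cast(ulong) cast(U)(0 - cast(U) value) : cast(ulong) value;

    char[24] buf;                       // 20 digits plus sign is the worst case
    size_t pos = buf.length;
    do
    {
        buf[--pos] = cast(char)('0' + mag % 10);
        mag /= 10;
    }
    while (mag != 0);
    if (negative)
        buf[--pos] = '-';
    return buf[pos .. $].idup;
}

/// Deliberately simple fixed-point conversion (no exponent form, no rounding
/// modes). Its quality is not the point; the point is that it exists in the
/// binary only when some call site passes a float, double or real.
string formatFloat(T)(T value, uint decimals = 3) if (isFloatingPoint!T)
{
    pragma(msg, "instantiated formatFloat!(" ~ T.stringof ~ ")");

    if (value != value)
        return "nan";
    bool negative = value < 0;
    if (negative)
        value = -value;
    if (value == T.infinity)
        return negative ? "-inf" : "inf";

    ulong scale = 1;
    foreach (_; 0 .. decimals)
        scale *= 10;
    ulong whole = cast(ulong) value;
    ulong frac = cast(ulong)((value - whole) * scale + 0.5);
    if (frac >= scale)                  // rounding carried into the integer part
    {
        whole += 1;
        frac -= scale;
    }
    string fracStr = formatInteger(frac);   // instantiates formatInteger!(ulong) too
    while (fracStr.length < decimals)
        fracStr = "0" ~ fracStr;
    return (negative ? "-" : "") ~ formatInteger(whole) ~ "." ~ fracStr;
}

/// Dispatch on the static type. An unsupported type is a compile error at the
/// call site rather than a silent fallback into a general-purpose formatter.
string formatAny(T)(T value)
{
    static if (is(T == bool))
        return value ? "true" : "false";
    else static if (isIntegral!T)
        return formatInteger(value);
    else static if (isFloatingPoint!T)
        return formatFloat(value);
    else static if (is(T : const(char)[]))
        return value.idup;
    else
        static assert(0, "no formatter for " ~ T.stringof ~ "; add one rather than importing std.format");
}

/// Replace each "{}" in spec with the next argument. The recursion over the
/// argument tuple unrolls at compile time, so only formatters for the types
/// present in Args are ever instantiated.
string fmt(Args...)(string spec, Args args)
{
    static if (Args.length == 0)
    {
        return spec;
    }
    else
    {
        size_t at = size_t.max;
        if (spec.length >= 2)
            foreach (i; 0 .. spec.length - 1)
                if (spec[i] == '{' && spec[i + 1] == '}')
                {
                    at = i;
                    break;
                }
        if (at == size_t.max)
            return spec;                // more arguments than placeholders: extras dropped
        return spec[0 .. at] ~ formatAny(args[0]) ~ fmt(spec[at + 2 .. $], args[1 .. $]);
    }
}

void main()
{
    import core.stdc.stdio : printf;    // C stdio only; no std.stdio, no std.format

    // Only strings and ints reach fmt() here. `dmd -c pay_as_you_use.d` prints
    // "instantiated formatInteger!(int)" and nothing about formatFloat: the
    // float code is absent from the object file. Building with -unittest runs
    // the tests below, which do pass a double and therefore pull it in.
    string line = fmt("hello {} world, attempt {} of {}", "wasm", 1, 3);
    printf("%.*s\n", cast(int) line.length, line.ptr);
}

unittest
{
    assert(formatInteger(0) == "0");
    assert(formatInteger(-5) == "-5");
    assert(formatInteger(int.min) == "-2147483648");
    assert(formatInteger(ulong.max) == "18446744073709551615");
    assert(fmt("{} + {} = {}", 2, 3, 5) == "2 + 3 = 5");
    assert(fmt("no placeholders", 1) == "no placeholders");
    assert(fmt("{} says {}", "alice", true) == "alice says true");
    // The only place a floating-point argument appears in this file.
    assert(formatFloat(3.14159) == "3.142");
    assert(formatFloat(-0.5) == "-0.500");
    assert(formatFloat(2.9996) == "3.000");
    assert(fmt("pi ~ {}", 3.14159) == "pi ~ 3.142");
}
```

Compile it twice to see the effect: `dmd -c pay_as_you_use.d` prints only the formatInteger!(int) receipt, while `dmd -unittest -run pay_as_you_use.d` also prints formatFloat!(double) and formatInteger!(ulong), because the unittest block is now a call site that passes a double. The static assert in formatAny is the other half of the discipline: a type nobody wrote a formatter for fails to compile instead of quietly dragging a general-purpose formatter (and everything it imports) into the build.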