
Because Microsoft (and Google, who shares this opinion on memory safety in c++) are the groups that develop asan and similar tools, and who have some of the best practices around code review, testing, and CI.

Yet they still say Rust is better in the long run. Why do you think that is?



Valgrind was not developed by Google and probably accounts for the main reduction. Asan has seen a way more recent takeup in OSS.

Microsoft and Google are not monoliths, and this particular submission is from a "cloud developer advocate", so I attach exactly zero importance to it as far as C/C++ are concerned.


> , so I attach exactly zero importance to it as far as C/C++ are concerned.

He's repeating statistics that members of the C++ committee will agree with, so I'm not sure what's controversial.

> Valgrind was not developed by Google and probably accounts for the main reduction. Asan has seen a way more recent takeup in OSS.

You miss the point. Despite these things, and despite aggressive compiler flags and everything else, the majority of bugs are memory safety issues. Whether you look at Windows, Chrome, or the Linux kernel itself (KASAN). That seems fairly conclusive.

And yet here you are arguing, what exactly? That the person making the statement isn't technical enough for you, so it's all lies?

As a bit of an aside,

> Valgrind was not developed by Google and probably accounts for the main reduction

I never said it was. However, one of the most active maintainers works at Mozilla, whose opinion on the safety of C++ is also probably in line with Google and Microsoft here, given their relationship with Rust.


I think this has been discussed here each time someone cites that infamous 70% statistic in a Rust thread:

This is about CVEs. CVEs are about exploitable vulnerabilities, and most useful software in that area is in C/C++.

In the OSS project I'm familiar with, most critical issues are not memory safety issues. Most are logic bugs.

I'm not familiar with the safety testing in Windows, which for a start does not support Valgrind or the sanitizers.

Neither am I familiar with the feature oriented culture of Chrome.

If anything, I'd be interested in the numbers for the internal ad-critical C++ code in Google or an HFT bank.


> This is about CVEs. CVEs are about exploitable vulnerabilities, and most of useful software in that area is in C/C++.

I'm not sure what you're getting at here. The claim isn't that 70% of CVEs are memory vulns, but that 70% of CVEs in C/C++ are memory vulns. So how much or how little C/C++ is used is irrelevant.

> If anything, I'd be interested in the numbers for the internal ad-critical C++ code in Google or an HFT bank.

Do you think that Google wouldn't be pushing as hard as they are for improvements in this space if they thought things were fine and dandy?



