Hacker News: uecker

New comment by uecker in "Show HN: Microcrad – Micrograd Reimplemented in C"

uecker — Sun, 21 Jun 2026 08:38:27 +0000

Reserved identifiers in general are not only for future use of the standard, but also for internal use of implementations and for extensions. The single-under bar rule is to give the programmer some part of the _... namespace which is otherwise reserved for the implementation. I.e. for use in macros, variables, or struct members. The intention is for use in hidden names in some API.

New comment by uecker in "Show HN: Microcrad – Micrograd Reimplemented in C"

uecker — Sat, 20 Jun 2026 21:07:04 +0000

In C, you would typically rely much more on tooling to find bugs (but there are different styles and opinions). Checking for null is not bad, but does not usually add anything. If you de-reference a null pointer, you get a segmentation fault (which is safe) and a debugger will give a nice backtrace. So why catch this by writing additional code if the right tool will give you this automatically? A sanitizer could also add such tests automatically.

For a similar reason, it makes sense to use signed integers. A signed overflow sanitizer will find the overflow bugs or safely terminate the program. Finding unsigned wraparound bugs is much harder.

New comment by uecker in "Show HN: Microcrad – Micrograd Reimplemented in C"

uecker — Sat, 20 Jun 2026 20:11:01 +0000

Also reserved as identifier with file scope, just not for "any use". In any case, the program used underbar + capital letter.

New comment by uecker in "Show HN: Microcrad – Micrograd Reimplemented in C"

uecker — Sat, 20 Jun 2026 19:12:05 +0000

Two things stick out as un-idiomatic for C. First, the casts before malloc are unnecessary. This you do in C++ but not in C. Second, names with beginning underscore are reserved, and the underscore + capital letter is specifically problematic.

The rest looks fairly nice but there are a couple of things I would do differently: I would not have the tests for NULL, but use signed integers for indices and dimensions, use a flexible array member to integrate the data into the vector type directly, and omit the capacity field (as long as benchmarking does not show it is really needed). I would also use variably modified types for bounds checking, and with C23 the include guards become largely unnecessary.

(edit: minor edit for clarity)

New comment by uecker in "How memory safety CVEs differ between Rust and C/C++"

uecker — Fri, 19 Jun 2026 05:02:58 +0000

By complexity I mean roughly the number of language rules / techniques / idioms a programmer has to understand and keep in their head to be able to program effectively. I would say this is far lower in C than in Rust. I do not see how the additional hoops Rust makes you jump through makes it easier to achieve a goal, but I see how it can help prevent certain errors (but not many others).

It also seems obvious that the problematic aspect of getting anything done in Rust is fully compensated by having a lot of libraries available quickly via Cargo, so people are essentially just assembling things at a high-level. And in principle, I think this is a very good thing, but in the way this is implemented it comes with severe supply chain risks.

New comment by uecker in "How memory safety CVEs differ between Rust and C/C++"

uecker — Thu, 18 Jun 2026 04:46:55 +0000

The check can not be removed if it becomes before the access because in this case the program has no UB.

If there were UB, a compiler in C is not allowed to move (time-travel) UB before any observable behavior. This was never allowed by in C (int contrast to C++), but the wording was not clear, which we fixed in C23.

If there is no check, you are right that the access itself is UB and there is no requirement to trap in ISO C, but this is something compilers explicitly support. (and it might be required by POSIX, but I am not sure)

New comment by uecker in "How memory safety CVEs differ between Rust and C/C++"

uecker — Wed, 17 Jun 2026 05:24:30 +0000

I did not know this was disputed, as even developer surveys in the Rust community highlighted complexity as a concern. But seems it is the overall summary of features that make it complex: lifetime, borrowing, a polymorphic type system, traits, multiple tools to manage lifetimes, macros, proc macros, async, unsafe, panic, unwrap, etc. But I agree it is much cleaner than C++.

New comment by uecker in "How memory safety CVEs differ between Rust and C/C++"

uecker — Tue, 16 Jun 2026 16:03:50 +0000

I guess this depends on what you might corrupt (if it is not valuable but irrelevant intermediate state it might be ok) and what the consequences of an outage are.

In any case, I largely tend to agree with you that this is better in most scenarios (not for the cloudflare incident though). But a segfault in C for a null pointer dereference would have exactly the same result, which is why null pointer dereferences are a terribly example if you want to show the advantages of Rust.

The only example I know where I think Rust clearly has a real advantage are lifetimes.

New comment by uecker in "How memory safety CVEs differ between Rust and C/C++"

uecker — Tue, 16 Jun 2026 15:51:53 +0000

Considering the amount of C programs that exist, the "we see severe bugs in C code seemingly every week" is on the same level of propaganda as we see "crime in the news every week" when the real societal problems are entirely different.

New comment by uecker in "How memory safety CVEs differ between Rust and C/C++"

uecker — Tue, 16 Jun 2026 15:20:51 +0000

There are certainly good parts in Rust that force you deal with inherent issues explicitly. I do not think this justifies a language with the complexity of Rust, but I would agree it is preferable to C++ in this regard.

New comment by uecker in "How memory safety CVEs differ between Rust and C/C++"

uecker — Tue, 16 Jun 2026 15:12:31 +0000

A major global internet outage can certainly considered a "clear signal". Still not sure this was a good thing though.

New comment by uecker in "How memory safety CVEs differ between Rust and C/C++"

uecker — Tue, 16 Jun 2026 15:08:25 +0000

The check is removed only if you already dereference the pointer before doing the check. But then, you also get the trap before the check. So the compiler eliding the check is not making this worse - as long as the zero page is not mapped.

In any case, you can also configure GCC to not do this, and you can also configure it to insert explicit null checks before dereferencing a pointer. So C can offer you security and reproducibility (in this aspect).

New comment by uecker in "How memory safety CVEs differ between Rust and C/C++"

uecker — Tue, 16 Jun 2026 05:14:13 +0000

Do you have any evidence for this? On GCC it should be safe.

(EDIT: what is not safe is indexing into a null pointer. For this you need to be safe you need -fsanitize=null)

New comment by uecker in "How memory safety CVEs differ between Rust and C/C++"

uecker — Tue, 16 Jun 2026 05:04:35 +0000

There can be made very good arguments why C is less safe than Rust, but null pointer dereferences which are perfectly safe everywhere except on weird platforms (and usually could be made safe even there by turning on a compiler flag) seems a very misleading argument.

And as as the Cloudflare incident showed, a Rust unwrap can have equally bad consequences. (or as Ariane 5 showed, a safe overflow in Ada can have explosive consequences)

New comment by uecker in "How memory safety CVEs differ between Rust and C/C++"

uecker — Tue, 16 Jun 2026 05:00:18 +0000

While it is undefined behavior on the C standard level it a null pointer dereference is guaranteed to trap on most platforms.

New comment by uecker in "How memory safety CVEs differ between Rust and C/C++"

uecker — Tue, 16 Jun 2026 04:57:39 +0000

You need to turn it off by defining NDEBUG. While sometimes it is not for release builds, I am not sure this is common.

New comment by uecker in "How memory safety CVEs differ between Rust and C/C++"

uecker — Tue, 16 Jun 2026 04:56:03 +0000

The kernel is perhaps bit special. In the past they had bugs such as first derferencing and then checking for null and weird possibilities to map the zero page. But today I am not convinced this is really needed.

In general on a system where you trap when accessing the zero page, this optimization should be safe and a null pointer dereferences should (safely) trap.

New comment by uecker in "Orthodox C++ (2016)"

uecker — Sun, 14 Jun 2026 08:07:51 +0000

The license is indeed the big reason for many proprietary forks (not so much that llvm is written in C++). This is not a good thing though.

New comment by uecker in "Orthodox C++ (2016)"

uecker — Sun, 14 Jun 2026 07:45:20 +0000

The question is whether GCC is a good example of the benefits of C++ for compilers. Considering the code looks to 95% like C code and uses data structures that we originally implemented in C, I don't see this argument.

New comment by uecker in "Orthodox C++ (2016)"

uecker — Sun, 14 Jun 2026 07:37:18 +0000

There is a difference between "needing a library" and "implement my own". One can just pick one. And even when implementing things yourself, one has to do this just once.