How does Ada's memory safety compare against Rust?
121 comments
·February 10, 2025mustache_kimono
ajxs
The history of computing has many examples of products and languages winning out over technically superior alternatives for non-technical reasons. Like Linux gaining a lot of momentum because of the BSD lawsuit. This[0] is one of my favourite comments on HN. It shows us one of the paths not taken in the evolution of operating systems.
> It's okay to like the project strictly because of the language chosen.
I think that the massive groundswell of interest around Rust will end up being positive overall. At this point I can't see us going back to the way things were. I can't imagine any new systems programming languages gaining traction that aren't at least as safe as Rust.
cardanome
> At this point I can't see us going back to the way things were. I can't imagine any new systems programming languages gaining traction that aren't at least as safe as Rust.
I see Rust being used in many context where it's safety features aren't really needed or even a hindrance like game dev.
Honestly the safety is overstated in importance. The amazing tooling, decent package manager, great error messages, the inclusive community, the type system that took the low hanging fruits from the academic functional programming world, are much more relevant for its success.
The problem with Rust is that it made using languages without automatic garbage collection acceptable again and I am not sure if this is good. The borrow checker is a neat solution and might be a good fit for certain niches but automatic garbage collection is just vastly more ergonomic to use.
We had Lisp Machines, we need to go back to future.
the__alchemist
I'm with you - I like Rust for the overall pros/con balance, in context of with its alternatives. Safety is one thing. The tooling, error messages, type system etc you mention is another. Having mutable references as function parameters is another big one, shared by surprisingly few alternatives.
tuetuopay
I've written Rust professionally for the past 6 years, and pretty much exclusively for stuff where memory safety is the least of my concerns (even speed!). I've made gRPC APIs, agents running on machines to setup configuration and such. The usual suspects for this work would usually be Python or Go.
You've pretty much summed up why I'm standing behind Rust for non-memory-critical applications: tooling, error messages, and the type system. For business logic, you cannot beat all that, as a lot of business errors can be avoided using those (all praise the Rust enums!). Also, you've summarized my feeling about the functional world embraced by rust: it provides quite a bit, without requiring a Haskell PhD to write it. Seriously, iterators and the associated trait are a godsend (even though having to always write .iter()....collect() is sometimes clunky).
As for the GC. I've yet to come to situations where the lack of GC was the real hindrance. It has more to do with futures adding not easy to grasp lifetime bounds to data, but one quickly learns to embrace it by moving data when needed. Combined with channels and Arc, there are many escape hatches making in my opinion the GC a non-issue.
IMHO, making GC-less languages acceptable again is a good thing, because it keeps diversity in the ecosystem and gives options. It also shows that doing without GC does not relegates written code to manual memory management like C/C++. In fact, Swift does the same and is pretty good at being a GC-less language. Both Rust and Swift are languages where memory management is opinionated by embedding it in the language, and thus ergonomic. Frankly, I rarely think about "oh hey, I wished I had a GC".
zozbot234
GC implementations are widely available in Rust. You don't have to use garbage collection in Rust, but it doesn't stop you either. You just have to import some custom crate and 'implement' tracing for your own data types.
Galanwe
> I can't imagine any new systems programming languages gaining traction that aren't at least as safe as Rust.
I don't think safety is a 1 dimensional spectrum (say from 0% to 100%). I view it more as a multidimensional thing, and tradeoffs between these dimensions.
Rust invested a lot on _some dimension_ of safety, which is essentially static borrowing and aliasing. And the tradeoffs for this are numerous: Dynamic safety is either much harder in Rust (due to unsafe being vastly more dangerous and hard to get right vs say, a C program), or at the expense of performance (I.e. just Arc<Mutex<>> or copy everything). That also comes at the expense of an immense cognitive burden for the programmer.
I see a lot of space for different tradeoffs on different dimensions of safety.
oneshtein
> due to unsafe being vastly more dangerous and hard to get right vs say, a C program
It's not true. Both C (clang), C++, and Rust use same LLVM compiler, so both have same constraints in the unsafe mode. C/C++ developers just not care.
bigstrat2003
That comment was great. It's so hard for me (raised on Windows and now immersed in Linux) to imagine something so foreign to the OS paradigms I'm used to. It just goes to show how much the things you are used to can limit your thinking.
beagle3
Windows NT was supposed to be a modernized VMS (And legend has VMS+1=WNT, each letter individually…) - and given a face similar to Win 3.1 (and then 95/98/Me and then they were unified in XP)
It has a lot of the VMS features, and most of them are unused or effectively only used by malware (e.g. alternate file streams).
I did not get a chance to use VMS myself, but I did use Unix (and VMS/CMS, and a bunch of other OSes) at a time VAX was still a viable alternative even for greenfield projects.
My impression is that it is sort of like J/K/APL - powerful, compact, coherent, got almost everything right from a technical standpoint - but not friendly, feels foreign, and not liked by anyone who has ever used a Unix, or Windows, or a Mac - which is 99% of the relevant population since about 1985.
(Added): Macs also had multiple file streams (“forks”). It doesn’t anymore, for many reasons, but the chief one is interoperability. Less is more, worse is better.
baranul
> The history of computing has many examples of products and languages winning out over technically superior alternatives for non-technical reasons.
Unfortunately, the history shows that such technically inferior languages and products winning out are also because of outright market manipulation by their corporate backers, tons of money in ads, or attacks on competitors. The elephant in the room, is to look at what's generating or paying for the hype and marketing behind recent programming languages like Rust and Zig (for example).
> I think that the massive groundswell of interest around Rust...
A review of the groundswell, around Rust or Zig, is its not attributable to just grassroots or genuine interest, and can significantly be the result of outright astroturfing and artificial brigading. Sadly, many people follow along with the marketing or are bombarded into submission, "must rewrite in X" or "GC all bad and manual all good" foolishness, versus actual use case and legitimate examination of language tradeoffs.
lII1lIlI11ll
> At this point I can't see us going back to the way things were. I can't imagine any new systems programming languages gaining traction that aren't at least as safe as Rust.
Zig seems to be gaining traction. Hard to predict whether it will succeed or slowly fizzle out after the initial excitement phase though.
dralley
Is Zig gaining traction? It almost seems like the project has gone radio silent in the past year. It's hard for a language to get traction when it's not even 1.0 and there's not much of a roadmap on how and when they'll get there.
bawolff
> The history of computing has many examples of products and languages winning out over technically superior alternatives for non-technical reasons.
While this is undoubtedly true, i suspect that there are also many cases where people presume the reasons are non-technical but when examined closly turn out to have hidden technical issues.
bbarnett
I can't imagine any new systems programming languages gaining traction that aren't at least as safe as Rust.
Am I allowed to sigh here? It's a good thought, but this is humanity we're talking about here.
All it requires is some big-project, some big-corp creating some essential ecosystem with lame-language-A, and now it's got traction.
And frankly, look at rust and its weird crates. Weird as in "Let's make a super-safe language, then import random stuff from unknowns, unaudited, and just hope it all works out."
If rust was really serious about security, only signed crates from validated developers, with code review would be the norm. Oh but wait, that'd be "not easy".
pdimitar
What's your suggestion, exactly?
Vetting code is extremely expensive in terms of human time and human energy. Sadly it's not only a problem for Rust, it's a problem for every single programming language out there.
pjmlp
Ada is also used in European transport infrastructure.
There are enough customers around the globe to keep 7 Ada compiler vendors in business, not many language ecosystems can claim that, in the age folks don't pay for their tools most of the time.
randomNumber7
ADA is really great. You can use it to safely blow rockets up in the air.
pjmlp
Caused by a logic error of using the wrong software on newer hardware.
ksec
Linus doesn't like Ada. His' opinion on Ada (vs Rust):
> We've had the system people who used Modula-2 or Ada, and I have to say Rust looks a lot better than either of those two disasters.
https://www.infoworld.com/article/2247741/linux-at-25-linus-...
bandrami
> Virtually no greenfield projects except for DOD
OTOH, DoD (and some public sector orgs in Europe) are extremely important customers of some of the companies that directly contribute the most support to the Linux kernel in a way that no Rust project is.
null
Yoric
Thank you very much!
I have been attempting to compare Ada and Rust for a while, but never got around to doing it quite so much in depth.
So, my take on this is that:
- out of the box, Rust is distinctly better at memory safety than Ada without SPARK
- Ada + SPARK is extremely powerful (but iirc, SPARK doesn't allow compositional reasoning, which makes it harder to use in a crate-based library)
- for this specific use case, Rust's error model makes much more sense than Ada's (with or without SPARK)
- Ada's tooling to avoid memory allocation remain more powerful in some dimensions than Rust's.
Also, I think that we all (should) agree that the move towards memory safety in system-level programming is a very good thing, whether it comes through Rust, Ada, or any other language.
pjmlp
Directly using Unchecked_Deallocation is frowned upon, either use ControlledTypes (which the article mentions), or Bound/Unbounded Collections (which the article misses).
Using it directly is similar to the usual discussion of using unsafe in Rust for double linked lists.
As of Ada 202x, SPARK covers most of the language, no longer a subset, and also does affine types, aka borrow checking.
ajxs
> Directly using Unchecked_Deallocation is frowned upon...
This is true. I admit that I didn't really acknowledge this in the article. I personally don't really like the Ada community's consensus on this matter. In many applications 'let memory leak and let the OS sort it out' just won't cut it. It's true that you can use controlled types for everything, but isn't this just moving the Unchecked_Deallocation somewhere out of sight? Also, if I'd have written 'You can't leak memory in Ada if you stick to using collections', wouldn't that just be like saying 'You can't leak memory in C++ if you stick to using the STL'? The point of the article was to show what Ada and Rust do to outrightly prevent you from shooting yourself in the foot, at the core language level.
There's a lot of misconceptions floating around the Ada community about memory being freed automatically when it goes out of scope, which I think have stemmed from the ARM leaving open the possibility for a compiler to implement its own GC. Admittedly even I was misinformed. In my defence, nearly all the Ada I write is for bare metal, and never touches the heap at all.
pjmlp
> ...'let memory leak and let the OS sort it out'..
I wouldn't be surprise to hear this from C or C++ folks, never heard this in Ada circles, there is always that missile meme going around, and I happened in the past to occasionally drop into FOSDEM Ada's rooms.
Speaking of which,
"Memory Management with Ada 2012 from FOSDEM 2016"
https://archive.fosdem.org/2016/schedule/event/ada_memory/
> Also, if I'd have written 'You can't leak memory in Ada if you stick to using collections', wouldn't that just be like saying 'You can't leak memory in C++ if you stick to using the STL'? The point of the article was to show what Ada and Rust do to outrightly prevent you from shooting yourself in the foot, at the core language level.
A programming language is seldom used without its standard library, I don't care what a plain grammar + related semantics check offer, if there is nothing on the standard library, IDE tooling, libraries to chose from.
Otherwise than you should also do a comparisasion using no_std against Ravenscar profile.
And yes, unless you are using a C++ compiler that offers the option to harden its standard library, you are going to some surprises, starting by having to use at() instead of operator[]() for bounds checking, and even with hardened one, stuff like use-after-free/move only when using a good IDE like VC++/Clion or static/dynamic analysis tooling.
randomNumber7
You can even "leak" memory in java if you keep references to objects you don't need anymore xD
Also what is the point of .at()?
try {
myarray.at(invalid_index);
// how do you handle a logic error in your code?
// does that even make sense philosophically?
Yet you could also enable bounds checking for debugging on operator [] or use address sanitizer.
bawolff
I don't program in rust or ada, however it seems like such a comparison is missing important details. After all, if memory safety was all that mattered we'd all be using python. The thing that gets people excited about rust is not just memory safety but the tradeoffs taken to make that happen.
pjmlp
What got Rust adoption if anything was human factor, most folks adopting it never programmed in Ada, Object Pascal, Modula-2, Delphi,...
They weren't even born when we were using them, or if they were their toys were actually toys not systems programming languages.
Rust was their first encounter with systems programming, and Standard ML linage, after lots of Python, Ruby and JavaScript, and most likely never seen anything else other than C and C++. Most likely that also believe the fairy tale of C being the very first systems programming language.
Yoric
To complete what you write, the people in the room during the design of Rust were all very much aware of memory-safe languages. Rust was largely designed by putting C++ developers (who were tired of undefined behaviors) and ML developers (who were aware that ML was not great at system programming) in the same room and have them negotiate a language together, in the hope of producing something that would convince C++ developers to migrate to something less risky.
I kinda vaguely remember Erlang being mentioned, but I don't recall Ada being discussed. To be fair, I didn't attend many of these conversations.
adrian_b
The Rust designers might have known that other memory-safe programming languages had existed, but certainly they were not familiar with them.
Otherwise Rust would not have inherited a ton of obsolete and useless features of C.
For example, when I have seen for the first time a "Hello, world" written in Rust, I have been appalled to see that in a language designed in the 3rd millennium one still has to specify whether function parameters are passed by value or by reference, which is the wrong thing to specify about function parameters, exactly like specifying in old C language whether a local variable was "register" or "auto" was the wrong thing to specify. (The right thing to specify about function parameters has been established in 1977, almost a half of century ago, by DoD "IRONMAN", which has been implemented only in a few languages, the most important being Ada. In my opinion, most difficulties and complexities of C++ have been generated by its failure to comply with "IRONMAN".)
In my opinion, attempting to design a new programming language without first studying carefully the history of programming languages, in order to know well the many good and bad choices that have already been used in various programming languages and to understand which have been their advantages and disadvantages, is an amateurish approach that cannot result in real progress.
Most recent programming languages have been built around some innovative great idea that makes that programming language better than the previous in some respect, e.g. Rust for compile-time checking of memory accesses, but because in the other areas of the language the best previous features have not been chosen, no language is uniformly better than older languages, all of them are better for something than older languages, but worse than older languages for other things, which makes the choice of a programming language very frustrating.
dakom
I'd agree it's largely the human factor, but maybe from a different angle. Rust has got the "there's a crate for that" factor, like JavaScript, which helps onboard people who are afraid of getting stuck writing everything from scratch.
For example, serde (and serde_json, toml, etc.) is a gamechanger, as is tracing, reqwest, and many others.
So, maybe less about the language itself for many people, but more about the human factor of overcoming fear of being stuck on an island
pdimitar
I clearly remember sighing deeply back in 2002 realizing I have to introduce yet another array type so my code could compile in Object Pascal. And this is just one example of many.
Rust is objectively better than what I tried before, in several ways.
From where I was standing several years ago, there was almost zero "human factor" in adopting Rust for many companies (and devs). People simply saw the better features, performance and security and got excited and wanted to work with that language. And then many mistook that for hype. Yourself included apparently?
Sometimes things get popular just because they are good, you know. Not super often historically, mind you, but it does happen. IME Rust is one of these outliers.
pjmlp
Open arrays would have been the answer, which I imagine is the point being made.
bawolff
The human factor doesn't just come out of nowhere.
pjmlp
Indeed, but it definitly matters, and it doesn't always pick the best technology.
IshKebab
I'm not sure what point you're trying to make. Do you think Object Pascal is as good as Rust?
chadcmulligan
Fun Fact - The NSA / White House regards Delphi (object Pascal) as a memory safe language - https://blogs.embarcadero.com/is-delphi-a-memory-safe-langua... in preference to C/C++. Not sure I agree, but I bow to their authority.
pjmlp
Nope, but definitly better than C in regards to safety in systems programming.
ajxs
I look at the problem the other way around: There are certain domains that significantly constrain the choice of programming language, for reasons like compatibility, or performance. If you're already limited to a small set of statically-compiled 'systems languages' like C, Ada, Rust, etc, then memory-safety is a secondary factor that will really influence your choice of which systems programming language you use.
lolinder
> if memory safety was all that mattered we'd all be using python.
I've seen more segfaults in my Python code than I have in any other language ecosystem. Yes, that's in the C modules that Python libraries so often wrap, but the result is still that Python is far from the best choice for memory safety.
JavaScript actually tends to be better at avoiding dropping into C unless absolutely necessary.
zelphirkalt
Python does not offer the same guarantees for safety when it comes to concurrency. Afaik Rust makes data races impossible, by forcing you to make use of specific types, when you have a concurrent scenario, and since everything has to type check (in contrast to Python) before you can run it, that limits you in what you can do, making it safe.
cyberax
Rust is the first (yes, first) mainstream language that offered reasonable and composable memory safety, without compromising on speed.
Ada does not offer anything similar. It's designed for programs that are mostly static. It also does not compose well, as you can't dynamically allocate without losing most of Ada touted advantages.
To be fair, they recognized it. Their plan is to adopt a borrow-checker.
tubs
In rust dynamic allocations usually just end up with runtime asserts from your ref counting gc implementation though.
IshKebab
No they don't. Most programs are full of dynamic allocations (String, Vec, etc.) with only rare use of RefCell (I assume that's what you're talking about).
palata
> Rust is the first (yes, first) mainstream language that offered reasonable and composable memory safety, without compromising on speed.
Is that true, though? Many memory-safe languages are very fast (fast enough for the vast majority of use-cases). Feels like mostly they compromise on memory, don't they?
Rust seems to be a good replacement for those use-cases where C++ is needed. But given the popularity of Rust, it seems to me that many people use Rust where they don't actually need it.
(Disclaimer: I do like Rust)
maleldil
> Many memory-safe languages are very fast (fast enough for the vast majority of use-cases).
That depends on what "fast enough" means. A better way would be to say "memory-safe with (near) zero overhead".
pdimitar
"Fast enough" is doing a lot of lifting in your argument. I've met plenty of embedded devs that said they'll only code either C or Rust and that nothing else comes close in terms of tooling / dev UX and speed.
For all my 23 years of work a language like Elixir (or even Ruby) was "fast enough" but there exist a ton of other world out there that needs more.
cyberax
Before Rust, the only way to achieve memory safety was to use a garbage collector. Or static allocations. Experiments with region inference like in Cyclone were impractical, because they often led to accidental memory explosions.
And adding a GC is a hugely impactful step.
zaphirplane
Surprising to hear this, life time and borrow checker have to be one of those in-spite of people still like rust
timeon
Maybe for those that have to use Rust. But borrow checker was sole reason why I wanted to learn Rust. And at that time (~2018) it was also reason why people were recommending it.
Thiez
And people like C in spite of the segfaults. It's the same disliked thing, Rust just moves it to compile time instead of production. Which many people prefer, since it avoids security issues, data loss, and mysterious crashes.
transpute
Ada+Rust (2022), https://blog.adacore.com/adacore-and-ferrous-systems-joining...
> Ferrous Systems and AdaCore are.. joining forces to develop Ferrocene - a safety-qualified Rust toolchain, which is aimed at supporting the needs of various regulated markets, such as automotive, avionics, space, and railway.. qualifying the Ferrocene Rust compiler according to various safety standards.. [including] development and qualification of the necessary dynamic and static analysis tools.. our long-term commitment to Rust and Ada extends to developers who will be using both languages at the same time. We are looking at interoperability between them - including, in particular, the idea of developing bi-directional binding generators.
Nvidia uses Ada/SPARK for formally-verified security firmware on RISC-V cores on GPUs [1] and SPDM attestation of devices like GPUs and Infiniband NICs [2].
[1] https://blog.adacore.com/when-formal-verification-with-spark... & https://static.sched.com/hosted_files/riscvsummit2024/fe/Key...
[2] https://www.adacore.com/papers/nvidia-using-recordflux-and-s... & https://docs.nvidia.com/networking/display/nvidiadeviceattes...
trott
> but Ada's real strengths lie elsewhere. Its strong typing,
Ada is not actually type-safe: https://www.enyo.de/fw/notes/ada-type-safety.html
adrian_b
As explained at your link, the example program that is not type-safe is based on a mistake of the 1983 Ada standard regarding the use of "aliased", which has been removed by a later Technical Corrigendum, where the program demonstrated at your link is explicitly classified as erroneous, so any compliant Ada compiler should fail to compile it.
As also explained at your link, the same type-safety breaking technique works in unsafe Rust. Both "unchecked" Ada and "unsafe" Rust do not provide type safety, while the safe subsets of the languages provide it.
trott
> a mistake of the 1983 Ada standard ... which has been removed
The article was written in 2011, and the trick still seems to work in a 2024 version of GNAT.
> Both "unchecked" Ada and "unsafe" Rust
But the `Conversion` function isn't using `Unchecked_*`. That's the point of the article. The type safety hole is in "safe" Ada.
null
ajxs
Author here: Thank you so much for posting! Happy to answer any questions anyone might have about the article.
valorzard
Do you think Ada would be good for game development? My main interest in the new wave of low level languages like Rust, Zig and Odin is to see which one would be good for game dev.
Out of all of them, the best would probably be Rust (great ecosystem) and Odin (the designer behind Odin is literally a game dev iirc)
ajxs
I've never done it myself, but I know it's possible! The GetIntoGameDev Youtube channel has recently done a few videos on the subject[0].
MrVandemar
I think there's a roguelike on steam maybe that is written in Ada.
kennysoona
The SPARK subset of ADA really seems the best here, but doesn't seem anywhere near as fun to write as Rust, or have anywhere near the amount of libraries available. The community is much smaller also, and I think community counts for a lot here. The takeaway is Rust, really is, really really great. It's fantastic there is so much documentation and such a strong community, and that so many people are invested in writing safe code because it's finally easy to do so.
tgv
SPARK offers more than Rust, and in my experience, writing Rust isn't fun (either). Rust has more documentation to get you going than Ada, and certainly more than SPARK, as well as a much larger community and more libraries, but the Ada/SPARK community is a nice, helpful bunch.
renox
> [about Ada] You never miss worrying about whether a parameter is passed by value or reference
Uh? I thought that Ada suffered from the "aliasing issue"(1): given that the compiler choose whether to copy or alias, there is a risk that the semantic of your program change when the compiler/optimisation change, am I wrong?
1: if you have a function with two parameters, one "in" and the other "inout" and you pass the same variable to the two parameters.
adrian_b
Even if the aliasing were not forbidden by default by the compiler, aliasing in Ada would have caused problems more seldom than in a programming language that allows the programmer to specify whether parameters are passed by reference.
The compiler may choose to pass by value the "in out" parameters in which case their aliasing may have no effect ("in out" parameters that are passed by value, typically in order to be passed in registers, are loaded upon function entry and stored back upon function exit).
In Rust, C or any other language with parameters passed by reference, you can always alias 2 parameters passed by reference, unless the language defines that as an error that must be caught at compile-time or at run-time. Usually aliasing will lead to errors if at least one of the 2 parameters is modified inside the function.
Because of this, aliased parameters which may be modified inside a function and which are not allowed explicitly shall always be flagged as an error.
tgv
You have to specifically state when parameters can be aliased. Otherwise, the compiler forbids it.
renox
Well godbolt doesn't think so.. 1) this example has an aliasing, no compiler error. https://godbolt.org/z/hzWfj37ef
2) The output value depends of the size of IntArray!
>> with Ada.Text_IO; use Ada.Text_IO; with Ada.Integer_Text_IO; use Ada.Integer_Text_IO;
procedure Text is type IntArray is array (1 .. 500) of Integer;
type MyStruct is record
Value : Integer;
A : IntArray := (others => 0);
end record;
function Compute (Value1 : MyStruct; Value2 : in out MyStruct) return Integer is
begin
Put_Line ("1 value1=" & Integer'Image(Value1.Value) & " value2=" & Integer'Image(Value2.Value));
Value2.Value := Value2.Value - 1;
Put_Line ("2 value1=" & Integer'Image(Value1.Value) & " value2=" & Integer'Image(Value2.Value));
return Value1.Value * 2;
end Compute;
Value1 : MyStruct := (Value => 10, A => (others => 0));
Value2 : MyStruct := (Value => 20, A => (others => 0));
Result1 : Integer;
Result2 : Integer;
adrian_b
The SPARK Ada tools detect this as an error, but not the free Ada compiler.
This should have also been detected as an error by the normal Ada compiler, but I assume that this is avoided in order to enforce market segmentation.
Those who are not happy with the reduced error detection abilities of the free Ada GNAT compiler are expected to pay for SPARK.
I think that the main reason why the use of Ada has remained restricted is that even today having access to complete Ada development tools is expensive, even if the free GNAT tools are enough when you do not need the better error detection provided by the paid tools.
tgv
My Ada is somewhat weak, but IIRC Value2 doesn't alias Value1. The parameters don't work like C. It's more like an assignment once the function returns, although the compiler is free to deviate from that.
vlovich123
> Nothing prevents you from writing Ada code that dereferences an access type after it's been freed; However any access dereference triggers a runtime check to ensure it's non-null. Unlike in C, freeing an access type in Ada automatically sets its value to null, and any subsequent attempt to dereference it will raise a Constraint_Error exception, which can be caught and handled.
> Ada has its own nomenclature for multithreading: Tasks, and provides its own built-in mechanism for preventing data races between them. Ada's Protected Objects encapsulate data inside an implicit mutex, allowing only one thread access at a time via a public interface.
I believe ADA doesn’t have a guarantee that you are accessing data thread safely. And that lack of guarantee is where use-after-free and double-free can hide. Heck, you don’t even need any threading.
1. Create an alias
2. Free the original value
3. Access the alias
If I read it correctly, the variable holding the original value is reset to null after a free but the alias can still access freed memory.
TLDR: Rust has almost no competitors when it comes to the very robust safety guarantees it makes and none when you combine with the performance niche it services.
adrian_b
Programming languages where you are not allowed to access directly any shared variables, but only inside protected data structures, so that complete thread safety is enforced, have existed already a half of century ago, e.g. Concurrent Pascal.
I have not noticed yet anything innovative in this aspect of Rust.
As explained in the article SPARK detects such double free or use after free, even if the standard Ada compiler does not.
The separation between Ada and SPARK in the power of detecting unsafe memory uses is just a market segmentation mechanism, not something intrinsic to the Ada language.
The SPARK development tools must be bought, while the free Ada development tools have less comprehensive error checking.
This is the main disadvantage of Ada vs. Rust. It is a question of money, not of technical qualities.
vlovich123
I think you’ve skipped important words that I’ve said:
> Rust has *almost* no competitors when it comes to the very robust safety guarantees it makes and *none when you combine with the performance niche it services*.
The almost is doing important work in that statement and the none is referring to systems programming. As another commenter noted, SPARK is more than just a cost thing - it fails to scale to non trivial sized projects.
I’m not saying there’s nothing to learn from Ada. All I’m saying is that Rust offers significantly stronger protection and memory safety out of the box than Ada and no language has managed to deliver such memory safety with the performance profile of C and able to target all the same variety of use cases in terms of systems programming (but then also scaling to web services which C/C++ can’t really reach unless you like trivial memory exploits)
> I have not noticed yet anything innovative in this aspect of Rust.
Innovation often times can be subtle like packaging up existing ideas in a friendlier package that can get more mass adoption. If you fail to see the innovation Rust has done with the borrow checker (which afaik is truly novel) and then making the entire language be able to scale from embedded to web services in a cohesive way and also making it a legitimate replacement to C++ in ways that other languages have tried and failed, I think you’ve been too dismissive.
zozbot234
AIUI, SPARK does not use a Rust-like borrow checker: it's based on formal verification which is a lot more difficult to program for, i.e. not really feasible except for smaller programs. This seems to be in sharp contrast to Rust - the safe subset of Rust enforces a set of rules that can actually scale up to larger programs while still preserving safety.
null
roydivision
I thought this would be comparing Rust to Ada Lovelace's code...
And I've coded in Ada...
Very interesting and timely especially since I see the following so often:
> Why wouldn’t the Linux kernel team choose Ada instead of Rust?
To which I say: Ada doesn't have a large user base beyond DOD projects. Virtually no greenfield projects except for DOD. Whereas there has been a Cambrian explosion of Unix kernels/tools/servers written in Rust.
More generally, these questions of the form "Why are you ignoring X?" where X is Ada or Zig or C++ are really "Why didn't you write/don't you rewrite this in Rust?" by a different name.
And my/that answer goes both ways. Notably, Roc recently has stated it is moving away from Rust. Ghostty uses Zig because Mitchell Hashimoto doesn't like Rust. But the answer is always someone has to show up and do the work, usually because they like doing the work in some language.
So -- it's okay to like the project strictly because of the language chosen. That being said -- I'm super interested in the more technical differences.