> Obviously! But my point was that that reasoning isn't additive

That's a very very strong claim without any supporting argument. And I'd be very surprised if it was true. (the success of the Stylo project on Firefox is a significant counter-example for instance).

> -- at a price.

once again, the abstract “price” is invoked, without any characterization… thousands of words later, we still don't know what price you're talking about…

> Except Zig takes that to another level. Rust has some brilliant innovations -- like the borrow checker -- but Zig's entire design is a quite revolutionary, and in multiple ways.

pron waves hands vigorously

You've shown a real difficulty so far to substantiate your argument with anything concrete (on the “price” of Rust, as well as on the “revolutionary” aspects of zig), though you've spent litterally thousands of words on the topic (and not just this discussion, but many before). As the French quote goes ce que l'on conçoit bien s'énonce clairement, et les mots pour le dire viennent aisément, it makes me think you've mostly a gut feeling (Rust bad, Zig good) about this things and not a rational argument.

> I don't need to justify why Rust isn't the best approach out there; the onus is on Rust.

Nope, Rust is the state of the art, and Rust has demonstrated significant benefits over the previous state of the art. Now if Zig comes and wants to challenge it[1], fine but the burden of the proof is on Zig. Want to prove that essential oils are better than antibiotics? Go ahead, but the onus is on you.

> BTW, there's another axis we need to consider. The goal of software correctness from the industry's perspective is not how to write more correct software, but how to write more correct software with the programmers we have.

> […]

> A language that improves correctness by X around for Y programmers contributes less overall to correctness than a language that improves it by X/2 for 5Y programmers.

Yup, and that's why garbage collected languages are the clear winners of the past three decades.

But Rust is especially well-placed in that regard, because most of its users (even the early adopters) are coming from a managed-language background. And anecdotally, making low level code accessible to more developers coming from a more general-computing background is the main reason why Linus Torvalds is interested to get Rust to the kernel.

[1]: in fact this has never been an explicit goal of Zig's creator, who just want to make his programming language without bothering anyone else. He has nothing to prove, and he's never shown any willingness to take part of the kind of silly arguments, this is only the reactionary “Rust bad, need a champion to rant against Rust in online forums” crowd, who does that.

> That's a very very strong claim without any supporting argument.

I'm afraid you completely misunderstand my position. I'm merely pointing out that because we know that more soundness is not always better, the claim that Rust is more effective than Zig is not obviously true. I'm not saying it necessarily isn't. We simply don't know yet.

> the success of the Stylo project on Firefox is a significant counter-example for instance

A counter-example for what? No one is saying that Rust doesn't work well or that it doesn't offer more correctness than C++.

> You've shown a real difficulty so far to substantiate your argument with anything concrete

But I don't have any hypothesis to substantiate. I'm pointing out what we don't know.

I did give concrete examples for cases where unsoundness worked better than soundness, but because we already know that the most effective approach is not on either end, we cannot extrapolate from any specific comparison to another.

If someone wants to say language X works better for correctness than Y, they must compare X and Y, not X and Z. But I'm not making any such claim about Rust and Zig.

> Now if Zig comes and wants to challenge it[1], fine but the burden of the proof is on Zig.

No one is claiming that Zig works better than Rust, no one wants to "challenge" Rust with Zig, and no one is challenging the claim that Rust works better than C++. I want both languages to challenge the status quo.

> But Rust is especially well-placed in that regard

Of course. Rust and Zig are both well-placed in that regard, and people who care about correctness want both:

First, we don't know which, if any, works better than the other.

Second, even if one of them does work better than the other, I think it's pretty uncontroversial that they both provide better correctness than C++ (they both provide stronger guarantees, and neither is significantly more complex than C++). But because it seems that there are people who don't like Rust, and there are people who don't like Zig, software will be better served by having both.

Those who say they want Zig to not exist (like pcwalton) are not serving software correctness. I want Rust; I want Zig. We don't know what works best, neither of them is for everyone, so we need both.

> in fact this has never been an explicit goal of Zig's creator, who just want to make his programming language without bothering anyone else

Indeed. More correctness than C and C++ is, of course, one of Zig's goals; more correctness than Rust isn't. But more correctness than Zig isn't a goal of Rust, either. We want both to exist, if only because different people would prefer different languages, and both are probably improvements over the status quo. It's pcwalton who said he doesn't think Zig should exist. So let's not bother anyone else by making unsubstantiated claims about which is better, and certainly not by saying that the other shouldn't exist. Okay?

> > That's a very very strong claim without any supporting argument.

> I'm afraid you completely misunderstand my position. I'm merely pointing out that because we know that more soundness is not always better, the claim that Rust is more effective than Zig is not obviously true. I'm not saying it necessarily isn't. We simply don't know yet.

This isn't in any way related to the claim that I qualified as “very strong”: you said “But my point was that that reasoning isn't additive”, which is a very strong claim and likely to be false. The Firefox team successfully shipping their multi-threaded CSS engine in Rust while they had failed to do so in two or three previous in C++ hints that implementing complex algorithms and at the same time having to be sure you don't mix things up with lifetime is harder than just implementing the same complex algorithm without having to think about mixing things up with lifetimes. The great shift towards Java in the 90s is also an indication of it. Taking the responsibility to manage memory manually is hard, very hard and adds a significant burden on the programmer. And this isn't “unknown”.

> and certainly not by saying that the other shouldn't exist. Okay?

Where in my comments can you find a single occurrence of this claim?

I'm just arguing that at this point your reasoning of saying “we don't know which is better” is as fact-based as people arguing that “we don't know if vitamin D or Hydroxychloroquine are better than vaccines”. Zig doesn't have to be on par with Rust to have its right to exists, there's no point overselling with on the “correctness” argument that has never been its main stated motivation. And you, the “Java guy who doesn't like Rust” are practically the only one having this argument on HN, you should try leaving Rust and Zig alone for once.

Anyway, you've long stopped giving arguments and have been parroting the same “we don't know” over and over and over without any attempt to add anything new to the discussion, so I'm not interested in pursuing. Too bad, I won't have a single example of how Rust incurs a cost in correctness, nor how Zig's design is so brilliant it will make thinking about memory more practical than C and avoid memory management to get in the way of correctness, so much virtual ink spent in vain.

> This isn't in any way related to the claim that I qualified as “very strong”: you said “But my point was that that reasoning isn't additive”, which is a very strong claim and likely to be false.

You've misunderstood. I am not trying to make a claim about how reasoning works, but to give possible explanations for why assumptions that more soundness is always better often turn out wrong, i.e. how it could work. The question of why it is that we get such "surprising" outcomes in software correctness is interesting, but we until we get an answer to it, we just know that we get surprising answers.

> I'm just arguing that at this point your reasoning of saying “we don't know which is better” is as fact-based

This doesn't make sense at all. Not knowing is the default. Until there's conclusive evidence, the fact is that we don't know.

> Too bad, I won't have a single example of how Rust incurs a cost in correctness

I don't know that it does. I gave you several examples of how it might: reading it is hard as it has implicitness and compiling it takes long making testing more burdensome. Maybe there are other reasons, maybe there are none.

Now, this is handwaving, but it's more than we need. It's okay to believe that Rust yields more correctness than Zig, the same amount, or less, but until we have empirical findings one way or the other, we don't know, even without any handwaving.

> nor how Zig's design is so brilliant it will make thinking about memory more practical than C and avoid memory management to get in the way of correctness

I explained that, too. Not only does Zig provide sound spatial memory safety -- which neither C nor C++ do -- but it also has precise pointers, i.e. you can soundly track where your pointers are, which is not the case in C/C++, where you can magically create bad pointers from good ones with pointer/array index arithmetic, or magically create pointers from non-pointers with silent casting (like unions). Zig, like Rust and GC languages has precisely tracked pointers. Good pointers can turn bad through user-after-free in Zig, but they can't be "born" bad as in C and C++.

> Where in my comments can you find a single occurrence of this claim?

Not in yours. In pcwalton. You've just tried inverting the rules of science by saying that if you assert something is true and someone else points out that it's an unsubstantiated hypothesis, the burden of proof is on them, thereby making your hypotheses true by default.

Again, I think there can be a wide consensus that both Zig and Rust provide more correctness than C or C++ because they both make stronger sound guarantees and neither is worse at reasoning or testing than C++, but the question of whether any of them is more effective at correctness than the other is unknown, and unknowable until we empirically compare the two. That something is unknown is not a claim that requires proof; until we have proof for something -- we don't know.

Here's what happened with Haskell: Some Haskellers kept insisting that Haskell yields more correctness than some other languages, and that that should be accepted as the null hypothesis until proven otherwise. Then there were a number of empirical tests that believed they'd be able to show it, and they couldn't find any large effect. So even after the empirical examination some Haskellers insisted their hypothesis should be taken as true by default, because the empirical tests weren't good enough. The result is that people who care to claim about correctness get sucked into these beliefs and not even empirical findings (or lack thereof) can shake them. That's not how we move correctness forward. Of course, Rust is not quite in the same position as Haskell because it hasn't been around the long, but it's important not to get too attached to religious beliefs that "this is the only way." Findings in software correctness frequently surprise us.

> This doesn't make sense at all. Not knowing is the default. Until there's conclusive evidence, the fact is that we don't know.

[…]

> You've just tried inverting the rules of science by saying that if you assert something is true and someone else points out that it's an unsubstantiated hypothesis, the burden of proof is on them, thereby making your hypotheses true by default.

You should definitely take epistemology classes on coursera or elsewhere, because by our definition of “knowing”, we never get to know anything.

And unfortunately this “but we cannot know it's too complex” is way too common nowadays, from climate change to pandemic management “we don't know” is a convenient fallacy. There are key things that we actually do know :

- that Rust is memory safe while Zig isn't (not even from a spacial perspective because there are escape hatches).

- that memory safety is a deep issue and tracking object lifetime by hand isn't something humans are good at, at all. (and use of Zig in the wild shows that the issue is unsurprisingly very common in Zig, as it is in C).

So, yes we cannot be sure that there aren't second orders or third orders effects that makes Rust less than optimal and compensate for this massive difference, but there exist no convincing list of such hypothetical effects that could have a significant impact in Rust's ability to build correct software (to take your examples about legibility and testing, Rust has a strong emphasis on explicitness and incremental builds are more than fast enough for efficient testing, so there's little margin for gains on these fronts).

So have clear evidences of a strong first order effect in favor of Rust, and no compelling evidences for adverse higher orders effects, that's what our current knowledge is.

That's a big difference with your Haskell example, because Haskell cannot really pinpoint a significant edge over other languages, it's more a collection of convenient little things, so the improvement is much more vulnerable to higher order effects. The same could be said if we had to compare Rust and Java for instance: I much prefer use Rust than Java because there are many things that I like but at the same time there are little things that are decisively in favor of Rust (Send and Sync trait for compile-time thread safety is nice, but really workload dependent) so I'd be very wary of saying that Rust leads to more correct code than Java.

But Zig carries a significant burden in that regard (and I believe it should really think about introducing a borrow-checker-like in its design before it's too late and compatibility with existing code makes it impossible, while eschewing the whole ML-style functional stuff that Rust has, because that part is definitely in the “nice to have but not really significant” category).

> because by our definition of “knowing”, we never get to know anything.

I was talking about the common scientific method. You can define "know" as "the vast majority of the target community is sufficiently convinced that something is true."

> and use of Zig in the wild shows that the issue is unsurprisingly very common in Zig, as it is in C

You've seen absolutely no such thing.

> So, yes we cannot be sure that there aren't second orders or third orders effects that makes Rust less than optimal and compensate for this massive difference, but there exist no convincing list of such hypothetical effects that could have a significant impact in Rust's ability to build correct software

I am not doubting Rust's ability to build correct software, just the claim that it's obviously the best approach.

> Rust has a strong emphasis on explicitness

I think you don't understand what "explicitness" means in this context, as Rust relies on more implicitness than most popular languages.

> So have clear evidences of a strong first order effect in favor of Rust, and no compelling evidences for adverse higher orders effects, that's what our current knowledge is.

Taken as is, you're once again claiming that your belief requires no evidence. Taken more charitably, what you're saying is that you believe it because it is very obvious to you. In that case, either it will be easily verified by the evidence and rather quickly, or it will be shown wrong just like previous "obvious" beliefs regarding software correctness.

What you can't do is is demand evidence from others because what's obvious to them isn't obvious to you, and at the same time claim that what's obvious to you and isn't obvious to others should be assumed true.

> because Haskell cannot really pinpoint a significant edge over other languages

I don't know if you're aware how this kind of argumentation sounds to others, but are you really comfortable making such arguments to support what is a scientific claim? Not only did Haskell supporters say the exact same thing (their edge over, say, Clojure was, of course the type system) but even after time and again we see how complex this subject is, how elaborate the interactions, you make an argument that is not much stronger than, "well, I have more money in my wallet than you, and since I can't immediately see any indication that you have more in your bank we can safely assume I'm richer than you."

> But Zig carries a significant burden in that regard

And Rust carries a significant burden, too: it hinders, in comparison, the two most effective assurance methods we have, tests and code reviews. Just as importantly, too many people find complex languages unappealing, and so the impact a language that not many people would use cannot be large.

Now, I am not trying to convince you that you're wrong, just that different things are obvious to different people, and unless something is obvious to pretty much everyone -- which clearly isn't the case here -- you cannot expect others to just accept your belief, however strongly you believe it, while demanding evidence from them for not accepting it.

The fact is that however obvious it may seem to you, other do not not seem to think that it is obvious that Rust leads to more correct software than, say, Zig. If you're trying to convince others of that, then you have to support it by their standard, not yours (of "faith alone suffices"). I would suggest not repeating arguments that are not only logically weak but have failed just recently, and prefer empirical evidence.

But hey, do what you want, and if you believe that everyone should be convinced or that perhaps everyone is already convinced -- that's fine, too. Just don't be surprised when others find such assertions of faith somewhat cultish and not a good look for programmers.

And you know what? If you think your argument is so scientifically convincing, try writing a science paper making the claim that Rust yields to better correctness than Zig.

Until then, programmers will use whatever language we find most aesthetically pleasing, enjoyable, or profitable.

It's funny to read you talking about “beliefs” and “cult” while at the same time being in such a denial:

> You've seen absolutely no such thing.

Just go ahead, grab a few popular projects in Zig (for instance Bun or the zig compiler) and their issue tracker and see how fine the situation is.

And as an epistemological conclusion to this discussion, I should note that while you use “beliefs” pejoratively, but “knowledge” is in fact nothing more than rationally founded “beliefs” that's open to perpetual questioning ;).

Here you just refuse to accept to even think about the rational arguments because they go against your beliefs, hence the reluctance to address the arguments when I've exposed them, falling back to parroting your common sense over and over.

FYI the Zig compiler that people are still using today is the C++ one. The self-hosted compiler hasn't been released yet. There's some Zig code running today in the C++ compiler, but hasn't been there for the full life of the project and isn't the main source of bugs by far.

To this day I think the top 3 popular Zig projects are Bun, as you mentioned, then River [1] and TigerBeetle [2].

[1] https://github.com/riverwm/river [2] https://github.com/tigerbeetledb/tigerbeetle

Up to you to decide how fine is the situation in those projects.

Most of the recent segfaults that have been fixed in Zig where Zig related, not caused by C++. (Without even mentioning the segfault in the std lib).

And about tigerbeetle, this gives you an idea of how compelling the zig memory safety story is today:

> All memory must be statically allocated at startup. No memory may be dynamically allocated (or freed and reallocated) after initialization.

And then both river and bun have their shares of segfaults, with river looking substantially better than bun, but it suspect it also has much less usage in the wild.

Overall, it looks pretty much like C as I said.

> Just go ahead, grab a few popular projects in Zig (for instance Bun or the zig compiler) and their issue tracker and see how fine the situation is.

I don't understand. Zig's approach to correctness means giving up on some sound memory safety guarantees in exchange for benefits elsewhere, i.e. it prefers some memory bugs in exchange for fewer others. What conclusion is it, again, that you're trying to draw from the existence of such bugs, and how do you conclude that they occur with the same frequency as in C? Your claim is statistical and I don't see what statistical method you used on the bugs you saw to support it.

> Here you just refuse to accept to even think about the rational arguments because they go against your beliefs

My only relevant belief here is that we do not have evidence supporting the claim that Rust yields more correct software than Zig, and the only rational argument that could go against that belief is the presentation of such evidence. I have no belief regarding which of Rust or Zig yields more correct programs (if either). The reason I have no such beliefs is that I know how complex and unintuitive software correctness is, and both languages have chosen interesting and novel approaches that are not directly comparable based on prior evidence, and so they themselves will have to produce that evidence over time.

Because you asked me to address your arguments (which aren't such a presentation of empirical evidence), the reason why they're unconvincing is as follows. When comparing both Zig and Rust to C++, it is reasonable to accept the claim that they both lead to more correct programs. Why? Because the claim is that they both dominate C++, i.e. they catch all the bugs that you'd catch in C++ plus more. They both make more sound guarantees, and their readability is no worse.

But that is not the same argument used to compare Rust and Zig, because they're incomparable: Rust makes more sound guarantees but it's more complex and requires more non-local reasoning to understand (and might appeal to fewer people), while Zig makes fewer sound guarantees but in exchange it strives to be easier to understand (and to appeal to more people). I.e., the argument for comparison here is not one of dominance but one of a more profitable tradeoff. Your claim that we should value the "hard", formal soundness aspects more than the "softer", informal, aspects is unconvincing because the history of software correctness shows it's a mistake to do so -- "soft" correctness techniques have proven at least as powerful as hard, formal ones, if not more. So, when the tradeoff involves both the formal and informal components of software correctness -- an interaction known to be complex and surprising -- it cannot be settled by simple argumentation, but only by empirical evidence.

That is my one and only argument: because the two languages are not directly comparable as they consciously make different tradeoffs in their chosen paths for correctness, comparing their outcomes requires an empirical test.

Since I've written about software correctness quite a bit over quite a few years now, I think the claim that I am not open to reason in that area is easily disproven by the available material. On the other hand, when someone tries to convince other professionals and fails to do so, saying "you're not convinced just because you're not open", does not lend more credence to the argument. I guess we could call that, "proof by plea", which is not, as far as I know, established as a legitimate form of knowledge gathering in science. But, like I said before, if you think the problem is me and not the strength of your argument, you can put that to the test: publish a scientific paper arguing that Rust leads to more correct programs than Zig (not C or C++), and see how many are convinced by it. If I'm the only holdout, then I'd know the problem is me; if not, then you'd know that the persuasive power of your argument is lacking.

> Why? Because the claim is that they both dominate C++, i.e. they catch all the bugs that you'd catch in C++ plus more. They both make more sound guarantees, and their readability is no worse.

You're talking about rigor but you keep making these laughably strong claims. This one is an extraordinary one, and it's most likely also false just because I'm pretty convinced that copy/move constructors can make some (rare) patterns much simpler and as such avoid bugs in practice. It's not clear if copy/move constructors are a net win, and the overall effect is almost certainly minimal anyway, but that's enough to refute the domination claim.

> I don't understand.

That's the key. And you don't want to understand, I'm afraid.

I have no idea what you're talking about. My one and only "claim" -- a simple statement of fact, really -- is that we lack any empirical evidence that Rust yields more correct programs than Zig, and that because the two languages consciously make different tradeoffs, they are not directly comparable, and so such empirical evidence is needed. That's it.

Everything else is just a response to you asking for more context and examples, as well as explanations for why your arguments are so unconvincing, which you then misunderstand as further claims that they are not (e.g. I do not claim that either Zig or Rust yields more correct programs than C/C++). In fact, I do not claim that any language yields more correct programs than any others (not that I don't think that could be true, I'm just hesitant to make such claims). All I did was explain why such an argument would be more convincing than the argument you're making for Rust vs. Zig.

Seems like we're stuck in a circle where you can't understand what I'm saying and I can't understand what you're saying.

In any event, we've gone full meta. Like I said, if you think I am the problem, that can be easily tested. Put your argument in a paper so that it can be properly critiqued. This way you'd at least know if it's me who doesn't want to understand or that your arguments are just not very convincing. If most software correctness people find it convincing -- yay for you; if not, you'll learn how to make your argument more convincing, so also yay for you.