In performing an assessment of which ecosystem and PL to use to develop our high-integrity automation software for mission-critical applications, we assessed Rust, Zig, and Ada/SPARK. Rust had the support behind it from a big corp., a passionate developer community, and some adoption by significant entities, but none with cyber-physical systems. And it has been interesting to see some developers leaving Rust for Zig for the sheer enjoyment of using it instead. Our software will be controlling machinery overhead and other close coupling with machinery and people. Rust does not have the legacy in these areas or the ecosystem to cover formal verification. Zig was considered, but was even more new than Rust, and had similar disadvantages as listed for Rust. SPARK, a relatively newer PL, a subset of Ada, has legacy in high-integrity, mission-critical applications, and formal verification tooling that along with human review, makes it the strongest choice to meet the government's latest push for such critical software, and the language though verbose, is low friction to learn and apply. I found Zig to be a great second choice, and look forward to both Rust and Zig's future. Glad to see Zig moving along since Andrew started it. Congrats Andrew and the team currently pulling this off!
Adacore is doing great work. They have a Rust compiler, but the static analysis and formal verification is not quite there for the Rust toolchain and it does not have any where near the legacy for high-integrity, mission-critical apps. Not that it is not heading that way, but for us it is not there by a longshot to select it for our product.
In a way, it's a return to simpler times. I remember learning programming C and it was about programming computers, not abstract concepts. As languages got higher level abstractions, we lost touch with the computer. That's why programs are so bloated today. Zig respects that we are programming a computer, with concrete behaviours, it doesn't try to abstract things away, doesn't hide complexity, and yet gives you tools for managing it. That's why I enjoy it.
I truly do not understand why anyone would think Rust is abstracting things away.
Like, to be clear: if you want to develop in Zig because you like it for whatever reason, you should do that. There is no world, nor will there ever be a world, where there's "one language to rule them all". This comment should not be read as "you should write Rust instead".
I just don't find any of your descriptions of Zig to be things that Rust is guilty of. You can (mostly) write the same things in each language, ship a static binary, and your users would never know the difference. IME you are generally as "in touch with the computer" in Rust as you are in Zig.
Well, for example, every function that allocates expects allocator as an argument, it is not abstracted away. Resource deallocation is not abstracted away, you have to explicitly free your resources. Ever function that uses IO expects it as an argument. It doesn't have operator overloading, which is also an abstraction.
I left the "mostly" in my comment because custom allocators is one area where Rust as an ecosystem is still in need of some work, and I'm aware of that - hell, in part because of TigerBeetle's blog posts on the subject.
Everything you're describing is a stylistic preference, though - and doesn't contribute to bloat, which is what the parent comment was implying. If your program is bloated, that's on you to clean up - it doesn't matter if it's in C, C++, Rust, or Zig. Every single one of these languages has nothing that stops you from getting it right.
(A weird aside but the downvotes on this chain are just odd to me. I'm not telling y'all to not write Zig, chill already)
Look, I'm working on an async I/O engine, not unsimilar to Tokio. I started running benchmarks only to realize that I'm significantly faster than Tokio. Go, which is a garbage collected language with preemptive scheduling, is also faster than Tokio on these benchmarks. And Tokio is fast, I'm not claiming it's not. Rust developers program in terms of traits, and borrow checker behaviours. That's fine if you want enterprise kind of safety by tooling. It's just not enjoyable to me and that seems fairly common view. There are people who enjoy languages like Rust, Scala, Haskell. They allow you to create your own world in the type system and that's fine, but it is more disconnected from the actual computer the code is running on.
Local allocators are also in the works for Rust, as well as a general effect system (including potentially an IO effect). Rust also doesn't have fully general operator overloading, it currently uses traits instead. (Though explicit local notations are generally a better way of handling operator semantics, and a future edition of Rust could potentially achieve this via macros.)
I think what happens is that people discover a new language, find that they really enjoy it and then struggle to explain why they like it. While they’re struggling they sometimes put down a “competing” language even if no one asked.
They could say it just really vibed with them but they don’t.
And so have the various editions of standard Fortran. In fact, ISO Fortran’s abstract floating-point model is so old now that it’s confusing, since it’s basically IEEE-754 but off by one in its exponents.
The PDP is remarkably similar to x86. The complaints that people have written at length about typically come down to superscalar features not being exposed in the instruction set, which means that it can't be exposed to the programming model.
On the other hand, every architecture that has tried to expose them so far has failed; nobody wants to manually apply the Tomasulo algorithm to their code, or manage shuffling data elements into and out of their cache hierarchy.
These arguments never really hold water for me. The C VM is flexible enough to apply to literally any piece of hardware with relatively few pains. For experienced systems programmers, it is also extremely easy to brain-compile C code. C++ and Rust are both much harder in this respect.
Most people stop feeling like they are fighting with rust a few months into using it. The borrow checker is something that becomes second nature and you still use the same techniques that would please the borrow checker outside of rust because it's generally better program structure in many cases and avoids bugs. If you want to do something that you know us correct that rust normally doesn't allow, just use unsafe. It's not the end of the world. You don't need to resort to a different language to achieve that same result.
This isn't to say it's better or worse than zig. If you're developing software and zig works for your needs, go for it. I'd like to see it used on a 100+ person project to see how it might hold up to the problems that I tend to see in c++, which largely arise for people not knowing about constraints that are not tracked explicitly by the compiler. On projects with less people, this doesn't happen as often.
The TLDR is that there’s all sorts of invariants that the Rust compiler internals assume about Rust code (eg pointers don’t alias). In C such assumptions can’t be made. Unsafe rust requires you to uphold all the same invariants that safe rust does without any guardrails and it has more such assumptions than C. C however is uniformly dangerous - there isn’t a safe subset to write your code in.
One example would be that you could have something like:
let x = 5;
do_something(&x as *const _ as *mut _);
Now do_something might dereference and write to the pointer. Now you have non-local safety to reason about because if the compiler realizes you’ve tried to dereference a mutable pointer to an immutable variable it’s free to declare that UB and do bad unsound things (the non-locality is because the unsafe is inside do_something but the problem is with the pointer cast in safe rust). There’s all sorts of subtle things like that.
> The TLDR is that there’s all sorts of invariants that the Rust compiler internals assume about Rust code (eg pointers don’t alias).
There are fairly straightforward ways to disclaim these invariants to a greater or lesser extent as appropriate, such as accepting &Cell<T> arguments (or even, e.g. Option<&Cell<T>>) in lieu of &mut T. But the Rust standard library is not yet comprehensively built with this in mind, so this might be an area where Zig's library facilities have a real advantage unless an effort is made to address this gap.
>Most people stop feeling like they are fighting with rust a few months into using it. The borrow checker is something that becomes second nature
People keep saying that, but I've also seen many who've used Rust for years, in big projects, say the opposite: it gets slightly better as you learn to oblige the borrow checker instictively, but it remains always a kind of annoyance and a friction.
Perhaps that's due to only learning how to treat the symptoms rather than the cause. Building intuition requires understanding why the compiler prefers something different. People coming from C++ tend to get this fairly quickly as they understand the problems rust solves for them, but folks coming from higher level languages don't always see it the same way because they may have not had to deal with those problems.
This is certainly a very controversial opinion. The two languages should not really be compared or grouped together, not for at least the last 15 years, but probably much longer. Modern C++ features have been developed specifically to address all sorts of things that most C++ developers want fixed from the "C" part of the language's history.
Nah, C should be nuked, C++ is TypeScript for C, Microsoft was right that C was done on Windows, unfortunely they had a change of heart and eventually decided to support up to C17.
Would you be able to elaborate on some specific ones? I’m just curious. My space is mainly data engineering and Rust is making major moves there along with the entire Python ecosystem.
Rust’s main point is memory safety which is why it’s also a preferred language to reengineer cryptography libraries.
I’m interested in the embedded space (along with AI applications) and believe rust will be a language of choice for the entire toolchain here.
So I’m definitely interested in what gaps you see.
There's more than just memory safety for high assurance apps. Personally, I think Rust is heading in the right direction, but I am not sure it's complexity will ever be smooth or enjoyable for some. I feel you get most, if not all, that Rust is trying to achieve with Ada/SPARK right now for high-integrity, mission-critical apps along with a proven legacy: jet fighter software, railway controls, avionics, embedded, space, etc...
Take a look at the Adacore site, especially the free books (PDF):
Are you trying to claim that Rust isn't safer than C++ for some kind of safety? I can't really see how you would argue that. It's memory safe, and it has a much stronger type system which reduces the chance of non-memory safety bugs. What type of safety are you thinking of?
Some people enjoy the relative simplicity and straight forwardness of C, some folks enjoy the flexibility and zero cost abstractions C++ gives you.
Some people can appreciate both. I actually like both languages for different reasons and I don't really understand why they're consistently being pitted against each other. Language wars are... for lack of a more appropriate and less-crass term... stupid.
With limited time and mental energy and I woukd say the languages are fighting for attention. The war is over why should I pay attention and for territory in my head.
Because this industry is a knowledge-based industry, and it's a good idea in general to always be honing your skills and learning something new.
Even if you don't have any intentions of using a new language in your day to day career, there's usually a few super-interesting morsels in there that you can add to your knowledge banks.
I've personally lost count of the number of times I took a concept I learned in another language or technology stack and applied it to my day job.
If you think that complaining about a language on the internet is an effective way to hamstring wider adoption in and of itself... I've gotta say the results leave much to be desired.
I started with 6502 assembly and PET Basic in 1977, so for me, Zig is simpler, and jives more with me than Rust. OTOH, I chose Ada/SPARK for our product for the high-integrity, mission-critical aspect of our automation software. I programmed in Pascal back in 1988, and it has the same syntax, which I always found verbose and boring, but it is clear and structured and the concepts to achieve this level of high assurance are not too difficult. For ultiimate fun, I program in J/APL and now mainly BQN, so I am not a fan of verbosity!
I would have been more attracted to Rust if it had kept ML-like syntax from OCaml and not the Algol-like curly braces of C/C++.
Trying to write Rust as a noob feels like being in a blackout swamp, waist deep in muck, fighting through thick air and trying, but failing to run from danger. Being utterly constrained in every direction.
Writing Zig as a noob feels like having the clouds part to reveal a bright, sunny Spring clearing and suddenly being able to cover land in a cheerful group with clarity, purpose and focus.
[Edit] Of course, this is purely subjective, obviously a skill issue and YMMV
I think most folks would agree that Rust is an "acquired" taste. You need to kneel to the borrow-checker and develop something like a Stockholm syndrome before you find the language delicious.
> You need to kneel to the borrow-checker and develop something like a Stockholm syndrome before you find the language delicious.
That was not my experience at all. I liked the language from the get-go. And the more i dug into it, the more i found to like. I really appreciated the design of Rust's iterators, and traits, and general language design, way before i stumbled into any major issues with the borrow checker.
I feel like this depends very much on the programming style and probably on the domain. But i found that programming in a mostly "functions and simple data structures" way, passing things down to other functions that need them, and just processing data instead of "modeling the domain" into mutable and confusing "objects", i didn't really come across many lifetime-related issues that the borrow checker warns about.
And the few that i did found, they were actually errors on my part, and Rust detecting them was quite helpful. Things like trying to mutate a collection while also iterating it.
OOP has many short comings (enough that I would say it has been the single worst design paradigm that afflicted this industry), so Rust felt like a breath of fresh air to a c++ dev. However, many basic patterns that are employed when you are building embedded software are just needlessly difficult. Zig is the better C, and it’s just the better language for getting stuff done with total control. If I need to be high level with more I’ll reach for something else (c# provides all the optimisations I need if I’m not bit bashing). Rust feels like it has this one great trick, no gc and memory safety, but nothing else to offer.
The problem I have with what I call "bondage and discipline" languages is that while it has value making sure the code is correct, it is not pleasant (for me) to work with.
Sometimes I just want to try out stuff, I know there is a bug, in fact, it breaks everything, but that's exactly what I want, I will revert it once my little expertement is complete. Strict languages will refuse to run anything unless you make sure that code follow all the rules, which is useless work as you know it won't stay (because it breaks things on purpose).
It is not just Rust, it is just that Rust has a lot of that. There is also C++ not allowing me to access private class members, or Python being annoying with its indentation, these are all good things for production code, but it gets in the way of experimentation.
Combine this with slow compilation times and it makes Rust not very experiment-friendly, which I think is the reason why many people don't have a good time with it.
As I understand it, Zig is more permissive and also has fast compilation as a design goal, which I think is a big contributing factor in making it more "pleasant".
You're right that rust is not experiment friendly, especially since it doesn't have a repl. I guess I must be into BDSM because my go-to language for experimentation is Haskell
Zig can also be annoying. For example, you cannot just ignore the return value, even in debug builds. Playing around with slices, c strings, arrays is also annoying in comparison to C.
Yes, that's a tradeoff, bondage and discipline languages like Ada and Rust are popular in some fields for a reason.
What I like the most is a middle ground: have a language that it permissive when it comes to generating code, but be strict with warnings. Again, problem is that too many people don't care about warnings. Way too many times, I had people call me to investigate their bugs, see a warning, point it out and tell them "here, that's your bug".
An interesting thought experiment would be a language/toolchain that would be permissive when generating debug builds, but hard-required warn-free to generate an optimized executable.
Put Claude code on top of it and now you have prototypes of what you have in mind written pretty much instantly and they are suitable for reshaping into production later if needs to.
Lol, not that it's any good, but here is a pretty much purely vibed zig NES emulator that I let Claude work on: https://github.com/RAMJAC-digital/RAMBO It renders something.
I'd guess that in 99% of cases, if the borrow checker is a problem for you in Rust then you are likely not ready yet for C or Zig, particularly when you need to work in a team where mainatainability by others is critical.
There are some cases the borrow checker requires you to go through hoops for but I see that as a win for adding friction and raising visibility of weird patterns.
And yes, there are cases that can't be expressed the same way,
It’s also true that people overestimate how often the “weird” patterns are needed. 9 times out of 10 it’s the programmer who is missing something, not the borrow checker.
That has not been my experience with it, but I understand if it is yours. I have often seen people use convoluted or slow patterns to satisfy the borrow checker when something slightly un-kosher would have been simpler, faster, and easier.
Using "unsafe" for things that really need it structurally is incredibly unwieldy and makes all your code a total mess. A single instance of "unsafe" is clean and fine, but if you want or need to use patterns that do not follow the religious "single ownership known at compile time" dogma, you end up spewing "unsafe" in a lot of places and having terribly unclean code as a result. And no, "Arc" is not a perfect solution to ths because its performance is terrible.
I encourage you to write a doubly linked list in Rust if you want to understand what I mean about "un-kosher" code. This is a basic academic example, but Rust itself is the rabbi that makes your life suck if you stray off the narrow path.
I write a decent amount of system-level software and this kind of pattern is unavoidable if you actually need to interact with hardware or if you need very high performance. I have probably written the unsafe keyword several hundred times despite only having to use Rust professionally for a year.
> Using "unsafe" for things that really need it structurally is incredibly unwieldy and makes all your code a total mess. A single instance of "unsafe" is clean and fine, but if you want or need to use patterns that do not follow the religious "single ownership known at compile time" dogma, you end up spewing "unsafe" in a lot of places and having terribly unclean code as a result.
It's only “unclean” because you see it that way. In reality it's no more unclean than writing C (or Zig, for that matter).
> And no, "Arc" is not a perfect solution to ths because its performance is terrible.
There's no “perfect solution”, but Arc in fine in many cases, just not all of them.
> I encourage you to write a doubly linked list in Rust if you want to understand what I mean about "un-kosher" code
I've followed the “learning rust by writing too many linked lists” tutorial ages ago, and I've then tutored beginners through it, so I'm familiar with the topic, but the thing is you never need to write a doubly linked list IRL since it's readily available in std.
> this kind of pattern is unavoidable if you actually need to interact with hardware
You need unsafe to interact with hardware (or FFI) but that's absolutely not the same thing.
> I have probably written the unsafe keyword several hundred times despite only having to use Rust professionally for a year.
If it's not a hyperbole, that's a very big smell IMHO, you probably should spend a little bit more time digging into how to write idiomatic rust (I've seen coworkers coming from C writing way too much unsafe for no reason because they just kept cramming their C patterns in their Rust code). Sometimes, unsafe is genuinely needed and should be used as a tool, but sometimes it's not and it's being abused due to lack of familiarity with the language. “Several hundreds times” really sounds like the latter.
Well said! Having a mental borrow checker running in background certainly helps a lot when coding in Zig. What also helps is that Zig safety checks generally catch lifetime bugs at runtime nicely. E.g., undefined memory is set to `0xAAAA`, which, if interpreted as a pointer, is guaranteed to be invalid, and fail loudly on dereference.
Having a well designed type system is a as addictive as sugar.
Also, Rust has a bunch of annoying warts but the borrowck ain't one of them (unless you're trying to write a linked list but it's not really something that happens IRL).
The funny thing is, in a language like Zig where memory allocation is explicit, linked lists are way more popular, just like they were in C. What happens IRL depends on your environment. :)
Linked lists are not popular in zig though. There are pages and pages of discussions about how linked lists are almost universally slower than an array. Zig devs are borderline obsessive about cache efficiency.
Linked lists are slower if you iterate over them fully, however, that's not the only use case. Removing something, while keeping things in order. That's an O(n) operation on vectors, unless you have some kind of fancy segmented structure. Adding might need an allocation, even ignoring the option of failure, that's an unpredictable delay. On the other hand, linked list insert is O(1) and has no allocation involved. These are the properties people use linked lists for.
Even if we set aside the performance consideration of using a linked list, if you have to re-implement a linked list, there's something wrong with your language ecosystem.
I strongly disagree. I can see why you would want to use Zig, especially if you absolutely need complete low level code and only care about pretty decent memory safety (which is valid in many scenarios). But if those don't apply Rust is much nicer.
Stuff like string manipulation is almost as painful as it is in C.
I strongly agree with your statement overall, but not in details.
Regarding string manipulation, Zig has slices and comptime-checked `printf`, so that makes string handling _massively_ more ergonomic than in C. But, yeah, managing the lifetime of the printf-ed is a pain in the back, and Rust is _massively_ more ergonomic there, if managing individual string allocations is what you want to do. (though one cool thing that Zig makes easy is comptime asserting that stack-allocated buffer has the right size for the given format string).
But, I do find Zig surprisingly ergonomic overall! For example, I have two Rust crate for writing glue code utilities, xflags (argument parsing) and xshell (shelling out). For TigerBeetle, I wrote equivalents:
What I found is that the Zig version is significantly easier to implement and to use, for me. In Rust, those domains require macros, but in Zig it's all comptime. And memory management is relatively easy --- flags live until the end of the program, shell is just using shell-scoped arena. I am contemplating rewriting my personal scripts at https://github.com/matklad/config/tree/master/tools/gg to Zig for that reason. Though, Zig not being 1.0 _is_ a problem in that context --- I touch my scripts only rarely, and I don't want to be on the hook for upgrades.
As far as I can tell, Zig's niche compared to Rust is to specifically cater to certain design patterns that C and C++ support, but other languages don't. E.g., anything that uses pointer manipulation for business logic.
I think it's more about low level control of allocation.
You can do "pointer manipulation" in safe Rust if you need to - anything that uses arena indices is basically that, e.g. petgraph.
The language wasn't really designed for it though so it isn't exactly integrated into the syntax.
But controlling allocation precisely is quite difficult in "normal" Rust.
Tbh I don't think it is actually that far away from Rust. It's aimed more at low level stuff, whereas Rust aims to do every level. It is more "trust me bro" than Rust's "no I'm going to check" safety. And comptime is pretty different to Rust's approach (arguably better).
But apart from that they seem to have very similar goals.
