Ask HN: Memory-safe low level languages?

Check out Nim. I'm using it to build an x86-64 kernel¹ (Fusion OS), and it satisfies a lot of the low-level system programming requirements with an elegant and expressive syntax. For memory management you can choose between ARC/ORC and/or manual. It has two downsides though: small community, and the BDFL can sometimes be rough to interact with.

¹https://0xc0ffee.netlify.app/osdev

I, too, have been looking for a unicorn systems programming language, but it doesn't exit yet. Here's what I looked at so far (only languages that don't rely on a GC):

- C: lots of UB, less safe (memory- and type-wise)

- C++: too complex, not a big fan of OO

- Rust: too complex, gets in the way when writing mostly unsafe kernel code

- Zig: Good, but syntax is too noisy; lacks interfaces/dynamic dispatch

- Swift: Doesn't have a good bare metal story

- D: Seems interesting, I may be looking at it (although need to use betterC mode, i.e. not all language features)

- Odin: Game programming focused, small but growing community

- Ada: Strong candidate, but it has too much ceremony

- Pony: I like the capabilities model, but tiny community

- Hare: Also tiny community, lacks polymorphism

- Hylo (Val): Experimental (mutable value semantics), too immature

- Vale: Experimental (regional memory management), seems stalled

- V: Good candidate, but mixed reviews on its claims vs. reality

- Austral: Experimental (linear types), tiny community, not much progress

- Jakt: Built for Serenity OS, not sure if it's getting enough attention

- Jai: Focused on game programming, good reviews, but currently closed source (beta)

- Mojo: (Python-like) Seems very interesting and I'd give it a try, but too focused on GPU/parallel programming; also too early for adoption

az09mugen · 4 months ago

Thanks a lot for that list ! It matches pretty much what I imagined.

On a side note and coming from high-level languages, D is the easiest to learn IMHO, as it is very dev-friendly, mature enough and has a good interoperability with C libraries.

I considered for a long time nim for its syntax and "low-levelness", but my lack of knowledge in low-level languages made the learning curve too much steep for me. I think I'll switch to it when I'll have more experience.

V [0] aims for something along those lines, but I've had a few issues with the safety aspects of the language. Breaking through the checker isn't that difficult.

I absolutely adore Ada [1], but the Pascal-syntax isn't for everyone.

I haven't used it yet, but have been hearing rumblings about Odin [2] a fair bit in these kinds of discussions. I tend to avoid too many symbol-heavy langs, but it's probably still less than Rust (I use a screenreader half the time).

[0] https://vlang.io/

[1] https://ada-lang.io/

[2] https://odin-lang.org/

arp242 · 4 months ago

I just so happened to use Odin a bit this week, and I hit several different problems: two compiler bugs and a stdlib bug. I'm not having a go at the Odin people, just pointing out it's very much an "in development" language with some fairly sharp edges.

baranul · 4 months ago

That's going to be the case with any of these languages which are still in beta (Zig, Odin, Jai, Vlang, C3, etc...).

Not saying you in particular, but it's weird, how too many won't tolerate running into some problems when they knowingly chose something still in beta. "Oh my, there was an issue with the beta software I'm using".

Maybe why JBlow refuses to release his beta to the public. Actually, it can be a good thing for the language, by people filing bug reports (so they can get fixed) or to do a PR (if they are at that level). That way, the language has more vetting, from more eyes on it.

n42 · 4 months ago

I see so much controversy every time V comes up; can someone explain why, without devolving into name calling and personal attacks? What specific design choices or implementation details are contentious, and what legitimate concerns exist beyond interpersonal conflicts?

andrewflnr · 4 months ago

Having only watched the discussion: The main problem seems to be grossly inflated claims about its capabilities. As in, the docs say it already does X Y and Z, and when you try them they plainly don't work. And then the creator starts with the personal attacks when you point this out.

detaro · 4 months ago

When it launched it proudly claimed to do a lot of things, some of which most people would consider still open research questions. Unsurprisingly, it didn't actually do these things or have a concrete plan of achieving them, and they didn't handle people pointing that out very well. Some other language developers were unhappy about the support V gathered based on these claims vs languages that were further along but honest about what they actually had.

(I have no idea what the current state is)

shakna · 4 months ago

V... Overpromised, and underdelivered, on what it could do. Promised complete Type Safety, before the type checker was even implemented, for example.

As for concerns... The main developer is a concern. Hard to trust them to support the language well, with some of the... Well, tantrums. This isn't aimed at a personal attack. But it is very hard to describe their responses in another manner.

This [0] thread on HN covers some of all of the above.

But, probably also important to point out that V and its drama have had dang threaten to ban the topic altogether [1]. There's a lot of drama.

[0] https://news.ycombinator.com/item?id=39492680

[1] https://news.ycombinator.com/item?id=37335249

mirashii · 4 months ago

https://news.ycombinator.com/item?id=39492680

See this article and the discussions, and if you’re so inclined follow along links in that thread from last time that show folks from the vlang team flaming all over HN.

baranul · 4 months ago

Most of it looks like unprofessionalism among language creators, throwing haymakers at a competitor. Of course languages have significant technical differences, but that also pertains to their different goals, purposes, and users.

hyperbrainer · 4 months ago

V looks exactly like one of the languages I was talking about. Some controversy about the project, it seems like, but very cool nonetheless. Even if it doesn't actually work like described, the description seems quite interesting.

> But I've had a few issues with the safety aspects of the language. Breaking through the checker isn't that difficult.

What do you mean? Can you "break through the checker" outside of unsafe blocks?

shakna · 4 months ago

Its... Buggy. For example, fmt can currently break mutable handles. [0] Or you can modify immutable structures [1].

But there was a time where autofree was just a compiler flag and wasn't actually implemented, even though the author claimed that it was.

[0] https://github.com/vlang/v/issues/24271

[1] https://github.com/vlang/v/issues/23509

square_usual · 4 months ago

At least as of 2024 [1], V relies heavily on a GC for memory management, so I wouldn't really call it low-level.

[1]: https://justinas.org/the-bizarre-world-of-v#memory-unmanagem...

baranul · 4 months ago

V's GC can be turned off. V's libraries do not rely on the GC. Check out their Vinix[0] project (where they built an OS). They have other such projects.

Better to review more balanced and neutral takes on V[1][2], where the reviewers are not just stirring up drama with their community or funneling traffic to their site.

[0] https://github.com/vlang/vinix

[1] https://www.youtube.com/watch?v=puy77WfM1Tg (Anthony GG reviews Vlang)

[2] https://www.youtube.com/watch?v=dmVKerNY-fQ (Mike Shah reviews Vlang)

Dead Comment

khaledh · 4 months ago

codr7 · 4 months ago

There have several attempts at cleaning up C without giving up too much of its simplicity; from what I can see, Zig is the only one even close to reaching critical mass.

A programming language is always going to make some kind of compromise; better at some things, worse at others.

Simplicity/power and safety pull the design in different directions.

nielsbot · 4 months ago

Related, Apple has a safer C variant they use to build firmware:

https://saaramar.github.io/iBoot_firebloom/

chrisrodrigue · 4 months ago

Zig hits on a lot of Zen of Python.

> Beautiful is better than ugly.

> Explicit is better than implicit.

> Simple is better than complex.

> Readability counts.

What really sets Zig apart from the usual suspects (C, C++, Rust) is that it has first class compile-time reflection capabilities built into the language (comptime, @field, @typeInfo, etc.) rather than bolted on as macros or templates.

90s_dev · 4 months ago

> Python

Funny you make that analogy. I remember back when the two contending C alternatives were Zig and Nim, with Nim being syntactically almost a Python clone.

It seems Nim has gone the way of Crystal (Ruby version of Nim) and is just kind of there but mostly forgotten and doomed to be abandoned unless it finds a niche.

> What sets Zig apart is compile-time

I see this claim a lot, but I'm not sure. I think it's the fact that Zig is more or less still C syntax and semantics, just... fixed. The way it does comptime does seem better than how other languages do it, but I haven't actually used it, much less for long enough to judge it properly.

I don't mind the language having substantially worse "something" as long as it can be a smaller alternative for Rust, for the lack of a better word. Of course, there always needs to be some compromise. I don't mind that. I just have two requirements, and am curious to see how people have tackled that problem.

Sure, and I'm just as curious.

But at the same time, I'm pretty sure that smaller/simpler is going to mean less safe.

tiffanyh · 4 months ago

SPARK (Ada) is about as memory-safe as it gets.

https://github.com/AdaCore/spark2014

andsoitis · 4 months ago

I was also going to suggest Spark https://www.adacore.com/sparkpro

There's also this paper, "Memory Safety in Ada, SPARK, and Rust"

https://www.adacore.com/papers/memory-safety-in-ada-spark-an...

I’ve always found the table comparison (Rust/Ada/SPARK) from that same source to be very informative:

https://blog.adacore.com/should-i-choose-ada-spark-or-rust-o...

F-star, which was used to build a verified TLS implementation. https://fstar-lang.org/ Though I guess that's actually on the far side of Rust relative to what you're looking for.

The full language is indeed even further ahead of Rust on the spectrum I am looking at, but this seems like a cool effort. I love proof-based languages and dependent types, so this is an absolute win.

What intrigues me quite a bit relative to the main topic of the HN thread is Low[0]

> Low

is not only a language subset, but also a set of F* libraries that model a curated set of C features: the C memory model, stack- and heap-allocated arrays, machine integers, C string literals, and a few system-level functions from the C standard library. Writing in Low, the programmer enjoys the full power of F for proofs and specifications. At compile-time, proofs are erased, leaving only the low-level code to be compiled to C. In short: the code is low-level, but the verification is not.

[0] https://fstarlang.github.io/lowstar/html/Introduction.html#t...

thih9 · 4 months ago

(link from the description, clickable)

https://austral-lang.org/

> Austral is a new systems programming language. It uses linear types to provide memory safety and capability-secure code, and is designed to be simple enough to be understood by a single person, with a focus on readability, maintainbility, and modularity.

fpoling · 4 months ago

Austral GitHub has not received any significant updates for the last two years so I suppose the language development stopped.

efficax · 4 months ago

https://dlang.org/articles/safed.html check out the safed subset of the D language

Unfortunately, it seems to use a GC for the safety, which makes it unsuitable for a variety of tasks in the systems programming domain. Seems to me like an alternative to Go more than Rust or C or Zig

skavi · 4 months ago

D has a “BetterC” subset that depends only on a C runtime. Presumably there is some overlap with the “SafeD” subset.

Curious if there are any D users here who try to stay within that intersection?

rurban · 4 months ago

On the contrary GC is very suitable to systems programming.

The bigger problem is guaranteeing concurrency safety, which you can only provide with nonblocking IO. Everybody loves blocks though, so that's far away.

ksec · 4 months ago

>it seems to use a GC for the safety, which makes it unsuitable for a variety of tasks in the systems programming domain.

That depends. It is really a Hard NO for GC?

Crystal is low level enough with a GC and people have written a complete OS with it. On my mobile now so I can't provide link. But it was featured on HN a while ago.

fithisux · 4 months ago

I second that

sn9 · 4 months ago

You might try OCaml [0] or SML [1] if you want speed, memory safety, and an expressive type system.

[0] https://ocaml.github.io/ocamlunix/index.html

[1] https://matt.might.net/articles/best-programming-languages/#...