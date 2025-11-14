Google has been using Rust in Android more and more for its memory safety characteristics, and the results on that front were quite positive. It turns out, however, that not only does using Rust reduce the number memory safety issues, it’s also apparently a lot faster to code in Rust than C or C++.
We adopted Rust for its security and are seeing a 1000x reduction in memory safety vulnerability density compared to Android’s C and C++ code. But the biggest surprise was Rust’s impact on software delivery. With Rust changes having a 4x lower rollback rate and spending 25% less time in code review, the safer path is now also the faster one.↫ Jeff Vander Stoep at the Google Security Blog
When you think about it, it actually makes sense. If you have fewer errors of a certain type, you’ll spend less time fixing those issues, time which you can then spend developing new code. Of course, it’s not that simple and there’s a ton more factors to consider, but on a base level, it definitely makes sense. Spellcheck in word processors means you have to spend less time detecting and fixing spelling errors, so you have more time to spend on actually writing.
I’m sure we’ll all be very civil about this, and nobody will be weird about Rust at all.
While I do think that some time is saved on fixing memory-related bugs, I do not think that is the primary driver of the increased productivity.
Rust is a modern language that feels familiar coming from other modern languages like Kotlin or Swift. It is much more expressive, allowing you to say more in fewer lines. I’m sure an argument can be made for the latest C++ on the basis of it bolting on some of these features onto an ever-increasing pile of features, but I would still take almost any language over C++ any day (and I used to write C++ for Microsoft).
C is respectable, of course, but it is very low level compared to Rust, so obviously it takes more time to write it.
Programs written in Rust have equivalent (or even better, due to the lack of harmful Undefined Behavior baked into the language) performance to C/C++. There’s no magic in compilers. If someone thinks that if they write code like “x++” or “++x” and the compiler will translate it directly to “inc eax” (and that it would make a difference in the final assembly code), then their knowledge about compilers is based on last century practices.
Yes, that used to be the case in the ’90s, but now it’s far from reality. Modern compilers operate on SSA (Static Single Assignment), and C/C++/Rust/whatever code is translated into the same Intermediate Representation for any of these languages. In modern compilers, the “x++” can even be eliminated completely.
Then multiple transformation and optimization passes are performed on multiple levels of IR until the compiler emits assembly code for a specific CPU architecture and model in the very final phases of translation. If low or mid-level optimization works in C, then it will also work in C++ and Rust, as these optimizations are not tied to the language.
C and C++ depend on the same horrible and severely outdated concepts, such as Undefined Behavior. If you wrote “int x = 0; if(y) x = 1; else x = 2” compilers from 30 years ago could generate different code depending on whether the x=0 initialization was there or not. Modern compilers will completely eliminate the x=0 initialization (by virtue of SSA and Dead Code Elimination). Rust requires developers to initialize x 100% of the time, while C and C++ allow horrible code, where code paths exist that leave “x” uninitialized. This was considered “optimization” in the last century, but not anymore. Concepts still defended by C/C++ are now harmful; they depend on assumptions of tooling from 1980, not 2025.
C/C++ assumes that all developers are Formula 1 drivers and don’t need seatbelts, ABS or ESP, and developers must take care of security and safety. In reality, 100% of developers are far from perfect and are prone to accidents, that’s why seatbelts are required in cars. If you really need to take the seatbelt off in Rust, you have to write an unsafe block, which explicitly states that the author of such code should be held fully accountable if that code causes a CVE that compromises security.
So what if you save one or two assembly instructions in purely theoretical, “yeti-like” code? The code will not execute faster in a significant manner; however, everyone else pays billions of dollars per year due to the cost of these harmful pseudo-optimizations, like uninitialized memory or out-of-bounds access.
Until C/C++ proponents decide to modernize the language itself to prioritize modern problems, not problems of the last century, C/C++ will become COBOL-ized, and all innovation will be done in memory-safe languages like Rust. Legacy code will not die, but it will be put into maintenance mode.
Out-of-bounds accesses or other memory safety issues must remain in the past and be merely a historical footnote. Nobody learns intricacies of punch card readers anymore; this must be the same for memory safety issues. Arguments that developers must experience a SIGSEGV because of a stack overwrite are harmful and invalid. No architect will learn to use garbage materials or unsafe design methods by experiencing the killing of everyone inside a building they designed.
kangseong,
We can agree that syntax is irrelevant to the generated binary code and doesn’t matter to performance. Although the assumptions and semantics specified by the language behind the syntax can have a performance impact. Pointer aliases come to mind. Despite C’s reputation for performance, Fortran’s no alias assumption leads to better optimization than C does by default.
https://www.jucs.org/jucs_9_3/alias_verification_for_fortran/Nguyen_T_V_N.pdf
https://developers.redhat.com/blog/2020/06/02/the-joys-and-perils-of-c-and-c-aliasing-part-1
C string processing is deficient due to the nature of C strings forcing a sequential byte scan whereas most other languages have strings with explicit lengths. Knowing the length ahead of time lets compilers use faster memcpy functions that can process several bytes in parallel. Of course C++ offers modern string abstractions, but there are mountains of C code still using slower algorithms.
When it comes to compilers, C may have an advantage at the moment. I think the GNU compiler comes out ahead of the LLVM compiler used by rust. Intel’s C compiler is even better than GCC at auto-vectorization. Of course this is about compiler implementation and nothing specific about the language. If ICC supported rust, that could outperform GCC as well.
I agree. Undefined behavior is one of the biggest sins of C/C++.
Perhaps you can look at it this way, although I’m hesitant to use this metaphor because it promotes a misleading idea that safe=slow and unsafe=fast. The primary reason to use unsafe code in practice is to interface with unsafe languages, not to improve performance.
Many C fans routinely dismiss the costs of C’s faults, but we keep finding them everywhere. The next video is tangential to our discussion, but it acts as yet another example of a major C code base (ffmpeg) with faulty code.
https://www.youtube.com/watch?v=fxtnI407djY
“why everyone is mad at google”
I don’t blame the ffmpeg author any more than anyone else for the faults in C code, it’s an industry-wide problem. I think it’s going to keep happening as long as we stick with unsafe languages.
Punch cards were typically used with high level programming languages like fortran/algol/cobol/simula. Despite being older and obviously hard to input, arguably these punchcard languages were safer than the C language. For better or worse, C and unix became conjoined and would rise together.. I view unix as a very positive contribution but C would end up subjecting the world to so many faults that I think it was a mistake. Still, it’s far easier to say this in hindsight. It’s hard to fault them for not knowing better at the dawn of computing.