Statistics that support Rust's claims

Hi everyone,

In the lines of 6487, I am looking specifically for any metrics/statistics that justify rust’s safety mechanisms.

The language has been around for some time, it has stabilized and there are plenty of projects in Do we have any measure of improved software quality thanks to rust?

Thank you very much,

AFAIK we only have anecdotal evidence so far. Quality measurements across programming languages are really hard, because there’s no consensus what quality actually is, and metrics as 'defects per LoC` are hard to come by (besides the fact that those favor mature projects, of which there aren’t that many yet in Rust).

I think this would be an interesting thing to measure.

What kind of metrics or statistics would you find compelling?

@llogiq Sure, it is still very early for any serious conclusions to be drawn. I was thinking that maybe Mozilla or some other heavyweight projects (piston, glium) had some figures to share.

@BurntSushi I’m not really sure, maybe something like reduced number of reported bugs in a given period of time? If rust’s syntax mechanisms prevent faulty programs from even compiling that would otherwise become runtime bugs, I would expect rust projects to have less PRs than their counterparts. Quoting OpenBSD:

Only two remote holes in the default install, in a heck of a long time!

(it would say how long of a time in the early days, I believe).

For sure, quality metrics depend on too many factors to be easily produced. Still, having some empirical numbers would help in making informed rather than heart decisions.

I wonder if Coverity Scan’s C/C++ target could be coerced into scanning Rust projects?

It sounds hard. How do you choose comparable projects? :-/

Agreed. Even with two comparable projects a quality metric would be influenced by tooling, ecosystem, developers’ expertise, user base…

I feel that this leaves us with firefox before/after servo as the only project mature enough, big enough with a user base large enough to be worth looking at.

Is Mozilla totally commited to Rust already? How are they going to decide whether the language is worth it? I would love to see (yes, it’s hard, but wouldn’t it be cool?) something like: rust has changed our lives this and that way, hopefully with better performance and less (however you measure it) problems.

They do have some metrics: Firefox contains some newly-written Rust code that was replacing some battle-hardened C++ code. They ran both side-by-side for a while and found no errors in 1.000.000 executions.

Edit to clarify: That Rust code has seen some use in Servo, but was nowhere as much tested as the previous C++ solution at that time.


Anecdotal evidence that data could be collected:

heycam: it’s so rare that we get fuzz bugs in rust code
heycam: considering all the complex stuff we’re doing
*heycam remembers getting a bunch of fuzzer bugs from all kinds of style system stuff in gecko