> If you use a language in which buffer overruns can't occur, and will
> either trigger exception handling or abort the program, [...]
> So if simply by programming in a different language you can
> substantially reduce the severity of an entire class of bugs, why
> wouldn't you do it?
That's a question with multiple passably obvious answers, most of which
amount to "use of that language comes with other, unacceptable, costs".
Perhaps those costs are performance costs (such languages are usually
much heavier-weight); perhaps they're programmer time costs (learning a
new language or working around its deficiencies); perhaps they're
system redesign costs (maybe the target system has no implementation of
the language in question); perhaps they're licensing costs (for the
implementation or perhaps even the language); perhaps lots of things.
There are a few other answers; the first one that comes to mind is "for
this task I don't care about that class of bugs". I've written at
least a few programs for which I don't give a damn about possible
buffer overflow exploits.
> Anyone with enough experience will straight out admit that they can't
> for example manage mutable state with sufficient reliability, [...]
Sufficient reliability for what?
I've written lots of programs that manage mutable state with sufficient
reliability for the programs' design and use goals. (Perhaps I just
don't have enough experience. But, as someone with over 35 years of
programming experience, at least 30 years of which involved being paid
for programming or other work with a substantial programming component,
I find the bar ridiculously high if so.)
> Programming is *hard*, and debugging is even *harder*. If you can
> use a tool that doesn't help much, or a different tool that helps
> more, why would you want to stick with the less helpful tool?
See above - usually, the "more helpful" tool carries other costs.
> But here we are. Having to defend the idea that "simple mechanical
> checks of program properties"* are a bad idea [...]
I don't defend that idea. I do defend the idea that more compile-time
checking is not always good, that it has to be balanced against the
costs it brings. That's one reason most of my code these days is in C
(well, actually, a slight superset of C) rather than strict
bondage-and-discipline languages like Ada or Haskell.
/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse at rodents-montreal.org
/ \ Email!           7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
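The buffer-overrun point the quoted text raises, shown concretely in C. This is an added example, not code from either participant in the thread: an unchecked copy with no notion of the destination's capacity (the shape of the classic C bug) beside a bounds-checked copy that fails closed, which is the "abort or signal rather than corrupt memory" behaviour the quote attributes to checked languages. The function names, the 8-byte buffer size and the sample inputs are all constructed for the illustration.

```c
/* Added example (not from the original post). Contrasts an unchecked copy
 * with a bounds-checked one; BUF_SIZE, the function names and the sample
 * inputs are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 8

/* Unchecked copy, in the style of strcpy(): it has no way to know how big
 * dst is, so a src of BUF_SIZE bytes or more writes past the end of dst.
 * That write is undefined behaviour in C, which is exactly the silent memory
 * corruption the quoted text is talking about. Only ever call it here with
 * input that is known to fit. */
static void copy_unchecked(char *dst, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
}

/* Bounds-checked copy that fails closed. Returns 0 on success and -1 when
 * src plus its terminator does not fit in dst_size bytes; on failure dst is
 * left as an empty string rather than partially overwritten, so the caller
 * cannot accidentally use a truncated value. This is the check a
 * bounds-checked language performs for you on every access. */
static int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0)
        return -1;
    if (n >= dst_size) {        /* n + 1 bytes needed, n + 1 > dst_size */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);    /* includes the terminating NUL */
    return 0;
}

/* Returns 1 if src fits in a BUF_SIZE buffer and round-trips intact through
 * copy_checked(), 0 if the copy is rejected. */
static int copy_fits(const char *src)
{
    char buf[BUF_SIZE];
    if (copy_checked(buf, sizeof buf, src) != 0)
        return 0;
    return strcmp(buf, src) == 0;
}

/* Constructed sample inputs: two fit in 8 bytes (7 chars + NUL), two do not. */
static const char *const samples[] = {
    "ok",
    "1234567",
    "12345678",
    "far too long for an eight byte buffer",
};

/* Counts how many of the constructed samples the checked copy rejects. */
static int rejected_in_samples(void)
{
    int rejected = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (!copy_fits(samples[i]))
            rejected++;
    return rejected;
}

int main(void)
{
    char buf[BUF_SIZE];

    /* The unchecked copy is fine as long as the input happens to fit... */
    copy_unchecked(buf, "ok");
    printf("unchecked copy of \"ok\": \"%s\"\n", buf);

    /* ...while the checked copy gives a definite answer either way. */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = copy_checked(buf, sizeof buf, samples[i]);
        printf("%-40s -> %s\n", samples[i],
               rc == 0 ? "copied" : "rejected (would overrun)");
    }
    printf("%d of %zu samples rejected\n", rejected_in_samples(),
           sizeof samples / sizeof samples[0]);
    return 0;
}
```

The point of `copy_checked` leaving `dst` empty on failure is that a caller who ignores the return value still cannot pick up a half-copied string; a language with checked accesses makes that failure impossible to ignore by aborting or raising, which is the trade-off against cost and control the rest of the post is about.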