site/blog/v-vaporware-2019-06-23.mark...

437 lines
15 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: V is for Vaporware
date: 2019-06-23
---
# V is for Vaporware
[V](http://vlang.io) is a programming language that has been hyped a lot. As it's
recently had its first alpha release, I figured it would be a good idea to step
through it and see if it lives up to the promises that the author has been
claiming for months.
The V website claims the following on the front page:
- The compiler compiles 1.2 million lines of code compiled per CPU core per second
- The resulting code is as fast as C
- Built-in serialization without runtime reflection
- Minimal amount of allocations
- Zero dependencies
- Requires only 0.4 MB of space to build
- Able to translate arbitrary C/C++ code to V and build it faster than C/C++
- Hot code reloading
- 2d/3d graphics support in the standard library
- Effortless cross-compilation
- A powerful built-in web framework
- The compiler generates direct machine code
As far as I can tell, all of the above features are either "work-in-progress"
or completely absent from the source repository.
## Speed
The author mentions that the compiler is fast, stating the following:
> Fast compilation
>
> V compiles ≈1.2 million lines of code per second per CPU core. (Intel
> i5-7500 @ 3.40GHz, SM0256L SSD, no optimization)
>
> Such speed is achieved by direct machine code generation [wip] and a strong
> modularity.
>
> V can also emit C, then the compilation speed drops to ≈100k lines/second/CPU.
>
> Direct machine code generation is at a very early stage. Right now only
> x64/Mach-O is supported. This means that for now emitting C has to be used. By
> the end of this year x64 generation should be stable enough.
This has a few pretty fantastic claims. Let's see if they can be replicated.
Creating a 1.2 million line of code file should be pretty easy:
```
-- lua
print "fn main() {"
for i = 0, 1200000, 1
do
print "println('hello, world ')"
end
print "}"
```
Then let's run this script to generate the 1.2 million lines of code:
```
$ time lua5.3 ./gencode.lua > 1point2mil.v
4.29 real 0.83 user 3.27 sys
```
And compile the resulting file:
```
$ time v 1point2mil.v
pass=2 fn=`main`
panic: 1point2mil.v:50003
more than 50 000 statements in function `main`
2.43 real 2.13 user 0.15 sys
```
Oh boy. It's also worth noting that it was more than 2 seconds to only compile
50,000 lines of code on my Core m7 12" MacBook.
## No Dependencies
V claims to have zero dependencies. Again quoting from the website:
> 400 KB compiler with zero [wip] dependencies
>
> The entire language and its standard library are less than 400 KB. V is written
> in V, and you can build it in 0.4 seconds.
>
> (By the end of this year this number will drop to ≈0.15 seconds.)
...
> Right now the V compiler does have one dependency: a C compiler. But it's
> needed to bootstrap the language anyway, and if you are doing development,
> chances are you already have a C compiler installed.
>
> It's a small dependency, and it's not going to be needed once x64 generation
> is mature enough.
AMD64 is not the only CPU architecture that exists, but okay I'll take that you
are only targeting the most common one.
Digging through the [readme](https://github.com/vlang/v/blob/8b08bf636acfba5af7f10e2bd0a646aaa71c16f5/README.md),
its graphics library and HTTP support require some dependencies:
> In order to build Tetris and anything else using the graphics module, you will need to install glfw and freetype.
>
> If you plan to use the http package, you also need to install libcurl.
>
> glfw and libcurl dependencies will be removed soon.
>
> Ubuntu:
> sudo apt install glfw libglfw3-dev libfreetype6-dev libcurl3-dev
>
> macOS:
> brew install glfw freetype curl
I'm sorry, but this combined with the explicit dependency on a C compiler means
that V has dependencies. Now, breaking the grammar down pretty literally it says
the _compiler_ has zero dependencies. Let's see what `ldd` says about the compiler
when built on Linux:
```
$ ldd v
linux-vdso.so.1 (0x00007ffc0f02e000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f356c6cc000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f356c2db000)
/lib64/ld-linux-x86-64.so.2 (0x00007f356cb25000)
```
So the compiler with "zero dependencies" is a _dynamically linked binary_ with
dependencies on libpthread and libc (the other two are glibc-specific).
Also of note, I had to modify the [Makefile](https://github.com/vlang/v/blob/master/compiler/Makefile)
in order to get it to build on Linux without segfaulting every time it tried
to compile code:
```
$ git diff
diff --git a/compiler/Makefile b/compiler/Makefile
index e29d30d..353824d 100644
--- a/compiler/Makefile
+++ b/compiler/Makefile
@@ -4,7 +4,7 @@ v: vc
./vc -o v .
vc: v.c
- cc -std=c11 -w -o vc v.c
+ clang -Dlinux -std=c11 -w -o vc v.c
v.c:
wget https://vlang.io/v.c
```
Otherwise it would segfault every time I tried to run it with:
```
$ ./v --help
fish: “./v --help” terminated by signal SIGSEGV (Address boundary error)
```
Before I added the `-Dlinux` flag, it also failed compile with the following
error:
```
$ make
clang -std=c11 -w -o vc v.c
./vc -o v .
cc: error: unrecognized command line option -mmacosx-version-min=10.7
V panic: clang error
Makefile:4: recipe for target 'v' failed
make: *** [v] Error 1
```
Implying that the compiler was _falsely detecting Linux as macOS_.
## Memory Safety
V claims to be memory-safe:
> Memory management
>
> There's no garbage collection or reference counting. V cleans up what it can
> during compilation.
So I made a simple "hello world" program:
```
fn main() {
println('hello world!') // V only supports single quoted strings
}
```
and built it on my Linux box with valgrind installed. Surely a "hello world"
program has no good reason to leak memory, right?
```
$ time v hello.v
0.02user 0.00system 0:00.32elapsed 9%CPU (0avgtext+0avgdata 6196maxresident)k
0inputs+104outputs (0major+1162minor)pagefaults 0swaps
$ valgrind ./hello
==5860== Memcheck, a memory error detector
==5860== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==5860== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==5860== Command: ./hello
==5860==
hello, world
==5860==
==5860== HEAP SUMMARY:
==5860== in use at exit: 1,000 bytes in 1 blocks
==5860== total heap usage: 2 allocs, 1 frees, 2,024 bytes allocated
==5860==
==5860== LEAK SUMMARY:
==5860== definitely lost: 0 bytes in 0 blocks
==5860== indirectly lost: 0 bytes in 0 blocks
==5860== possibly lost: 0 bytes in 0 blocks
==5860== still reachable: 1,000 bytes in 1 blocks
==5860== suppressed: 0 bytes in 0 blocks
==5860== Rerun with --leak-check=full to see details of leaked memory
==5860==
==5860== For counts of detected and suppressed errors, rerun with: -v
==5860== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
```
Looking at the [generated C code](https://gist.github.com/Xe/1afdd4c7e7c9cfa23d1aa87194ee5190#file-hello-c-L3698-L3705)
it's plainly obvious to see this memory leak. `init_consts` creates a 1000 byte
allocation and never frees it. This is a memory leak that is unavoidable in
any program compiled with V. This is potentially confusing for people who are
trying to debug memory leaks in their V code. They will always be off by 1
allocation and 1000 bytes leaked without an easy way to tell why that is the
case. The compiler itself also leaks memory:
```
$ valgrind v hello.v
==9096== Memcheck, a memory error detector
==9096== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==9096== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==9096== Command: v hello.v
==9096==
==9096==
==9096== HEAP SUMMARY:
==9096== in use at exit: 3,861,785 bytes in 24,843 blocks
==9096== total heap usage: 25,588 allocs, 745 frees, 4,286,917 bytes allocated
==9096==
==9096== LEAK SUMMARY:
==9096== definitely lost: 778,354 bytes in 18,773 blocks
==9096== indirectly lost: 3,077,104 bytes in 6,020 blocks
==9096== possibly lost: 0 bytes in 0 blocks
==9096== still reachable: 6,327 bytes in 50 blocks
==9096== suppressed: 0 bytes in 0 blocks
==9096== Rerun with --leak-check=full to see details of leaked memory
==9096==
==9096== For counts of detected and suppressed errors, rerun with: -v
==9096== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
```
## Space Required to Build
V also claims to only require 400-ish kilobytes of disk space to build itself.
Let's test this claim with a minimal Dockerfile:
```
FROM xena/alpine
RUN apk --no-cache add build-base libexecinfo-dev clang git \
&& git clone https://github.com/vlang/v /root/code/v \
&& cd /root/code/v/compiler \
&& wget https://vlang.io/v.c \
&& clang -Dlinux -std=c11 -w -o vc v.c \
&& ./vc -o v . \
&& du -sh /root/code/v /root/.vlang0.0.12 \
&& apk del clang
```
Except it doesn't build on Alpine:
```
/usr/bin/ld: /tmp/v-c9fb07.o: in function `os__print_backtrace':
v.c:(.text+0x84d9): undefined reference to `backtrace'
/usr/bin/ld: v.c:(.text+0x8514): undefined reference to `backtrace_symbols_fd'
clang-8: error: linker command failed with exit code 1 (use -v to see invocation)
```
It looks like `backtrace()` is a glibc-specific addon. Let's link against
[`libexecinfo`](https://www.freshports.org/devel/libexecinfo) to fix this:
```
&& clang -Dlinux -lexecinfo -std=c11 -w -o vc v.c \
```
```
Cloning into '/root/code/v'...
Connecting to vlang.io (3.91.188.13:443)
v.c 100% |********************************| 310k 0:00:00 ETA
Segmentation fault (core dumped)
```
Annoying, but we can adjust to Ubuntu fairly easily:
```
FROM ubuntu:latest
RUN apt update \
&& apt -y install wget build-essential clang git \
&& git clone https://github.com/vlang/v /root/code/v \
&& cd /root/code/v/compiler \
&& wget https://vlang.io/v.c \
&& clang -Dlinux -std=c11 -w -o vc v.c \
&& ./vc -o v . \
&& du -sh /root/code/v /root/.vlang0.0.12 \
&& apt -y remove clang
```
As of the time of writing this article, the image `ubuntu:latest` has an
uncompressed size of `64.2MB`. If the V compiler only requires 400 KB to build
like it claims, the resulting image size for this Dockerfile should be around
65 MB at worst, right?
the resulting `du` command should show 400 KB in total, right?
```
3.4M /root/code/v
304K /root/.vlang0.0.12
```
3.7 MB. That means the 400 KB claim is either a lie or "work-in-progress".
Coincidentally, the compiler uses about as much disk space as it leaks during
the compilation of "Hello, world".
## HTTP Module
V has a [http module](https://github.com/vlang/v/tree/master/http). It leaves a
lot to be desired. My favorite part is the implementation of [`download_file` on macOS](https://github.com/vlang/v/blob/master/http/download_mac.v#L60-L67):
```
fn download_file(url, out string) {
// println('\nDOWNLOAD FILE $out url=$url')
// -L follow redirects
// println('curl -L -o "$out" "$url"')
os.system2('curl -s -L -o "$out" "$url"')
// res := os.system('curl -s -L -o "$out" "$url"')
// println(res)
}
```
This has no error checking (the function `os.system2` returns the exit code of
curl) and it _shells out to curl instead of using libcurl_.
[Other parts of the http module use libcurl](https://github.com/vlang/v/blob/master/http/http_mac.v#L79-L191)
correctly (though the HTTP status code, headers and other important metadata
are not returned). There is also no support for overriding the HTTP transport,
setting a custom TLS configuration or many other basic features that
_libcurl provides for free_.
I wasn't expecting it to have HTTP support out of the box, but even then I still
feel disappointed.
## Random Number Generation
Randomness is important for programming languages to get right. Here is how V
implements randomness:
```
module rand
#include <time.h>
// #include <stdlib.h>
fn seed() {
# time_t t;
# srand((unsigned) time(&t));
}
fn next(max int) int {
# return rand() % max;
return 0
}
```
I mean I guess this is technically a valid implementation of randomness, but
this is how you get security vulnerabilities because people
[thought random values were random](https://www.rapid7.com/db/vulnerabilities/openssl-debian-weak-keys).
A correct implementation is commented out. Yay.
## Suggestions for Improvement
I would like to see V be a tool for productive development. I can't see it doing
that in the near future though. I would like to suggest the following to the V
developer in order for them to be able to improve in the future:
Firstly, do not make claims about disk space, speed or dependencies without
explaining what you mean by that _in detail_.
Do not shell out to arbitrary commands in the standard library for any reason.
If an attacker can somehow run code on a server with a V binary that uses the
`download_file` function, they can replace `curl` with a malicious binary that
is able to do anything the attacker wants. This feels like a huge vulnerability,
especially given that the playground allows you to run this function.
AMD64 is not the only processor architecture that exists. It's nice that you're
supporting it, but this means that any program compiled with V will be stuck on
that architecture. This also means that V cannot currently be used for systems
programming like building a system-level package manager.
Do not leak memory in "Hello world". You could solve the 1000 kilobyte leak by
adding the following generated C code and calling it after the user-written
main() function:
```
void destroy_consts() { free(g_str_buf); }
```
If you claim your compiler can support 1.2 million lines of code, do not make it
have a limit of 50,000 statements in one function. Yes it is somewhat crazy to
have 1.2 million statements in a single function, but as a compiler author it's
generally not your position to make these kinds of judgments. If the user wants
to have 1.2 million statements in a function, let them.
Do not give code examples for libraries that you have not released. This means
don't show anything about the "built-in web framework" until you have code to
back your claim. If there is no code to back it up, you have backed yourself
into a corner where you are looking like you are lying. I would have loved to
benchmark V's web framework against Nim's Jester and Go's net/http, but I can't.
Please fix the implementation of randomness. Holy crap that is a billion
security bugs waiting to happen.
Thanks for reading this far. I hope this feedback can help make V a productive
tool for programming. It's a shame it seems to have been hyped so much for
comparatively so little as a result. The developer has been hyping and selling
this language like it's the new sliced bread. It is not. This is a very alpha
product. I bet you could use it for productive development as is if you really
stuck your head into it, but as it stands I recommend against using it for
anything.