Sanitizers, like:
address sanitizer (ASAN);
undefined behavior sanitizer (UBSAN)
etc.
are frequently used during development and testing.
Are these tools used in released software?
Depends on your goals. Sanitizer developers suggest not to use them for production hardening (i.e. protecting against attacks) because instrumentation may enable different types of attacks. On the other hand they do recommend to occasionally run them in real workloads for detecting last 1% of bugs in released software (which e.g. only repro under heavy load).
Related
I am sure after WebAssembly Post-MVP, asm.js will be deprecated. Even now, a few existing asm.js projects already start to use WebAssembly. JS engine (V8) also starts to comiple asm.js to WebAssembly, so even if old projects never migrate, end-users will still get partial advantages from WebAssembly.
My question is, what about native-client then? It is not implemented in JS engine so that can be a problem. Native-client seems to be deprecated even now. Will native-client be completely removed from Chrome in foreseeable future? I would love to see some reduction in binary size of Chrome.
Side questions:
After thread/gc/simd/exception are included in WebAssembly, is there still something native-client has but missing in WebAssembly (blocking migration)?
It took WebAssembly about 2 years just to reach MVP, what is the expected time for any one of the Post-MVP to get finalized?
It seems like WebAssembly group is tackling multiple Post-MVP features at once instead of one by one, won't that make it slower to finalize one of them?
Answering the side-questions only, because I no longer work on Native Client. Google's plans are its own to speak for, so I'll make this a wiki.
Update as of 2017/05/20 NaCl isn't in glibc. This was the original libc which was supported, and took quite a while to clean up and upstream. It was only ever supported by NaCl's GCC toolchain. There's still support for musl libc, which works with the more up-to-date LLVM-based NaCl and PNaCl toolchain.
Update as of 2017/05/30 the Chromium team announced the fate of PNaCl and tentative roadmap of WebAssembly features.
Here are some Native Client features which you haven't mentioned:
Out-of-process, which many consider a bug because it forces asynchronous communication. It allows guaranteed address space, which with 64-bit isn't much of an upside, and was critical to Native Client's double-sandbox design. WebAssembly doesn't have processes yet.
Has blocking to and from the JavaScript event loop, through postMessageAndAwaitResponse. Also seen as a bug by many.
Has many APIs through Pepper. Many mirror the web platform's APIs.
Can do memory protection through mprotect (though execute pages are limited).
POSIX signals can be handled.
Supports computed goto and other irreducible control flow.
Has some Just-in-Time code patching support.
Supports weaker than seq_cst atomics.
Has support for inline assembly, as long as it follows the NaCl validation rules.
Not all of these are in Portable Native Client, though. There's official documentation of differences.
There's no timeline for any of the post-MVP WebAssembly features. We don't want to rush anything, but we want to deliver one the most useful things first. It's a community group, so priorities are really driven by whoever gets involved. Implementations won't be able to tackle features all at once, but exploration parallelizes well.
I'm looking for a development platform (language and set of libraries) that will allow me to develop a personal project. (In case anyone is curious, I'm looking at making a music library manager, similar to iTunes, that can work on multiple platforms and sync with Android devices).
I want the language to have the following characteristics:
Essential
The program must run flawlessly, with no (or very little) code changes on Mac, Linux, and Windows. That means, notably, that I need to have a cross-platform GUI framework, a consistent API for accessing files and directories, and a consistent interface for talking to USB storage devices
Important
A language that is easy to use, powerful, and expressive. Big standard libraries with a lot of built-in functionality. (I'd probably use C#/.NET but the portability isn't great)
Nice to have
Good tool support (on Linux if possible, but I'll do my development on Windows if needs be)
Not Java. (I have used it and just don't like it - I'm not interested in getting into a language war here).
Please help me choose a language!
Python
Cross platform GUI: more than one option, I'd use WxPython, but Qt bindings are also available (comparison between wxWidgets and Qt).
File System API: this gets into the os package, but there are also convenience methods for just dealing with I/O.
USB I/O: I confess to not having any knowledge here, but suspect if you're talking storage that Python will be able to read and write using its IO package.
Libraries, Ease of Use, etc..: there's a lot built in, but also a huge number of add-ons (called "packages"). Some of the most notable are SciPy and NumPy, used for scientific and numerical analysis.
Tooling: there are a number of IDEs out there, I use PyDev (but it's Eclipse based so you probably won't like it if you don't like Java).
Finally, Python is supported on Android via its scripting environment.
For cross platform GUI, you can explore QT. The back-end can be on c.
Have you explored anything so far?
Qt quick ?
Simple question, I want to know is Java free (especially for web development). Later on if I've build a large website, will the servers, databases cost me much like in .net for example?
Cheers.
Java is free. Check licences of frameworks you're using, but you shouldn't worry about that since most of them are free.
Servers (physical) will, of course, cost you.
There are free application servers like Glassfish and JBoss.
There are free databases like mySQL and PostgreSQL.
So, you can get away with everything being free except hardware and, possibly, hosting of your web app.
Yes and no - depending on how big your site gets, you may be required to invest more money into better servers/databases.
It's not really something that can just be answered, without looking into the future.
Update, as of 2021
Be sure to read the document prepared by pillars of the Java community, Java is Still Free. This document provides a short overview as well as a longer section with all the gory details.
Understand that Java is a set of specifications, not a product.
Java Language and Virtual Machine Specifications
JEPs and JSRs
Many vendors provide binaries or installers for an implementation of Java. Nowadays, all of those implementations are based largely or entirely on the OpenJDK project. Participants including Oracle, IBM, SAP, Apple, Azul Systems, and more have banded together to pool their best technologies for implementing Java as open-source free-of-cost.
The OpenJDK project provides only source-code. Various vendors build that source code to provide binaries or installers for you and me to conveniently put Java on our computers. Some of their distributions of Java are available free-of-cost, and some are commercial with paid support. Some are general-purpose JVMs, and some are special-purpose. Some are a basic JDK and some have bundled extras.
Here is a diagram I made to help you in choosing a vendor for a Java implementation.
And some considerations to think about when choosing a vendor.
When a new version of a framework or language appears (e.g. .NET 3.5, SQL2008), what approach do people take to when to adopt/upgrade?
Generally developers will say as soon as possible (they want it on their CV and from a management perspective giving them what they want provides a motivation boost) but commercially there is often little incentive (few clients demand the latest version) and from a cost perspective (retest, training) there is often a disincentive.
I'm particularly thinking of "on-going" systems and projects (such as in a software house) which exist and evolve over years where taking the "new projects use the new technology" approach doesn't work.
Are people driven by specific requirements (the need to use a new feature, a potential or existing client demanding support for it), do they formally assess it (in which case what are the criteria) or do they upgrade as a matter of routine (in which case when - leading edge vs. bleeding edge)?
Do people think that not being on the latest version of something should be considered technical debt and managed as such?
Or is "if it ain't broke don't fix it" a valid approach?
Read up on Technical Debt. This is a simple cost-benefit decision.
The "if it ain't broke don't fix it" is a common management policy that says "tomorrow's dollars aren't worth as much as today's, so don't plan for future improvements." Eventually technical debt accumulates to the point where the product can no longer limp along.
The most common breaking point is when some piece of the infrastructure is no longer supported. By then, incremental change is impossible.
Reinventing from scratch is a new capital investment. Fixing existing code is an expense. The accounts force management to make technically crazy decisions.
In the case of open source software, it requires careful technical management since there's no official "support sunset" announcement from Oracle/Sun. Bad technical management, of course, leads to technical bankruptcy.
We look at the support lifecycle costs. For how long are the older versions supported, and at what costs? Platforms like Windows and Java tend to move fast as compared to mainframe environments, and part of the cost of doing business on those platforms is to perform periodic upgrades. In a rational world, that is!
New versions can have killer features we need -- but that is rare in enterprise development. The main positive selling points of new versions (as opposed to negative ones such as expired support) tends to be greater developer efficiency, which is hard to measure. Against that, as you indicate, the cost of retraining must be considered, not only for the initial developers, but, crucially, for maintenance. In each upgrade, some applications tend to be left behind as too critical to retire, and too expensive/fragile to upgrade. Over time, the number of platforms and versions you have to support increases overall technical debt (no matter their age).
Another criterion for upgrading to new versions (which you note) is the ability to attract and retain staff. With the current economic phase, that's playing second fiddle, but still cannot be ignored completely. You want to have at least a seasoning of enthusiastic and knowledgeable developers.
I think the killer question is whether your app will survive long term if you NEVER upgrade the platform/language version. If you think it can't, you may as well upgrade sooner rather than later, as it will only become harder.
Think about how long your app should be actively developed until you need a full rewrite. If you never plan to rewrite it, I would upgrade continually. Consider how difficult it will become to find the best developers if you are working in an outdated technology. Consider how new framework/language features could speed up your development process in the long term, for a bit of short term pain.
When you really need to. .NET 1.0 was crappy, 1.1 was a nice upgrade, but Web development with VS2003 was not so smooth. Things improved with VS2005 and .NET 2.0 – and I see still many developers and companies are stick to .NET 2.0. Previous versions were so fresh, version 2.0 was mature tech. So, if you were happy with 1.1, why would you upgrade? If you are happy now with 2.0, why upgrade to 3.5 or 4.0?
When the benefits of upgrading (more features, or a bugfix you need) outweigh the risks/costs involved (new issues, breaking existing code).
When you develop for Microsoft based platforms, like a Windows Forms App for Windows or ASP.NET webapp for Windows Server, the nice time to migrate is for every two major versions of OS.For example, if your app has been developed for Windows 2000, you ought to migrate to Vista though XP can be neglected. Similarly, if it were designed for XP SP2, you can safely ignore Vista and target Win 7. Usually Microsoft never breaks (or rarely breaks) incremental OS updates. So an app running on today's OS will definitely run on the next. But never on the one following it. (It if runs how can M$ make money???)
Source: Self... Windows Developer for over 5 yrs)
I'm in the upgrade as soon as possible camp (though I might wait a month after a new version come out just in case for uncaught issues). There are a few things you need to think about:
1. Security Releases
Many of the people who tell me if it isn't broke don't fix it are also the same people who would close their 2 eyes when security patches get released. Think Equifax.
To me it is an ethical responsibility to at least be on security supported versions of a framework. We owe it to our customers to safeguard their data.
2. Attracting & Retaining Talents
There are lots of talk about how the programming language or framework used doesn't matter. But in my experience, the cleanest code and design for a web app are usually written by the people who are passionate about the framework & programming language used because of their experience & expertise with it.
These people are unlikely to stay around for long or join your company if you stick to a very old version. Please think about your developers' happiness.
3. Newer, simpler ways offered by the newer version
Very often newer versions of a framework make something hard in the past much easier. If we do not upgrade, we miss out on the good new packages/features and we write our code in the old frustrating way knowing there is a much simpler way to achieve the same feature. And when it comes time to upgrade, we may end up having to change again to the new way. So why not upgrade and use the new better way and waste less time?
There are many types of external dependencies. Interfacing with external applications, components or services (e.g. Outlook to send emails, TWAIN or WIA for scanning, ActiveX objects and Web services for various purposes, and so on).
What is your strategy for making sure that your application is robust, and can run even when such external dependencies (for innumerable reasons) are unavailable?
Note: Code from external sources included in your own source code is another type of external dependency, but that is not mainly what I am concerned about here.
Our strategy, is that our software may not except in exceptional circumstances. So we program quite defensively:
If there is no mail connection, the mail functionality is not available.
Graphic output depends on available graphics card.
Only the availability of a network enables the distributed functionality.
And there are more.
Also note, that with external interfaces, much as with user input, you should not trust that input. Always validate input, and check for consistency (or existence) when calling.