How Safe is Your Programming Language

About c, c#, haskell, java, javascript, lisp, ocaml, programming, python, ruby and smalltalk

First, let me define what I mean by safe: the earlier a programming language catches a programming error for you, the safer it is. Haskell is extremely safe, whereas php is extremely unsafe. Some examples:

• Errors can be caught at compile time, such as mispelling of function names
• Errors can be caught at runtime, such as NullPointerExceptions, but it may be caught early or later in runtime, there's a continum
• Errors can be caught a type time if you have a method completion capable IDE, for exmple
• Errors can be caught a unit test time, but that out of the scope for this article, because I want to talk about languages and not testing practices
• Errors can be caught at QA testing time vs in production, these are also a bit out of scope

How do you measure the safety of a programming language? One can take specfic classes of errors and see how and when a language catches them. I will use the notation >> to mean safer than. A score is given for each language for each type of error corresponding to how safe they are.

Null Pointers

• Java, Ruby, Python, C#, Smalltalk, Javascript, LISP - catch at runtime when you try to derefernce the pointer
• C, C++ - never catches it, they merely core dump, which does not tell you what the specific error was
• Haskell, OCaml - catches it at compile time, because you cannot have Null values unless you specifically define it in the type, and the compiler requires you to handle the null case

So in this case: Haskell, OCaml (2) >> Java, Ruby, Python, C#, Smalltalk, Javascript, LISP (1) >> C, C++ (0)

Array Index Out Of Bounds

• Java, Python, C#, Smalltalk - catch at runtime when you try to index the array
• Ruby, Javascript - never catches it, merely returns null if you try to index an array with an out of bounds index
• C, C++ - never catches it, may or may not core dump.
  
• Haskell, LISP, OCaml - although you can use Arrays if you really want/need to, in which case the error is caught at runtime like Java, etc. The prefered practice of these languages is to use linked-lists instead, which will never have index out of bounds errors

So: Haskell, LISP, OCaml (2) >> Java, Python, C#, Smalltalk (1) >> Ruby, Javascript, C, C++ (0)

Type Errors

• Java, C# - these are caught at compile time if you never use casting in your program. But if you do use casting, these will be caught at runtime as ClassCastExceptions at time of cast.
• Ruby, Python, Javascript, Smalltalk, LISP - caught at runtime when a method on the object is accessed
• C, C++ - Compile time if you don't use casting. Never caught and possible core dumps if you do.
• Haskell, OCaml - Compile time always, casting is not allowed.

Haskell, OCaml (3) >> Java, C# (2) >> Ruby, Python, Javascript, Smalltalk, LISP (1) >> C, C++ (0)

Mispelled Named Parameters

• Java, C#, C, C++, Haskell, Javascript - these languages do not have this feature
• Python, Smalltalk - caught at time of method invocation
• Ruby - rubists employ a poor-man's named parameters by just passing in a Hash to methods, the languages supports syntactic sugar that make this style of method calling look like named parameters, but mispelled keys are never caught
• OCaml - caught at compile time

OCaml (2) >> Python, Smalltalk (1) >> Ruby (0)

Wrong Number of Parameters

• Python, Smalltalk, LISP - caught at method invocation
• Javascript - never caught, unsupplied parameters an simple set to null, and it never hurts to use too many parameters
• Ruby - caught at method invocation time for the normal cases, but blocks are a special type of parameter which is always optional. So if you supply a block to a method that does not require it, ruby does not complain
• Haskell, Java, C#, C, C++ - compile time

Haskell, OCaml, Java, C#, C, C++ (3) >> Python, Smalltalk, LISP (2) >> Ruby (1) >> Javascript (0)

So a language can be safer or less safe under different contexts. There obviously are other types of errors that I have not listed, but this will do for a simple comparison. I've already given scores for each language for each error type. Since some languages do not have the named parameters feature, I will average the score for each language over the error types that are relevant to it. So the Tally is:

1. Haskell - scores: [2, 2, 3, 3], average: 2.5
2. OCaml - scores: [2,2,3,2,3], average: 2.4
   
3. Java, C# - scores: [1,1,2,3], average: 1.75
4. LISP - scores: [1,2,1,2], average: 1.5
   
5. Python, Smalltalk - scores: [1,1,1,1,2], average: 1.2
6. C, C++ - scores: [0,0,0,3], average: 0.75
   
7. Ruby - scores: [1,0,1,0,1], average: 0.6
8. Javascript - [1,0,1,0], average: 0.5
   

It's not really fair that OCaml is scoring lower than Haskell, they should be the same, the difference is because Haskell doesn't have named parameters so the average is skewed - my scoring system is not perfect. Haskell is safer than OCaml in one aspect though. Which is that in Haskell, purely functional code is guaranteed to have no side effects and will never throw exceptions.

http://tobyho.com/How_Safe_is_Your_Programming_Language