> The first performance issue we hit was dynamic dispatch to assembly, as these calls are very hot. We then began adding inner mutability when necessary but had to carefully avoid contention. We found as we removed pointers and transitioned to safe Rust types that bounds checks increasingly became a larger factor. Buffer and structure initialization was also an issue as we migrated to safe, owned Rust types.
Based on their conclusions², each of those issues amounts to a few percentage points (total: 11%).
Based on the article, it seems that with highly complex logic, safety does come at the cost of raw performance, and it can be very hard to compensate (withing the safety requirements).
[¹]: https://www.memorysafety.org/blog/rav1d-performance-optimiza...
[²]: https://www.memorysafety.org/blog/rav1d-performance-optimiza...
In Rust. These are Rust issues, not issues with safety in general.
The issue with bound checks for exemple is entirely avoidable if you prove that all your calls are within bounds before compiling, same thing for partial initialization.
The core issue is that the strategies Rust adopts to ensure memory safety are neither a panacea nor necessarily the right solution in every case. That being said, I think it's a very nice idea to try to write a decoder in Rust and have a bounty for optimization. Rust is popular so work on producing fast and safe Rust is good.
The situation is more nuanced. The article dedicates a section to it:
> The general idea in eliding unnecessary bounds checks was that we needed to expose as much information about indices and slice bounds to the compiler as possible. We found many cases where we knew, from global context, that indices were guaranteed to be in range, but the compiler could not infer this only from local information (even with inlining). Most of our effort to elide bounds checks went into exposing additional context to buffer accesses.
(extensive information given in that section)
This is the WUFFS approach, for example. Formal verification, while very cool, is extremely tedious, which is why more practical languages try to find compromise rules that are simpler to implement, while also not too limiting.
You can't always know the bounds at compile time, though.
If you can’t, you just rewrite your code so you can because your code is not safe otherwise and safe code is what we are discussing here.
Note that all calls can trivially be made provably within bounds by explicitly bound checking yourself and providing an alternate path for out of bound calls which obviously doesn’t improve performances compared to bound checks inserted by the compiler but at least save you a panic in the worst case scenario.
You cannot draw general conclusions by the experiences of one project one time. There are too many confounding factors. There are also projects who have experienced the opposite.
Which is exactly this for video decoders.
In fact, a bounty will show us who really is serious or not and even some interviewers don't have a clue why they ask for 'optimal algorithms' in the first place. Maybe just to show off that they Googled or used ChatGPT for the answer before the interview.
Well, you can't do it for this one. The one who improves this and can explain their changes will have a impressive show of expertise which puts lots of so-called 'SWEs' to shame.
Software is a means of automation that's used in every industry of man. Someone not knowing a particular, very specific, problem space isn't something to be ashamed of.
if you can fund someone for at least 6 months of work it becomes reasonable to work for these.
Edit: Looks like many people are not understanding how overhead works. Your take home pay over a year is just over $100,000 since you end up so much unpaid time looking for the next gig.
Does that mean that rust devs earn 60k monthly minimum?
https://news.ycombinator.com/item?id=43862487
(also, to take your joke way too seriously: I lived in NYC so long my drivers' license expired, so I'm not driving my non-existent Mercedes anywhere!)
Sure when you work you make a lot of money, but you end up needing to spend the vast majority of your time looking for the next gig and that is all unpaid.
What kind of lunatic would pay that kind of money for a dev for a single week
I'm really surprised that a 5% performance degradation would lead people to choose C over Rust, especially for something like a video codec. I wonder if they really care or if this is one of those "we don't want to use Rust because of silly reasons and here's are reasonable-sounding but actually irrelevant technical justification"...
So I doubt it's any religious thing between c and Rust.
A farm of isolated machines doing batch transcoding jobs? Give me every single % improvement you can. They can get completely owned and still won't be able to access anything useful or even reach out to the network. A crash/violation will be registered and a new batch will get a clean slate anyway.
It's got bounds checking, lifetimes, shared access checks, enforced synchronisation, serious typed enums (not enforced but still helpful), explicit overflow behaviour control, memory allocation management, etc. etc. to help with safety. Far from "that's all".
> You can also write totally safe programs in C,
No you can't beyond trivial levels in practice. Even super human exceptions like DJB made mistakes and statistically nobody here is even close to DJB.
> use formal verification like this crypto library does
"Beware of bugs in the above code; I have only proved it correct, not tried it." -D.Knuth (That is - you can make mistakes in the spec too - see how many issues the verified sel4 had https://github.com/seL4/seL4/blob/master/CHANGES.md )
Also, dismissing bounds checking as "just bounds checking" shows how delusional you are.
See also: Gamers ready to shell out $$$ because of 1% lows.
1. Desktop - If both implementations run the same but one is faster, you run the faster one to stop the decode spluttering on those borderline cases.
2. Embedded - Where resources are limited, you still go for the faster one, even if it might one day leas to a zero day because you've weighed up the risk and reducing the BOM is an instant win and trying to factor in some unknown code element isn't.
3. Server - You accept media from unknown sources, so you are sandboxed anyway. Losing 5% of computing resources adds up to big $ over a year and at enough scale. At Youtube for example it could be millions of dollars a year of compute doing a decode and then re-encode.
Some other resistances:
1. Energy - If you have software being used in many places over the world, that cost saving is significant in terms of energy usage.
2. Already used - If the C implementation is working without issue, there would be high resistance to spend engineering time to put a slower implementation in.
3. Already C/C++ - If you already have a codebase using the same language, why would you now include Rust into your codebase?
4. Bindings - Commonly used libraries use the C version and are slow to change. The default may remain the C version in the likes of ffmpeg.
I wish big tech had to pay all the electron garbage they produce
I'm really surprised that because something is in Rust and not in C, it would lead people to ignore a 5% performance degradation.
Seriously... when you get something that's 5% faster especially in the video codec space, why would you dismiss it just because it's not in your favorite language... That does sound like a silly reason to dismiss a faster implementation.
Kind of a strawman argument though. The question is, is the 5% difference (today) worth the memory safety guaranties? IE, would you be OK if your browser used 5% more power displaying video, if it meant you couldn't be hacked via a memory safety bug.
Because it also means your battery drains 5% faster, it gets hotter, you will need to upgrade your media player device etc etc etc.
Seen on the scale of the actual deployment, this is HUGE.
Also glancing over the implementation of rav1d, it seems to have some C dependencies, but also unsafe code in some places. This to me makes banging the drum of memory safety - as it is often done whenever a Rust option is discussed, for obvious reasons since it's one of the main selling point of the language - a bit moot here.
Why especially video decoders?
> I wonder if they really care or if this is one of those "we don't want to use Rust because of silly reasons and here's are reasonable-sounding but actually irrelevant technical justification"...
I would have thought video decoders are specifically one of the few cases where performance really is important enough to trump language guaranteed security. They're widely deployed, and need to work in a variety of environments; everything from low power mobile devices to high-throughput cloud infrastructure. They also need to be low latency for live broadcast/streaming.
That's not to say security isn't a concern. It absolutely is, especially given the wide variety of deployment targets. However, video decoders aren't something that necessarily need to continually evolve over time. If you prioritize secure coding practices and pair that with some formal/static analysis, then you ought to be able to squeeze out more performance than Rust. For example, Rust may be inserting bounds checks on repeated access — where as a C program could potentially validate this sort of information just the once up front and pass the "pre-validated" data structure around (maybe even across threads) "knowing" that it's valid data. Yes, there's a security risk involved, but it may be worth it.
You're also right that performance is paramount. That's why it's non-trivial.
Codecs are a very common source of security vulnerabilities.
There is a reason for this sentence: > « The dav1d and rav1d decoders share the exact same low-level assembly code optimizations—you cannot modify this assembly ».
So, it, kind of, makes the work easier, but it stills very complex I think.
I’m sure both the dav1d and dav1d communities would appreciate improvements to the assembly code, but the goal of this contest is to improve the rust implementation only.
It's similar to job descriptions written for specific candidates they plan to hire. The question shouldn't be "why is this bounty so low?" but "what toolchain makes $20K reasonable for someone?"
Performance work in my experience has been largely organizational friction: running projects in various conditions, collecting evidence maintainers accept, maximizing that limited slice of attention people give my CLs, getting compiler improvements merged. These coordination tasks have become much easier to automate with LLMs (e.g., analyzing maintainer comments to understand cryptic 1 line feedback, what are they actually looking for, what do they mean).
My guess is there's an engineer who's either optimized their feedback cycle to under an hour through specialized tooling (more arrows) or is much better at finding the right signal the first time (more wood). I'd like to understand what tools enable that efficiency.
It has to be, you know correct?
> The contest is open to individuals or teams of individuals who are legal residents or citizens of the United States, United Kingdom, European Union, Canada, New Zealand, or Australia.
So most countries where putting in the effort would actually be worth the bounty offered is a no go...
I understand.
It's a decent bonus in large parts of the US too. Not everyone on HN works for a FAANG company.
Largely because optimizing the last 10% in such projects is extremely labour intensive and niche work.
Either way this feels like atleast 4-5 months of full time work minimum...
Creating a bounty which is essentially a zero sum competition and not including folks from countries where 20k can be living annual wage...
Means you are essentially excluding most folks who are working full time.
And honestly if someone can wrap this up in a couple months as a side hustle. And if they feel like 20K was more than worth their time..
Then not to argue but they are significantly under paid.
And if I had a company, I would definitely like to hire them. Even at 15-20K a month...
This is being done to prove a point, that rust is just as efficient as c while being memory safe.
Your idea is misaligned with the goals of the contest and more a moral complaint on “fairness”. Where do you get this notion that any entity offering their own funds in a contest needs to distribute it evenly?
> This is being done to prove a point, that rust is just as efficient as c while being memory safe.
I understand that, but it could just end up being a measure of how much money we are willing to pour into libraries. If you start putting money in to any language, you should see efficiency increase and bugs decrease.
A nice result would be them being about the same speed, but Rust offering greater protections.
> Your idea is misaligned with the goals of the contest and more a moral complaint on “fairness”. Where do you get this notion that any entity offering their own funds in a contest needs to distribute it evenly?
It was an intrigue, not a demand.
From what I can tell, way more than $20k has been invested into dav1d, and that investment has generated many performance optimisations already. Ostensibly, that's what this rav1d bounty is competing with.
I wasn't aware of it, in that case this could be a more interesting comparison.
> From what I can tell, way more than $20k has been invested into dav1d, and that investment has generated many performance optimisations already. Ostensibly, that's what this rav1d bounty is competing with.
Was rav1d a port of dav1d or developed from scratch?
It’s an open source platform (built in Elixir) for sharing bounties, contract work and full-time jobs with open source engineers
I’m one of the founders, feel free to reach out ioannis@algora.io
Almost universally, people attempting a bounty are in a dire financial situation. You’re just taking advantage of them.
I’m sitting at my desk doing 133t code challenges for free right now. The idea of optimizing something that both matters and could result in a payout of any amount sounds appealing given my context.
I think you underestimate the amount of people willing to do things for free or for the sake of knowledge itself.
And before you suggest that must mean I’m in a dire financial situation, I’m not.
> Solutions must be in either rav1d itself, the Rust compiler (inclusive of llvm), or the Rust standard library.
rav1d is transpiled c-to-rust version of dav1d, compiled using Clang18 for dav1d and relevant Clang18-LLVM backend code for rustc.
Measurements showed rav1d was 3.8% slower than dav1d. Hacking up a rustc to turn off bounds checking showed rav1d-no-bounds-check was 3% slower than dav1d.
So rustc bounds checking resulted in <1% total slowdown from dav1d.
Another theory about slowdown was due to overflow checking with signed arithmetic. Further tests showed only isolated incidents of slowdown due to overflow arithmetic checking.
According to perf counters, rav1d executed 7% more instructions than dav1d. Approximately 2% of 7% is due to bounds checking.
More info about subtle interactions with changing transpiled code to idiomatic Rust in the article.
"After applying the optimization techniques discussed here (and more), we have reduced performance overhead from a peak of about 11% when we started optimizing the safe Rust implementation in earnest to under 6% now on x86_64. We believe there is still room for further improvement, both in how the compiler optimizes Rust and in our implementation details. This will necessarily be a process of small, incremental improvements, as our profiling now indicates that the remaining overhead is spread roughly evenly across the largest, most complex functions in rav1d."Sounds like a bad way to port. Completely different languages. It took me some time to learn that one cannot simply write C code in Rust and expect the result to be any good. Should've started from scratch.
degurechaff•1mo ago
qalmakka•1mo ago
jaas•1mo ago
irf1•1mo ago
we can create a page for you like we did for the $25k Rust Prettier Bounty https://prettier.algora.io
lmk if interested ioannis@algora.io good luck!
rationably•1mo ago
> The contest is open to individuals or teams of individuals who are legal residents or citizens of the United States, United Kingdom, European Union, Canada, New Zealand, or Australia.
washadjeffmad•1mo ago
Turks are Asian. Russians are Asian. Indians are Asian. Etc.
They were probably just wondering why it's limited to Five Eyes + EU.
bArray•1mo ago
karn97•1mo ago
greggsy•1mo ago
> ...not located in the following jurisdictions: Cuba, Iran, North Korea, Russia, Syria, and the following areas of Ukraine: Donetsk, Luhansk, and Crimea.
Showing that the only explicit exclusions are aimed at the usual gang of comprehensively sanctioned states.
[1] https://www.memorysafety.org/rav1d-bounty-official-rules/
Still doesn't explain why the rest of the world isn't in the inclusions list. Maybe they don't want to deal with a language barrier by sticking to the Anglosphere... plus EU?
bpicolo•1mo ago
cess11•1mo ago
GolDDranks•1mo ago
zinekeller•1mo ago
hluska•1mo ago
zinekeller•1mo ago