this post was submitted on 01 Nov 2024
84 points (100.0% liked)

Programming

19939 readers
454 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
84
Feds: Critical Software Must Drop C/C++ by 2026 or Face Risk (thenewstack.io)
submitted 6 months ago by [email protected] to c/[email protected]
28 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 25 points 6 months ago* (last edited 6 months ago) (5 children)

Seems excessive to convert everything to rust when you can use std::shared_ptr and std::weak_ptr to eliminate the memory safety issue?

[–] [email protected] 31 points 6 months ago* (last edited 6 months ago) (1 children)

Using smart pointers doesn’t eliminate the memory safety issue, it merely addresses one aspect of it. Even with smart pointers, nothing is preventing you from passing references and using them after they’re freed.

[–] [email protected] 1 points 6 months ago (2 children)

To be fair, it's entirely possible to make the same and very similar mistakes in Rust, too.

[–] [email protected] 8 points 6 months ago* (last edited 6 months ago)

I'm fairly sure use after free isn't possible unless you explicitly use unsafe code right?

It's compiler enforced is the point.

[–] [email protected] 1 points 5 months ago (1 children)

Is it possible to do in Rust?

Yes

Is possible to do in Rust, by mistake, and not easily caught by a review?

Definitively not.

[–] [email protected] 0 points 5 months ago (1 children)

I think you could argue the same point with C++

[–] [email protected] 1 points 5 months ago (1 children) 
void foo() {
    std::vector v = {0, 1, 2, 4};
    const auto& ref = v[1];
    add_missing_values(v);
    std::cout << ref << "\n";
}

void add_missing_values(std::vector<int>& v) {
    // ...
    v.push_back(3);
}

Neither foo(), nor add_missing_values() looks suspicious. Nonetheless, if v.push_back(3) requires v to grow, then ref becomes an invalid reference and std::cout << ref becomes UB (use after free). In Rust this would not compiles.

It is order of magnitudes easier to have lifetime errors in C++ than in Rust (use after free, double free, data races, use before initialisation, …)

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago) (2 children)

This would be caught by ASan and other tools though, which should be part of any review.

[–] [email protected] 1 points 5 months ago

That's why I did not said it was impossible, just order of magnitude harder to catch in C++ compared to Rust.

To have asan finding the bug, you need to have a valid unit test, that has a similar enough workload. Otherwise you may not see the bug with asan if the vector doesn't grow (and thus ref would still be valid, not triggering UB), leading to a production-only bug.

Asan is a wonderfull tool, but you can't deny it's much harder to use and much less reliable than just running your compiler.

[–] [email protected] 1 points 5 months ago

I think you have a hard time understanding the différence between "not possible" and "much harder".

In Rust, the code does not compile.

In C++ the code compile, but

  • if you have a test case
  • this test case triggers the bug (it is not guarateed to properly reproduce you production environment since it depends on the parameters of the allocator of your vector)
  • you use ubsan

... then the bug will be caught.

Yes it is possible, noone says the opposite. But you can't deny it's harder. And because its harder, more bugs get past review, most notably security bugs as demonstrated again and again in many studies. The

[–] [email protected] 21 points 6 months ago (1 children)

I wonder how many issues rewriting everything in another language will create?

[–] [email protected] 8 points 6 months ago

Just as many issues as not reading the article.

[–] [email protected] 11 points 6 months ago

I get what you're saying, but I think the issue with optional memory safety features is that it's hard to be sure you're using it in all the places and hard to maintain that when someone can add a new allocation in the future, etc. It's certainly doable, and maybe some static analysis tools out there can prove it's all okay.

Whereas with Rust, it's built from the ground up to prove exactly that, plus other things like no memory being shared between threads by accident etc. Rust makes it difficult and obvious to do the wrong thing, rather than that being the default.

[–] [email protected] 8 points 6 months ago

From the original document:

Software manufacturers should build products in a manner that systematically prevents the introduction of memory safety vulnerabilities, such as by using a memory safe language or hardware capabilities that prevent memory safety vulnerabilities. Additionally, software manufacturers should publish a memory safety roadmap by January 1, 2026.

My interpretation is that smart pointers are allowed, as long it’s systematically enforced. Switching to a memory safe language is just one example.

[–] [email protected] 3 points 6 months ago

I have never seen a single C++ codebase do that. It helps but it's not a practical full solution.