This is the government's strongest stance yet on software security, which puts manufacturers on notice: fix dangerous coding practices or risk being labeled as negligent.
  • arendjr@programming.devOP
    31·
    6 months ago

    Using smart pointers doesn’t eliminate the memory safety issue, it merely addresses one aspect of it. Even with smart pointers, nothing is preventing you from passing references and using them after they’re freed.

    • refalo@programming.dev
      21·
      6 months ago

      To be fair, it’s entirely possible to make the same and very similar mistakes in Rust, too.

      • GetOffMyLan@programming.dev
        8·
        6 months ago

        I’m fairly sure use after free isn’t possible unless you explicitly use unsafe code right?

        It’s compiler enforced is the point.

      • robinm@programming.dev
        1·
        6 months ago

        Is it possible to do in Rust?

        Yes

        Is possible to do in Rust, by mistake, and not easily caught by a review?

        Definitively not.

          • robinm@programming.dev
            1·
            6 months ago
            void foo() {
    std::vector v = {0, 1, 2, 4};
    const auto& ref = v[1];
    add_missing_values(v);
    std::cout << ref << "\n";
}

void add_missing_values(std::vector<int>& v) {
    // ...
    v.push_back(3);
}

            Neither foo(), nor add_missing_values() looks suspicious. Nonetheless, if v.push_back(3) requires v to grow, then ref becomes an invalid reference and std::cout << ref becomes UB (use after free). In Rust this would not compiles.

            It is order of magnitudes easier to have lifetime errors in C++ than in Rust (use after free, double free, data races, use before initialisation, …)

              • robinm@programming.dev
                1·
                6 months ago

                That’s why I did not said it was impossible, just order of magnitude harder to catch in C++ compared to Rust.

                To have asan finding the bug, you need to have a valid unit test, that has a similar enough workload. Otherwise you may not see the bug with asan if the vector doesn’t grow (and thus ref would still be valid, not triggering UB), leading to a production-only bug.

                Asan is a wonderfull tool, but you can’t deny it’s much harder to use and much less reliable than just running your compiler.

              • robinm@programming.dev
                1·
                6 months ago

                I think you have a hard time understanding the différence between “not possible” and “much harder”.

                In Rust, the code does not compile.

                In C++ the code compile, but

                • if you have a test case
                • this test case triggers the bug (it is not guarateed to properly reproduce you production environment since it depends on the parameters of the allocator of your vector)
                • you use ubsan

                … then the bug will be caught.

                Yes it is possible, noone says the opposite. But you can’t deny it’s harder. And because its harder, more bugs get past review, most notably security bugs as demonstrated again and again in many studies. The