Comment by pizlonator
2 days ago
I was going to link to this.
My interpretation of Geoff's presentation is that some version of profiles might work, at least in the sense of making it possible to write C++ code that is substantially safer than what we have today.
Geoff's stuff is mostly about heuristics. For his purpose that makes sense. If Apple are spending say $1Bn on security problems and Geoff spends $1M cutting such problems by 90% that's money well spent. The current direction of profiles is big on heuristics. Easy quick wins to maybe get C++ under the "Radioactively unsafe" radar even if it can't pass for safe.
The most hopeful thing I saw in Geoff's talk was cultural. It sounds like Geoff's team wanted to get to safer code. Things went faster than expected, people landed "me too" unsolicited patches, that sort of thing. Of course this is self-reported, but assuming Geoff wasn't showing us a very flattering portrait of a grim reality, which I can't see any incentive for, this team sounds like while they'd get value from Rust they're delivering many of the same security benefits in C++ anyway.
Bureaucrats don't like culture because it's hard to measure. "Make sure you hire programmers with a good culture" is hard to chart. You're probably going to end up running some awful quiz your team hates "Answer D, A, B, B, E, B to get 100%". Whereas "Use Rust not C++" is measurable, team A has 93% of code in Rust, but team B scored 94.5% so that's more Rust, they win.
> Geoff's stuff is mostly about heuristics.
That's not true at all.
- The bounds safety part of it prevents those C operations that Fil-C or something like it would dynamically check. You have to use hardened API instead.
- The cast safety part of it prevents C casts except if they're obviously safe.
- The lifetime safety part of it forces you to use WebKit's smart pointers except when you have an overlooking root.
Those are type safety rules. It's disingenuous to call them heuristics.
It is true, however, that Geoff's rules don't go to 100% because:
- There are nasty corners of C that aren't covered by any of those rules.
- WebKit still has <10%-ish code that isn't opted into those rules.
- WebKit has JITs.
I can't rationalize how "prevents... except" isn't still just heuristics.
r/cpp is full of people with such heuristics, ways that they personally have fewer safety bugs in their software. That's how C++ got its "core guidelines", and it is clearly the foundation of Herb's profiles. You can't get to safety this way, you can get closer than you were in a typical C++ codebase and for Geoff that was important.