Obviously the way to prevent this is by bounds checking, which is literally in the `770594e` patch. It's just a bug and they happen routinely in all languages. Since this is doing pointer arithmetic, it could just as easily happen in unsafe Rust, for example.
sure, but with unsafe Rust you have a very clear marking for the section of code that requires additional care and attention. it is also customary to include a "SAFETY" comment outlining why using unsafe is OK here
You actually kind of don't, I use like a zillion crates which have unsafe Rust in them and it's not like I'm sitting here reading every single line of their code. I like Rust for various reasons, but its memory safety is (imo) overstated, especially when doing low-level stuff.
But one would have to explicitly choose to use unsafe Rust for this instead of ordinary safe Rust. And safe Rust has no particular difficulty writing to slots in an array or slice or vector specified by their index.
> "No way to prevent this", Says Only Language Where This Regularly Happens
also see lib0xc etc.: https://news.ycombinator.com/item?id=47978834
NOTE: This is a design document and the feature is not available for users yet.
https://clang.llvm.org/docs/BoundsSafety.html
Obviously the way to prevent this is by bounds checking, which is literally in the `770594e` patch. It's just a bug and they happen routinely in all languages. Since this is doing pointer arithmetic, it could just as easily happen in unsafe Rust, for example.
Like they said, "no way to prevent this" (kind of bug from happening again).
Static analysis and other tools can find this, but they're expensive; wonder what the kernel team has access to?
10 replies →
sure, but with unsafe Rust you have a very clear marking for the section of code that requires additional care and attention. it is also customary to include a "SAFETY" comment outlining why using unsafe is OK here
You actually kind of don't, I use like a zillion crates which have unsafe Rust in them and it's not like I'm sitting here reading every single line of their code. I like Rust for various reasons, but its memory safety is (imo) overstated, especially when doing low-level stuff.
3 replies →
But one would have to explicitly choose to use unsafe Rust for this instead of ordinary safe Rust. And safe Rust has no particular difficulty writing to slots in an array or slice or vector specified by their index.
except nearly everyone uses unsafe rust
16 replies →
That's not prevention. That's remediation.
Surely nobody could create a better language in 50 years. Surely we can't fix these issues.
And you see a lot of other languages being used to create operating systems with complicated multiprocessor and locking semantics?