Heartbleed and static analysis

Paulo Pinto pjmlp at progtools.org
Fri Apr 11 04:36:19 PDT 2014


On Friday, 11 April 2014 at 10:33:52 UTC, Chris wrote:
> On Friday, 11 April 2014 at 10:09:48 UTC, Walter Bright wrote:
>> On 4/11/2014 2:47 AM, bearophile wrote:
>>> A nice blog post, about the Coverity scan not finding the 
>>> Heartbleed
>>> (http://heartbleed.com/) bug:
>>>
>>> http://blog.regehr.org/archives/1125
>>
>>
>> http://www.reddit.com/r/programming/comments/22ri2i/heartbleed_wasnt_found_by_static_analysis/
>
> So why don't you just write your own language? Uh, wait, you 
> did just that. Is there any chance that these issues will be 
> fixed in C some day, or is it too late, or is the C consortium 
> too narrow-minded, stubborn, indifferent?

This will never change as we (me and Walter) discussed on a 
parallel thread.

The way arrays decay into pointers cannot be fixed while keeping 
backwards compatibility.

Algol, PL/I and Mesa had bounds checked arrays, with the option 
to disable them if required, but C designers decided against it.

The idea was that developers would use lint for such purposes, 
which very few do, even in 2014.

I am convinced that this will only get fixed by a generation 
change.

--
Paulo
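To make the "arrays decay into pointers" point concrete, here is a short C example added to this archive page; it is not code from the thread, from the D project, or from OpenSSL. The `slice` type and the function names are my own illustration of the alternative Paulo alludes to (a length carried with the pointer, so access can be checked), and the sample buffer is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A parameter declared as an array is really a pointer. The declared
   length (16) is discarded by the language, so sizeof reports the size
   of an int *, and the callee has no way to recover the bound. */
size_t bytes_seen_by_callee(int buf[16]) {
    return sizeof(buf);   /* sizeof(int *), not 16 * sizeof(int) */
}

/* Hypothetical slice: a pointer plus the length it is valid for.
   This is what the decaying C array loses, and what lets an access
   be checked at the point of use. */
typedef struct {
    const unsigned char *data;
    size_t len;
} slice;

/* Checked copy of n bytes starting at offset. Returns false instead of
   reading past the end of the slice. The two comparisons are written so
   that offset + n cannot overflow size_t. */
bool slice_copy(slice src, size_t offset, size_t n, unsigned char *dst) {
    if (offset > src.len || n > src.len - offset)
        return false;
    memcpy(dst, src.data + offset, n);
    return true;
}

int main(void) {
    int ints[16] = {0};
    printf("caller sees %zu bytes, callee sees %zu bytes\n",
           sizeof ints, bytes_seen_by_callee(ints));

    /* Constructed sample buffer of 8 bytes. */
    const unsigned char payload[] = "abcdefgh";
    slice s = { payload, sizeof payload - 1 };
    unsigned char out[64];

    printf("copy 8 of 8:  %s\n", slice_copy(s, 0, 8, out) ? "ok" : "rejected");
    printf("copy 64 of 8: %s\n", slice_copy(s, 0, 64, out) ? "ok" : "rejected");
    return 0;
}
```

The first line of output shows the decay itself (64 bytes in the caller, pointer-sized in the callee); the second pair shows the difference a carried length makes: the same request that a bare `memcpy` would honour is refused when the bound travels with the pointer.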

