Heartbleed and static analysis
Paulo Pinto
pjmlp at progtools.org
Fri Apr 11 04:36:19 PDT 2014
On Friday, 11 April 2014 at 10:33:52 UTC, Chris wrote:
> On Friday, 11 April 2014 at 10:09:48 UTC, Walter Bright wrote:
>> On 4/11/2014 2:47 AM, bearophile wrote:
>>> A nice blog post, about the Coverity scan not finding the
>>> Heartbleed
>>> (http://heartbleed.com/) bug:
>>>
>>> http://blog.regehr.org/archives/1125
>>
>>
>> http://www.reddit.com/r/programming/comments/22ri2i/heartbleed_wasnt_found_by_static_analysis/
>
> So why don't you just write your own language? Uh, wait, you
> did just that. Is there any chance that these issues will be
> fixed in C some day, or is it too late, or is the C consortium
> too narrow-minded, stubborn, indifferent?
This will never change as we (me and Walter) discussed on a
parallel thread.
The way arrays decay into pointers cannot be fixed while keeping
backwards compatibility.
Algol, PL/I and Mesa had bounds-checked arrays, with the option
to disable them if required, but C designers decided against it.
The idea was that developers would use lint for such purposes,
which very few do, even in 2014.
I am convinced that this will only get fixed by a generation
change.
--
Paulo
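
Added example, not part of the original message: a C sketch of what array-to-pointer decay loses and what a length-carrying type can check. The `slice` struct, the function names and the `record` bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fat pointer: the length travels with the data. */
typedef struct { const unsigned char *ptr; size_t len; } slice;

/* Decayed form: the callee gets a bare pointer and must trust `claimed`. */
size_t echo_unchecked(const unsigned char *payload, size_t claimed, unsigned char *out)
{
    memcpy(out, payload, claimed);      /* nothing here can validate `claimed` */
    return claimed;
}

/* Slice form: the real length is known, so an over-long claim is refused. */
size_t echo_checked(slice payload, size_t claimed, unsigned char *out, size_t cap)
{
    if (claimed > payload.len || claimed > cap)
        return 0;                       /* reject instead of over-reading */
    memcpy(out, payload.ptr, claimed);
    return claimed;
}

/* Constructed sample: a 4-byte payload followed by unrelated bytes in the
 * same buffer, so the demonstration over-read stays inside one object. */
static const unsigned char record[16] = "PINGneighbordat";

/* Returns how many bytes past the 4-byte payload the unchecked copy exposed. */
size_t leaked_by_unchecked(size_t claimed)
{
    unsigned char out[sizeof record];
    if (claimed > sizeof record) claimed = sizeof record;  /* keep demo in bounds */
    size_t n = echo_unchecked(record, claimed, out);
    return n > 4 ? n - 4 : 0;
}

size_t copied_by_checked(size_t claimed)
{
    unsigned char out[sizeof record];
    slice payload = { record, 4 };      /* length fixed where the extent is known */
    return echo_checked(payload, claimed, out, sizeof out);
}

int main(void)
{
    printf("unchecked, claim 12: %zu extra bytes\n", leaked_by_unchecked(12));
    printf("checked,   claim 12: %zu bytes copied\n", copied_by_checked(12));
    return 0;
}
```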