Typical security issues in C++: why the GC isn't your enemy
Walter Bright
newshound2 at digitalmars.com
Thu Dec 8 17:57:55 UTC 2022
On 12/5/2022 11:57 AM, H. S. Teoh wrote:
> Most interesting point here is that the largest category of bugs is
> use-after-free bugs, constituting 34% of the reported issues. (Arguably
> we should include "object lifecycle/lifetime" in this category, but I
> think those refer to bugs in the JS implementation. In any case, it
> doesn't change the conclusion.) This is strong evidence that memory
> management is a major source of bugs, and a strong argument for GC use
> in application code.
I'm a bit surprised at this, but maybe I shouldn't. C++ doesn't have a good
feature set to prevent use-after-free.
> D's bounds checks are often touted as a major feature to prevent issues
> with buffer overflow and out-of-bounds accesses. Interestingly, "buffer
> overflow" and "out of bounds..." add up only to about 14% of the total
> issues. Nothing to sneeze at, but nonetheless not as big an issue as
> use-after-free bugs.
The language here is C++, and C++ has touted that if you use the latest C++
features, you'll have fewer bounds problems. I suspect that is the cause of the
reduction. With C code, the percent is a lot higher.
More information about the Digitalmars-d
mailing list