[Not really OT] Crowdstrike Analysis: It was a NULL pointer from the memory unsafe C++ language.

Don Allen donaldcallen at gmail.com
Sun Jul 28 16:12:24 UTC 2024


On Sunday, 28 July 2024 at 14:25:14 UTC, Timon Gehr wrote:
> On 7/26/24 16:59, Guillaume Piolat wrote:
>>>
>> 
>> Not really big on @safe (where is the RoI????
>
> Well, I am perfectly fine with people just not using `@safe`. 
> However, when I actually want some dependency to be `@safe` 
> because it has to deal with potentially adversarial input, I'd 
> prefer if the author actually took some care to make the 
> interface solid.
>
>> where are the products that beat the competition by being 
>> safe),
>
> Then why would you even care to lie to prospective users? Just 
> don't use `@safe` at that point.
>
>> but when currently used @trusted has 2 different semantic 
>> meanings:
>> 
>> 1 - @trusted that means "I've audited that the @system 
>> function I call are memoy-safe.
>
> This is what it's being advertised as.
>
>> do not grep this, there is nothing to see"
>
> You can still grep to see if you agree with the assessment.
>
>> 2 - @trusted that means "TODO, this is necessary because I've 
>> slapped @safe on top and must go on with productive things. 
>> I'll get back later! I should have marked this @system in the 
>> first place. I promise i'll get back and fix it!!1"
>
> What is even the point? If you think maintaining a memory-safe 
> interface is a waste of time and a non-feature, something that 
> nobody actually needs, don't even attempt to do it.
>
> Either `@safe` is a feature we want in the language, then it 
> should be solid, or we'd be better off just removing it. What I 
> am not on board with is making `@safe` a priority while at the 
> same time abandoning memory safety in `@safe` code. This makes 
> no sense.

I'm guessing that your issue with all of this talk about memory 
safety is that you have no sense of a coherent plan. If I'm 
right, then I share your concern. This is not intended as a 
criticism of Walter, because I see defining and enforcing memory 
safety in D as a very hard problem, so it doesn't surprise me 
that a clear plan isn't apparent.

I think the difficulty is that D has its roots in C and C++, both 
notably memory-unsafe. D adds the garbage collector to the mix of 
stack- and manually-heap-allocated memory. Trying to provide 
compiler-enforced guarantees in the face of these disparate 
options is not a simple matter. Reading the "Function Safety" 
section of the language reference made my head spin. I think its 
complexity flows directly from the memory-management options D 
provides.

Rust avoids this problem by providing a single memory-management 
methodology that is imposed on the user. There are no choices. 
You do it the Rust way or your code won't compile.

I personally like that D offers the choices it does and in my own 
code, I avoid malloc/free and use of pointers as much as 
possible. I stack-allocate when feasible and GC-allocate when 
necessary. Talking to C code complicates things, something that 
bit me when I was first learning D (I passed a GC-allocated 
string to sqlite as a binding and failed to read the warning in 
the toStringz documentation about the string vaporizing in a 
subsequent garbage collection).

My own preference would be to first focus on improving the 
documentation of what is already in the language. What types get 
stack-allocated? GC-allocated? It's not always clear in the 
current documentation, e.g., I believe static arrays are 
stack-allocated; where does it say that? There are many other 
examples of this information not present in the documentation. 
The programmer needs to know this information to avoid unsafe 
memory-management practices, because what is required of the 
programmer depends upon the type of memory in question.

I think one of the great features of D is the ability of D and C 
code to talk directly without the need for an intermediate 
interface. The current documentation is a good start, but could 
be improved with more explanation and examples of how to this 
safely.

I think improved documentation would help to make people happier 
with D. I don't think D needs to be compiler-guaranteed memory 
safe, which is good because I don't think it's possible. There 
may be opportunities for the compiler to provide *some* help in 
this area that it presently doesn't, but I doubt that D will ever 
be able to make the assertions about memory-safety that Rust 
does. Note that Zig provides only stack- and manual 
heap-allocation. It is not a memory-safe language. But there's a 
lot of interest in it, despite not being close to release and a 
growing issue list.


More information about the Digitalmars-d mailing list