Just for fun: https://github.com/Speykious/cve-rs

"cve-rs allows you to introduce common memory vulnerabilities (such as buffer overflows and segfaults) into your Rust program in a memory safe manner."

On Thursday, 28 March 2024 at 13:35:27 UTC, RazvanN wrote:

Interesting to see that the language that acquired the public perception of having a monopoly on safety, is not in fact absolutely safe. Some say it cannot ever be[1]. I don't know Rust, and I know @safe D is not perfect either, but I do wonder how @safe D stacks up against these particular vulnerabilities. It could make for an interesting article.

-- Bastiaan.

[1] https://news.ycombinator.com/item?id=39440808

On Saturday, 30 March 2024 at 13:13:11 UTC, Bastiaan Veelo wrote:

The linked code works by exploiting a bug in the Rust compiler's lifetime inference. [1]

Certainly it's unfortunate for Rust that this bug exists, but I don't think it makes sense to pass judgement on the overall design of Rust's lifetime system based on the existence of an implementation bug.

If we were to hold D to the same standard, I do not think it would compare favorably.

[1] https://github.com/Speykious/cve-rs/blob/main/src/lifetime_expansion.rs

On Saturday, 30 March 2024 at 14:25:42 UTC, Paul Backus wrote:

In absence of a language specification, it is hard to judge whether a flaw is an implementation bug or not. The Hacker News thread that I linked to has an endless discussion on whether this one is more fundamental. The problem has been known for nine years.

You may be right.

— Bastiaan.

On Monday, 1 April 2024 at 14:11:58 UTC, Bastiaan Veelo wrote:

Are there any bugs with @safe where a viable solution is not known? Some bugs didn't get a solution because of breakage, but once we have editions, hopefully those can be fixed.