April 25, 2021 Modern C++ Won't Save Us

https://alexgaynor.net/2019/apr/21/modern-c++-wont-save-us/

Lists some perfectly reasonable code in Modern C++ style that has hidden memory safety bugs.
April 26, 2021 Re: Modern C++ Won't Save Us
Posted in reply to Walter Bright

On Monday, 26 April 2021 at 01:28:35 UTC, Walter Bright wrote:
> https://alexgaynor.net/2019/apr/21/modern-c++-wont-save-us/
>
> Lists some perfectly reasonable code in Modern C++ style that has hidden memory safety bugs.

Unfortunately, Phobos got bitten by exactly the same use-after-free bug as the article showcases:

https://github.com/dlang/phobos/pull/7988/commits/08927149ccbb3a20fb7e97687065fe66a33e2cb8
April 26, 2021 Re: Modern C++ Won't Save Us
Posted in reply to Petar Kirov [ZombineDev]

On Monday, 26 April 2021 at 07:21:38 UTC, Petar Kirov [ZombineDev] wrote:
> On Monday, 26 April 2021 at 01:28:35 UTC, Walter Bright wrote:
>> https://alexgaynor.net/2019/apr/21/modern-c++-wont-save-us/
>>
>> Lists some perfectly reasonable code in Modern C++ style that has hidden memory safety bugs.
>
> Unfortunately, Phobos got bitten by exactly the same use-after-free bug as the article showcases:
>
> https://github.com/dlang/phobos/pull/7988/commits/08927149ccbb3a20fb7e97687065fe66a33e2cb8
Yeah. And where did it get bitten?

In its f***ing C interface.

Null-terminated strings are a piece from hell that should be banned, not proliferated!
April 26, 2021 Re: Modern C++ Won't Save Us
Posted in reply to Walter Bright

On Monday, 26 April 2021 at 01:28:35 UTC, Walter Bright wrote:
> https://alexgaynor.net/2019/apr/21/modern-c++-wont-save-us/
>
> Lists some perfectly reasonable code in Modern C++ style that has hidden memory safety bugs.
Rust is used for kernels, browsers, databases and UIs; D is also kind of able to work there, but it doesn't work well (no products or big projects).

Rust replaces C++ jobs, Go replaces Java jobs. D needs a better long-term strategy.
April 26, 2021 Re: Modern C++ Won't Save Us
Posted in reply to Walter Bright

STL can be reasonably seen as C heritage too, as it was intentionally designed to be unsafe by default, and now it's kept for consistency.
April 26, 2021 Re: Modern C++ Won't Save Us
Posted in reply to Dominikus Dittes Scherkl

On 4/26/21 7:44 AM, Dominikus Dittes Scherkl wrote:
> On Monday, 26 April 2021 at 07:21:38 UTC, Petar Kirov [ZombineDev] wrote:
>> On Monday, 26 April 2021 at 01:28:35 UTC, Walter Bright wrote:
>>> https://alexgaynor.net/2019/apr/21/modern-c++-wont-save-us/
>>>
>>> Lists some perfectly reasonable code in Modern C++ style that has hidden memory safety bugs.
>>
>> Unfortunately, Phobos got bitten by exactly the same use-after-free bug as the article showcases:
>>
>> https://github.com/dlang/phobos/pull/7988/commits/08927149ccbb3a20fb7e97687065fe66a33e2cb8
>>
>
> Yeah. And were got it bitten?
> In its f***ing C interface.
>
> null terminated strings are a piece from hell that should be banned, not proliferated!
Null terminated strings have nothing to do with it. The issue is not the null termination, but the use after free (change this to a temporary D array, and it still will have the same problem).
How do we fix it? tempCString is a horrifically unsafe construct. You can extract a pointer out of it without even trying, and now you have a reference that will easily outlive the thing it refers to.
The idea here is, tempCString must be stored, it can never be a temporary inside the expression. How do you express that in code? I'd start AT LEAST by removing the alias this, so at least it's not so trivial to violate safety.
I also can't see any marking of @system for anything. IMO, @system should be all over this type to avoid accidentally compiling it in @safe code.

-Steve
April 26, 2021 Re: Modern C++ Won't Save Us
Posted in reply to Petar Kirov [ZombineDev]

On Monday, 26 April 2021 at 07:21:38 UTC, Petar Kirov [ZombineDev] wrote:
> Unfortunately, Phobos got bitten by exactly the same use-after-free bug as the article showcases:
>
> https://github.com/dlang/phobos/pull/7988/commits/08927149ccbb3a20fb7e97687065fe66a33e2cb8
Isn't this an error that should be detected by DIP25 / DIP1000? I was quite surprised that -preview=dip1000 accepted this code.
April 26, 2021 Re: Modern C++ Won't Save Us
Posted in reply to MoonlightSentinel

On 4/26/2021 1:20 PM, MoonlightSentinel wrote:
> On Monday, 26 April 2021 at 07:21:38 UTC, Petar Kirov [ZombineDev] wrote:
>> Unfortunately, Phobos got bitten by exactly the same use-after-free bug as the article showcases:
>>
>> https://github.com/dlang/phobos/pull/7988/commits/08927149ccbb3a20fb7e97687065fe66a33e2cb8
>>
>
> Isn't this an error that should be detected by DIP25 / DIP1000? I was quite surprised that -preview=dip1000 accepted this code.

The checks are defeated by the @trusted function:

    @property inout(To)* buffPtr() inout
    {
        return _ptr == useStack ? _buff.ptr : _ptr;
    }

https://github.com/dlang/phobos/blob/master/std/internal/cstring.d#L229
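The two posts above (Steve's diagnosis of tempCString and Walter's note on the @trusted buffPtr accessor) describe the hazard in words; the following is an added example, not Phobos code and not the fix from the linked commit. `TempCStr`, `tempCStr`, `OwnedCStr`, `ownedCStr`, `dupz`, `badBrowse` and `goodBrowse` are hypothetical stand-ins for TempCStringBuffer, tempCString and std.process.browse; the stand-in always uses malloc instead of Phobos's stack-or-heap buffer, and assumes a C libc is available. It shows the owner-decays-to-pointer shape that lets a temporary be used after it is destroyed, the minimal fix (name the owner), and the hardening Steve suggests (drop `alias this`, mark the accessor @system):

```d
// Added illustration of the tempCString hazard discussed in the thread.
// Not Phobos code; all names below are hypothetical stand-ins.
import core.stdc.stdlib : malloc, free;
import core.stdc.string : memcpy;
import core.stdc.stdio : puts;

// malloc a NUL-terminated copy of `s`; the caller owns the result.
private char* dupz(const(char)[] s) @trusted
{
    auto p = cast(char*) malloc(s.length + 1);
    assert(p !is null, "malloc failed");
    if (s.length)
        memcpy(p, s.ptr, s.length);
    p[s.length] = '\0';
    return p;
}

/// Owns a NUL-terminated copy of a D string and frees it in its destructor.
/// Mirrors the shape of TempCStringBuffer, including the part that hurts:
/// `alias buffPtr this` lets the owner silently decay to a bare pointer,
/// and nothing ties that pointer's lifetime to the owner's.
struct TempCStr
{
    private char* _ptr;

    @disable this(this);                 // single owner: no copies, only moves

    ~this() @trusted
    {
        free(_ptr);
        _ptr = null;
    }

    @property const(char)* buffPtr() const @trusted { return _ptr; }
    alias buffPtr this;
}

TempCStr tempCStr(const(char)[] s) { return TempCStr(dupz(s)); }

/// BUGGY: the TempCStr returned by tempCStr() is a temporary inside the
/// assignment expression. Its destructor runs at the end of that statement,
/// so argv[1] points into freed memory before argv is ever used.
void badBrowse(string url) @system
{
    const(char)*[3] argv;
    argv[0] = "xdg-open";
    argv[1] = url.tempCStr();            // alias this converts the temporary to a pointer
    argv[2] = null;
    // argv[1] is dangling here. Dereferencing it would be undefined behaviour,
    // so this function only demonstrates that the pattern compiles unopposed.
}

/// FIXED: bind the owner to a named variable whose scope covers every use.
void goodBrowse(string url) @system
{
    auto urlz = url.tempCStr();          // owner lives until goodBrowse returns
    const(char)*[3] argv;
    argv[0] = "xdg-open";
    argv[1] = urlz;                      // pointer into a buffer that is still alive
    argv[2] = null;
    puts(argv[1]);
}

/// Hardened per Steve's suggestion: no `alias this`, so pointer extraction
/// has to be spelled out, and the accessor is @system, so @safe code cannot
/// call it at all (the caller must take responsibility in a @trusted block).
struct OwnedCStr
{
    private char* _ptr;

    @disable this(this);

    ~this() @trusted
    {
        free(_ptr);
        _ptr = null;
    }

    const(char)* ptr() const @system { return _ptr; }
}

OwnedCStr ownedCStr(const(char)[] s) { return OwnedCStr(dupz(s)); }

void main()
{
    badBrowse("https://dlang.org");      // compiles without complaint: that is the problem
    goodBrowse("https://dlang.org");

    auto z = ownedCStr("https://dlang.org");
    puts(z.ptr);                         // allowed only because main is @system
    // Inside a @safe function, `z.ptr` is rejected at compile time because
    // a @safe function cannot call the @system accessor.
}
```

The point of the hardened variant is not that it prevents the dangling pointer (a caller can still write `ownedCStr(url).ptr` inside a @trusted lambda), but that the dangerous step can no longer happen implicitly or inside @safe code, which is exactly the surface the @trusted buffPtr accessor removed.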
April 27, 2021 Re: Modern C++ Won't Save Us
Posted in reply to Walter Bright

On Tuesday, 27 April 2021 at 05:01:09 UTC, Walter Bright wrote:
> The checks are defeated by the @trusted function:

DMD doesn't catch the error even when making tempCString and browse @safe (using appropriate @trusted lambdas, ...):
April 27, 2021 Re: Modern C++ Won't Save Us
Posted in reply to MoonlightSentinel

On 4/27/2021 2:37 AM, MoonlightSentinel wrote:
> https://issues.dlang.org/show_bug.cgi?id=21868
Thanks!