Nice tricks. I’m still going to encourage a safe language without hacks or big gaps in the type system, handling more error classes. @tedu, what do you think of Cyclone as a C developer? It was designed by academics rather than people in C’s trenches. What do you like and not like about the safer C? I’d say aside from dynamic memory management, which might build on Rust’s or Nim’s models in the next iteration.
I think the problem with cyclone is it requires a fair amount of rewriting. It’s like C, but it’s not C. On the other hand, I really liked CCured. http://www.utdallas.edu/~hamlen/Papers/necula_ccured.pdf
Yeah, CCured was cool. Necula is also fairly badass in high-assurance security having invented proof-carrying code.
How far away from “like C, but not C” is acceptable in that case? Especially trying to damage-limit the risky features while still letting you use them where appropriate. I’m guessing you liked CCured since it works better with your legacy code (i.e. no rewriting). I always thought we could take something like that as the default, profile it for where the performance hit is too high, and then add annotations or restructuring (e.g. a borrow checker) to reduce the runtime checks selectively.
Yes, drop-in compatibility is a requirement. I don’t think CCured is going anywhere at this stage, but in the cases where it can’t prove a bound and must insert checks, it could also issue warnings such that you can iteratively improve performance.
Do look at Checked C - it’s getting close to a place where “drop-in compatibility” is there, and then it has tools to do CCured-like analyses on the source code (rather than within the compiler), so you can slowly upgrade code from C. Hopefully it’s an answer to “What does CCured/Deputy look like when applied to real code, with 10 years more PL/Static Analysis theory”.
Thanks, I’ll check that out.
What’s your opinion on the CHERI architecture?
It seems like a ton of resource overhead to protect against bad code. I brought that up to someone presenting it (I believe he worked on it) and his response was that we’re never going to be rid of insecure buggy code, so better to add more protection at the architecture level. I’m still not sure where I stand on adding more compiler/language checks vs adding more hardware checks.
That is a very strange URL. Is there some sort of reasoning behind https://https.www.google.com.tedunangst.com anyone can think of?
It’s trolling (in the fun way, not the bad way).
See the recent post about displaying URLs: https://lobste.rs/s/2e5min/chrome_guidelines_for_displaying_urls#c_x2xv8k.
(sighs) Another victim of a cert strategy followed by a URL that’s partly intended to cause exactly these reactions in comment threads. Now, we’re 3 to 0 off-topic in comments as tedu watches with a wise-ass grin. There also may be no stopping this on any site with new users coming in. Gotta fix the 0 if nothing else.
If they’re going to go through the trouble of making that domain name they could at least take half an hour and make the site display with a reasonable font size on mobile. Sigh indeed.
The font is small, but not too small I think? Maybe I hold my phone too close, but I get kind of annoyed at sites that can only fit two sentences on a screen. Maybe it could go another .2 em or so.
As a Smug Rust Weenie (does that trope exist yet?) I am forced to say “yeah this is good, but you could just use a language with a real type system.” More seriously, the concept of any pointer being potentially NULL really is entirely awful, and these are useful ways to work around it.
I never related to the complaints about null pointers. Null pointers are a side effect to me, with the root annoyance being that you can have pointers to invalid memory. You can also have integers that are int_max or int_min. The only solution would be to create a language with no primitives, which could still theoretically be quite fast, but it completely sidesteps the inherent simplicity in a language like C.
My point being, C’s abstract machine was designed not to hide such things, and null pointers are a side effect. It fills a certain role and need.
Such types are very nice in C++ when doing Physics/Math to keep track of dimensions. The explicit keyword in the constructors can be used to control conversions between types that otherwise the compiler might implicitly convert.
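An added example of the dimension-tracking types and `explicit` constructors mentioned above (this is not code from the thread or from any of its participants; the `Quantity` template and the mass/length/time exponent encoding are assumptions chosen for illustration):

```cpp
#include <cstdio>

// Dimension-tracking quantity: exponents of mass (M), length (L) and time (T)
// are carried in the type, so mixing incompatible units fails to compile.
// (Hypothetical encoding chosen for this example.)
template <int M, int L, int T>
struct Quantity {
    double value;
    // explicit: a bare double cannot silently become a Quantity.
    // `Length x = 3.0;` is rejected, `Length x(3.0);` is accepted.
    explicit Quantity(double v) : value(v) {}
};

// Addition is only defined between quantities of identical dimension.
template <int M, int L, int T>
Quantity<M, L, T> operator+(Quantity<M, L, T> a, Quantity<M, L, T> b) {
    return Quantity<M, L, T>(a.value + b.value);
}

// Multiplication adds exponents; division subtracts them.
template <int M1, int L1, int T1, int M2, int L2, int T2>
Quantity<M1 + M2, L1 + L2, T1 + T2>
operator*(Quantity<M1, L1, T1> a, Quantity<M2, L2, T2> b) {
    return Quantity<M1 + M2, L1 + L2, T1 + T2>(a.value * b.value);
}

template <int M1, int L1, int T1, int M2, int L2, int T2>
Quantity<M1 - M2, L1 - L2, T1 - T2>
operator/(Quantity<M1, L1, T1> a, Quantity<M2, L2, T2> b) {
    return Quantity<M1 - M2, L1 - L2, T1 - T2>(a.value / b.value);
}

using Mass     = Quantity<1, 0, 0>;   // kg
using Length   = Quantity<0, 1, 0>;   // m
using Duration = Quantity<0, 0, 1>;   // s
using Velocity = Quantity<0, 1, -1>;  // m/s
using Force    = Quantity<1, 1, -2>;  // kg*m/s^2

// The compiler checks that d / t really has the dimension of Velocity.
Velocity average_speed(Length d, Duration t) { return d / t; }

// F = m * a, with acceleration derived as a velocity change over time.
Force force_from(Mass m, Velocity dv, Duration dt) { return m * (dv / dt); }

int main() {
    Length d(100.0);
    Duration t(9.58);
    Velocity v = average_speed(d, t);
    std::printf("speed: %.3f m/s\n", v.value);

    Force f = force_from(Mass(80.0), Velocity(10.0), Duration(2.0));
    std::printf("force: %.1f N\n", f.value);

    // Each of these is a compile error, which is the point of the scheme:
    // Length bad = 3.0;        // explicit constructor blocks the implicit conversion
    // Length sum = d + t;      // no operator+ for Length + Duration
    // Velocity wrong = d * t;  // d * t is Quantity<0,1,1>, not Velocity
    return 0;
}
```

The runtime representation is still a single `double`; all the checking happens in the type system at compile time, and removing `explicit` would reopen the hole where a raw number in the wrong unit slips into a `Quantity` unnoticed.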