In a bunch of places :), . The media handling code has it on since that was the majority root cause of security bugs there.
I'm a huge believer in turning it on in prod. Rewriting miles of code isn't realistic, testing only finds so much, and it prevents exploits
Conversation
Yes! I will happily pay 1% perf for blocking shell code.
1
2
Do we know if these options will end up in gcc? Clang is a possibility for us but it’s a bigger lift.
Also wondering about force initializing to 0 options.
1
there's reasonable stuff in LLVM for forcing zero initialization but I do not know the status, or if GCC has anything analogous
cc
1
1
clang has: clang.llvm.org/docs/ClangComm
and you can force zero with: clang.llvm.org/docs/ClangComm
Which is the *best* name ever.
I believe that GCC was looking at this too? would know.
MSVC has InitAll: msrc-blog.microsoft.com/2020/05/13/sol
and
5
7
it has been literally less than a day since I was burned by uninitialized stack memory in C++, which somehow makes reasoning about this unreasonably difficult
2
6
I find that it can be very difficult to track down memory corruption in C++ in general. It's usually far easier for C code since there's a lot less magic and abstraction. Modern C++ is a paradise for latent use-after-free bugs. I'm really not convinced that it improves safety.
4
1
11
The whole topic is trivial in C if you don't do outright stupid things. Most code needs no complex lifetimes, and if it does, just use talloc or similar. The fancy abstractions make it orders of magnitude harder.
3
2
Depends a lot on what kind of code you're writing. I think it's hard enough to avoid memory safety bugs in C.
I don't think modern C++ actually succeeds at providing safety beyond avoiding memory leaks and that comes at the cost of implicit use-after-free bugs.
2
1
Main issue is that it's so ridiculously complex and I do not have a deep understanding of the language despite knowing so much about it. Being in the 95th percentile of knowledge about C++ among C++ programmers still means you have no clue how the language works.
1
2
C++ is a terrible language for building sophisticated abstractions. Lack of proper generics and all the complexity, subtle rules, etc. combined with the culture of layering abstraction upon abstraction doesn't play out well. It's ridiculously painful having to debug bugs we find.
Debugging UAF is hard enough when you can actually see the calls to free and the functions calling those. Figuring out what layers and layers of strange C++ template contraptions actually do at a low-level to figure it out is horrible. Makes me think the whole thing is crazy.
1
2
The abstractions are inherently super lossy, exposing tons of implementation details and weird subtleties. There's so much that can go wrong. It's not like doing it in a language with actual generics and memory / type safety where you can make a proper API handling edge cases.
1
2
Show replies