Conversation

it's nice when someone over at hn gets it

explanation about why, in general, a C compiler can't reliably warn about potential UB

read image description

ALT

141

989

Replying to

This this this this this!

Replying to

I'm onboard with this comment if we expand "out of bounds" to encompass the temporal aspect as well

Replying to

I can't decide which is more fundamental. Which probably means they both are.

Replying to

and

Temporal safety becomes increasingly difficult as software scales up and is much harder to resolve by following good practices. Bounds safety is easier to maintain, easier to automate deterministically via instrumentation and the issues are also largely tied to integer overflows.

Replying to

and

If you start using automatic integer overflow checks for both signed and unsigned integers, it avoids tons of bounds-related vulnerabilities but only a few of the temporary safety ones. Bounds safety issues are almost always simple local issues if absurd things aren't being done.

Replying to

and

Temporal issues tend to be quite complex and can be hard to understand and fix even once you've discovered the issue. It can be hard to understand and verify a patch for the issues too. Object lifetimes are way more complex than passing around the right length and checking it.

9:10 PM · Jan 22, 2022Twitter Web App

Replying to

and

It can be hard to reason about integer overflow too but at least you can check for overflow locally. There's solid tooling including automated checks usable in production with the ability to mark operations as explicitly checked, unchecked or intended overflows with Clang/GCC.