Sure they aren’t the same, but not that different either. The tools available for “memory unsafe” languages (like ASan, Valgrind) catch the vast majority of memory bugs. Acting like it’s the wild wild west for C/C++ is silly.
They detect memory corruption when it occurs at runtime, not the presence of the memory corruption bugs. If the current usage of the program doesn't trigger memory corruption with those bugs, there's nothing for them to detect. They're far from detecting the vast majority of them.
In almost any mature program, the vast majority of memory corruption bugs will be latent issues not actually corrupting memory between objects during regular usage. ASan only detects memory corruption when it occurs, only between objects (not within), and nowhere close to all.
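An added example (not written by anyone in this thread) of the two limits described above, in C: a record whose fields sit inside one object, an unchecked copy that only corrupts memory when the input is longer than the field, and a checked copy that rejects such input. The struct, the functions and the input corpus are all constructed for the illustration. The overflow path is never executed here; the point is that a benign corpus leaves nothing for a runtime sanitizer to observe, and that an overflow of `name` would land on `limit` inside the same allocation, where ASan places no redzone.

```c
#include <stddef.h>
#include <string.h>

/* Constructed record: an 8-byte name followed by another field in the SAME
 * object. Overflowing `name` overwrites `limit` without leaving the allocation,
 * which is the "within an object" case ASan does not instrument. */
struct account {
    char name[8];
    int  limit;
};

/* Latent bug: the unchecked copy corrupts `limit` only when `src` is 8 bytes
 * or longer. Any shorter "regular" input executes cleanly, so a sanitizer
 * running over such traffic reports nothing. (Never call this with long input.) */
int set_name_unchecked(struct account *a, const char *src)
{
    strcpy(a->name, src);                       /* BUG: no length check */
    return 0;
}

/* Fix: reject anything that does not fit, so the rarely exercised path
 * cannot corrupt the neighbouring field. Returns -1 on rejection. */
int set_name_checked(struct account *a, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof a->name)
        return -1;
    memcpy(a->name, src, n + 1);
    return 0;
}

/* Would this input trigger the latent bug in set_name_unchecked? */
int would_overflow(const char *src)
{
    return strlen(src) >= sizeof(((struct account *)0)->name);
}

/* Counts inputs in a corpus that would trigger the bug. A benign corpus
 * returns 0: the defect is present, but no execution of it ever happens. */
int count_latent_triggers(const char *const *inputs, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += would_overflow(inputs[i]);
    return hits;
}

/* Constructed "regular usage" corpus: every name fits, so nothing corrupts. */
static const char *const regular_names[] = { "alice", "bob", "carol", "dave" };
static const size_t regular_count = sizeof regular_names / sizeof regular_names[0];

/* Constructed adversarial corpus: one name that does not fit. */
static const char *const hostile_names[] = { "alice", "averylongname" };
static const size_t hostile_count = sizeof hostile_names / sizeof hostile_names[0];
```

Running only the benign corpus through `set_name_unchecked` under ASan shows a clean run even though the bug is there; only the checked variant turns the adversarial input into a visible, deterministic rejection.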
Do you have data to back this up? This has not been my experience.
The vast majority of my memory bugs have to do with pointer invalidation (like access after a realloc)
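An added example (not written by anyone in this thread) of the pointer-invalidation class mentioned above, in C: a doubling vector whose `push` reports when `realloc` moved the storage, and a reader that keeps an index instead of a pointer so growth cannot leave it dangling. The vector type and function names are constructed for the illustration. Whether a particular push moves the buffer is up to the allocator, which is why a cached pointer across a push is a latent bug rather than a reliably crashing one.

```c
#include <stdint.h>
#include <stdlib.h>

typedef struct {
    int   *data;
    size_t len, cap;
} intvec;

/* Push one element, growing by doubling. Returns 1 when realloc moved the
 * storage (every pointer into the old buffer is now dangling), 0 when it
 * did not, -1 on allocation failure. The initial allocation from NULL is
 * not counted as a move. */
int intvec_push(intvec *v, int x)
{
    int moved = 0;
    if (v->len == v->cap) {
        size_t ncap = v->cap ? v->cap * 2 : 4;
        uintptr_t before = (uintptr_t)v->data;   /* address, not a live pointer */
        int *n = realloc(v->data, ncap * sizeof *n);
        if (!n)
            return -1;
        moved = (before != 0 && (uintptr_t)n != before);
        v->data = n;
        v->cap = ncap;
    }
    v->data[v->len++] = x;
    return moved;
}

/* Safe pattern: remember an index, not a pointer. Fills a fresh vector with
 * 100..100+n-1 and reads the first element back through the index after all
 * growth has happened. Returns -1 on failure or for n == 0. */
int first_after_growth(size_t n)
{
    intvec v = { 0, 0, 0 };
    size_t first = 0;                            /* an index survives realloc */
    for (size_t i = 0; i < n; i++) {
        if (intvec_push(&v, (int)i + 100) < 0) {
            free(v.data);
            return -1;
        }
    }
    int out = n ? v.data[first] : -1;
    free(v.data);
    return out;
}

/* Counts how many pushes moved the storage while filling n elements. Any
 * positive result means an `int *` taken before that push is stale; ASan can
 * only flag it if the program goes on to dereference it. Returns -1 on failure. */
int moves_during_fill(size_t n)
{
    intvec v = { 0, 0, 0 };
    int moves = 0;
    for (size_t i = 0; i < n; i++) {
        int r = intvec_push(&v, (int)i);
        if (r < 0) {
            free(v.data);
            return -1;
        }
        moves += r;
    }
    free(v.data);
    return moves;
}
```

The bug this guards against is `int *p = &v.data[0]; intvec_push(&v, x); *p = ...;`, which is correct for every push that happens not to move the buffer and a use-after-free for the one that does.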
Finding bugs with ASan during regular usage / testing is a demonstration of the program having memory corruption bugs to the point that the bugs are corrupting memory during regular use, not just adversarial conditions. It's not relevant data or experience with this at all.
I can boot up AOSP and open Chromium to example.org with the kernel, userspace and browser compiled with ASan. There are no bugs detected. I can run a substantial portion of the massive CTS with none detected. The rate at which memory corruption bugs are found has not gone down.
The Linux kernel is tested quite a bit with ASan these days, and yet somehow hundreds of memory corruption bugs are found every month on the SAME configurations that are tested, ranging from ancient, decades-old ones to new ones. The flow of discoveries is accelerating, not slowing.
The Linux kernel is an incredibly large and complex code base used by billions of applications each day, which obviously influences the rate of bug detection. I’m not aware of any such project written in a memory safe language, so what are you comparing this with?
The Linux kernel is one example of the overall example I was using, which is Android, an OS that's largely written in Kotlin and Java with the other half of the OS written in C and C++. Half of the codebase for both groups of languages is externally developed open source projects.
Can even make comparisons on how things went for rewrites in both directions. The endless memory corruption bugs despite extensive use of ASan, UBSan, TSan, HWASan, etc. (which were largely implemented for Android and Chromium) are nearly all of the remote code execution bugs.