|
| ▲ | cibyr 5 days ago | parent | next [-] |
| Can a C program be memory safe as long as it doesn't have any relevant bugs? Yes, and you can even prove this about some C programs using tools like CBMC. |
|
| ▲ | Waterluvian 5 days ago | parent | prev | next [-] |
| This is way outside my domain but isn’t the answer: yes, if the code is formally proven safe? Doesn’t NASA have an incredibly strict, specific set of standards for writing safety critical C that helps with writing programs that can be formalized? |
| |
| ▲ | okanat 5 days ago | parent | next [-] | | There are safety recommendations / best practice standards like CERT. None of them will prevent you from making intentional looking but logically unsound memory unsafe operations with C and C++. The code can be very indistinguishable from safe code. The things that C and C++ allow you to do basically makes code written in those languages impossible to fully formally prove. Although there are subsets, the basic integer operations and primitive types are messed up with C. So without uprooting how basic integer and pointer types work, it is impossible to make C and C++ safer. Such change will make all C and C++ programs invalid. C and C++ always defaults to minimum amount of safety for maximum allowance of the compiler interpretation. The priority of the language designers of them is keeping existing terrible code running as long as possible first, letting compilers interpret the source code as freely as possible second. That's why many military and aerospace code actually uses much safer and significantly more formally verifiable Ada. | | |
| ▲ | uecker 5 days ago | parent | next [-] | | There is also a lot of formally verified in C. | |
| ▲ | spookie 4 days ago | parent | prev | next [-] | | > impossible to formally prove If you assume the entire lang, yes. If you use a large subset, no. Furthermore, compiler interpretation might actually be sane! There are more compilers out there than GCC, Clang or MSVC. I suspect many assumptions are being made on this claim. | |
| ▲ | Waterluvian 5 days ago | parent | prev [-] | | Thanks for explaining that. It really fills in a lot for me. |
| |
| ▲ | arto 4 days ago | parent | prev [-] | | https://david-haber.github.io/posts/the-right-stuff/ |
|
|
| ▲ | ratmice 5 days ago | parent | prev | next [-] |
| It just seems like a bad definition (or at least ambiguous), it should say "cannot", or some such excluding term.
By the definition as given if a program flips a coin and performs an illegal memory access,
are runs where the access does not occur memory safe? |
|
| ▲ | Ygg2 4 days ago | parent | prev | next [-] |
| Sure. It can be. In the same way, a C program can be provably correct. I.e., for all inputs it doesn't exhibit unexpected behavior. Memory safety and correctness are properties of the program being executed. But a memory-safe program != memory safe language. Memory safe language helps you maintain memory-safety by reducing the chances to cause memory unsafety. |
|
| ▲ | tremon 3 days ago | parent | prev [-] |
| There is a huge difference between "a C program can be memory safe if it is proven to be so by an external static analysis tool" and "the Java/Rust language is memory safe except for JNI resp unsafe sections of the code". |
