| ▲ | thomasmg 3 days ago |
| I don't think it's odd statement. It's not about segfaults, but use-after-free (and similar) bugs, which don't crash in C, but do crash in Fil-C. With Fil-C, if there is such a bug, it will crash, but if the density of such bugs is low enough, it is tolerable: it will just crash the program, but will not cause an expensive and urgent CVE ticket. The bug itself may still need to be fixed. The paragraph refers to detecting such bugs during compilation versus crashing at runtime. The "almost all programs have paths that crash" means all programs have a few bugs that can cause crashes, and that's true. Professional coders do not attempt to write 100% bug-free code, as that wouldn't be efficient use of the time. Now the question is, should professional coders convert the (existing) C code to eg. Rust (where likely the compiler detects the bug), or should he use Fil-C, and so safe the time to convert the code? |
|
| ▲ | zozbot234 3 days ago | parent | next [-] |
| Doesn't Fil-C use a garbage collector to address use-after-free? For a real use-after-free to be possible there must be some valid pointer to the freed allocation, in which case the GC just keeps it around and there's no overt crash. |
| |
| ▲ | thomasmg 2 days ago | parent [-] | | Yes, Fil-C uses some kind of garbage collector. But it can still detect use-after-free: In the 'free' call, the object is marked as free. In the garbage collection (in the mark phase), if a reference is detected to an object that was freed, then the program panics. Sure, it is also possible to simply ignore the 'free' call - in which case you "just" have a memory leak. I don't think that's what Fil-C does by default however. (This would be more like the behavior of the Boehm GC library for C, if I understand correctly.) | | |
| ▲ | jitl 2 days ago | parent | next [-] | | I don’t think that’s how it works. Once an object is freed, any access will crash. You’re allowed to still have a reference to it. | | |
| ▲ | thomasmg 2 days ago | parent [-] | | Ok, you are right. My point is, yes it is possible to panic on use-after-free with Fil-C. With Fil-C, a life reference to a freed object can be detected. |
| |
| ▲ | cyberax 2 days ago | parent | prev [-] | | A free()-d object that is NOT garbage-collected during the next collection is a bug in itself. | | |
| ▲ | pizlonator 2 days ago | parent | next [-] | | The Fil-C GC will only GC a free'd object if it succeeds at repointing all capabilities to it to point at the free singleton instead. Don't worry, it's totally sound. | |
| ▲ | thomasmg 2 days ago | parent | prev [-] | | I'm not sure what you mean. Do you mean there is a bug _in the garbage collection algorithm_, if the object is not freed in the very next garbage collection cycle? Well, it depends: the garbage collection could defers collection of some objects until memory is low. Multi-generation garbage collection algorithm often do this. | | |
| ▲ | cyberax a day ago | parent [-] | | You can defer the actual freeing of the object until at least one GC pass finishes. Then alert if any of them are still reachable. |
|
|
|
|
|
| ▲ | cesarb 2 days ago | parent | prev [-] |
| > it will just crash the program, but will not cause an expensive and urgent CVE ticket. Unfortunately, security hysteria also treats any crash as "an expensive and urgent CVE ticket". See, for instance, ReDoS, where auditors will force you to update a dependency even if there's no way for a user to provide the vulnerable input (for instance, it's fixed in the configuration file). |
| |
| ▲ | thomasmg a day ago | parent [-] | | I agree security issues are often hyped nowadays. I think this is often due to two factors: (A) security researches get more money if they can convince people a CVE is worse. So of course they make it sound extremely bad. (B) security "review" teams in software companies do the least amount of work, and so it's just a binary "is a dependency with a vulnerability used yes/no" and then force the engineering team to update the dependency, even thought its useless. I have seen (was involved) in a number of such cases. This is wasting a lot of time. Long term, this can mean the engineering team will try to reduce the dependencies, which is not the worst of outcomes. |
|
