undefined | Better HN

0 pointsbtilly2y ago0 comments

Which "they"?

C definitely considers a segfault as the intended result of bad user input. Perl actually has the dump function to create a segfault. Lots of configurations for lots of things have, "This gives you speed+flexibility but is unsafe."

In all of these cases, the intended result of bad user input is a segfault. It just comes with the territory. For example nginx allows third party modules to be loaded. There is no way to avoid the fact that some third party modules will dump core. Should nginx therefore stop allowing third party modules? How is that fundamentally different?

0 comments

1 comments · 1 top-level

winternewt2y ago

"They" as in the software developers. I disagree that C as a language has any opinion on whether segfault (or undefined behavior) is an acceptable outcome for user input. That depends on the use case.

Plugins are software, and all software can crash because validation is not just practically but even theoretically impossible for a Turing-complete language. But the fundamental difference is not in whether a crash can occur or not, but in your attitude to the crash: is it a software bug and hence should be fixed, or is it expected behavior and left as is? IMO the former attitude is almost always the correct one if the end user is anybody other than yourself.

There may be performance concerns that make it worthwhile to accept a crash (and that's the reason we run plugins as in-process native code instead of in a separate process or VM) but in the case of nginx I strongly doubt performance would be affected noticeably by validation of config files.

j / k navigate · click thread line to collapse