undefined | Better HN

0 pointspron4mo ago0 comments

> it's simply not interesting from a safety perspective

The reason memory safety is interesting in the first place (for practical, not theoretical reasons) is that it is a common cause of security vulnerabilities. But spatial memory safety is a bigger problem than temporal memory safety, and Zig does offer spatial memory safety. So if Rust's memory safety is interesting, then so is the memory safety Zig offers.

I'm a rabid software correctness advocate, and I think that people should acknowledge that correctness, safety (and the reasons behind it) are much more complex than the binary question of what behaviours are soundly disallowed by a language (or ATS advocates would say that from that their vantage point, Rust is just about as unsafe as C, and so is completely uninteresting from that perspective).

The complexity doesn't end with spatial vs temporal safety. For example, code review has been found to be one of the most effective correctness measures, so if a language made code reviews easier, it would be very interesting from a correctness/security perspective.

0 comments

Measter4mo ago

Zig only does bounds checking by default in Debug and ReleaseSafe builds. If you build with ReleaseFast or ReleaseSmall it will happily do an out of bounds read: https://godbolt.org/z/733PxPEPY

pronOP4mo ago

That's a matter of how policy is set. You can set it to on or off for a particular function, too. The point is that language offers sound spatial safety just as much as Rust does (and both allow you to turn it on or off in particular pieces of code).

the_duke4mo ago

Defaults and ecosystem approach matter a lot, though.

The whole Rust ecosystem is heavily biased towards prioritising memory safety and "safe by construction" .

This is evident in the standard library, in how crates approach API design, what the compilation defaults are, ...

In 6+ years of using Rust the only time I had to deal with segfaults was when working on low level wrappers around C code or JIT compilation.

Zig has some very interesting features, but the way they approach language and API design leaves a lot of surface area that makes mistakes easy.

throwaway17_174mo ago

I am very much inclined to agree with you, but do you have any sourcing for a claim that spatial is a bigger problem with regards to security vulnerabilities? Every time I feel like posting similar sentiments I just know that a reply linking to an article about how Microsoft and/or Google claim 70% of bugs are memory safety issues will be posted. Both of the ‘studies’ (code surveys) seem to claim use-after-free make up the majority of those bugs.

pronOP4mo ago

Mitre place spatial memory safety higher on the list: https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html (also >3x KEV)

j / k navigate · click thread line to collapse

0 pointspron4mo ago0 comments

> it's simply not interesting from a safety perspective

0 comments

Measter4mo ago

Zig only does bounds checking by default in Debug and ReleaseSafe builds. If you build with ReleaseFast or ReleaseSmall it will happily do an out of bounds read: https://godbolt.org/z/733PxPEPY

pronOP4mo ago

the_duke4mo ago

Defaults and ecosystem approach matter a lot, though.

The whole Rust ecosystem is heavily biased towards prioritising memory safety and "safe by construction" .

This is evident in the standard library, in how crates approach API design, what the compilation defaults are, ...

In 6+ years of using Rust the only time I had to deal with segfaults was when working on low level wrappers around C code or JIT compilation.

Zig has some very interesting features, but the way they approach language and API design leaves a lot of surface area that makes mistakes easy.

throwaway17_174mo ago

pronOP4mo ago

Mitre place spatial memory safety higher on the list: https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html (also >3x KEV)

j / k navigate · click thread line to collapse