* Posts by fg_swe

227 posts • joined 20 Nov 2021


Chromium's WebRTC zero-day fix arrives in Microsoft Edge


Lack Of Memory Safety: The Gift That Keeps Giving

C and C++ should be phased out of any software engineering project which is exposed to external input and/or security-critical.

In other words C and C++ are shoddy engineering, we already had it better in the Algol Mainframes.

Here are the details: http://sappeur.ddnss.de/Sappeur_Cyber_Security.pdf

2050 carbon emission goals need nuclear to succeed, says International Energy Agency


Back In The Rational World

..nuclear power has the lowest rate of victims per TWh of energy generated.

You can see why this is the case:

1.) Add up all the victims of Harrisburg, Chernobyl, Fukushima, Windscale,...

2.) Add up all the people burned to death in oil platform explosions, killed in coal mines, or who got cancer from the billions of tons of ash blown out by coal power plants.

3.) Add up all the people who died of the toxic fumes from solar cell production. Add the folks who died from the coal plants which provided the energy to create the solar cells.

Due to the extensive safety precautions, nuclear power is ALREADY the safest energy source.



If you cannot handle truth and rationality, my condolences.


Patriotic Energy Approach Links

https://de.wikipedia.org/wiki/Braunkohle (we have enough to power all of our needs for the next 100 years)


https://de.wikipedia.org/wiki/Brutreaktor (burn the U238, which is 100x more abundant)



https://en.wikipedia.org/wiki/Underground_coal_gasification (lots of coal beneath the North Sea)

If only we used more than two brain cells, we could show the middle one to the commies and Mohammedic Oil Tyrants. I guess this is what happens when you betray your king.




"Coal is evil"

"Uranium is evil"

"glue yourself to the autobahn to protest coal"

Meanwhile the COMINTERN power centers Moscow and Beijing build out their coal and uranium power generation. In parallel, they have accumulated the best part of the world's manufacturing capability. Manufacturing needs cheap energy. Also, the NATO banksters have enabled the selling of virtually ANY high tech the communists need.

Germany is especially stupid, KGB Colonel PUTIN has us at the balls after the MethanWende (sold as "EnergieWende" by our GREENIES).

Well done KGB, you are true masters of messing with other people's minds. May your wickedness one day be your downfall.

FBI warns of North Korean cyberspies posing as foreign IT workers


The Power Of Suebi Education


Finnish open-source-as-a-service startup Aiven adds $1bn to valuation


Re: Can anyone explain

According to my understanding, yes.

Their customers can save manpower on setting up and running database servers.

The real challenge of designing schemas and optimizing queries will be left to the customer, I assume. Maybe they will provide a modicum of help with EXPLAIN PLAN...

It's all part of the Cloud Hype, where you hand over your data to people you have never personally met. What could possibly go wrong?

RISC-V needs more than an open architecture to compete


Yeah Charity Will Work

India has been too corrupt to design, build and market their own processor, and this will change because some do-gooders donate an ISA to them?

That will work as nicely as donating tractors to a nation of illiterates.


Anglo Conjectures

"Even Russia has their own homegrown architecture, but probably are suffering such a brain drain from Putin's stupidity lately that effort will never advance any further."

If you knew a bit about ELBRUS, you would figure the opposite.

First, it is used mostly in olive green applications and secondly they are now forced to substitute American CPUs. Olive green gets more funding due to obvious reasons, and the second might be even more important to do.

Even though their elite has made very serious mistakes, they have figured that AI-controlled technology is of strategic importance. In addition to the strategically important tech they have built since U2s invaded their airspace.


Thanks !

I was not aware of a French FPGA. Thanks for telling me.


Maybe we get the IT Airbus after all !


Japanese Cars Full of PDP11s




Maybe it is of little use to compete in the traditional applications. But now imagine a very low power processor that will be powered by a small solar cell on the same chip. A device that costs 3 cents/piece and can be attached to each tree in a forest, monitoring its vital parameters. It would run at very low speed and consume very little power.

Maybe this is a contrived example, but you get the idea.

There might be unheard-of niches where even tiny license costs are too much. In this space RISC-V might be the right solution.



...was good enough to compete with anybody else.

Seems they still ARE: https://spec.org/cpu2017/results/cpu2017.html

They have now switched to the ARM ISA for their high performance computing, but I guess this is more a matter of fashion.

[No, I never worked for Fujitsu and have no economic or other relation, except a weak spot for Japanese engineering]

China's Kylin Linux targets second RISC-V platform


You Mean

..they have a "Management's Engine" built-in ?

An "engine" which can never be totally turned off, has exploitable bugs, cannot be updated by users and has total control of the computer?

MIPS discloses first RISC-V chips coming in Q4 2022


Nebulous Market Objectives

It is not really clear which markets they want to address. Auto/Aerospace/Rail is very much different from computing or networking. The bread-and-butter control unit has integrated SRAM in the range of a few Mbytes, while computing uses thousands of times more external DRAM. Control units need very specialized A/D, D/A, PWM, watchdog and crypto periphery. It must all be on a single chip or it will be too big and too expensive.

Then you need support from Lauterbach (debugger) and Vector Informatik (AUTOSAR operating system) to be viable in automotive.

I suspect STM, NXP, Infineon, TI, Japan are so much entrenched in control units that MIPS does not stand a chance as a newcomer.

Computing and automotive are very much different, even though they sometimes use the same CPU cores (ARM and PowerPC, VAX come to mind).

Google tracked record 58 exploited-in-the-wild zero-day security holes in 2021


C and C++ Caused 70% of these Issues

Time and again, a lack of memory safety creates plenty of exploitable bugs.

Here is a systematic fix, as opposed to band-aids: http://sappeur.ddnss.de/Sappeur_Cyber_Security.pdf

And no, there are NO perfect programmers/software engineers who will write bugfree code.

Departing Space Force chief architect likens Pentagon's tech acquisition to a BSoD


Re: COTS - Crap Off The Shelf

Millions of LOC are almost impossible to secure. seL4 is like a frigate with 20 compartments - a single torpedo can only take out one compartment, but the ship stays afloat.

For example, a bug in the TCP stack of an seL4 system does not pwn the entire system. Your data stays secure, as it is decrypted in a different compartment. With Linux, it is Game Over.

Windows is even worse, as they run a c**pload of stuff in the Kernel, including font parsing+rendering, graphics rendering, several network stacks, a network file system and whatnot.

Likewise, Memory Safe Languages will contain the effects of programming errors in about 70% of cases. With C or C++, a single programming error typically hands the kingdom to the intruder. See http://sappeur.ddnss.de/Sappeur_Cyber_Security.pdf


COTS - Crap Off The Shelf



-C and PC Lint


-OpenSSL (and all other TLS implementations ?)

-JavaScript and its monstrous optimizers

-PHP the bugfest

Here is the light:


+Spark Ada

+KISS cipher systems

In other words, I respectfully disagree.

Climate model code is so outdated, MIT starts from scratch


Experimental Results

In the past I have created a moderately complex program which performs statistics on CSV files.

Program A uses the Java Standard Library and does lots of "new String()".

Program B uses Sappeur strings ("new String_16()"). They are refcounted and will be reclaimed in (pseudo) realtime.

The findings were:

F1) If the Java program should be competitive in speed with B, it needs 2x the RAM of B.

F2) If the Java program is only allowed to use 1.2x the RAM of B, it will become very slow (as compared to B), due to lots of GC runs.

That test was done on Solaris in 2011 with the then current Java version.

I should redo the experiment to see whether the Java GC has become better.

Regarding your argument "it will only create virtual memory load" - that is still serious system load, as the memory must be swapped to disk even if unused. Whether it can actually be swapped out depends highly on the allocation patterns. A single active object per page can thwart the paging to disk.


As A Matter Of Fact

GC-languages consume 100% more memory than reference-counted languages* (for heap memory). So it should be a conspiracy of RAM manufacturers :-)

* Rust, Sappeur


Static Typing / 2





Programming Fast Food

If your application cannot kill anybody and does not store anything of much value (say Facebook), then maybe it is justified to use a dynamically typed language.

In automotive, aerospace, trains and medical machinery you had better use as much type safety as you can get.


Apparently, many FORTRAN programs have issues with index errors, according to Sir Tony Hoare. Index errors are considered a typing problem, too.

Any fool can write a language: It takes compilers to save the world



I am not giving away the source, as I no longer believe in giving away work for free.



Sappeur programs are transformed into *memory safe* C++.

It's a simple predecessor of Rust, actually.


Re: F.U.D.

I am just precisely describing the resulting programs. There exist use cases where automatic locking of multithreaded data would be expensive. Planetary simulation for example.

In such cases, the performance-critical core should (currently) be done in a C++ library. There is no silver bullet, indeed.

Deadlocks are also possible, as with almost any locking mechanism. That's orthogonal to memory safety.


C++ And Lacking Memory Safety

How can you assure the memory safety of a C++ program? By lots of human discipline, and a minor bug can create heap cancer, as happens in any non-trivial program.


Male Cow Output

Just looked at the paper you reference. They claim PASCAL would be unsuitable for numerical processing, process control and operating systems.

I once wrote a planetary simulation in Turbo Pascal and found it perfectly fine for this purpose. The compiler was lightning fast on a 16 MHz 80286 (three seconds for a project of 1000 LOC).

HP wrote the MPE OS kernel in a Pascal dialect and the resulting "mini mainframe" went on to be highly successful in business settings such as corporate email, manufacturing management, inventory mgmt etc.

Currently I write auto control unit code in C and I see no reason why we could not use Pascal or Ada as a replacement for C. Pascal would be an improvement, because one can specify value domains for variables. This has to be grafted on top of C (using special comments), if you want to use static checkers for variable domains.

Arianespace, Leonardo and many others use Ada for aerospace control units, and the issues they had were related to project execution (not doing a HIL test for the Ariane V first flight, for example). Never heard they had issues with the language.

The lack of index checking in C is also a very real problem in real-world auto control units. Can be fixed to some degree using PC-Lint and PolySpace. Is also "fixed" by memory protection units. At least you can contain the cancer...


1990s Oracle

You could do

$ telnet oraserver 1521

Then type random characters into the keyboard.

The Oracle listener (Oracle 8?) would crash in a matter of less than a minute.

That demonstrates how quick+dirty IT was just 20 years ago.



C might be of use inside the kernel and drivers, but should be avoided for almost anything above the kernel. Even inside the kernel, the case for many memory safety features such as bounds checking can be made.


Sappeur vs C++

Conceptually, Sappeur is very similar to C++, except for the unsafe stuff such as unsafe casts, pointer arithmetic and so on. The good things such as stack allocation, RAII, destructors, ARC smart pointers, complex aggregate data structures are preserved.

Transforming Sappeur code to C++ is straightforward.

Please see page 7 of the following for an example:


This post has been deleted by a moderator


So ?

I am not interested in "own nothing and be happy".


In Other Words

Real-world programs are full of memory management errors, and you had better have a type system plus runtime checking which will find these errors for the developer.

valgrind and purify are only partial fixes, as they cannot find the problems which come from "creative input", as long as such input is not generated by an intelligent and well-resourced test engineer.

Also, valgrind will slow things down by a factor of 100 and therefore does not expose multithreading issues under high load.


Really ?

Whatever nice design you have, you will have a bug now and then. If your language is not memory safe, chances are "good" you have an exploitable bug to be used by criminals and even higher-powered adversaries.


Even Worse

Many software developers are of the myopic opinion that C and Unix are the pinnacle of practical computer science. Because that is what they heard in a slogan.

These folks are too lazy to do some research into the history of computers and software. They would find interesting systems such as the Algol Mainframes, HP MPE, S/360 and successors, Modula-2, Oberon, LISP workstations, Smalltalk.

S/360-derived computers are still a mainstay of financial and business transaction processing. The Algol mainframes had some sort of type safety in their instruction set. MPE was a very successful "small mainframe" written in a Pascal variant. Oberon has many great ideas and is very elegant.

Knowing history is important for software engineers, too.



If you want a free and lightning fast C compiler, use tcc. It does not optimize, though.



gcc Experience

As a user of gcc I cannot support your observations. I have used gcc to good effect for at least 15 years now. It seems to be a bit slow, but the generated code was always sufficiently efficient for me. Also, I did not experience bad bugs. Using static code checks is highly recommended with ANY C compiler, though.

Current gcc is also the backend of the GNAT Ada compiler, which is successfully used in demanding aerospace projects such as Jäger 90.


In Other Words

Proper Software Engineering should avoid C.


Re: KISS 2: Generic Code

m4 worked nicely for me, but I never dared to use all of its features.



The Sappeur language defines a type system which enforces memory safety. The compiler parses the Sappeur code and checks the rules of the type system. If all is good, then memory-safe C++ code will be generated. Just try it out and see for yourself.


Re: Too Scary, Too Complicated

Sappeur is adding value by making your C++ code memory safe. Including multi-threaded code!

And it is indeed a compiler which performs type checking and has a very special type system. It just does not have an optimizer and a machine code generator of its own.

Compared to Java, Sappeur programs are lean and efficient. For example, you can write small Unix command line utilities with Sappeur. You cannot do this in Java, because of the excessive startup time of Java programs.



We should have never touched fire and continuing to live on the trees would be like a paradise. Except when the yellow-black devil cat shows up...


KISS 2: Generic Code

Some people say you need a dedicated generics mechanism, similar to C++ templates.

This is not true. A proper macro processor such as m4 can (for all practical purposes) do the same. Debugging is much easier, as the "instantiated" code can/will exist in a file to be inspected with a standard editor. No insane, cryptic C++ template error messages.

Not my invention, saw it when I worked for Dassault on CATIA.



With the mentioned approach, the compiler can also run on ELBRUS, which does not have a gcc compiler. In fact, ELBRUS has a secret instruction set, but that does not stop me generating Sappeur programs for this CPU.


Too Scary, Too Complicated

As with every nontrivial technical endeavor, one should apply the KISS principle. Demonstrate your innovative idea in a way that is as straightforward as possible. You can always perfect it later.

What does this mean?

Don't use the gcc infrastructure; instead generate C or C++ code and let existing compilers do the optimization and architecture-specific work. Debugging a compiler that emits C++ is much easier than debugging ASTs and machine code. As an added benefit, your compiler will be able to run on almost any CPU, because almost any CPU has a C++ compiler.

This is what I did here


The innovative aspect is that this language is a memory safe C++ variant. All the goodies of C++ plus single- and multi-threaded memory safety, due to a type system which "knows" of single- and multi-threaded sections of the program.

There exist Eiffel compilers which use a similar concept of emitting memory-safe C.

C: Everyone's favourite programming language isn't a programming language


Re: Sorry, someone who found CORBA in any way praiseworthy?

Thanks for mentioning ASN.1. In the spirit of "one tool for one purpose", it should have been used by CORBA. Instead they created volumes of convoluted stuff, which has already been mostly forgotten.


Functional ?

First, the computer is a machine. To work correctly, it must be precisely controlled. You *could* instead "train an AI", only to find out the AI has some very funny behaviour in edge cases.

For example, you can train an AI to drive a car and it will work on 364 days of the year. On day 365 it will experience an untrained scene and make a spectacular crash.

Regarding loops, branches, instructions and function calls - they are the essence of imperative programming. Like a certain sweetness and acidity (and more) we know as apples.

Then there are other fruits such as functional programming with much more mathematical expressiveness. Think of the sweetness and acidity (and more) of an orange.

Some programming problems call for imperative, while others are best solved using functional languages. One day you want to eat an apple, the next day you prefer an orange. That does not mean oranges are categorically better than apples.

Also, there are many more fruits such as logic programming. They have their niches, too.

The wild world of non-C operating systems






MPE was a very successful business (as opposed to scientific and technical) computer operating system.



MPE had a rough start, but after a couple of years it developed into a rock-solid OS, loved by loyal customers of the corporate world.

It was in fact a kind of economic mini-mainframe which could connect thousands of end user terminals for transaction processing, email, order processing, manufacturing management and the like.

It was implemented in a kind of Pascal.

MPE would still be in use if customers had to make the call, because it was so reliable and secure.

We blocked North Korea's Chrome exploit, says Google


Possibly -> Likely

"Any nontrivial C or C++ program contains plenty of exploitable bugs. Even if the program has been written by seasoned software engineers."




Biting the hand that feeds IT © 1998–2022