Posts by fg_swe

False

Large Scale Systems such as HP MPE or Apple LISA were built with Pascal-like languages.

HP MPE was highly successful and LISA is essentially the predecessor of all GUI computers we use today.

ALGOL

Algol compiled itself in the 1970s. Entire systems were built in Algol - from kernel to applications.

False

Proving a system "safe for life-critical applications" is only to a minor degree dependent on "certified tools".

What you must do is to prove that the system you built with the toolchain is "safe". This is done with processes like V-Model, ASPICE, ISO26262 or DO178. The railway folks have their equivalent standard and the medical folks, too.

Essentially: test the h3ll out of your system. If you have a relevant compiler bug, it will most likely crop up in this process. Of course you will track the issue down to assembly level.

So you can safely use Rust for ABS or flight control, IF your engineering processes are robust and faithfully executed. Today.

Or

...maybe America and friends are currently hit very hard in the crown jewels.

I see reports left and right how foreign actors are hitting NATO government institutions really hard. Some mid-level government entities completely encrypted or their laundry hang out to dry.

Having said that, indeed, one man's security is another man's security risk. That even applies to two men inside NSA.

Some government workers go back to paper for critical stuff(HR security), as far as I can see.

"unsafe" "Inline_cpp"

Judicious use of a small number of unsafe code parts is Good Engineering. Ideally, limit the unsafe code to system libraries such as File handling, TCP/IP, GUI and so on.

Much better than 100% unsafe C code. Or "modern" C++ code with some "accidental multithreaded sharing".

Engineering that has "life in hands" is about minimizing risk in an economic fashion. If 99% of your code is memory safe, that is much better than 100% unsafe C or C++.

Re: Complexity

Bingo. NEVER use the latest C++ feature, just because you have read about it. In extremis, write "C with classes" if that is the only way you know how to work reliably.

Not Really

The compiler of my memory safe language is about 10 000 lines of C++ code and takes about one second to compile 10000 loc on an RPI. Memory Safety is not expensive for the compiler.

Also, in the 70s they already had ALGOL, which was in many ways memory-safe.

C "won", because it was "given away for free".

Turning Turbo Pascal 3 in a single-threaded, memory safe language would be not hard either. It runs on an 80286, 8Mhz like a lightning.

Bull$hit

Memory Safety is an important tool in the toolbox, but it does not absolve you from executing a test battery from Unit to HIL Tests. Most importantly, it does not absolve you from cheating on test cases.

But that is true with each and every engineering product. If you test a car by opening and closing doors, you still don't know how it acts in a curve, how it acts over a pothole etc etc.

Handling Compiler Bugs

There are ways of controlling this risk. Not exactly cheap, but cheaper than losing a €100 000 000 aircraft and a man piloting it.

Use brains and drop penny-pinching. Then you find out.

Integer Overflow

Ideally, integer over- or underflows should terminate program(or at least thread) execution. In Ada and Pascal, you can have this.

Your program just exposes the dirty side of C.

Also see POLYSPACE, it is a way to find such perversions.

Missing return Value and Type Safety

A proper memory safe language will not allow this. See my language SAPPEUR as an example.

C++ compilers have been traditionally weak on this, for no good reason.

Explanation

"Memory Safety" is not a silver bullet. It only assures that memory errors are "locally contained" and do not propagate from one module to other modules. Like an ABS brake is not a silver bullet, either. You can still kill yourself with an ABS brake, if you try hard enough.

Not Entirely True

1.) Ada by itself is not fully memory safe. SPARK Ada could be said to be.

2.) There have been Ada programs which were carefully built, but produced an exception when lots of money was at stake. Ariane V, first flight is premier example.

3.) Exhaustive testing according to the V Model will bring you the confidence that your carefully designed and written system is also doing what it is supposed to do. Unit Testing, Software Testing, System Testing, HIL testing, careful operationalisation, massive datalogging/analysis and a bunch of other validation measures used by premier projects such as Jäger 90.

Of course, if you start cheating on testing, all bets are off. Tests must be first and foremost REALISTIC. And somehow "complete" according to the system use cases.

4.) Memory safe languages can detect quite a few "hidden" bugs during 3. That is exactly when you want to learn about them. Not when an airman's life depends on it.

Wrong

HP MPE was a successful multi-user, transactional OS written in a Pascal variant. Pascal itself is NOT memory safe, but you can of course limit yourself to not using pointers. Turn on bounds checking. Then you have sort-of-memory-safety. Still no support for multithreading, which is a critical feature these days.

Entire corporations ran their business systems on HP MPE and most of them loved it for reliability and security. It was axed because HP was run by people who preferred to be resellers of other companies such as SAP, Oracle and Microsoft. It would still exist(and make money for HP and customers) if it were not for these surrender monkeys.

MPE ran on powerful PA RISC servers with 16 or more CPUs. Thousands of parallel users. A mainframe OS in all but name.

False

First, PASCAL is a very good language, especially for students. Strong typing, simplicity, good string facilities. I like it a lot for its spirit.

BUT - it is not memory safe. heap memory is managed essentially the same way as C does, with consequentially the same "bug modes" such as "use after free".

You could create a memory-safe Pascal variant, complete with "smart pointers everywhere" and multithreading-aware type system. But that would no longer be Pascal, but something else.

No

Memory-Safe languages provide fine-grained protection of variables in the order of 10 to 100 octets. MMU pages are in the order of 1000 or more octets. Also, MMUs cannot reliably protect against randomly false pointers and "use after free".

False

There have been quite a few successful computers based on Pascal and Algol. Any Turing-complete language can perform self-hosting (compiling itself to binary code). And that is practice, not theory. The Algol mainframes and the C# based OS Singularity were (mostly) memory-safe in the kernel.

Jäger 90 / Typhoon

Apparently the most safe flight control software is written in Ada. Also see Spark Ada, which is a very interesting approach to safety.

The others you can find on youtube, crashing on landing. F22, Gripen, Su27, you name them.

Wrong

Algol was memory-safe around the same time C was invented. Actually quite similar to Java, with the VM being a specialized CPU. See ICL and Burroughs mainframes.

Memory Safety != Garbage Collection

Instead of GC, ARC can be used. I have done it, works nicely and is very efficient(almost no delays from heap memory). See http://sappeur.ddnss.de/

Wrong

Memory Safe Languages can be extremely compact in their implementation. My language SAPPEUR has about 10 000 loc in the compiler and about 5000 loc in the "base libraries". Just because Java and .Net are bloated means nothing.

Maybe

...they fear to be counter-hacked and want to eliminate their share of the 70% of exploits which come from the lack of memory safety of C and C++.

And

Japan learned to live without babies. All human energy and friendliness spent on flooding the world with great cars, great cameras, binoculars and video recorders. Facilitated by a bonfire of giant monetary expansion.

Future archeologists will call it the "Toyota Episode" followed by the "Phillipine phase". The latter is when a foreign people take over Japan, because the Japanese died of age and lack of children.

GNSS

Apparently they use this CPU also for GNSS and other sovereign/mil applications. For obvious reasons of security.

Well

The EU is a bunch of weaklings who need Uncle Sam to protect them from ANY REAL threat. Like the Russkies or the Turks.

They will degrade defense capabilities to zero* while talking childish-pacifist nonsense. When the threat pops up, they cannot even organize a Common European Defence Exercise. Easy to play Divide Et Impera with said weaklings.

So the lack of a satellite launcher is much less of an issue than LACK OF COJONES.

*Look up SENIOR GUARDIAN, Heeresfunkgeräte, EADS Barracuda, EuroHAWK, "Kampfdrohnen völkerrechtlich nicht verboten"