Posts by fg_swe

Out Of Memory in C, C++, Java, Rust

In all the above languages, you will get a deterministic crash if heap allocation fails. You either get a NULL pointer from malloc() or new or some sort of OutOfMemoryException. Accessing a NULL pointer typically creates (some sort of) SIGSEV and stops the program. OutOfMemoryException typcially stops the thread.

This is exactly what you want. A deterministic, debuggable crash from a programming error/cybernetic attack. Much better than Silent Subversion from e.g. a buffer overflow.

How else could an out of memory condition be handled ?

(this applies to Windows, Linux, BSD, HPUX, Solaris, AIX, but maybe not to embedded systems)

Thanks

Your reasoning is the proper one. A deterministic crash is much better than Silent Subversion. See http://sappeur.ddnss.de/discussion.html section D9

Rust Not Different Here From C, C++ or Java

See http://sappeur.ddnss.de/discussion.html, section D9

FALSE

Please look at http://sappeur.ddnss.de/discussion.html , section D9 for why you are wrong.

FALSE

The macro processor of C is just one aspect of the language. There exists a modicum of type safety from a very basic type system in the C language. It just is not as comprehensive as it should be. Too many "undefined behaviour" cases.

Note that in C++ you can use a powerful macro processor to replace the convoluted STL system. And its crazy error messages.

E.g. use m4 to generate/instantiate container classes on the harddrive. If you have a bug, then you will get concise error messages inside the generated code. Much better to understand for mankind. If you are a masochist, you can even use cfront macro processor to perform this.

One could even perform generic programming in C using this approach (e.g. a typesafe generic_sort() instead of the void* abomination).

NOT

According to your assertion NOBODY should generate C code, as we are all "fallible". The best software engineers write a bug then and now. The most advanced static checker tools, unit testing, module testing, HIL testing and valgrind runs cannot find all of the bugs. We have seen them in the Linux Kernel, in VxWorks, in Windows kernel and user mode, in loads of application level programs developed by seasoned experts.

The first time Unix userland tools were run under valgrind checking were a revelation. Hundreds of bugs, which existed for decades in millions of actively used systems.

Here is a list of the memory safety issues of C http://sappeur.ddnss.de/SappeurCompared.html

I would argue that you are mostly correct, the amount of C code men generate should be very limited. There are NO perfect software engineers. There are only Code Generators (such as the Sappeur compiler) which are very close to memory safety perfection.

Wrong

Writing is first and foremost about CORRECT CONTENT, not about lyrical bullshit.

ChatGPT is good on lyrics and faulty on content. See my other post.

Re: AI is the new pocket calculator

We have created extremely reliable software systems you can entrust your life. ABS, ESP, Airbus flight control, software based railway switchyards, aerodynamically unstable aircraft which become stable due to software.

Re: Big Time Bullshit

They either updated the model, or the exact wording of the queries is super important. I would NOW grade

"tell me the difference between the Osprey V22 and the Dornier 31" - 4. One faulty sentence "The Do 31, on the other hand, used jet engines for VTOL capabilities and did not have the ability to fly like a fixed-wing aircraft."

"write the c++ code for Enigma" - 5. Text is kind of OK, but the code is completely wrong.

#include <iostream>

#include <string>

const int NUM_WHEELS = 3; // Number of wheels in the Enigma machine

const int ALPHABET_SIZE = 26; // Size of the alphabet

// The mapping of each letter of the alphabet to another letter

// For example, mapping[0] is the mapping for 'A', mapping[1] is the mapping for 'B', etc.

int mapping[ALPHABET_SIZE];

// The current positions of each wheel

int wheel_positions[NUM_WHEELS];

// Initialize the mapping and wheel positions

void initialize() {

// Set up the mapping of each letter to another letter

// In this example, we just use a simple rotation of the alphabet by 3 letters

for (int i = 0; i < ALPHABET_SIZE; i++) {

mapping[i] = (i + 3) % ALPHABET_SIZE;

}

// Set the initial positions of the wheels

for (int i = 0; i < NUM_WHEELS; i++) {

wheel_positions[i] = 0;

}

}

// Encrypt a single character using the Enigma machine

char encrypt(char c) {

// Rotate the wheels

for (int i = NUM_WHEELS - 1; i >= 0; i--) {

wheel_positions[i] = (wheel_positions[i] + 1) % ALPHABET_SIZE;

if (wheel_positions[i] > 0) {

break; // Only rotate the next wheel if the current one has "carried over"

}

}

// Get the index of the character in the alphabet (e.g. 0 for 'A', 1 for 'B', etc.)

int index = c - 'A';

// Use the mapping and the wheel positions to encrypt the character

int encrypted_index = (index + mapping[index] + wheel_positions[0]) % ALPHABET_SIZE;

// Convert the encrypted index back to a character and return it

return 'A' + encrypted_index;

}

// Decrypt a single character using the Enigma machine

char decrypt(char c) {

// Get the index of the character in the alphabet (e.g. 0 for 'A', 1 for 'B', etc.)

int index = c - 'A';

// Reverse the encryption process to decrypt the character

int decrypted_index = (index - mapping[index] - wheel_positions[0] + ALPHABET_SIZE) % ALPHABET_SIZE;

// Convert the decrypted index back to a character and return it

return 'A' + decrypted_index;

}

int main() {

initialize();

std::string message = "HELLO WORLD";

std::cout << "Original message: "

Functional Safety

In the IT sphere, you are more or less right. A NULL pointer causes a deterministic, debuggable stop of program. Service will be stopped for an hour or so. Customer uses cash to buy a cup of coffee and comes again later to run the service again.

In other spheres such as auto, rail, aerospace and medical, you cannot just "stop the process and debug it". Imagine getting a NULL pointer inside an ABS brake algorithm, while the driver hits the brake pedal. How would you handle this as a software engineer ? Restart the process and maybe get another NULL pointer a few milliseconds later ? No, you must prove there will never be a NULL. One proper way to do this is to have the type system+compiler assuring this.

Economics

I do not believe in communism. And, if you cannot spend €300 on your tools, you should review your economic setup.

Re: Go Multithreading Issues

Do you have a Napoleon Complex ?

FALSE

Rust has already been used to create the Redox operating system. Surely it will contain some unsafe section, but in general it is a great improvement on the C based kernels.

Likewise, the Algol Mainframes of ICL, Unisys and Moscow had some Memory Safety features inside the kernel.

Instead of mysterious behaviour, memory safe languages will provoke a Debuggable Crash.

Re: Oh IT Man

Here is a great video on Wild Weasel https://www.youtube.com/watch?v=fHpsaasL5gM

It truly was an epic fight between soviet and american electronics engineers. A fight between Russian missile soldiers and American airmen/flying sailors. Not just the SAMs, also the radar controlled Flak and the ground-radar guided Mig19s, Mig21s.

America lost that one, because they were complacent.

After that, won over Iraq and Lybia almost with ease. They did not have the latest Russian electronics and not the Russian electronic soldiers.

Re: Oh IT Man

The modern Wild Weasel is the ECR Tornado and the EF18 GROWLER.

Apparently the USAF and RAF currently dont do this role, but this can change in a blink of an eye.

Oh IT Man

You think you know all when you know nothing.

In Viet Nam, russian made and operated SAMs were masterpieces of control and radio electronics then.

They blew something lin the order of 50% of US fighters and bombers out of the sky.

Read up on Wild Weasel if you want to know why they did not shoot 100% of US planes.

Automotive MISRA Experience

I was part of auto software engineering projects up to ASIL-D. I say this:

1.) MISRA C subset is definitely useful and makes sense for other domains, including datacenter, phone, PC.

2.) MISRA C will do little to prevent integer under/overflows or index errors. Static checkers (PC Lint, PolySpace) do help here. They are now mandated in most projects. Static checkers have limited power, though. Sometimes runtime checks are required to be memory safe. C cannot do that. MISRA or not. SPARK Ada, Rust, Sappeur, do dynamic index checks.

3.) Using C in safety-critical domains (auto, rail, aerospace, medical) is a second-rate decision. SPARK Ada is still superior in many ways. Engineers who can write C can be made to write Ada, but C can never be made as safe as Ada, even with static checkers tacked on.

Re: Singularity OS

All of the WNT kernel had serious memory error exploits, including the TruType font subsystem they dragged into the kernel. Visit a "bad" website with poisoned fonts, have a kernel exploit !

Re: Unisys MCP Algol Heap Memory

Unisys implemented lots of software in Algol, including compilers. I fail to see how they could have done that without heap memory.

And I can imagine that they built heap memory management into the OS. Essentially you declare a pointer, dereference it and MCP will allocate the object/array "on the fly". MCP experts please correct me if I am wrong.

They can then run mark+sweep in the MCP system, just like the JVM does.

https://www.informit.com/articles/article.aspx?p=1671636&seqNum=3

Unisys is not bound to limit themselves to the official Algol standard.

Automotive and Aerospace Software Safety

I hasten to add that modern software engineering processes (ASPICE, V-Modell etc) have several lines of defense against software engineering errors. Auto drivers do not have to worry too much, neither do AIRBUS passengers or pilots.

First, there is thorough documentation, secondly thorough design steps. Thirdly, upwards the V, there is a cascade of Unit, Software and HIL Test batteries. Even if we did not use static checkers, these comprehensive test efforts would most likely find dangerous bugs.

AIRBUS likewise has a an almost perfect record in both JÄGER90 and commercial airplanes since A310 and later. Not a single loss of aircraft due to flight control software and hardware !

They have even more measures in place, including the use of SPARK Ada. Much better than C.

Re: Android runs better when covered in Rust

As long as the p........ improve practical computer science, we should applaud them ;-)

Yeah, Rambling

I currently write code for automotive software, some of which is ASIL-B. I worked on electric/electronic power steerings, which are up to ASIL-D. All in C plus static checkers such as PC Lint and PolySpace. Both tools typically find plenty of issues(index errors, integer under/overflows,...) in the code of experienced engineers. Maybe your car contains this code and your life depends on it.

Apple Swift was inspired by my language

http://sappeur.ddnss.de

Even though Apple made serious shortcuts on efficient Reference Counting (all Swift ARC is MT safe, which is both inefficient and enabling one type of error).

If you want to see some of my source code, please feel free to look here

http://gauss.ddnss.de

Re: But

A) In many cases (e.g. for loops), the index checking of a Rust, Java or Sappeur program could be turned into an O(1) operation.

B) I was referring to: obtaining a pointer into the middle of an array, then incrementing or decrementing w/o any sanity check of the runtime system or the compiler.

B2) I have seen plenty of that cr4p, because some people did not know STL and abused an MFC integer array to store pointers. Oh yeah, and void* pointers and lots of other obscenities.

C) Multicore CPUs are now standard, even in laptops of the $1000 range. In the datacenter, we have multithreading since 1998 or so. Even the world of auto now uses multicore MCUs for demanding things like video processing.

Unisys MCP Algol Heap Memory

From

https://en.wikipedia.org/wiki/Burroughs_large_systems_descriptors

"Also, low-level memory allocation system calls such as the malloc class of calls of C and Unix are not needed – arrays are automatically allocated as used. This saves the programmer the great burden of filling programs with the error-prone activity of memory management, which is crucial in mainframe applications."

They do not need "new" or "malloc", as the CPU+OS will handle dynamic memory allocation and freeing !

In other words, the whole idea of explicit memory allocation is not the only viable one.

Yeah

When you don't write totally memory-error free C++ code, you do Perfect Braking, correct ?

Also when two wheels are on ice and the other two on concrete, you operate each wheel's brake independently using four finger switches ?

Re: Static C++ Checkers

There are very few languages which model multithreading in the type system. Sappeur is one of the first to do so.

Re: Real World

The quick+dirty Huawei stuff is especially dangerous, because it is coded in C and C++.

I was responding to your claim that telephone software would be somehow more robust. Maybe that was a feature of the past.

From the Trenches

https://groups.google.com/g/comp.sys.unisys/c/5apvpaA2fZs

Burroughs Algol Mainframes

https://www.digm.com/UNITE/2019/2019-Origins-Burroughs-Algol.pdf

Definitely a much better concept than C+Unix and the IBM/360 world of untyped memory. But alas, cheaper often wins over better. At least initially.

Really ?

Please have a look at the Algol mainframes. They definitely have very interesting memory safety features.

https://www.theregister.com/2020/05/15/algol_60_at_60/

https://en.wikipedia.org/wiki/Burroughs_large_systems_descriptors

Real World

In the real world, engineering managers are in most cases not the best+brightest engineers. Rather, they know how to "herd cats". Social skills.

If "all other engineering managers" use C, they will do that too. Regardless of the consequences.

In other words, improvements of software security and safety will come from engineers+scientists, not managers.

Modern day telephone software apparently is quick+dirty stuff, which is why the phone network now has one-day-crashes per three years or so. A long time ago, they aimed for "5 minutes in 30 years". The days of ISDN.

https://www.softwaretestingnews.co.uk/21345-2-gchq-director-huaweis-engineering-very-shoddy/

But

Both have very similar memory safety issues:

A) unchecked array access

B) funny raw pointer stuff

B2) super funny pointer casting (e.g. int to pointer)

C) lots of problems from a lack of proper multithreading safety model in the type system

Algol "heap" keyword

Look it up. It is comparable to Java's new. Implementations would use a mark+sweep collector to reclaim the memory after use.

Dornier 31

I never said it was cheap. But it still has the best performance of all planes in its class. And also the best safety record. Only slavery is cheap.

FALSE

You bring up the "good software engineers don't produce memory errors" argument once more. In reality, even the most seasoned engineers then and now have Covid 3333(a.k.a. "flu"), a fight with their wife, trouble with a teenage kid or the like. Bang, memory error.

It has happened in ALL major systems from HP/UX kernel to VxWorks TCP/IP stack. In between, WNT, Linux kernel, Unix user land, Solaris make, g++, YOU NAME IT.