Posts by fg_swe

Re: Not Magical - Sappeur

Type systems indeed sometimes force software engineers to use a different, often safer approach.

Re: Anti-Modular Feature C Preprocessor

Dont really get your point. M4 can run on any computer providing a Posix Api with or without shim ala cygwin. I assume it runs on zOS, too.

Re: Memory safety is a design issue

Heap allocation is neither hard realtime nor provably available. Consider heap fragmentation.

As pointed out in other comments, C++ has become a bit safer, but by no means fully memory safe. Just consider the accidently thread-shared global object problem.

Re: Ada

Actually Ada worked flawlessly in Ariane V first flight. It reported a variable overflow, instead of marching on. As written above, modern testing techniques will trigger such exceptions. Then software engineers can investigate the root cause and fix them. Which is exactly what you want from an engineering POV.

Compare that to C++ or C, where variable over- or underflows will go undetected until "funny behaviour" results. (Yes, I know you can bolt on range checking in C++, but Ada has it built-in)

Anti-Modular Feature C Preprocessor

More solid engineering approach is:

1.) Do NOT include a macro processor into the language

2.) Use a separate macro processor such as m4 to perform specialization of generic code.

3.) Expand the macros to disk. This makes crystal-clear what the macros do and debuggers can show what is REALLY going on.

Google already does a lot of Rust work in Android. With great success, it transpires.

Re: A question

Any Turing complete language can in theory be compiled by a compiler written in itself.

Rust uses a serious chunk of C++, but this is done for pure economics reason.

Rewriting llvm in Rust would prolly discover loads of memory errors inside llvm.

Re: Ada

They did not even perform a cursory HIL Test for Ariane V. This is standard for control units sine 2010 or so. HIL test would have found the Ada exception and the bug would have been fixed without much talk.

CPU Never Sufficient

Some integrity and strong typing checks can only be done by the compiler.

Also, an optimizing compiler can remove many bounds checks in properly written code.

Fast

...Food Code.

Quick, dirty, unhealthy.

Re: WRONG

TypeScript copied the Sappeur idea of strong typing and transpiling in a much weaker typed language. Sappeur was first.

Still Not Memory Safe

What you describe is the standard approach in any safety critical industry such as Automotive, Aerospace, Medical and Rail. Dynamic memory is impossible to make hard realtime or even "available at all times".

BUT - even with statically allocated memory you can and WILL have index errors, using C or C++. You can also have bad pointers, which were meant to be pointing to the static memory sections.

With Rust or Sappeur you allocate whatever memory you need in a startup phase and after that you can be sure there will be no memory errors any more.

No

C++ still has essentially the same Memory Bug Potential as C had.

http://sappeur.di-fg.de/WhyCandCppCannotBeMemorySafe.html

In real-world, large scale C++ based projects they usually run test cases with valgrind. A very slow way of detecting memory bugs in test code with test input. Still does not defend against other, well-crafted hostile program input.

Re: What kind of volunteers...

"language chauvinists"

Can I have that with some feminist pickle ?

Also Not Really Correct

A well designed program written in a memory safe language can indeed perform safe multithreading. It just requires the language to MODEL multithreading in the type system. As opposed to C and C++, which simply bolted on multi-threading to a single threaded memory model.

E.g.http://sappeur.di-fg.de/manual.pdf Section 9.2

Claim

"Memory errors haven't been a problem in code I shiipped for around 10 years."

Mr Ivan out of Tshelyabinsk might have a word with you after he stared at the decompilation of your code for 30 days.

WRONG

Memory Safety and dynamic memory management are NOT the same. Even in totally statically allocated systems (most realtime/embedded systems in Auto, Rail, Medical, Aerospace are of this type) you can still have Index Errors and Bad Pointers, if you use C.

Destructive Reasoning

Of course there must be a small part of the code which is unsafe. Your embedded periphery meddling (A/D converter, PWM, clock setup etc) cannot be covered by Memory Safety. But that does not mean the 99% of OTHER code should not be memory safe. Locking down 99% of code is definitely a very serious gain of safety and security. For example, you will discover dangerous memory errors during extensive Unit, Software and HIL testing.

Ada

The most successful fighter aircraft flight control software project(measured in fatal losses) STILL uses Ada. No loss of airframe so far. Hundreds of a/c flying for more than 20 years now. Certainly Ada is not magic pixie dust, but it surely is a major contributor to safety.

Wrong

Just because you THINK it does not have memory bugs, does not mean this is true. When "well tested" Unix Userland tools were first run with valgrind, tons of bugs were discovered. More bugs might be in them, just not discovered by the input data constellation.

Also see

http://sappeur.di-fg.de/Sappeur_Cyber_Security.pdf

Nonsense

1.) Rust(and other proper memory safe languages) DOES protect against the 70% of CVE exploits which are memory insafety bugs.

http://sappeur.di-fg.de/Sappeur_Cyber_Security.pdf

2.) An MMU can never be as fine-grained a protection as a proper memory safe language such as Rust, Sappeur or Java. Rather, MMUs operate on large chunks of memory, typically 4kByte or more.

3.) Memory safety should be enforced on the Type System level by the compiler. Very powerful things can be done there.

Completely Wrong

Entire operating systems have been written in Algol, C#, Java and Rust. They do need a certain amount of unsafe code for certain operations such as setting up a new process image. But all the things you mention can be done in a memory safe language. There is ZERO reason to parse data incoming from the network in C, except maybe "execution speed".

https://en.wikipedia.org/wiki/Burroughs_Large_Systems

https://en.wikipedia.org/wiki/ICL_2900_Series

https://en.wikipedia.org/wiki/Singularity_%28operating_system%29

https://en.wikipedia.org/wiki/JavaOS

For example, there exist lots of Java based web servers and the seem to be doing quite well. No need to use C for that.

Re: The software industry keeps digging its own grave

You are confusing them with the KGB.

Not Always True

There exists the possibility of a nicely written C program without any insane aspects. This program still contains exploitable memory bugs. A clean translation to a memory safe language will then defend the program against exploits that use memory errors. So your sweeping assertions are not right.

Re: Missing the point?

Thanks for your well reasoned post. The C and C++ memory models are very much impossible to make memory safe.

Impossible

See http://sappeur.di-fg.de/WhyCandCppCannotBeMemorySafe.html

Not Magical - Sappeur

The Sappeur type system forces the software engineer to clearly separate thread-local and thread-shared data structures. Thread global data can only be accessed via mutex-protected methods.

See http://sappeur.di-fg.de/manual.pdf, section 9.2.

WRONG

Depending on the C code style, it could be that it can be nicely translated into Rust. Rust then adds the runtime checking code that sometimes is required to ensure Memory Safety.

In other cases, the C code will use crazy pointer arithmetics and the like and manual translation into a sane and secure style will be required.

AMD is a totally different business than Infineon. High performance CPUs for PCs and Servers vs. low power microcontrollers for embedded applications.

MUSK

He is getting stuff done. Unlike Boeing and similar.

Of course with each elephant there is also a big "ejection hole"...

USAF Not Better

Their supa dupa F22 fighter had the following takeoff S.O.P:

1.) Accelerate to 120knots

2.) Rotate 10 degrees and get airborne

3.) Ignore Temperature

4.) Ignore Air Pressure

That "worked" until one "seasoned" pilot decided to also retract landing gear asap and made a belly landing.

They were told that their supermighty engines could essentially push them into the air in ground effect.

One belly landing later they discovered 60% of F22 pilots did this malpractice.

Then they figured out that rotation speed must be calculated for each airfield and weather individually. As is standard practice for all other aircraft.

Re: Titsup

Airbus is the undisputed king of flight control systems and flight safety.

Americans make rookie mistakes left and right, despite being exquisite in things like stealth, sensors, sensor fusion etc.

Re: Titsup

Well, if Trump will be smart enough, Boeing could simply license Airbus designs and copy them.

We Germans use tons of U.S. technology, why not reciprocate ?

Great Man Musk

Boeing, Lockheed Martin and the rest of the porkbarrel industry employed more engineers and scientists than Musk. They achieved very little compared to investor-entrepreneur-engineer Musk.

He made lots of great things happen, for example he rejuvenated the U.S. sat launcher industry, to great dismay of AIRBUS of Germany and France. Meanwhile Boeing bought Russian rocket engines and had no real intention to improve them. Porkbarrelers to the core.

Of course Marxists hate real entrepreneurs.

Stargazing

...can be done also from space, without the fluctuating refraction changes(flickering) of the atmosphere.

See Hubble and followers. Great success.