Date: Mon, 09 Sep 2024 11:37:35 +0200
From: Olivier Certner <olce@freebsd.org>
To: freebsd-hackers@freebsd.org
Subject: Re: The Case for Rust (in any system)
Message-ID: <5500620.vKySYWdmsc@ravel>
In-Reply-To: <CAOtMX2iCNX5OkdeghnbmcMrO0UYWwm4zfxFSZGznOznu+mh5rA@mail.gmail.com>
References: <CAOtMX2iCNX5OkdeghnbmcMrO0UYWwm4zfxFSZGznOznu+mh5rA@mail.gmail.com>
Hello Alan,

> And none of them would have happened if their respective programs had been written in a
> memory-safe language.
>
> Use after free
> ==============
> https://cgit.freebsd.org/src/commit/?id=62f40433ab47ad4a9694a22a0313d57661502ca1
> CVE-2024-43102 FreeBSD-SA-24:14.umtx

As the person who analyzed and fixed this particular bug, I must point out that I don't see how Rust could have changed anything in this case.

The Use-After-Free in this bug has nothing to do with a simple pointer dereference to an object that was freed earlier in the source code sequence. Instead, it existed because of a combination of several specific factors: concurrent accesses, a lock that has to be dropped and then re-acquired, reference counting and a special reference to account for the presence of an object in a registry. Persistence in this registry is up to deletion triggered by process exit or a specific call from userland, and the object has to be returned to userland on some other specific calls in the meantime. AFAIU, this is simply way beyond what the borrow checker and "linear" types are capable of expressing.

Enthusiasm is great, and I hope you'll keep it, but subliminal messages (not necessarily by you) that Rust is a panacea with respect to solving all memory problems are a disservice to everybody.

It is great that, in another response, you have given explanations of why some of the bugs you initially listed would not have happened in the first place. Quickly reading through them, it seems that most do not involve mechanisms specific to Rust (the borrow checker in particular), implying that these bugs would not have existed either if the code had been written in most of the other higher-level languages. And it seems that you yourself agree with that characterization:

> In fact, of all the C bug fixes that I've been involved with (as
> either author or reviewer) since May, about three quarters could've
> been avoided just by using a better language.

So I think we should also stay open to other options than Rust, as they may bring the vast majority of its benefits without most of its drawbacks (thanks to all people that have brought up valuable information in this thread).

Thanks and regards.

-- 
Olivier Certner
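The reference-counting discipline Olivier describes (a registry that holds its own reference to each object, a lock that must be dropped and re-acquired, and lookups that have to keep the object alive across that gap) can be shown generically. The following is an example added for this page; it is not the umtx code, not the fix from the linked commit, and not FreeBSD code. The registry layout, the function names and the object contents are constructed, and the racy interleaving is replayed on a single thread so the outcome is deterministic. The point it makes is the one the message makes: the object stays valid across the unlock only because the protocol takes a reference before the lock is released, and nothing in the pointer dereference itself reveals whether that step was done.

```c
/*
 * Constructed illustration (not code from the umtx fix): a registry owns one
 * reference to each object, a lookup takes its own reference *before* the
 * registry lock is dropped, and the object is freed only when the last
 * reference goes away, whoever happens to hold it.
 */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

#define REG_SLOTS 4

struct obj {
    int refs;   /* registry's reference (while present) + outstanding lookups */
    int id;
};

static struct obj *registry[REG_SLOTS];
/* One lock protects both the registry slots and every object's refcount. */
static pthread_mutex_t reg_lock = PTHREAD_MUTEX_INITIALIZER;
static int freed_count;     /* objects whose last reference has been dropped */

/* Insert a new object; the registry slot holds the initial reference. */
static int obj_register(int id)
{
    struct obj *o = calloc(1, sizeof(*o));
    if (o == NULL)
        return -1;
    o->id = id;
    o->refs = 1;                        /* the registry's own reference */
    pthread_mutex_lock(&reg_lock);
    for (int i = 0; i < REG_SLOTS; i++) {
        if (registry[i] == NULL) {
            registry[i] = o;
            pthread_mutex_unlock(&reg_lock);
            return i;
        }
    }
    pthread_mutex_unlock(&reg_lock);
    free(o);
    return -1;
}

/* Drop one reference under the lock; free at zero. Returns references left. */
static int obj_release(struct obj *o)
{
    pthread_mutex_lock(&reg_lock);
    int left = --o->refs;
    pthread_mutex_unlock(&reg_lock);
    if (left == 0) {                    /* nobody else can reach it any more */
        freed_count++;
        free(o);
    }
    return left;
}

/* Look up a slot and take a reference while still holding the lock. Handing
 * out the raw pointer without this increment is the step that turns a later
 * "drop lock, re-acquire, use" into a use-after-free once another thread
 * unregisters the object in between. */
static struct obj *obj_lookup(int slot)
{
    struct obj *o = NULL;
    pthread_mutex_lock(&reg_lock);
    if (slot >= 0 && slot < REG_SLOTS && registry[slot] != NULL) {
        o = registry[slot];
        o->refs++;
    }
    pthread_mutex_unlock(&reg_lock);
    return o;   /* caller owns one reference and must obj_release() it */
}

/* Remove the slot's object (process exit or an explicit request in the
 * message's scenario) and drop the registry's reference. Returns the
 * references still outstanding, or -1 if the slot was already empty. */
static int obj_unregister(int slot)
{
    pthread_mutex_lock(&reg_lock);
    if (slot < 0 || slot >= REG_SLOTS || registry[slot] == NULL) {
        pthread_mutex_unlock(&reg_lock);
        return -1;
    }
    struct obj *o = registry[slot];
    registry[slot] = NULL;
    pthread_mutex_unlock(&reg_lock);
    return obj_release(o);
}

static int obj_refs(const struct obj *o)
{
    pthread_mutex_lock(&reg_lock);
    int r = o->refs;
    pthread_mutex_unlock(&reg_lock);
    return r;
}

/* Single-threaded replay of the racy interleaving: a looker-up drops the lock,
 * the object is unregistered underneath it, then the looker-up uses and
 * releases it. Returns 1 if the object survived until that last release. */
static int demo(void)
{
    int slot = obj_register(42);
    struct obj *o = obj_lookup(slot);           /* refs: registry + us = 2 */
    if (o == NULL)
        return 0;
    int after_unreg = obj_unregister(slot);     /* registry ref gone: 1 left */
    int id = o->id;                             /* still valid: we hold a ref */
    int left = obj_release(o);                  /* last reference: freed now */
    return after_unreg == 1 && id == 42 && left == 0 && obj_lookup(slot) == NULL;
}

int main(void)
{
    printf("%s\n", demo() ? "object outlived its registry entry" : "broken");
    return 0;
}
```

Note where the lock is released in `obj_lookup` and `obj_unregister`: both drop it while still holding a counted reference, so the interleaving in `demo` is safe regardless of which side runs first. Replacing `o->refs++` in the lookup with a plain pointer return would compile identically and dereference identically; only the protocol, not the dereference, decides whether the later access is a use-after-free.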
