Safety
Control
Haskell
C/C++
ML
Java
Browsers
Graphics
Operating Systems
Vulnerabilities originating as Buffer Errors
-- NVD
// C++
int main() {
vector<string> vec;
vec.push_back("Hi");
auto& elem = vec[0];
// State of memory ->
}
Stack
Heap
data
length
capacity
vec[0]
elem
vec
// C++
int main() {
vector<string> vec;
vec.push_back("Hi");
auto& elem = vec[0];
vec.push_back("there!");
// State of memory ->
cout << elem << endl;
}
Stack
Heap
data
length
capacity
vec[0]
elem
vec
vec[0]
vec[1]
// Java
public static void main(String[] args) {
ArrayList<String> vec =
new ArrayList<String>();
vec.add("Hi");
String elem = vec.get(0);
vec.add("there!");
// State of memory
System.out.println(elem);
}
Stack
Heap
elem
data
length
capacity
vec
vec[0]
vec[1]
Most languages achieve it through:
// C++
int main() {
vector<string> vec;
// populate the vector
for (auto& elem : vec) {
if (elem > "hi") {
vec.erase(elem)
}
}
}
Iterator Invalidation
How much safety is really achieved though?
Safety
Control
Haskell
C/C++
ML
Java
Safety
Control
Haskell
C/C++
ML
Java
How do programmers write C/C++?
int getaddrinfo(const char *node, const char *service,
const struct addrinfo *hints,
struct addrinfo **res);
void freeaddrinfo(struct addrinfo *res);
The getaddrinfo() function allocates and initializes a linked list of addrinfo structures, one for each network address that matches node and service, subject to any restrictions imposed by hints, and returns a pointer to the start of the list in res. The itemsin the linked list are linked by the ai_next field.
...
The freeaddrinfo() function frees the memory that was allocated for the dynamically allocated linked list res.
Programmers reason about who owns data:
These ideas ultimately made their way into the C++ STL:
unique_ptr<T>
shared_ptr<T>
weak_ptr<T>
auto_ptr<T>
int main() {
int* raw_p = nullptr;
{
unique_ptr<int> p = make_unique<int>(4);
cout << *p << endl;
raw_p = p.get(); // Get the underlying ptr
} // The destructor for `p` runs, freeing `*raw_p`
cout << *raw_p << endl;
// ^ Cry
}
C++ allows for ownership semantics, but cannot enforce them.
Learn about Memory Safety through Rust.
This talk draws heavily from the following talks: