Re: The Case for Rust (in any system)

From: Olivier Certner <olce_at_freebsd.org>
Date: Mon, 09 Sep 2024 09:37:35 UTC
Hello Alan,

> And none of them would have happened if their respective programs had been written in a
> memory-safe language.

> Use after free
> ==============
> https://cgit.freebsd.org/src/commit/?id=62f40433ab47ad4a9694a22a0313d57661502ca1
> CVE-2024-43102 FreeBSD-SA-24:14.umtx

As the person who analyzed and fixed this particular bug, I must point out that I don't see how Rust could have changed anything in this case.  The Use-After-Free in this bug has nothing to do with a simple pointer dereference to an object that was freed earlier in the source code sequence.  Instead, it existed because of a combination of several specific factors: concurrent accesses, a lock that has to be dropped and then re-acquired, reference counting and a special reference to account for the presence of an object in a registry.  Persistence in this registry is up to deletion triggered by process exit or a specific call from userland, and the object has to be returned to userland on some other specific calls in the meantime.  AFAIU, this is simply way beyond what the borrow checker and "linear" types are capable of expressing.

Enthusiasm is great, and I hope you'll keep it, but subliminal messages (not necessarily by you) that Rust is a panacea with respect to solving all memory problems are a disservice to everybody.  It is great that, in another response, you have given explanations of why some of the bugs you initially listed would not have happened in the first place.  Quickly reading through them, it seems that most do not involve mechanisms specific to Rust (the borrow checker in particular), implying that these bugs would not have existed either if the code had been written in most of the other higher-level languages.  And it seems that you yourself agree with that characterization:

> In fact, of all the C bug fixes that I've been involved with (as
> either author or reviewer) since May, about three quarters could've
> been avoided just by using a better language.

So I think we should also stay open to other options than Rust, as they may bring the vast majority of its benefits without most of its drawbacks (thanks to all people that have brought up valuable information in this thread).

Thanks and regards.

-- 
Olivier Certner
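Editor's illustration of the pattern described in the message above (a registry holding a reference to an object, and a lookup that must drop and re-acquire the registry lock). This is a constructed Rust analogue, not FreeBSD code and not the umtx fix: the `Registry`, `Obj` and `interleave` names are assumptions. It shows that safe Rust removes the memory-unsafe outcome (the `Arc` keeps the object alive) but does not express the invariant "the object is still registered when handed out"; that re-check after re-acquiring the lock remains the programmer's responsibility.

```rust
// Constructed analogue of a registry with a lock that must be dropped and
// re-acquired mid-lookup. Not the FreeBSD umtx code; names are assumptions.
use std::collections::HashMap;
use std::sync::{Arc, Mutex};

pub struct Obj {
    pub id: u32,
}

#[derive(Default)]
pub struct Registry {
    // The table holds the "registry reference" to each object.
    table: Mutex<HashMap<u32, Arc<Obj>>>,
}

impl Registry {
    pub fn insert(&self, id: u32) {
        self.table.lock().unwrap().insert(id, Arc::new(Obj { id }));
    }

    /// Deletion path (the analogue of process exit or an explicit userland call).
    pub fn remove(&self, id: u32) -> bool {
        self.table.lock().unwrap().remove(&id).is_some()
    }

    /// Lookup that drops the lock between two steps. `interleave` stands for
    /// whatever runs while the lock is not held (e.g. a concurrent removal).
    /// The compiler accepts this: the Arc keeps the object alive, so there is
    /// no use-after-free, but the caller may receive an unregistered object.
    pub fn lookup_unchecked(&self, id: u32, interleave: impl FnOnce()) -> Option<Arc<Obj>> {
        let found = self.table.lock().unwrap().get(&id).cloned(); // guard dropped here
        interleave();
        found // may no longer be present in the registry
    }

    /// Hardened variant: after re-acquiring the lock, re-validate that the
    /// registry still holds the very same object before handing it out.
    pub fn lookup_checked(&self, id: u32, interleave: impl FnOnce()) -> Option<Arc<Obj>> {
        let found = self.table.lock().unwrap().get(&id).cloned()?; // guard dropped here
        interleave();
        let table = self.table.lock().unwrap(); // re-acquire
        match table.get(&id) {
            Some(current) if Arc::ptr_eq(current, &found) => Some(found),
            _ => None, // removed (or replaced) while the lock was not held
        }
    }
}
```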