Borrow Checking, RC, GC, and Eleven Other Memory Safety Approaches

184 points by PotatoPancakes, 5 months ago

23 comments

naasking, 5 months ago
More people need to read up on C#'s refs:

https://em-tg.github.io/csborrow/

These kinda-sorta fall under borrow checking or regions, just without any annotations. Then again, Ada/Spark's strategy also technically falls under Tofte-Talpin regions:

https://www.cs.cornell.edu/people/fluet/research/substruct-regions/ESOP06/esop06.pdf
chrismorgan, 5 months ago
> Curséd

With an acute accent, that should be roughly /ˌkɜːrˈseɪd/ “curse-ay-d”. (Think “café” or “sashayed”.)

The stylised pronunciation being evoked is roughly /ˈkɜːrˌsɛd/, “curse-ed”, and would be written with a grave accent: “cursèd”.
tialaramex, 5 months ago
The list gets very woolly by the end. CHERI exists (though not at volume), Cornucopia Reloaded is a research paper, "plus some techniques to prevent use-after-free on the stack" is entirely hand waving.

It is really good as food for thought though.
willvarfar, 5 months ago
Meta comment, but I really like the formatting of the blog post!

It reminds me of the early days of the web, when text was king and content was king. I particularly like the sidenotes in the margins approach.

(Hope the author sees this comment :) Hats off)
bitbasher, 5 months ago
I'm kinda torn. It seems there are only three approaches.

1. laissez-faire / manual memory management (C, C++, etc.)

In this approach, the programmer decides everything.

2. dictatorship / garbage collection (Java, Go, etc.)

In this approach, the runtime decides everything.

3. deterministic / lifetime memory management (Rust, C with arenas, etc.)

In this approach, the problem determines everything.
mgaunard, 5 months ago
The fact that re-using a slot for a different object of the same type is considered a memory safety technique is ridiculous.
hawski, 5 months ago
That is very informational. Thank you.

I am interested in Vale and it feels very promising, though because of my interest in bootstrapping I don't like that it is written in Scala. I know that is shallow, but that's a thing that limits my enthusiasm.

If you are like me and don't like jumping around between notes and text and you prefer to read the notes anyway, here is a little snippet you can run in Web Inspector's Console:

    document.querySelectorAll(".slice-contents a[data-noteid]").forEach(e => {
      // Find the sidenote paragraphs whose data-noteid matches this link's.
      document.querySelectorAll('.slice-notes [data-noteid="' + e.attributes["data-noteid"].nodeValue + '"] p').forEach(p => {
        p.style.fontSize = 'smaller';
        // Move each note paragraph inline, directly before the link.
        e.parentNode.insertBefore(p, e);
      });
      // The link is now redundant.
      e.remove();
    });

It will replace note links with the notes themselves, making them smaller, because they will not always fit smoothly.
alexisread, 5 months ago
Previous discussion:

https://news.ycombinator.com/item?id=40146615

https://news.ycombinator.com/item?id=41974185
westurner, 5 months ago
From https://news.ycombinator.com/item?id=33560227#33563857 :

- Type safety > Memory management and type safety: https://en.wikipedia.org/wiki/Type_safety#Memory_management_and_type_safety

- Memory safety > Classification of memory safety errors: https://en.wikipedia.org/wiki/Memory_safety#Classification_of_memory_safety_errors

- Template:Memory management https://en.wikipedia.org/wiki/Template:Memory_management

- Category:Memory_management https://en.wikipedia.org/wiki/Category:Memory_management
tliltocatl, 5 months ago
Not mentioned: do not do any dynamic allocation at all. Never ever. Everything is either a global variable or goes on the stack. Doesn't work when you need to handle unknown input size, but when you need to make sure you don't OOM ever, it's the only way. Stack overflow is still a possibility, unfortunately, because existing languages cannot provide any guarantee here (Zig tried, but didn't get it done, AFAIR).

The only real problem with this approach is code reuse, because library writers will insist on opaque structs and malloc rather than letting the caller allocate.
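The "no dynamic allocation at all" discipline above, as an added Rust example (not code from the thread or the linked article): all storage is a fixed-size inline array, either in a global `static` or on the stack, and input that would not fit is refused with an error instead of triggering a reallocation. The 64-byte line capacity and the sample input are assumptions made for the demonstration.

```rust
use std::sync::Mutex;

/// Error returned when input would not fit in the fixed storage.
#[derive(Debug, PartialEq, Eq)]
pub enum PushError {
    Full,
}

/// A byte buffer whose storage is an inline array: no heap, capacity fixed
/// at compile time. Overlong input is rejected rather than grown into.
pub struct FixedBuf<const N: usize> {
    data: [u8; N],
    len: usize,
}

impl<const N: usize> FixedBuf<N> {
    pub const fn new() -> Self {
        FixedBuf { data: [0; N], len: 0 }
    }

    /// Append bytes; fails with no partial write if they would not fit.
    pub fn push(&mut self, bytes: &[u8]) -> Result<(), PushError> {
        let end = self.len.checked_add(bytes.len()).ok_or(PushError::Full)?;
        if end > N {
            return Err(PushError::Full);
        }
        self.data[self.len..end].copy_from_slice(bytes);
        self.len = end;
        Ok(())
    }

    pub fn as_slice(&self) -> &[u8] {
        &self.data[..self.len]
    }

    pub fn clear(&mut self) {
        self.len = 0;
    }
}

/// A global, statically allocated scratch line (assumed capacity: 64 bytes).
/// Mutex::new is const, so this lives in .bss; nothing is allocated at start-up.
pub static LINE: Mutex<FixedBuf<64>> = Mutex::new(FixedBuf::new());

/// Counts newline-terminated lines in `input` using only the global buffer.
/// A line longer than the buffer is an error, not a reallocation: the
/// "unknown input size" case is handled by refusing the input.
pub fn count_lines(input: &[u8]) -> Result<usize, PushError> {
    let mut line = LINE.lock().expect("buffer lock poisoned");
    line.clear();
    let mut count = 0;
    for &byte in input {
        if byte == b'\n' {
            count += 1;
            line.clear();
        } else {
            line.push(&[byte])?;
        }
    }
    Ok(count)
}

/// Stack-only variant: the buffer lives in this frame, no globals involved.
pub fn longest_line_on_stack(input: &[u8]) -> Result<usize, PushError> {
    let mut line: FixedBuf<64> = FixedBuf::new();
    let mut longest = 0;
    for segment in input.split(|&b| b == b'\n') {
        line.clear();
        line.push(segment)?;
        longest = longest.max(line.as_slice().len());
    }
    Ok(longest)
}

fn main() {
    // Constructed sample input.
    let sample = b"GET /index.html\nHost: example\n";
    println!("{:?}", count_lines(sample)); // Ok(2)
    println!("{:?}", longest_line_on_stack(sample)); // Ok(15)
    println!("{:?}", count_lines(&[b'A'; 100])); // Err(Full)
}
```

The trade-off tliltocatl names is visible in `count_lines`: a 100-byte line is not a crash and not an allocation, it is a `PushError::Full` the caller has to decide about. What this style cannot do is bound the stack; `longest_line_on_stack` still relies on the frame fitting.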
immibis, 5 months ago
MMM++ is a variation of standard malloc/free. You can still UAF, but only to another object of the same type, which may or may not prevent an exploit.

Something that's missing is full-on formal verification, where you write unrestricted C code and then mathematically prove it doesn't have any bugs. Nobody does this because proving a C program is correct is harder than mining a bitcoin block by hand, but it's useful to anchor one end of the safety/freedom spectrum. Many other approaches (such as borrow checking) can also be viewed as variants of this where you restrict the allowed program constructs to ones that are easier to prove things about.
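The same-type slot reuse immibis describes, and the generation tag that turns a silent stale read into a detected one, as an added Rust example (not code from the thread, the article, or any MMM++ implementation). `Slab`, `Handle` and the session strings are assumed names constructed for the demonstration.

```rust
/// A handle is a slot index plus the slot's generation when it was issued.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Handle {
    pub index: usize,
    pub generation: u32,
}

struct Slot<T> {
    generation: u32,
    value: Option<T>,
}

/// Typed slab: a freed slot is only ever reused for another T (the
/// same-type-reuse property), and every free bumps the slot's generation.
pub struct Slab<T> {
    slots: Vec<Slot<T>>,
    free: Vec<usize>,
}

impl<T> Slab<T> {
    pub fn new() -> Self {
        Slab { slots: Vec::new(), free: Vec::new() }
    }

    pub fn insert(&mut self, value: T) -> Handle {
        if let Some(index) = self.free.pop() {
            let slot = &mut self.slots[index];
            slot.value = Some(value);
            Handle { index, generation: slot.generation }
        } else {
            self.slots.push(Slot { generation: 0, value: Some(value) });
            Handle { index: self.slots.len() - 1, generation: 0 }
        }
    }

    /// Frees the slot and bumps its generation, so every outstanding handle
    /// to this allocation goes stale. A second remove with the same handle
    /// (a double free) returns None instead of freeing the new occupant.
    pub fn remove(&mut self, h: Handle) -> Option<T> {
        let slot = self.slots.get_mut(h.index)?;
        if slot.generation != h.generation {
            return None;
        }
        let value = slot.value.take()?;
        // Caveat: a u32 wraps after 2^32 frees of one slot; a production
        // design would retire the slot rather than let it wrap.
        slot.generation = slot.generation.wrapping_add(1);
        self.free.push(h.index);
        Some(value)
    }

    /// Generation-checked access: a stale handle yields None.
    pub fn get(&self, h: Handle) -> Option<&T> {
        let slot = self.slots.get(h.index)?;
        if slot.generation != h.generation {
            return None;
        }
        slot.value.as_ref()
    }

    /// What same-type slot reuse alone gives you: whichever T currently
    /// occupies the slot, even if the handle was issued for an earlier one.
    pub fn get_ignoring_generation(&self, h: Handle) -> Option<&T> {
        self.slots.get(h.index)?.value.as_ref()
    }
}

fn main() {
    let mut slab = Slab::new();
    let a = slab.insert("session-A");
    slab.remove(a);
    let b = slab.insert("session-B"); // lands in A's old slot
    println!("stale read without check: {:?}", slab.get_ignoring_generation(a));
    println!("stale read with check:    {:?}", slab.get(a));
    println!("live handle:              {:?}", slab.get(b));
}
```

`get_ignoring_generation` is the MMM++ outcome: the stale handle reads "session-B" with the right type and no crash, which is exactly the "may or may not prevent an exploit" case, since the program now acts on someone else's object. `get` and `remove` are what the generation buys: the stale read and the double free both come back as `None`.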
nahuel0x, 5 months ago
It's surprising to see an article with such a large encompassing of different techniques, hybrid techniques and design interactions with the type system, but it is more surprising that a whole dimension of memory (un)management was left out: memory fragmentation.
eklitzke, 5 months ago
I don't understand why they say that reference counting is "slow". Slow compared to what? Atomic increments/decrements to integers are one of the fastest operations you can do on modern x86 and ARM hardware, and except in pathological cases will pretty much always be faster than the pointer chasing done in traditional mark-and-sweep VMs.

This isn't to say reference counting is without problems (there are plenty of them, inability to collect cyclical references being the most well known), but I don't normally think of it as a slow technique, particularly on modern CPUs.
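The cycle problem eklitzke mentions, as an added Rust example (not code from the thread or the article): two `Rc` nodes that point at each other survive the drop of every external handle, while the same shape with a `Weak` back-edge is freed. The node types and names are constructed for the demonstration; `Rc` uses non-atomic counts, `Arc` would use the atomic increments the comment refers to, and the cycle behaviour is identical for both.

```rust
use std::cell::RefCell;
use std::rc::{Rc, Weak};

/// Two nodes holding strong references to each other.
struct StrongNode {
    name: &'static str,
    peer: RefCell<Option<Rc<StrongNode>>>,
}

/// Parent owns its children (strong); children point back with Weak.
struct TreeNode {
    name: &'static str,
    parent: RefCell<Weak<TreeNode>>,
    children: RefCell<Vec<Rc<TreeNode>>>,
}

/// Builds an a <-> b strong cycle, drops both local handles, then probes `a`
/// through a Weak pointer. Returns Some((strong_count, peer_name)) if the
/// nodes are still alive (leaked), or None if they were freed.
pub fn strong_cycle_after_drop() -> Option<(usize, &'static str)> {
    let probe: Weak<StrongNode>;
    {
        let a = Rc::new(StrongNode { name: "a", peer: RefCell::new(None) });
        let b = Rc::new(StrongNode { name: "b", peer: RefCell::new(None) });
        *a.peer.borrow_mut() = Some(Rc::clone(&b));
        *b.peer.borrow_mut() = Some(Rc::clone(&a));
        probe = Rc::downgrade(&a);
    } // `a` and `b` are dropped here, but each is still kept alive by the other
    let a = probe.upgrade()?;
    let count = Rc::strong_count(&a) - 1; // exclude the temporary `a` just created
    let peer = a.peer.borrow().as_ref().map(|p| p.name)?;
    Some((count, peer))
}

/// Same shape with the back-edge made Weak. Returns (what the child sees as
/// its parent while alive, what the parent sees as its child, freed-after-drop).
pub fn weak_back_edge_after_drop() -> (Option<&'static str>, Option<&'static str>, bool) {
    let probe: Weak<TreeNode>;
    let parent_seen;
    let child_seen;
    {
        let root = Rc::new(TreeNode {
            name: "root",
            parent: RefCell::new(Weak::new()),
            children: RefCell::new(Vec::new()),
        });
        let leaf = Rc::new(TreeNode {
            name: "leaf",
            parent: RefCell::new(Weak::new()),
            children: RefCell::new(Vec::new()),
        });
        *leaf.parent.borrow_mut() = Rc::downgrade(&root);
        root.children.borrow_mut().push(Rc::clone(&leaf));
        // While the tree is alive, Weak::upgrade gives the child its parent back.
        parent_seen = leaf.parent.borrow().upgrade().map(|p| p.name);
        child_seen = root.children.borrow().first().map(|c| c.name);
        probe = Rc::downgrade(&root);
    } // root's count hits 0 (leaf only holds a Weak), so root and then leaf are freed
    (parent_seen, child_seen, probe.upgrade().is_none())
}

fn main() {
    println!("strong cycle after drop: {:?}", strong_cycle_after_drop()); // Some((1, "b"))
    println!("weak back-edge after drop: {:?}", weak_back_edge_after_drop()); // (Some("root"), Some("leaf"), true)
}
```

The count of 1 on the leaked node is the whole story: the only remaining owner of `a` is `b`, and the only owner of `b` is `a`, so no decrement will ever reach zero. A tracing collector would reclaim both because neither is reachable from a root; reference counting needs the programmer to break the cycle, here by choosing `Weak` for the back-edge.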
DanielHB, 5 months ago
I am not experienced with Rust and borrow checkers, but my impression is that borrow checkers also statically ensure thread/async safety while most other memory safety systems don't. Is this accurate?
lilyball, 5 months ago
I don't see any mention of epoch-based garbage collection (see crossbeam https://docs.rs/crossbeam/latest/crossbeam/epoch/index.html). Generational References sounds like a related concept but it's not the same. I'm also surprised nobody's mentioned that one lance corporal goat yet.
pizlonator, 5 months ago
The way you make garbage collection deterministic is not by doing regions but by making it concurrent. That’s increasingly common, though fully concurrent GCs are not as common as “sorta concurrent” ones because there is a throughput hit to going fully concurrent (albeit probably a smaller one than if you partitioned your heap as the article suggests).

Also, no point in calling it “tracing garbage collection”. It’s just “garbage collection”. If you’re garbage collecting, you’re tracing.
the__alchemist, 5 months ago
After pondering, my single favorite capability of Rust is this:

    fn modify(val: &mut u8) {
        // ...
    }

No other language appears to have this seemingly trivial capability; their canonical alternatives are all, IMO, clumsier. In light of the article, is this due to Rust's memory model, or an unrelated language insight?
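The `&mut u8` capability from the comment above, and how the same exclusivity rule answers DanielHB's question about thread safety further up, as an added Rust example (not code from the thread or the article). The body of `modify`, the helper names and the sample bytes are assumptions made for the demonstration; `split_at_mut`, `thread::scope` and `split_at` are standard-library APIs.

```rust
use std::thread;

/// The capability from the comment: an exclusive, mutable borrow of one byte.
/// While `val` is live, no other reference to that byte can exist.
pub fn modify(val: &mut u8) {
    *val = val.wrapping_add(1);
}

/// Applies `modify` to every byte, in parallel. `split_at_mut` hands out two
/// `&mut` halves the compiler knows are disjoint, and `thread::scope` proves
/// both threads finish before the borrow of `data` ends. Giving the same half
/// to both threads, or touching `data` inside the scope, is a compile error:
/// the static data-race freedom DanielHB asked about falls out of `&mut` alone,
/// with no runtime check involved.
pub fn bump_all_parallel(data: &mut [u8]) {
    let mid = data.len() / 2;
    let (left, right) = data.split_at_mut(mid);
    thread::scope(|s| {
        s.spawn(move || left.iter_mut().for_each(modify));
        s.spawn(move || right.iter_mut().for_each(modify));
    });
}

/// The other half of the rule: any number of threads may hold shared `&`
/// borrows at once, precisely because nobody can hold a `&mut` meanwhile.
pub fn sum_parallel(data: &[u8]) -> u64 {
    let mid = data.len() / 2;
    let (left, right) = data.split_at(mid);
    let (l, r) = thread::scope(|s| {
        let lh = s.spawn(|| left.iter().map(|&b| b as u64).sum::<u64>());
        let rh = s.spawn(|| right.iter().map(|&b| b as u64).sum::<u64>());
        (lh.join().unwrap(), rh.join().unwrap())
    });
    l + r
}

fn main() {
    let mut data = [0u8, 1, 2, 3, 254, 255, 7]; // constructed sample
    bump_all_parallel(&mut data);
    println!("{:?} sum={}", data, sum_parallel(&data)); // [1, 2, 3, 4, 255, 0, 8] sum=273
}
```

The answer to the comment's question is visible here: nothing about `modify` depends on the memory model or on threads; it is the aliasing rule (one `&mut` or many `&`, never both) that the borrow checker enforces, and `thread::scope` simply reuses that rule at a thread boundary.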
andrewstuart, 5 months ago
I’d love to see a language that kept everything as familiar as possible and implemented memory safety as “the hard bit”, instead of the Rust approach of cooking in multiple different new sub-languages and concepts.
xmcqdpt2, 5 months ago
Not a fan of the framing of the article. Firstly, there are millions of Mayans alive today,

https://en.wikipedia.org/wiki/Maya_peoples

and secondly, the reason why the pre-Columbian cultural texts and script are not in use today, even by the people who speak the 28 Mayan languages currently in use, is because of genocide by Columbus and those that followed. The Catholic church destroyed every piece of Mayan script they could get their hands on.

The article reads like the author is not aware of these basic facts of American geography and history.
4ad, 5 months ago
> Interaction nets are a very fast way to manage purely immutable data without garbage collection or reference counting. [...] HVM starts with affine types (like move-only programming), but then adds an extremely efficient lazy .clone() primitive, so it can strategically clone objects instead of referencing them.

This is wrong. Interaction nets (and combinators) can model any kind of computational system, including ones that use mutation. In fact, ICs are not really about types at all, although they do come from a generalization of Girard's proof nets, which came from work in linear logic.

The interesting thing about ICs is that they are beta-optimal (any encoding of a computation will be done in the minimum number of steps required; there is no *useless* work being done), and maximally parallel with only local synchronization (all reduction steps are local, and all work that *can* be parallelized *will* be parallelized).

Additionally, ICs have the property that any encoding of a different computational system in ICs will preserve the asymptotic behavior of all programs written for the encoded computational system. In fact, ICs are the only computational system with this property.

Interaction nets absolutely require garbage collection in the general sense. However, interaction combinators are linear and all garbage collection is explicit (but still exists). HVM's innovation is that by restricting the class of programs encoded in the ICs you can get very cheap lambda duplication and eschew the need for complex garbage collection while also reducing the overhead of implementing ICs on regular CPUs (no croissants or brackets; see Asperti [1] for what that means).

Having a linear language with the above restriction allows for a very efficient implementation with a very simple GC, while maximizing the benefits of ICs. In principle *any* language can be implemented on top of ICs, but to get most benefits you want a language with these properties. It's not that HVM starts with affine types and an efficient lazy clone operation; it's that a linear language allows extremely efficient lazy cloning (including lambda cloning) to be implemented on top of ICs, and the result of that is HVM.

> The HVM runtime implements this for Haskell.

This is very wrong. HVM has nothing to do with Haskell. HVM3 is written in C [2]; HVM2 has three implementations, one in C [3], one in Rust [4], and a CUDA [5] one. HVM1 was just a prototype and was written in Rust [6].

HOC [7], the company behind HVM, provides two languages that compile to HVM, Bend [8] and Kind [9]. Bend is a usual functional language, while Kind is a theorem prover based on self types.

Haskell is not involved in any of these things except that the HVM compiler (not runtime) is written in Haskell, but that is irrelevant; before Haskell it used to be written in TypeScript and then in Agda (Twitter discussion, sorry, no reference). It's an implementation detail; it's not something the user sees.

Please note that HVM adds some stuff on top of ICs that makes it not strictly beta-optimal, but nevertheless the stuff added is useful in practice and the practical downgrade from theoretical behaviour is minimal.

[1] Andrea Asperti, The Optimal Implementation of Functional Programming Languages, ISBN-13: 978-0060815424
[2] https://github.com/HigherOrderCO/HVM3/blob/main/src/HVML/Runtime.c
[3] https://github.com/HigherOrderCO/HVM/blob/main/src/hvm.c
[4] https://github.com/HigherOrderCO/HVM/blob/main/src/hvm.rs
[5] https://github.com/HigherOrderCO/HVM/blob/main/src/hvm.cu
[6] https://github.com/HigherOrderCO/HVM1
[7] https://higherorderco.com
[8] https://github.com/HigherOrderCO/bend
[9] https://github.com/HigherOrderCO/kind
nemetroid, 5 months ago
No mention of RCU?
amelius, 5 months ago
I like many of the ideas of Rust, but I still think it is an unsuitable language for most projects.

The problem is that it is very easy to write non-GC'd code in a GC'd language, but the other way around it is much, much harder.

Therefore, I think the fundamental choice of Rust to not support a GC is wrong.
bluGill, 5 months ago
Why is garbage collection called memory safety? Garbage collection in whatever form is only memory safe if it doesn't free memory that will still be used. (Which means if you actually get all your free calls correct, C is memory safe; most long-lived C code bases have been beaten on enough that they get this right for even the obscure paths.)

Use after free is important, but in my experience not common and not too hard to track down when it happens (maybe I'm lucky? We generally used a reference counted GC for the cases where ownership is hard to track down in C++).

I'm more worried about other issues of memory safety that are not addressed: writing into someone else's buffer, which is generally caused by writing off the end of your buffer.