XPost: comp.lang.c

On Sat, 2 Mar 2024 17:13:56 -0600, Lynn McGuire wrote:

The feddies want to regulate software development very much.

Given the high occurrence of embarrassing mistakes companies have been
making with their code, and continue to make, it’s quite clear they’re not capable of regulating this issue themselves.

I wouldn’t worry about companies tripping over and hurting themselves, but when the consequences are security leaks, not of information belonging to
those companies, but to their innocent customers/users who are often
unaware that those companies even had that information, then it’s quite
clear that Government has to step in.

Because if they don’t, then who will?

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

On Sat, 2 Mar 2024 17:13:56 -0600
Lynn McGuire <[email protected]> wrote:

They have been talking about it for at least 20 years now.

More like 48-49 years. https://en.wikipedia.org/wiki/High_Order_Language_Working_Group

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

Lynn McGuire <[email protected]> writes:

"White House to Developers: Using C or C++ Invites Cybersecurity Risks"

https://www.pcmag.com/news/white-house-to-developers-using-c-plus-plus-invites-cybersecurity-risks

"The Biden administration backs a switch to more memory-safe programming >languages. The tech industry sees their point, but it won't be easy."

No. The feddies want to regulate software development very much.

You've been reading far to much apocalyptic fiction and seeing the
world through trump-colored glasses. Neither reflect reality.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

On Sun, 3 Mar 2024 12:01:57 +0100, David Brown wrote:

It is not languages like C and C++ that are "unsafe".

Some empirical evidence from Google <https://security.googleblog.com/2022/12/memory-safe-languages-in-android-13.html>
shows a reduction in memory-safety errors in switching from C/C++ to Rust.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Den 2024-03-03 skrev Lawrence D'Oliveiro <[email protected]d>:

On Sun, 3 Mar 2024 12:01:57 +0100, David Brown wrote:

It is not languages like C and C++ that are "unsafe".

Some empirical evidence from Google
<https://security.googleblog.com/2022/12/memory-safe-languages-in-android-13.html>
shows a reduction in memory-safety errors in switching from C/C++ to Rust.

I'm not surprised. I think it is pretty self-evident that a language
that is designed to reduce memory errors, if correctly designed,
will do just that.

It is very easy to go on about good and bad programmers, but that
really doesn't matter since statistics from the real world show that
memory errors are common and cause serious vulnerabilities.

Considering how hostile today's interconnected world has become with
security getting a higher and higher priority, I think we are bound to
see a decline of memory unsafe languages. C++ can be written to be
memory safe, but it is also very easy to write C++ that is not memory
safe. If C++ is to stay competitive, I think the C++ committee needs
to have a good and long think about what can be done to remedy these
issues.

Doing nothing, I could see initiatives like CHERI introducing hardware
based memory safety being a saviour. If the languages that enforce
memory safety through their type system are more difficult to use, C++
might be preferable if the memory safety is provided more or less
transparently through the hardware. Although a software solution is
probably seen as easier and cheaper than a hardware one. As the sales department at my last job informed me: "We can sell hardware, everyone
likes a shiny box! Software is supposed to be included for free!"

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

On Mon, 4 Mar 2024 15:41:43 +0100, David Brown wrote:

... Lady Ada Lovelace is often regarded (perhaps
incorrectly) as the first computer programmer.

She was the first, in written records, to appreciate some of the not-so- obvious issues in computer programming.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

On Mon, 4 Mar 2024 13:15:20 -0800, Chris M. Thomasson wrote:

Would you trust a "safe" language that had some critical libraries that
were written in say, C?

The less C code you write, the easier it is to keep it under control.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

On Tue, 5 Mar 2024 00:09:35 -0600, Lynn McGuire wrote:

... I actually have had a Professional Engineer's License in Texas for
34 years now and can tell you all about what it takes to get one and
what it takes to keep one.

Does that include any qualification in safety-critical or security-
critical systems?

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

On 05/03/2024 08:08, Lawrence D'Oliveiro wrote:

On Tue, 5 Mar 2024 00:03:54 -0600, Lynn McGuire wrote:

On 3/3/2024 11:43 PM, Lawrence D'Oliveiro wrote:

Did you know the life-support system on the
International Space Station was written in Ada? Not something you would
trust C++ code to, let’s face it.

Most of the Ada code was written in C or C++ and converted to Ada for
delivery.

Was it debugged again? Or was it assumed that the translation was bug-
free?

With Ada, if you can get it to compile, it's ready to ship :-)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

On 05/03/2024 21:51, Chris M. Thomasson wrote:

On 3/5/2024 1:01 AM, David Brown wrote:

On 04/03/2024 21:36, Chris M. Thomasson wrote:

On 3/4/2024 12:44 AM, David Brown wrote:

On 03/03/2024 23:01, Chris M. Thomasson wrote:

On 3/3/2024 12:23 PM, David Brown wrote:

On 03/03/2024 19:18, Kaz Kylheku wrote:

Embedded systems often need custom memory management, not
something that
the language imposes. C has malloc, yet even that gets disused in >>>>>>> favor
of something else.

For safe embedded systems, you don't want memory management at
all. Avoiding dynamic memory is an important aspect of
safety-critical embedded development.

You still have to think about memory management even if you avoid
any dynamic memory? How are you going to mange this memory wrt your
various data structures needs....

To be clear here - sometimes you can't avoid all use of dynamic
memory and therefore memory management.  And as Kaz says, you will
often use custom solutions such as resource pools rather than
generic malloc/free.   Flexible network communication (such as
Ethernet or other IP networking) is hard to do without dynamic memory.

[...]

Think of using a big chunk of memory, never needed to be freed and is
just there per process. Now, you carve it up and store it in a cache
that has functions push and pop. So, you still have to manage memory
even when you are using no dynamic memory at all... Fair enough, in a
sense? The push and the pop are your malloc and free in a strange
sense...

I believe I mentioned that.  You do not, in general, "push and pop" -
you malloc and never free.  Excluding debugging code and other parts
useful in testing and developing, you have something like :

enum { heap_size = 16384; }
alignas(max_align_t) static uint8_t heap[heap_size];
uint8_t * next_free = heap;

void free(void * ptr) {
     (void) ptr;
}

void * malloc(size_t size) {
     const size_t align = alignof(max_align_t);
     const real_size = size ? (size + (align - 1)) & ~(align - 1)
                 : align;
     void * p = next_free;
     next_free += real_size;
     return p;
}


Allowing for pops requires storing the size of the allocations (unless
you change the API from that of malloc/free), and is only rarely
useful.   Generally if you want memory that temporary, you use a VLA
or alloca to put it on the stack.

wrt systems with no malloc/free I am thinking more along the lines of a region allocator mixed with a LIFO for a cache, so a node based thing.
The region allocator gets fed with a large buffer. Depending on specific needs, it can work out nicely for systems that do not have malloc/free.
The pattern I used iirc, was something like:

// pseudo code...
_______________________
node*
node_pop()
{
    // try the lifo first...

    node* n = lifo_pop();

    if (! n)
    {
        // resort to the region allocator...

        n = region_allocate_node();

        // note, n can be null here.
        // if it is, we are out of memory.

        // note, out of memory on a system
        // with no malloc/free...
    }

    return n;
}

void
node_push(
    node* n
) {
     lifo_push(n);
}
_______________________

make any sense to you?

I know what you are trying to suggest, and I understand how it can sound reasonable. In some cases, this can be a useful kind of allocator, and
when it is suitable, it is very fast. But it is has two big issues for
small embedded systems.

One problem is the "region_allocate_node()" - getting a lump of space
from the underlying OS. That is fine on "big systems", and it is normal
that malloc/free systems only ask for memory from the OS in big lumps,
then handle local allocation within the process space for efficiency.
(This can work particularly well if each thread gets dedicated lumps, so
that no locking is needed for most malloc/free calls.)

But in a small embedded system, there is no OS (an RTOS is generally
part of the same binary as the application), and providing such "lumps"
would be dynamic memory management. So if you are using a system like
you describe, then you would have a single statically allocated block of
memory for your lifo stack.

Then there is the question of how often such a stack-like allocator is
useful, independent of the normal stack. I can imagine it is
/sometimes/ helpful, but rarely. I can't think off-hand of any cases
where I would have found it useful in anything I have written.

As I (and others) have said elsewhere, in small embedded systems and
safety or reliability critical systems, you want to avoid dynamic memory
and memory management whenever possible, for a variety of reasons. If
you do need something, then specialise allocators are more common -
possibly including lifos like this.

But it's more likely to have fixed-size pools with fixed-size elements, dedicated to particular memory tasks. For example, if you need to track multiple in-flight messages on a wireless mesh network, where messages
might take different amounts of time to be delivered and acknowledged,
or retried, you define a structure that holds all the data you need for
a message. Then you decide how many in-flight messages you will support
as a maximum. This gives you a statically allocated array of N structs.
Block usage is then done by a bitmap, typically within a single 32-bit
word. Finding a free slot is a just finding the first free zero, and
freeing it is clearing the correct bit.

There are, of course, many other kinds of dedicated allocators that can
be used in other circumstances.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

On Wed, 6 Mar 2024 13:50:16 +0000
bart <[email protected]> wrote:

On 06/03/2024 13:31, David Brown wrote:

On 05/03/2024 23:34, Chris M. Thomasson wrote:

On 3/5/2024 2:11 PM, Keith Thompson wrote:

"Chris M. Thomasson" <[email protected]> writes:
[...]

ADA is bullet proof... Until its not... ;^)

The language is called Ada, not ADA.

I wonder how many people got confused?

Apparently you and Malcolm got confused.

Others who mentioned the language know it is called "Ada".� I not
only corrected you, but gave an explanation of it, in the hope that
with that clarity, you'd learn.

Whoever wrote this short Wikipedia article on it got confused too as
it uses both Ada and ADA:

https://simple.wikipedia.org/wiki/Ada_(programming_language)

(The example program also includes 'Ada' as some package name. Since
it is case-insensitive, 'ADA' would also work.)

Your link is to "simple Wikipedia". I don't know what it is
exactly, but it does not appear as authoritative as real Wikipedia

https://en.wikipedia.org/wiki/Ada_(programming_language)

Here's also a paper that uses 'ADA' (I assume it is the same
language):

https://www.sciencedirect.com/science/article/abs/pii/0166361582900136

The article published 1982. The language became official in 1983.
Possibly, in 1982 there still was a confusion w.r.t. its name.

Personally I'm not bothered whether anyone uses Ada or ADA. Is 'C'
written in all-caps or only capitalised? You can't tell!

If only ADA, written in upper case, was not widely used for something
else...

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

On 06/03/2024 14:18, Michael S wrote:

On Wed, 6 Mar 2024 13:50:16 +0000
bart <[email protected]> wrote:

Whoever wrote this short Wikipedia article on it got confused too as
it uses both Ada and ADA:

https://simple.wikipedia.org/wiki/Ada_(programming_language)

(The example program also includes 'Ada' as some package name. Since
it is case-insensitive, 'ADA' would also work.)

Your link is to "simple Wikipedia". I don't know what it is
exactly, but it does not appear as authoritative as real Wikipedia

https://en.wikipedia.org/wiki/Ada_(programming_language)

Here's also a paper that uses 'ADA' (I assume it is the same
language):

https://www.sciencedirect.com/science/article/abs/pii/0166361582900136

The article published 1982. The language became official in 1983.
Possibly, in 1982 there still was a confusion w.r.t. its name.

It would have been know it was named after a person. (I think Lovelace
would have been better though.)

Personally I'm not bothered whether anyone uses Ada or ADA. Is 'C'
written in all-caps or only capitalised? You can't tell!

If only ADA, written in upper case, was not widely used for something
else...

I don't know what that is without looking it up. In a programming
newsgroup I expect ADA to be the language.

BTW it's a good thing that C, written in upper case, can never be
confused with anything else...

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

On 3/6/24 09:18, Michael S wrote:

On Wed, 6 Mar 2024 13:50:16 +0000
bart <[email protected]> wrote:

...

Whoever wrote this short Wikipedia article on it got confused too as
it uses both Ada and ADA:

https://simple.wikipedia.org/wiki/Ada_(programming_language)

(The example program also includes 'Ada' as some package name. Since
it is case-insensitive, 'ADA' would also work.)

Your link is to "simple Wikipedia". I don't know what it is
exactly, but it does not appear as authoritative as real Wikipedia

Notice that in your following link, "en" appears at the beginning to
indicate the use of English. "simple" at the beginning of the above link
serves the same purpose. "Simple English" is it's own language, closely
related to standard English. Read the corresponding Wikipedia article
for more details.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

On 2024-03-07, Chris M. Thomasson <[email protected]> wrote:

On 3/6/2024 5:46 PM, Lawrence D'Oliveiro wrote:

On Wed, 06 Mar 2024 14:30:58 +0000, aph wrote:

Continuously-compacting concurrent collectors like those available for
Java aim for less than 10ms, and often hit 1ms.

What ... a 1ms potential delay every time you want to allocate a new
object??

GC can be a no go for certain schemes. GC can be fine and it has its place.

It is the situations where GC cannot be used that are niches that have
their place. Everywhere else, you can use GC.

--
TXR Programming Language: http://nongnu.org/txr
Cygnal: Cygwin Native Application Library: http://kylheku.com/cygnal
Mastodon: @[email protected]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

Lawrence D'Oliveiro wrote:

On Sun, 3 Mar 2024 22:11:14 -0000 (UTC), Blue-Maned_Hawk wrote:

Lawrence D'Oliveiro wrote:

On Sun, 3 Mar 2024 08:54:36 -0000 (UTC), Blue-Maned_Hawk wrote:

I do not want to live in a web-centric world.

You already do.

That does not change the veracity of my statement.

That doesn’t change the veracity of mine.

Then our collective fingertips have done nothing in their plasticsmacking.

--
Blue-Maned_Hawk│shortens to Hawk│/ blu.mɛin.dÊ°ak/
│he/him/his/himself/Mr. blue-maned_hawk.srht.site
FORE!

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

On Thu, 7 Mar 2024 11:35:08 +0100
David Brown <[email protected]> wrote:

On 06/03/2024 23:00, Michael S wrote:

On Wed, 6 Mar 2024 12:28:59 +0000
bart <[email protected]> wrote:

"Rust uses a relatively unique memory management approach that
incorporates the idea of memory “ownership”. Basically, Rust keeps
track of who can read and write to memory. It knows when the
program is using memory and immediately frees the memory once it
is no longer needed. It enforces memory rules at compile time,
making it virtually impossible to have runtime memory bugs.⁴ You
do not need to manually keep track of memory. The compiler takes
care of it."

This suggests the language automatically takes care of this.

Takes care of what?
AFAIK, heap fragmentation is as bad problem in Rust as it is in C/Pascal/Ada etc... In this aspect Rust is clearly inferior to
GC-based languages like Java, C# or Go.

Garbage collection does not stop heap fragmentation. GC does, I
suppose, mean that you need much more memory and bigger heaps in
proportion to the amount of memory you actually need in the program
at any given time, and having larger heaps reduces fragmentation (or
at least reduces the consequences of it).

GC does not stop fragmentation, but it allow heap compaction to be
built-in part of environment. So, it turns heap fragmentation
from denial of service type of problem to mere slowdown, hopefully insignificant slowdown.
I don't say that heap compaction is impossible in other environments,
but it is much harder, esp. in environments where pointers are visible
to programmer. The famous David Wheeler's quote applies here at full
force.
Also when non-GC environments chooses to implement heap compaction they
suffer the same or bigger impact to real-time responsiveness as GC.
So, although I don't know it for sure, my impression is that generic
heap compaction extremely rarely implemented in performance-aware
non-GC environments.
Performance-neglecting non-GC environments, first and foremost CPython,
can, of course, have heap compaction, although my googling didn't give
me a definite answer whether it's done or not.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

On 07/03/2024 17:35, Kaz Kylheku wrote:

On 2024-03-07, David Brown <[email protected]> wrote:

On 06/03/2024 23:00, Michael S wrote:

On Wed, 6 Mar 2024 12:28:59 +0000
bart <[email protected]> wrote:

"Rust uses a relatively unique memory management approach that
incorporates the idea of memory “ownership”. Basically, Rust keeps >>>> track of who can read and write to memory. It knows when the program
is using memory and immediately frees the memory once it is no longer
needed. It enforces memory rules at compile time, making it virtually
impossible to have runtime memory bugs.⁴ You do not need to manually >>>> keep track of memory. The compiler takes care of it."

This suggests the language automatically takes care of this.

Takes care of what?
AFAIK, heap fragmentation is as bad problem in Rust as it is in
C/Pascal/Ada etc... In this aspect Rust is clearly inferior to GC-based
languages like Java, C# or Go.

Garbage collection does not stop heap fragmentation. GC does, I
suppose, mean that you need much more memory and bigger heaps in
proportion to the amount of memory you actually need in the program at
any given time, and having larger heaps reduces fragmentation (or at
least reduces the consequences of it).

Copying garbage collectors literally stop fragmentation.

Yes, but garbage collectors that could be useable for C, C++, or other efficient compiled languages are not "copying" garbage collectors.

Reachable
objects are identified and moved to a memory partition where they
are now adjacent. The vacated memory partition is then efficiently used
to bump-allocate new objects.

I think if you have a system with enough memory that copying garbage
collection (or other kinds of heap compaction during GC) is a reasonable option, then it's unlikely that heap fragmentation is a big problem in
the first place. And you won't be running on a small embedded system.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

On Fri, 8 Mar 2024 08:25:13 +0100
David Brown <[email protected]> wrote:

On 07/03/2024 17:35, Kaz Kylheku wrote:

On 2024-03-07, David Brown <[email protected]> wrote:

On 06/03/2024 23:00, Michael S wrote:

On Wed, 6 Mar 2024 12:28:59 +0000
bart <[email protected]> wrote:

"Rust uses a relatively unique memory management approach that
incorporates the idea of memory “ownership”. Basically, Rust
keeps track of who can read and write to memory. It knows when
the program is using memory and immediately frees the memory
once it is no longer needed. It enforces memory rules at compile
time, making it virtually impossible to have runtime memory
bugs.⁴ You do not need to manually keep track of memory. The
compiler takes care of it."

This suggests the language automatically takes care of this.

Takes care of what?
AFAIK, heap fragmentation is as bad problem in Rust as it is in
C/Pascal/Ada etc... In this aspect Rust is clearly inferior to
GC-based languages like Java, C# or Go.

Garbage collection does not stop heap fragmentation. GC does, I
suppose, mean that you need much more memory and bigger heaps in
proportion to the amount of memory you actually need in the
program at any given time, and having larger heaps reduces
fragmentation (or at least reduces the consequences of it).

Copying garbage collectors literally stop fragmentation.

Yes, but garbage collectors that could be useable for C, C++, or
other efficient compiled languages are not "copying" garbage
collectors.

Go, C# and Java are all efficient compiled languages. For Go it was
actually a major goal.

Reachable
objects are identified and moved to a memory partition where they
are now adjacent. The vacated memory partition is then efficiently
used to bump-allocate new objects.

I think if you have a system with enough memory that copying garbage collection (or other kinds of heap compaction during GC) is a
reasonable option, then it's unlikely that heap fragmentation is a
big problem in the first place. And you won't be running on a small
embedded system.

You sound like arguing for sake of arguing.
Of course, heap fragmentation is relatively rare problem. But when you
process 100s of 1000s of requests of significantly varying sizes for
weeks without interruption then rare things happen with high
probability :(
In case of this particular Discord service, they appear to
have a benefit of size of requests not varying significantly, so
absence of heap compaction is not a major defect.
BTW, I'd like to know if 3 years later they still have their Rust
solution running.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.lang.c

On 08/03/2024 13:41, Paavo Helde wrote:

07.03.2024 17:36 David Brown kirjutas:

CPython does use garbage collection, as far as I know.

AFAIK CPython uses reference counting, i.e. basically the same as C++ std::shared_ptr (except that it does not need to be thread-safe).

Yes, that is my understanding too. (I could be wrong here, so don't
rely on anything I write!) But the way it is used is still a type of
garbage collection. When an object no longer has any "live" references,
it is put in a list, and on the next GC it will get cleared up (and call
the asynchronous destructor, __del__, for the object).

A similar method is sometimes used in C++ for objects that are
time-consuming to destruct. You have a "tidy up later" container that
holds shared pointers. Each time you make a new object that will have asynchronous destruction, you use a shared_ptr for the access and put a
copy of that pointer in the tidy-up container. A low priority
background thread checks this list on occasion - any pointers with only
one reference can be cleared up in the context of this separate thread.

With reference counting one only knows how many pointers there are to a
given heap block, but not where they are, so heap compaction would not
be straightforward.

Python also has zillions of extensions written in C or C++ (all of AI
related work for example), so having e.g. heap compaction of Python
objects only might not be worth of it.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)