author: Melody Horn <melody@boringcactus.com> 2020-10-19 16:27:42 -0600
committer: Melody Horn <melody@boringcactus.com> 2020-10-19 16:27:42 -0600
commit: 239fdd456e72a08465e8ef51bff12d5dbfac43dc (patch)
tree: 488aff3b7fb246b68dac101ec7462368886b129c
parent: a6543cd772b22889e17b59507d7fbf6fd8a41bc1 (diff)
super rough draft of memory safety
-rw-r--r-- index.md 53
-rw-r--r-- safety.md 61
2 files changed, 92 insertions, 22 deletions
diff --git a/index.md b/index.md
index f9f71e9..72e2572 100644
--- a/index.md
+++ b/index.md
@@ -1,22 +1,31 @@
----
-title: Crowbar Spec
----
-
-This is entirely a work-in-progress, and should not be relied upon to be stable in any way.
-
-# Context
-
-- [Rust is not a good C replacement](https://drewdevault.com/2019/03/25/Rust-is-not-a-good-C-replacement.html)
-
-# cactus's Blog Posts
-
-- [Crowbar: Defining a good C replacement](https://www.boringcactus.com/2020/09/28/crowbar-1-defining-a-c-replacement.html)
-- [Crowbar: Simplifying C's type names](https://www.boringcactus.com/2020/10/13/crowbar-2-simplifying-c-type-names.html)
-
-# Syntax
-
-[Read the Syntax chapter of the spec.](syntax.md)
-
-# Semantics
-
-[![Creative Commons BY-SA License](https://i.creativecommons.org/l/by-sa/4.0/80x15.png)](http://creativecommons.org/licenses/by-sa/4.0/)
+Crowbar: the good parts of C, with a little bit extra.
+
+This is entirely a work-in-progress, and should not be relied upon to be stable in any way.
+
+# Context
+
+- [Rust is not a good C replacement](https://drewdevault.com/2019/03/25/Rust-is-not-a-good-C-replacement.html)
+
+# cactus's Blog Posts
+
+- [Crowbar: Defining a good C replacement](https://www.boringcactus.com/2020/09/28/crowbar-1-defining-a-c-replacement.html)
+- [Crowbar: Simplifying C's type names](https://www.boringcactus.com/2020/10/13/crowbar-2-simplifying-c-type-names.html)
+
+# Additions to C
+
+For Crowbar to be "the good parts of C, with a little bit extra", we must first decide what C lacks.
+C has several widely known footguns, some of which are misfeatures that can simply be not supported, but some of which are insecure-by-default.
+As such, new features must be added to engage the safeties on these proverbial footguns.
+
+- C is generous with memory in ways that are unreliable by default.
+ Crowbar adds [memory safety guarantees](safety.md) to make correctness the default behavior.
+
+# Syntax
+
+[Read the Syntax chapter of the spec.](syntax.md)
+
+# Semantics
+
+TODO
+
+[![Creative Commons BY-SA License](https://i.creativecommons.org/l/by-sa/4.0/80x15.png)](http://creativecommons.org/licenses/by-sa/4.0/)
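Review bot: the YAML front matter (`---` / `title: Crowbar Spec` / `---`) is dropped at the top of this hunk and replaced by the bare tagline `Crowbar: the good parts of C, with a little bit extra.`, so whatever renders this page no longer has a title field; if the site generator reads front matter, keep the block and place the tagline below it, or promote the tagline to a heading. Minor: the `# Semantics` section now carries only `TODO`, which is fine for a rough draft but worth a tracking note so it is not published as-is.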
diff --git a/safety.md b/safety.md
new file mode 100644
index 0000000..d353227
--- /dev/null
+++ b/safety.md
@@ -0,0 +1,61 @@
+Each item in Wikipedia's [list of types of memory errors](https://en.wikipedia.org/wiki/Memory_safety#Types_of_memory_errors) and what Crowbar does to prevent them.
+
+# Access errors
+
+## Buffer overflow
+
+bounds checking based on uhhhh something
+
+## Buffer over-read
+
+bounds checking again
+
+## Race condition
+
+uhhhhh 🤷‍♀️
+
+## Page fault
+
+bounds checking, dubious-pointer checking
+
+## Use after free
+
+`free(x);` not followed by `x = NULL;` is a compiler error
+
+# Uninitialized variables
+
+C already warns about these in most cases, so we're good.
+
+## Null pointer dereference
+
+dubious-pointer checking
+
+## Wild pointers
+
+let C handle it
+
+# Memory leak
+
+## Stack exhaustion
+
+uhhhhhh 🤷‍♀️
+
+## Heap exhaustion
+
+that counts as error handling, just the `malloc`-shaped kind
+
+## Double free
+
+this is just use-after-free but the use is calling free on it
+
+## Invalid free
+
+don't do that
+
+## Mismatched free
+
+how does that even happen
+
+## Unwanted aliasing
+
+uhhh don't do that?
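Review bot: the use-after-free rule under `## Use after free` (`free(x);` must be followed by `x = NULL;`) only clears the single lvalue passed to `free`; any other copy of that pointer (a second local, a struct field, an element stored in a container) still dangles, so the rule as written does not prevent use after free through an alias, nor the double free that `## Double free` defers to it. Document that the guarantee covers only the named variable, or state the aliasing rule it relies on. Also, `dubious-pointer checking` is relied on under `## Page fault` and `## Null pointer dereference` but is never defined in this file; a one-line definition of what is checked and when would make those sections reviewable.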