From 239fdd456e72a08465e8ef51bff12d5dbfac43dc Mon Sep 17 00:00:00 2001 From: Melody Horn Date: Mon, 19 Oct 2020 16:27:42 -0600 Subject: super rough draft of memory safety --- index.md | 53 +++++++++++++++++++++++++++++++---------------------- safety.md | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 92 insertions(+), 22 deletions(-) create mode 100644 safety.md diff --git a/index.md b/index.md index f9f71e9..72e2572 100644 --- a/index.md +++ b/index.md 
@@ -1,22 +1,31 @@ ---- -title: Crowbar Spec ---- - -This is entirely a work-in-progress, and should not be relied upon to be stable in any way. - -# Context - -- [Rust is not a good C replacement](https://drewdevault.com/2019/03/25/Rust-is-not-a-good-C-replacement.html) - -# cactus's Blog Posts - -- [Crowbar: Defining a good C replacement](https://www.boringcactus.com/2020/09/28/crowbar-1-defining-a-c-replacement.html) -- [Crowbar: Simplifying C's type names](https://www.boringcactus.com/2020/10/13/crowbar-2-simplifying-c-type-names.html) - -# Syntax - -[Read the Syntax chapter of the spec.](syntax.md) - -# Semantics - -[![Creative Commons BY-SA License](https://i.creativecommons.org/l/by-sa/4.0/80x15.png)](http://creativecommons.org/licenses/by-sa/4.0/) +Crowbar: the good parts of C, with a little bit extra. + +This is entirely a work-in-progress, and should not be relied upon to be stable in any way. + +# Context + +- [Rust is not a good C replacement](https://drewdevault.com/2019/03/25/Rust-is-not-a-good-C-replacement.html) + +# cactus's Blog Posts + +- [Crowbar: Defining a good C replacement](https://www.boringcactus.com/2020/09/28/crowbar-1-defining-a-c-replacement.html) +- [Crowbar: Simplifying C's type names](https://www.boringcactus.com/2020/10/13/crowbar-2-simplifying-c-type-names.html) + +# Additions to C + +For Crowbar to be "the good parts of C, with a little bit extra", we must first decide what C lacks. +C has several widely known footguns, some of which are misfeatures that can simply be not supported, but some of which are insecure-by-default. +As such, new features must be added to engage the safeties on these proverbial footguns. + +- C is generous with memory in ways that are unreliable by default. + Crowbar adds [memory safety guarantees](safety.md) to make correctness the default behavior. 
+ +# Syntax + +[Read the Syntax chapter of the spec.](syntax.md) + +# Semantics + +TODO + +[![Creative Commons BY-SA License](https://i.creativecommons.org/l/by-sa/4.0/80x15.png)](http://creativecommons.org/licenses/by-sa/4.0/) diff --git a/safety.md b/safety.md new file mode 100644 index 0000000..d353227 --- /dev/null +++ b/safety.md @@ -0,0 +1,61 @@ +Each item in Wikipedia's [list of types of memory errors](https://en.wikipedia.org/wiki/Memory_safety#Types_of_memory_errors) and what Crowbar does to prevent them. + +# Access errors + +## Buffer overflow + +bounds checking based on uhhhh something + +## Buffer over-read + +bounds checking again + +## Race condition + +uhhhhh 🤷‍♀️ + +## Page fault + +bounds checking, dubious-pointer checking + +## Use after free + +`free(x);` not followed by `x = NULL;` is a compiler error + +# Uninitialized variables + +C already warns about these in most cases, so we're good. + +## Null pointer dereference + +dubious-pointer checking + +## Wild pointers + +let C handle it + +# Memory leak + +## Stack exhaustion + +uhhhhhh 🤷‍♀️ + +## Heap exhaustion + +that counts as error handling, just the `malloc`-shaped kind + +## Double free + +this is just use-after-free but the use is calling free on it + +## Invalid free + +don't do that + +## Mismatched free + +how does that even happen + +## Unwanted aliasing + +uhhh don't do that? -- cgit v1.2.3
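Review bot: removing the YAML front matter (`---` / `title: Crowbar Spec` / `---`) from index.md loses the page title that a static-site generator reads from it, so the rendered page will fall back to the filename or no title at all; keep the front matter and put the new tagline under it, i.e. `---` / `title: Crowbar Spec` / `---` followed by `Crowbar: the good parts of C, with a little bit extra.`. Two smaller points in the same hunk: `# Semantics` now reads only `TODO`, which is fine for a draft but should at least say what the chapter will cover or follow the `[Read the ... chapter of the spec.](...)` convention used for Syntax; and the bullet `C is generous with memory in ways that are unreliable by default` does not say what is unreliable, so name the failure modes the linked safety.md enumerates (out-of-bounds access, use after free, null dereference) so the index stands on its own.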
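Review bot: the use-after-free rule in safety.md, "`free(x);` not followed by `x = NULL;` is a compiler error", only clears the one variable passed to `free`, so every other copy of that pointer (a second local, a struct field, an array element, a pointer held by another thread) still dangles, and a later dereference or second `free` through such a copy is neither prevented nor detected; the double-free entry inherits the same gap, since it is defined as "use-after-free but the use is calling free on it". Either state that the rule is a lint for the single-owner case and that the actual guarantee comes from the `dubious-pointer checking` cited under page fault and null pointer dereference (and then define that check: a runtime validity check on every dereference, a static ownership/aliasing analysis, or both), or describe the ownership rule that makes nulling sufficient. The rule as worded also needs a decision for `free` calls with no variable to null (`free(get_ptr());`) and for `const`-qualified pointer variables that cannot be reassigned. The remaining entries (`race condition`, `stack exhaustion`, `invalid free`, `mismatched free`, `unwanted aliasing`) are placeholders; a plain "not addressed in this draft" per entry reads better than "don't do that", and mismatched free has a standard definition worth writing down: releasing memory with a deallocator other than the one matching its allocator (for example `free` on memory not obtained from `malloc`/`calloc`/`realloc`), which a compiler can only catch if it tracks which allocator produced each pointer.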