
Let's just collectively admit it, finally - you can't write safe C++ in a codebase this complex.

Do they distrust their own coders to the same degree they distrust the processes they sandbox? I suspect the answer to this is "no" but I would like to hear from someone who actually codes there.

I think the truth is more like this: You can write safe C++, just like you can keep a secret. It's just that the odds that you fail go up with the size of the team involved, and it does that by compounding. So by the time you get to the size of the Google Chrome team, the odds of failure are very, very close to 1.




> Do they distrust their own coders to the same degree they distrust the processes they sandbox? I suspect the answer to this is "no" but I would like to hear from someone who actually codes there.

Actually, the answer is yes. That's why the renderer process is sandboxed.


The number of people required was a function of the "this complex" qualifier.

I can write a safe C++ app on my own. I can't write Chrome on my own.


> I can write a safe C++ app on my own

But only if you don't use any external libraries; once you link in someone else's code, you can no longer be sure your program is "safe".


> I can write a safe C++ app on my own >> But only if you don't use any external libraries

Using an external library is not "on your own".


Can you use the STL? What boundary is considered trusted?


The point I was making is that such a boundary doesn't exist - no one can write everything "on their own".

Therefore, language features to prevent a class of exploits should be a high priority when considering a project.


I can trust the compiler... I hope?



Not at all, check the Linux 5.0 bug introduced by a gcc "optimization" regarding UB.


Use CompCert! (And C instead of C++)


Don't most people link at least with basic libraries to help with I/O and other standard operating system interfaces?

Do many people really use the kernel syscall interface directly?


> once you link in someone else's code, you can no longer be sure your program is "safe"

This also fits in with the "keeping a secret" analogy. Good luck keeping something secret, if it has to be shared between organizations.



