
The point is that "write tests" has empirically not been a satisfactory solution to this class of vulnerability.



I think you don't get it. This isn't "write tests to make sure the vulnerability doesn't exist" this is "as you're testing, all of your code is automatically scanned for these vulnerabilities".

For a big project like a browser, I would imagine the tests would include property tests, fuzzing, etc.

This is obviously strictly less powerful than a proof assistant, which, yes, rust has, but we don't empirically know what the delta and the risk factor is between something like what zig gives you and something like what rust gives you... Moreover, I think it's likely that something like a proof assistant will be developed to track resources based off of zig's AIR. This is something that would be costly, but you could write it as a "linter" that blocks commits as a part of CI.
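An added illustration of the "delta" the comment above is talking about (example code written for this thread, not code from any commenter or from Zig or Rust): test-time scanning only reports a memory error on a path the tests actually execute, whereas a proof covers every path. The field, the sentinel byte standing in for a sanitizer's poisoned red zone, the two copy routines and the two "suites" of inputs are all constructed for the example; the names `copy_id_buggy`, `copy_id_fixed`, `overflows` and `suite_detects` are assumptions, not any project's API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed example: a fixed-size id field with one sentinel byte after it.
   The sentinel stands in for the red zone a sanitizer would poison; a clobbered
   sentinel is the event the sanitizer would report during an instrumented test
   run. The write stays inside the struct, so the program itself is well defined. */
#define ID_CAP   16
#define SENTINEL 0x7E

typedef struct {
    char bytes[ID_CAP + 1];   /* bytes[ID_CAP] is the sentinel, not part of the field */
} id_field;

static void id_init(id_field *f) {
    memset(f->bytes, 0, sizeof f->bytes);
    f->bytes[ID_CAP] = SENTINEL;
}

/* Buggy copy: the terminator is written at index n, which lands on the sentinel
   whenever the input is ID_CAP characters or longer. Shorter inputs never reach
   the faulty write, so a suite made only of them looks clean under a sanitizer. */
static void copy_id_buggy(id_field *f, const char *src) {
    size_t n = strlen(src);
    if (n > ID_CAP) n = ID_CAP;     /* intended truncation... */
    memcpy(f->bytes, src, n);
    f->bytes[n] = '\0';             /* ...but n may equal ID_CAP */
}

/* Hardened copy: reserve the last slot of the field for the terminator. */
static void copy_id_fixed(id_field *f, const char *src) {
    size_t n = strlen(src);
    if (n > ID_CAP - 1) n = ID_CAP - 1;
    memcpy(f->bytes, src, n);
    f->bytes[n] = '\0';
}

/* True if copying src with the given routine clobbered the sentinel, i.e. the
   event a sanitizer-instrumented test would flag. */
static bool overflows(void (*copy)(id_field *, const char *), const char *src) {
    id_field f;
    id_init(&f);
    copy(&f, src);
    return (unsigned char)f.bytes[ID_CAP] != SENTINEL;
}

/* A "test suite" here is just a list of inputs: the scan catches the bug only
   if one of them drives execution onto the failing path. */
static bool suite_detects(void (*copy)(id_field *, const char *),
                          const char *const *inputs, size_t count) {
    for (size_t i = 0; i < count; i++)
        if (overflows(copy, inputs[i])) return true;
    return false;
}

/* Constructed inputs: the first suite never reaches the 16-byte boundary. */
static const char *const HAPPY_PATH[] = { "", "abc", "user-42", "short-id-01" };
static const char *const WITH_EDGE[]  = { "abc", "0123456789abcdef" };   /* exactly 16 bytes */

bool happy_suite_detects_bug(void) {
    return suite_detects(copy_id_buggy, HAPPY_PATH, sizeof HAPPY_PATH / sizeof *HAPPY_PATH);
}
bool edge_suite_detects_bug(void) {
    return suite_detects(copy_id_buggy, WITH_EDGE, sizeof WITH_EDGE / sizeof *WITH_EDGE);
}
bool edge_suite_detects_fixed(void) {
    return suite_detects(copy_id_fixed, WITH_EDGE, sizeof WITH_EDGE / sizeof *WITH_EDGE);
}
```

The happy-path suite passes against the buggy routine, the suite that includes a boundary-length input fails against it, and the fixed routine passes both. That gap between "no report" and "no bug" is exactly what fuzzing and property tests try to narrow and what a static proof closes outright.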


> "as you're testing, all of your code is automatically scanned for these vulnerabilities".

For browsers, that's been done for years and years, probably even a decade at this point. Tooling for memory safety has gotten incredibly good.


