
The number of large C programs which have been repeatedly proven to be incorrect in practice is essentially 100%.

Still, C is unreasonably effective. A lot of large and complicated, yet mostly well-working (modulo regular CVEs) systems have been achieved in C. And that’s truly wonderful. I cut my teeth on C nearly 30 years ago and I still hold a soft spot in my heart for it.

But other languages these days are even more unreasonably effective. They need fewer lines of code to achieve the same results and they have fewer security vulnerabilities and logic bugs per line as well.



Many of the ways that C programs are incorrect are abstract portability problems, that don't have a repro test case on the machines and compilers that people care about.

Rule of thumb: almost never fix some alleged problem without a repro test case.


Might I point you at the CVE database?


May I point you to Wikipedia pages on cognitive biases, like Confirmation and Selection?

The CVE database lists only entries related to situations gone wrong. It doesn't list any information about working software that has no issues.

Also nothing will appear in the CVE database in relation to a language that nobody uses.

The database also has some garbage entries.

Overall the database is actually paltry in size in relation to the vast amounts of stuff out there written in C.

Also, correct C programs can have security issues, because some security issues depend on actual behaviors being observable which correspond to behavior that is not observable according to the language standard. ISO C is mum about memory being observed, or side channel information being monitored, or timing of operations.
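An added illustration of the timing point in the last comment, not code posted by anyone in the thread: two comparisons that ISO C treats as equivalent, yet one does an amount of work that depends on the secret. The function names, the sample bytes and the step counter (a deterministic stand-in for elapsed time) are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

#define N 8
/* Constructed sample data: a secret and two wrong guesses. */
static const unsigned char SECRET[N + 1]      = "K7p2Qz9x";
static const unsigned char GUESS_EARLY[N + 1] = "X7p2Qz9x"; /* differs at byte 0 */
static const unsigned char GUESS_LATE[N + 1]  = "K7p2Qz9X"; /* differs at byte 7 */

/* Loop-iteration counter: a deterministic stand-in for elapsed time. */
static size_t steps;

typedef int (*cmp_fn)(const unsigned char *, const unsigned char *, size_t);

/* Returns on the first mismatch, so the work done depends on the secret. */
int leaky_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        steps++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Touches every byte whatever the data. ISO C does not oblige a compiler to
   keep this shape, so the guarantee has to come from outside the standard. */
int fixed_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) {
        steps++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Number of loop steps one comparison of SECRET against guess takes. */
size_t steps_for(cmp_fn cmp, const unsigned char *guess)
{
    steps = 0;
    (void)cmp(SECRET, guess, N);
    return steps;
}

int main(void)
{
    printf("leaky: early=%zu late=%zu\n", steps_for(leaky_equal, GUESS_EARLY), steps_for(leaky_equal, GUESS_LATE));
    printf("fixed: early=%zu late=%zu\n", steps_for(fixed_equal, GUESS_EARLY), steps_for(fixed_equal, GUESS_LATE));
    return 0;
}
```

Both functions return the same answer for every input, so a test suite that only checks results cannot tell them apart.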



