Safe Rust AIN'T SAFE!? (cve-rs)

Chapters:
0:00 Intro
1:03 General Channel Update
1:53 Rust Basics - Ownership & Borrowing
4:51 Rust Basics - Lifetimes
8:00 A Very Weird Function
11:08 Attempt #1
13:26 Storing `weird` in a Variable
14:26 A Clue!
15:23 Variance
18:48 The Final Trick

Comments

Author

Alright, I've made a Part 2 video that hopefully can address some of the confusion / questions people have.

xenotimeyt

Using necromancy to extend lifetimes, another thing I didn't think I would see. Great Video

Oler-yxxj

The YouTube algorithm recommended me this video. Probably because I was watching the trial of the armorer who is on trial because of unsafe handling of guns on the set of the movie Rust. Well done YouTube AI 👍

frankbauerful

This was great. When I saw this on Reddit, I didn't get it. Even the docs were not that useful. This explained the issue very nicely.

mohitkumar-jvbx

Finally someone (maybe not the first one) is shedding some light on rustc soundness bugs here on YouTube, thanks

xshady

Probably the best "Rust in 7 minutes" positions on internet, then followed by a grasp of type theory. Respect!

AK-vxdy

Interestingly this video has brought enough attention to the original bug report that they had to close the conversation because of spam.

pqnet

I'm not sure what's more "sus" in this: the ability to create "weird" functions that can leverage type information of arguments to infer lifetime nesting, or the covariance of reference-to-reference lifetimes. Probably the ability to cast an `&'static &'static` to a `&'a &'b` in a single step is the issue: if you were forced to go through an intermediate step (such as `&'a &'static`) you'd find yourself banging against the borrow checker fairly soon (I would think you would never be allowed to create a `&'static &'b`).

pqnet

I have seen both videos. Fantastic explanation. I have come across earlier people mentioning it, but I did not read the details yet.
The thing is, everything has bugs. But the number and significance of bugs strongly differ. In Rust these are both low. You really have to do quite a lot of specific work to make this problem show up.
So it does not change at all how much I like Rust and it's actually amazing how people do their best to test and experiment with everything. It's part of actually making it all better.

jongeduard

Wow. That is really neat. I don't have a ton of experience with Rust, but I completely understood your explanation. Although it is definitely a bug, it thankfully doesn't seem like something someone would inadvertently create in real code, unless they are dealing with complicated lifetime semantics without fully understanding lifetimes...

Matt

Explained it so well that it felt like a really simple conclusion in the end

karpfenboy

Dude, you explained the CVE and lifetimes so well! Learned a lot from this video.

sudonick-knzn

Wow, the amount of info in this video is wild. Thank you for documenting and sharing this with us, it was a nice read to know about.

RootsterAnon

It's such a pain in the ass to write a buffer overflow in this language that the cve-rs repo needed an issue for its CVE (it was not always generating a buffer overflow on every target).

nordgaren

I’ve been sharing this with others. You’ve done a great job covering this, and thanks for sharing such a fascinating problem in a very digestible way.

Hope your channel keeps growing… I’d love to keep learning and your style is really well done and organized

haraseesgill

2:15 the moment I saw that the first generic numbers typed were 69 and 420 was the moment I knew this was going to be a damn good watch

_fudgepop

You touched on it at 18:20, but the Rust `Vec<T>` type is neither co- nor contravariant. This is because you can mutably add elements! If you only read elements it's contravariant; if you only add elements it's contravariant. It's sometimes called invariant, and now I'm curious how Rust handles that.

Skybrg

This is great. I love Rust. Even though these bugs are there, the whole ecosystem is so much more intelligent.

nonefvnfvnjnjnjevjenjvonej

Ultimately I think the bug is that you can only replace `&'b &'a ()` with `&'static &'static ()` if it is a valid type to begin with.
If `'a` doesn't outlive `'b`, then `&'b &'a ()` will be equivalent to `Infallible`, since no valid reference can outlive the value being referenced and therefore it has no valid representations at runtime.

To fix this, the compiler would, in addition to checking whether `&'static &'static ()` can be treated as `&'b &'a ()`, also need to check that any lifetime conditions that arise along the way are met.
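The variance rules that pqnet's comment and the comment above reason about, as an added Rust example (not code from the video or from the cve-rs repository; the function names `shrink_outer`, `shrink_inner`, `longest` and `demo` are made up for illustration). It shows which reference coercions the compiler accepts because shared references are covariant, and why the same coercion through a mutable reference is rejected, which is the check that keeps a short-lived reference from being read back with a longer lifetime.

```rust
// Added example, not code from the video or the cve-rs repository.
// Demonstrates Rust's variance rules for references:
//   * `&'a T`     is covariant in `'a` and in `T`
//   * `&'a mut T` is covariant in `'a` but invariant in `T`
// All function names here are hypothetical, chosen for this example only.

/// Covariance in the lifetime: a `&'long str` may be used as a `&'short str`.
/// The bound `'long: 'short` says the source reference outlives the target.
pub fn shrink_outer<'short, 'long: 'short>(r: &'long str) -> &'short str {
    r // accepted: `&'long str` is a subtype of `&'short str`
}

/// Covariance in the pointee: `&'a &'static str` coerces to `&'a &'b str`,
/// so the nested shared reference shrinks as well. The bound `'b: 'a` is
/// what makes the result type well-formed (the inner reference must outlive
/// the outer one), which is exactly the condition the comment above says
/// must be checked along the way.
pub fn shrink_inner<'a, 'b: 'a>(r: &'a &'static str) -> &'a &'b str {
    r // accepted: `&'static str` is a subtype of `&'b str`
}

// `&mut T` is invariant in `T`, so the same shrinking is rejected for a
// mutable slot. If it were allowed, a caller could store a short-lived
// `&'b str` through the `&mut` and later read it back as `&'static str`
// from the original binding: a dangling reference reachable from safe code.
// Kept as a comment because rustc rejects it:
//
// pub fn shrink_inner_mut<'a, 'b: 'a>(r: &'a mut &'static str) -> &'a mut &'b str {
//     r // rejected: `&mut T` is invariant in `T`
// }

/// A practical consequence of covariance: two references with different
/// lifetimes can both be shortened to a common `'a` at the call site.
pub fn longest<'a>(x: &'a str, y: &'a str) -> &'a str {
    if x.len() >= y.len() { x } else { y }
}

/// Exercises `longest` with one `'static` argument and one that lives only
/// for this function body; `'a` is inferred as the shorter scope. Returns the
/// length of the chosen string (13, from the constructed sample inputs).
pub fn demo() -> usize {
    const STATIC: &str = "static string";          // `&'static str`, constructed sample
    let owned = String::from("short");             // lives until the end of `demo`
    let picked = longest(STATIC, owned.as_str());  // both coerce to the shorter `'a`
    picked.len()
}

fn main() {
    let s: &'static str = "hello";
    println!("shrink_outer -> {}", shrink_outer(s));
    println!("shrink_inner -> {}", *shrink_inner(&s));
    println!("demo -> {}", demo());
}
```

Uncommenting `shrink_inner_mut` is the quickest way to see the invariance check fire: the compiler refuses the function body even though the equivalent shared-reference version compiles unchanged.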

kfftfuftur

I am now even more convinced that subtyping is the root of all evil.

aoeuable