>>53430752
it's programmer fault. If you like a program that consider you a retarded try Java

>implying there would be no catastrophic mistakes if we used some other language
humans gonna human

>>53430786
>Just drive better bro ;)

>>53430752
Also C based language like C++, C# and Java?

>>53430752
everything has to be converted to assembly/machine code at some point and where ever the process occurs will have the same vulnerabilities.

File: 898.jpg (77 KB, 704x792) Image search: [Google]

77 KB, 704x792

>>53430816
>Java
>C-based

>>53430835
Look what the JRE is based from, faggot

>>53430844
but its largely different from C. C is compiled to machine code.

File: autism detected.jpg (14 KB, 238x279) Image search: [Google]

14 KB, 238x279

>>53430752
Now /g/ I'll be the first to admit I don't know very much about C, I'm more of a bash/python kinda guy. But this guy seems like he is spouting bullshit. There's no way C can be that bad, why would anyone use it? Why is the language being blamed and not the programmer?

Someone please explain, is this autism or legitimate concerns?

>>53430862
And how does Java execute its code on the machine if it's not machine code?

>>53430835
Do you know what C-family programming languages are?

>>53430752
At some point, you HAVE to have a language like C. Abstractions are great for a lot of things. Hiding machine details protects you from many problems. But what are you going to build the abstractions on? What's the javascript interpreter written in? Java, maybe? Then what's the JVM written in? How about the language runtimes, and the OS it runs on? The hypervisor?

Go down the ladder far enough and you have to tie the code to the physical hardware that shuffles bytes around, and that means you need to write code in a language like C.

>>53430877
legit

>>53430886
its compiled to java bytecode which is ran in a VM (sometimes JIT) but you don't actually interface with system memory

>>53430835
https://en.wikipedia.org/wiki/List_of_C-family_programming_languages

>>53430895
actually you are dumb as fuck.jvm is c++ , every game engine in the world , adobe products,CAD software,compilers (even the c compilers) all written in c++.go jack off to your 50year old language somewhere else.

>>53430911
>which is ran in a VM
Which is written in what?

>>53430944
In Java

>>53430944
C/C++ however you're missing my point lol

java isn't like C in the way it runs because it's in a VM so you can't accidentally overwrite memory or some shit
i dont like java however

File: 1377378345610.jpg (19 KB, 259x240) Image search: [Google]

19 KB, 259x240

>>53430957

>>53430752
This poster is borderline retarded. Bugs exist in all languages, and are especially plentiful and undetected in your modern and hip languages.

My suggestion would be to kys before finishing highschool.

>>53430965
Ok but the point being, java development is done in C/C++. If you can't use C-family languages, how do you use java?

>>53430786
>>53430795

>yfw that anon drives a car with power steering, abs, airbags, seat belts, traction control

>>53430888
>>53430924
Just because it takes influences from C and C++ doesn't mean it has all the down-sides of the languages.

It's moot point because a lot of the ways Java is used these days makes it insecure as fuck.

>>53430930
And for the purposes of this thread, C++ is a language that shares all the drawbacks of C that OP is bitching about, especially memory-safety problems.

>>53430983
no, java is WRITTEN in C/C++. i think you meant "look what the JRE is written in" not "based from" because that means it uses the same concepts

>>53430924
>https://en.wikipedia.org/wiki/List_of_C-family_programming_languages
>wikipedia article with few citations

>>53431059
>java is WRITTEN in C/C++.
Yes.

So now you're told you can't use C anymore. Are you now going to re-write java? Or do you just stop developing the language and call it a day?

>>53430924
C is really only similar to Java in the syntax

>>53431086
i don't know what your point is. i don't agree with the picture in the OP at all. i was just pointing out how C is really not similar to Java

>>53431122
The discussion was about the point of the guy in the pic saying people should stop using C and C-family languages. So if you stop using C completely, as well as C++, then you can't develop java anymore. It doesn't matter how similar java is compared to C, you'd have to re-write java if you wanted to completely cut out C-family languages.

It just points out the stupidity of abandoning C.

>>53431017
>And for the purposes of this thread, C++ is a language that shares all the drawbacks of C that OP is bitching about, especially memory-safety problems.
C++11 has managed pointers and safe containers

But that's not the point, managed pointers are slower than raw pointers, safe containers are slower than containers without boundary checks, and goto is still faster than stack unwinding.

OP post is just a whine. C is unsafe because it's fast, and it's fast because it's unsafe. Not using C anymore means slower software and hardware, not to mention that there are no mature C/C++ alternatives at this point. You either drive fast and have a chance to crash if you don't drive well enough, or you drive slow.

>>53431159
>So if you stop using C completely, as well as C++, then you can't develop java anymore
That's dumb, there are implementations of JVM written in java, there are java compilers written in java too.

>>53430930
>c++ for compilers
>>53430895
you could use a safer language for all of those. think ATS, Rust, etc.
>>53431242
wrong. ATS especially (though Rust to a lesser extent) can reach C speeds with extremely high safety guarantees. C isn't unsafe because it's fast, it's unsafe because it's designed to do as little static analysis of your program as possible.

>>53431094
yeah that's kinda the whole point

a quite important point

>>53430971
there are multiple implementatsions of the JVM, including one in Java

Oracle/Sun JVM was/is written in C though yes

We should just go back to assembly

>>53430795
>let's blame the car, the driver obviously wasn't at fault for ramming into a bunch of school children crossing at a walkway.

>>53431242

C++11 and C++14 don't have managed anything. The proposed "garbage collector" was optional, and no one implemented it. What it has is smart pointers, which have been possible for a lot longer.

But regardless of whatever features C++ has, that doesn't stop many of its users from writing it like C.

It is just as easy in C++ and Rust to write unsafe code as it is in C.

Also, an implementation of the JVM in Java would imply a JVM running on the JVM. At some point, you still need a native process running on the CPU.

>>53430752
>unethical
faggot.

>C is shit
>Linux kernel written in C, the meme OS that /g/ fellates
So which is it?

>>53431306
Static analysis does not prevent stack smashing. You either spend time on boundary checks in run-time or you just have an unsafe array.

>>53431419
Smart pointers are managed pointers, you dummy

>Also, an implementation of the JVM in Java would imply a JVM running on the JVM
You can compile a JVM, written in Java, to native code by a compiler, written in Java.

>>53430906
no

>>53431499
yes

>>53430877

The problem OP is describing is that the language allows for mistakes. Their suggested solution is to use a language that didn't allow such mistakes. The problem is that OP also suggests that things like drivers and operating systems also should not be written in C.

Here's where there problem is:

It is not possible to write a driver or operating system without being able to use raw pointers, because the purpose of these things includes managing memory.

So even if you switched to Rust, which supposedly is "memory safe", you'd still be writing a bunch of unsafe blocks, opening up the possibility of vulnerabilities. What about OpenSSL? Well, they were dumb enough to write their own memory allocator. They would have had dumb shit like heartbleed and more in any other language.

C has it's uses, but why would you write crypto stuff in C?

so what should we use instead? sepples?

File: 1444373538771.jpg (17 KB, 316x239) Image search: [Google]

17 KB, 316x239

>>53431524

>it's

Fuck

Yes, let's go back to FORTRAN.

>>53431477
OS X and Windows NT are as well.

>>53431586
OS X is written in special C though.

>>53431487

Managed means you have a garbage collector. Smart pointers use RAII. All it means if that your destructor gets called when the object goes out of scope. You still have to design the destructor for whatever custom objects you make, and there's a lot of possibility for stupidity with circular dependencies.

>>53431086
You don't have to stop using it because the code is ALREADY WRITTEN and compiled
If C is suddenly eradicated from existence and no new C code can be created, the JVM can still be run and new Java code can be compiled and executed you dense fucking faggot.
As long as the JVM is solidly coded, which it is, there will be no new vulnerabilities introduced due to "problems with C" unless you explicitly change the implementation of the JVM

>>53430877
it's autism, mate
a bad programmer will find ways to fuck things up using anything from Visual BASIC to Haskell to Assembly

>>53431660
>As long as the JVM is solidly coded, which it is
Fuck off, Larry.

>>53431524
for speed, especially since crypto is one of those things that can be ran millions of times a day

>>53431524
>it's
I know someone else already point this out but holy shit this triggers my autism

>>53430835
Java is literally written in C, the file system operations are just wrappers around C functions. The syntax is C style.

>>53431524
Well, for one, it has to be fast. If you want someone running a web server to use SSL, it's important to keep the additional load this will put on his server down to a minimum. For another, it's a library. That's a format that makes sense for crypto, since you want crypto users to use a library written by crypto people and not try to implement it themselves. And C is a very common choice for a library since unlike many other languages, it's very easy to call C code from almost any language. And, finally, if you're implementing crypto, you're doing a lot of shuffling bits and bytes around. As raw data, not as ints or floats or classes or anything, just "put these bytes in this order". C is well-suited to this kind of thing, many other languages are designed on the assumption that you won't be doing that and should be at a higher level of abstraction.

>>53431650
>Managed means you have a garbage collector
No, it means I don't have to manually manage the resources. RAII or GC, it doesn't matter.

>You still have to design the destructor for whatever custom objects you make
You still have to write finally in Java, so?

>there's a lot of possibility for stupidity with circular dependencies
Drive better :^)

>>53431524

SSL is placed alongside TCP and UDP in the transport layer of the OSI model. It is expected that packets which contain encrypted data not take too much longer than normal packets because of the number of the number of applications in the higher levels that depend on it.

>>53431677
>Just drive better, m8 ;)
There's a reason cops give out tickets to retards who drive shitbuckets with broken headlights.

>>53431419
Learn what bootstrapping is. You can write a JVM in Java, compile it using C (once and only once), and use it to compile all other Java code, including further implementations of the JVM.

Language -> language -> C -> assembly
Poor unoptimized recycled shit like this makes me sick. I wish there was a frontend for machine code that doesn't rely on a crappy core functions library like C.

>>53430752
The latch in register of intel i7CPU can be hacked. Did you know this?

>>53431850
with an axe?

>>53430752
>all C based languages
>non memory safe
why should we take anything this guy says seriously?

Every shitposter in here who insists on using C everywhere is free to do so.

I'll use Lisp, finish in a quarter the time w/ 10% the LoC to maintain, and have significantly fewer bugs. I'll let results speak for themselves. It's none of my business what some shitposter on /g/ uses.

>>53431770
This exists, it's called LLVM.

>>53431993
>measuring things by LoC

>>53432009
I measure by several things:
(1) Functionality
(2) Performance (Does it meet performance REQUIREMENTS?)
(3) Unit tests -- does it pass (assuming GOOD coverage?)

Bugs can be defined as a function of lines of code to number of bugs. Fewer LoC is generally better, as long as those 3 goals previously stated aren't compromised in the process.

>>53432043
>no mention of readability
tip top kek

have fun making sense of your 10 line one-liners

>>53431993
>I'll use Lisp, finish in a quarter the time w/ 10% the LoC to maintain, and have significantly fewer bugs.
Lispish fairy tales, everyone.

>I'll use Lisp, not finish at all, stop at 10%, and have more bugs but Lisp's condition system lets the user deal with them.
That's what really happens.

>>53432063
Readability is good writing style. It has nothing to do with project requirements. I also didn't mention documentation (which matters more.) I'm assuming that a programmer will be responsible and write readable code in whatever language he is using, and create documentation. Thus, I'm not mentioning it when evaluating a technology.

Your post is a scarecrow. If solution 'A' has 10000 LoC, solution 'B' has 1000, and they both meet project requirements, are readable, and well documented, solution 'B' is better. There is less to maintain, and less opportunity for bugs to appear.

>>53432125
Walmart is using Clojure in production, and successful projects have been done in Lisp. This is the worst shitpost I've ever seen. You just make statements without any facts or compelling line of reasoning.

>>53431731
Because it's against the law.

A responsible driver wouldn't drive at night with a broken headlight, but cops know that most drivers are retards, so by law you have to have working headlights.

>>53431993
>Have you guys heard of LISP? It's relevant, you know
I mean, I won't argue that you have to choose your tools based on your needs, but this thread is about C and it's niche and I have no idea why some lisper would crawl out of the woodwork to post how useful he is elsewhere.

>>53432043
my problem with Lisp is that I could never get it reasonably working for anyone else except my machines.

>>53432125
http://dev.clojure.org/display/community/Clojure+Success+Stories

http://franz.com/success/

Your post is a myth perpetuated by retards (such as yourself) who are unable to grasp any style of programming other than procedural.

>>53432218
Clojure fixes a lot of these problems. Lisp development on Windows is a bit tricky, I honestly don't have much experience with it. On Linux/*BSD/OS X you can easily create binaries with SBCL.

>>53432250
clojure isn't a Lisp and I feel like creating binaries with the SBCL is more insane than the typical C .so/library

>>53432276
>clojure isn't a Lisp
[citation needed]
https://en.wikipedia.org/wiki/Clojure
"Clojure is a dialect of the Lisp programming language"

http://www.xach.com/lisp/buildapp/
It's so easy to do this.

>>53432310
sorry bud, clojure is shit that doesn't support basic lisp shit

>>53432336
>doesn't support basic lisp shit
like what?

>>53430944
You're getting confused. It doesn't matter what the VM was written because it is an implementation. It could've been written in asm and it doesn't change anything.

C isn't the issue
It's not properly understanding glibc functions that causes issues, which is not a fault of the language itself

>He doesn't use strlcpy
You can do everything what cpp does in C.

>>53432250
You can create binaries on windows as well in literally one line of code. My problem with SBCL is that it doesn'the do any tree shaking so you basically getting the entire VM in your binary. The best you can do is just compress the core image.

>>53432359
no tail-call optimization

>>53432532
Oh yea... this is a problem. Good thing modern storage is so plentiful

>>53432533
First, tail-call optimization isn't a requirement to be a Lisp. Second, it doesn't have it because that breaks Java calling convention. Third, if you use loop, it does a tail-call optimization.

>>53432577

Fourth, Clojure is not limited to the JVM. There are implementations that can run on the CLR, and on JavaScript.

>>53432532
You could compile with ecl that compiles to C.

Anything Java can do C can better~
http://ldeniau.web.cern.ch/ldeniau/html/oopc/oopc.html

>>53430877
It is very simple and low level compared to more abstract languages like Python.

But being compiled and so close to assembly enables you to write pretty fast code.

You also have to do stuff like memory management by yourself and the pointer syntax is very badly designed IMO.

>>53432529
You mean strncpy, right?

>>53432689
strlcpy is better then strncpy, It's used by openBSD

>>53432711
Ew

>>53432659
He does have a point, but it's slightly exaggerated. It's stupidly simple to create C code that seems straightforward, but in reality is a security nightmare. A lot of security problems aren't caused by problems in the business logic, but are caused by problems with implementation details and edge cases. As languages like Swift, Go, Clojure, Rust, etc. are getting more popular, they're crowding in on performance critical network tasks traditionally implemented in C. Also, parallelism and concurrency mechanisms are becoming important, and C still relies on a lock-based concurrency model that isn't as fast, easy, or reliable as STM.

>Smashing the stack

this hasn't been a thing for years, what the fuck?

The post in OP is written by a retard. C/C++ only have security flaws if you write them too. If companies didn't try to hire pajeets I'm sure this would be a nonissue

>>53431419
>>>53431242
>It is just as easy in Rust to write unsafe code as it is in C.
False.

>>53431518
That's like saying that there's no point in seatbelts and airbags because you might still die in a crash.

>>53430877
C is optimized for maximum performance, it was made for creating operating systems in the 70s. There is type checking on compile time, but any safety measure that would have made things slower during runtime simply was not implemented.

There is no bound checking in arrays or structs, which means you can write into arbitrary memory and overwrite jumps, which effectively allows someone to inject code.

C has a notion of undefined behavior, which means when certain errors or edge-cases happen its not an error but arbitrary stuff may happen. This mainly exists to give the compiler writers room for implementing optimizations. Signed integer overflow for example is already considered undefined behavior to allow for certain loop optimizations that wouldn't be possible otherwise. If you overflow an integer and such an optimization is applied shit will go wrong.

There are tons of other cases of undefined behavior, most people using C are not aware of many of them. This is the main reason why I think you should use managed and more secure languages like Java or C# instead. The runtimes of those languages may be written in C or C++ too, but this is done by a small amount of people that can specialize in knowing the ins and outs of C and preventing those issues, not by every single dev that just wants to implement arbitrary applications like some GUI or server application.

>>53433003
relying on undefined behavior is wrong anyway so this becomes a non-argument. the c standard is small enough that undefined behavior is easily known and understood.

c isn't a tricky language except when people want to get tricky with it.

>>53432161
Why is it against the law you fuck?

>A responsible programmer wouldn't program in C
I can use your logic too

>>53431518
You have no fucking clue what you're talking about.

From wiki:
>The author of the change which introduced Heartbleed, Robin Seggelmann, stated that he "missed validating a variable containing a length"

This would not happen in managed languages, period, because you wouldn't need to specify buffer lengths like you need to in C.

You should try to read more before you spew bullsht.

>>53433050
People don't usually rely on undefined behavior on purpose. It's an edge-case issue.

ITT: complete retards

>>53430752
Fucking hell, did C rape his mom and girlfriend while he was forced to watch or something?

>>53433050
Integer promotion and the fact that signed overflow/underflow is undefined is really easy to get bitten with.

but what all this boils down to is that C is a language with the safety off, since that makes it faster. So don't use it unless you're willing to trade increased developer time for that. The speed is critically important in some things and inconsequential in others. The security problem is that an SSL library is probably always going to be a case where a lot of the users think that yes, speed is critical. It has to be if you're ever going to reach the goal of encrypting essentially all web traffic.

>>53433192
just a webcuck jealous of real programmers

>>53433309
At least webcucks didn't fuck up the most important security codebase in the entire world.

>>53433337
Yeah, they just fuck up their own security codebases. Remind me why SQL injection and cross-site scripting attacks are still a thing in CURRENT_YEAR

>>53433337
yes, retards are not allowed near important stuff

>>53433383
It's $CURRENT_YEAR people! Wake up!

>>53432862
>False.
Tons of bad practice is what caused Heartbleed. Rust doesn't stop people from doing stupid stuff in unsafe blocks. The only argument Rustfags come up with is: it won't happen because people will be extra cautious in unsafe blocks and they will review unsafe blocks. I tell you what: if OpenSSL developers had been extra cautious during development and if they had reviewed commits, Heartbleed wouldn't have happened either.

>>53433115
They rolled their own memory caching mechanisms because >muuh performance. That made it impossible to detect invalid reads. These programmers would just allocate a huge blob of bytes in any other language and do the same.

>>53433397
Rust isn't invulnerable to shit programmers but it protects against many of the common mistakes that they would also make in C.

>>53433533
Not against things like heartbleed.

>>53430795
Just drive less fancy is more like it. C is like a sportscar that everyone tries to drift around corners in - in heavy traffic.

If you stopped writing bloated fucking garbage you wouldn't have as many programs, but no, my encryption program needs a million fucking features and I don't want to write another one

People have this retarded way of viewing a single program as a product that must gain as many users as possible, so they do the equivalent of putting microwaves in cars so they can be not driven at all and used as kitchens instead. More users, dude! If it didn't support kitchen mode not as many people would use it!

Well, why not MAKE A FUCKING KITCHEN SEPARATE FROM THE CAR?

Because dude, users!

And then the retarded "emacsy" nerd pipes up ("emacsy" might be a bit outdated...they're "webkitty" now)

"ehehehe yeeeeerrrrreeeee autism souuuunds i use my car for everything its a consistent user environment and i even customized it nyeheheh snort"

>>53431487
>Static analysis does not prevent stack smashing. You either spend time on boundary checks in run-time or you just have an unsafe array.
ATS will force you to spend that time by making sure you are handling the possibility of there being an exploit statically
in places where that could lead to a bug, the static analysis is able to pick up on it

>>53433169
This

>omg C is hard to do right

plz