On Tue, May 14, 2024 at 5:16 PM James Youngman <ja...@youngman.org> wrote:

> One of the worries in the back of my mind with findutils has always been
> about whether all the fields in `struct predicate` actually get initialised
> correctly by the parser functions.
>
> I should explain that recently I've been using other languages which make
> it possible to ensure at compile time that things are correctly initialised
> and consistently used, and to be direct about it, I miss these things in C.
[ ...snip ]

> My instinct at this point would be to begin by adopting the second approach
> (eliminating some of the fields of struct predicate) because even if we do
> end up using a builder, it would make the builder simpler, too.
>
> However, perhaps there's another way to help us be confident that the
> implementation initialises everything in all code paths and is consistent.
> Any ideas, folks?

How about GNU does a call to arms for an alternative Rust implementation of its coreutils? There are still hungry Rust devs out there willing to write a lot of code to prove themselves.

Another idea: use AFL on the parser functions. If you initialize the fields of `struct predicate` with forbidden values and crash on such a forbidden value, you should be able to do this. It's not a guarantee, but you'll have strong assurances.

Regards,
Nikolaos Chatzikonstantinou
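The "poison then check" idea from the reply above, as an added example that is not findutils code and not from either poster. The `struct predicate` here is a hypothetical five-field stand-in (the real findutils structure has different fields), the two parser functions are toy stand-ins for the real `parse_*` functions, and the sentinel values are constructed for this example. A fuzz harness would call `abort()` where this code merely counts the fields left untouched, so the fuzzer records the input that reached an incompletely initialised predicate.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-in for findutils' `struct predicate`;
 * the real structure has many more fields and different names. */
struct predicate {
    int         need_stat;   /* does this predicate need lstat() data?     */
    int         need_type;   /* does it need the file type?                */
    int         precedence;  /* operator precedence used by the parser     */
    long        limit;       /* numeric argument, e.g. the N of -size N    */
    const char *name;        /* predicate name, e.g. "-name"               */
};

/* "Forbidden" sentinel values: chosen so that they can never occur in a
 * correctly initialised predicate.  Constructed for this example. */
#define POISON_INT   INT_MIN
#define POISON_LONG  LONG_MIN
#define POISON_PTR   ((const char *)(uintptr_t)0xDEADBEEF)

/* Fill every field with its poison value before the parser touches it. */
void predicate_poison(struct predicate *p)
{
    p->need_stat  = POISON_INT;
    p->need_type  = POISON_INT;
    p->precedence = POISON_INT;
    p->limit      = POISON_LONG;
    p->name       = POISON_PTR;
}

/* Count the fields still carrying a poison value after parsing.  Zero means
 * the parser set every field; in a fuzz harness you would abort() on any
 * non-zero result so the fuzzer keeps the input that exposed the gap. */
int predicate_count_uninitialised(const struct predicate *p)
{
    int n = 0;
    if (p->need_stat  == POISON_INT)  n++;
    if (p->need_type  == POISON_INT)  n++;
    if (p->precedence == POISON_INT)  n++;
    if (p->limit      == POISON_LONG) n++;
    if (p->name       == POISON_PTR)  n++;
    return n;
}

/* Toy parser: sets every field (the behaviour the check should accept). */
void parse_name_ok(struct predicate *p)
{
    p->name       = "-name";
    p->need_stat  = 0;
    p->need_type  = 0;
    p->precedence = 1;
    p->limit      = 0;
}

/* Toy parser with the kind of slip the technique is meant to catch:
 * `precedence` is never assigned. */
void parse_size_buggy(struct predicate *p, long n)
{
    p->name      = "-size";
    p->need_stat = 1;
    p->need_type = 0;
    p->limit     = n;
    /* precedence deliberately left unset */
}

/* Poison -> parse -> check, returning how many fields were left unset. */
int check_name_parser(void)
{
    struct predicate p;
    predicate_poison(&p);
    parse_name_ok(&p);
    return predicate_count_uninitialised(&p);
}

int check_size_parser(void)
{
    struct predicate p;
    predicate_poison(&p);
    parse_size_buggy(&p, 42);
    return predicate_count_uninitialised(&p);
}

int main(void)
{
    printf("-name: %d field(s) left uninitialised\n", check_name_parser());
    printf("-size: %d field(s) left uninitialised\n", check_size_parser());
    return 0;
}
```

The check is only as strong as the sentinels: a field whose legitimate range includes the poison value cannot be distinguished from an unset one, so each sentinel has to be chosen per field type, and the check must run after every parser path the fuzzer can reach, not just the happy path.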