From: Pavel Koshevoy <pkoshevoy@gmail.com>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] I've written a filter in Rust
Date: Thu, 27 Feb 2025 18:57:48 -0700
Message-ID: <CAJgjuozkd7Nm+88bx3O1aRiV9pYZ4AV1V_3NROGcWKcK4Btn3Q@mail.gmail.com>
In-Reply-To: <20250227210145.GH4991@pb2>
On Thu, Feb 27, 2025 at 2:02 PM Michael Niedermayer <michael@niedermayer.cc>
wrote:
> On Wed, Feb 26, 2025 at 03:11:13PM +0100, Tomas Härdin wrote:
> > On Sun 2025-02-23 at 22:51 +0100, Michael Niedermayer wrote:
> > > Hi
> > >
> > > On Sun, Feb 23, 2025 at 10:30:03PM +0100, Tomas Härdin wrote:
> > > > On Sat 2025-02-22 at 14:57 +0200, Rémi Denis-Courmont wrote:
> > > > > On Friday, 21 February 2025, 20.02.16 UTC+2, Tomas Härdin wrote:
> > > > > > The above said, I'm not against Rust. It has some nice properties. But
> > > > > > it does not seem very "stable" so far. Perhaps this has changed in
> > > > > > recent years..
> > > > >
> > > > > IME, it's become very usable for user-space code. Bare metal still pretty much
> > > > > requires unstable features, but that's not a problem for FFmpeg.
> > > >
> > > > I mean more in terms of ABI, and having to have cargo install specific
> > > > versions of the Rust compiler and so on.
> > > >
> > > > > > If we're in the habit of allowing other languages I'd be in favor of
> > > > > > allowing C++, so that we can make use of the STL containers rather than
> > > > > > rolling our own.
> > > > >
> > > > > Yikes. Rust is actually way saner for type-generic programming than C++.
> > > >
> > > > No doubt, but STL is still miles better than rolling our own
> > > > containers.
> > > >
> > >
> > > > Anyway, rather than shoehorning Rust into this codebase it might make
> > > > more sense to contribute to NihAV instead. But only if it has a sane
> > > > parsing framework
> > >
> > > That misses the point. FFmpeg should support a "safer" language than C
> > > because for some modules it's the better choice.
> >
> > Maybe. We can do a lot by just improving the build system. But if we're
> > going that route I think we should first try and see how working C++
> > into more parts of the code works, because we already have support for
> > C++ for torch and decklink. Doing so would allow us to toss out lots of
> > code, especially in lavu, which is always nice. Code is a liability.
>
> can some C++ expert explain to me why this builds and runs with no warning?
> ;)
>
> int main(int argc, char **argv) {
> int *v = (int*)(void*) new char; new int;
> delete v;
> return *++v;
> }
>
> we have a memleak, a use after free, an aliasing violation,
> some invalid pointer and an out of array read
>
> a safe language should not allow any of this
> C++ allows all of it, it's not safe, switching to C++ doesn't help
>
>
>
```
$ cat > /tmp/foo.cpp
int main(int argc, char **argv) {
int *v = (int*)(void*) new char; new int;
delete v;
return *++v;
}
$ g++ -g -Wall -fsanitize=address -o /tmp/foo /tmp/foo.cpp
$ /tmp/foo
=================================================================
==14416==ERROR: AddressSanitizer: new-delete-type-mismatch on
0x602000000010 in thread T0:
object passed to delete has wrong type:
size of the allocated type: 1 bytes;
size of the deallocated type: 4 bytes.
#0 0x7fd6348debb8 in operator delete(void*, unsigned long)
(/usr/lib64/libasan.so.4+0xdebb8)
#1 0x40078e in main /tmp/foo.cpp:3
#2 0x7fd634040e6b in __libc_start_call_main (/lib64/libc.so.6+0x40e6b)
#3 0x7fd634040f34 in __libc_start_main_alias_1
(/lib64/libc.so.6+0x40f34)
#4 0x400680 in _start ../sysdeps/x86_64/start.S:115
0x602000000010 is located 0 bytes inside of 1-byte region
[0x602000000010,0x602000000011)
allocated by thread T0 here:
#0 0x7fd6348dd830 in operator new(unsigned long)
(/usr/lib64/libasan.so.4+0xdd830)
#1 0x40076f in main /tmp/foo.cpp:2
#2 0x7fd634040e6b in __libc_start_call_main (/lib64/libc.so.6+0x40e6b)
SUMMARY: AddressSanitizer: new-delete-type-mismatch
(/usr/lib64/libasan.so.4+0xdebb8) in operator delete(void*, unsigned long)
==14416==HINT: if you don't care about these errors you may set
ASAN_OPTIONS=new_delete_type_mismatch=0
==14416==ABORTING
```
As to why the compilation of this code did not issue any warnings -- that
should be directed to gcc, not C++ experts.

A C++ expert would not write code like this ...

With C++ you have the same freedom to write bad and leaky code as you can
with C, but you also have the tools (RAII) to write safe code.

Pavel.
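
Added illustration, not part of the message above and not FFmpeg code: the leak and the past-the-end read from the quoted snippet, handled with RAII ownership and checked indexing. `Tracked`, `live_objects`, `scoped_alloc_leaves_nothing` and `read_checked` are hypothetical names, and the sample data is constructed.

```cpp
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <vector>

// Hypothetical instrumented type: counts live instances so a caller can
// observe that every allocation has been released.
static int live_objects = 0;
struct Tracked {
    int value;
    explicit Tracked(int v) : value(v) { ++live_objects; }
    ~Tracked() { --live_objects; }
    Tracked(const Tracked&) = delete;
    Tracked& operator=(const Tracked&) = delete;
};

// Counterpart of `new char; new int;` with no matching delete: both objects
// are owned by unique_ptr, so they are destroyed on every exit path,
// including the one taken when an exception is thrown.
int scoped_alloc_leaves_nothing(bool fail_midway) {
    try {
        auto a = std::make_unique<Tracked>(1);
        auto b = std::make_unique<Tracked>(2);
        if (fail_midway) throw std::runtime_error("constructed failure");
        (void)a->value;
        (void)b->value;
    } catch (const std::runtime_error&) {
        // nothing to release by hand; stack unwinding already did it
    }
    return live_objects;  // objects still alive after the scope ended
}

// Counterpart of `return *++v;`: the container knows its own length, and
// at() rejects an index past the end instead of reading adjacent memory.
// Returns true and sets `out` only when the read was in bounds.
bool read_checked(const std::vector<int>& buf, std::size_t index, int& out) {
    try {
        out = buf.at(index);
        return true;
    } catch (const std::out_of_range&) {
        return false;
    }
}

int main() {
    std::vector<int> one{42};  // constructed sample data
    int out = 0;
    bool ok = read_checked(one, 0, out) && !read_checked(one, 1, out);
    return (ok && scoped_alloc_leaves_nothing(true) == 0) ? 0 : 1;
}
```

Building this with the same `-fsanitize=address` flag used in the session above adds LeakSanitizer's leak check at exit on platforms where it is available.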