by cakoose 638 days ago
What happens if we gradually transition to memory-safe languages for new features, while leaving existing code mostly untouched except for bug fixes?

...

In the final year of our simulation, despite the growth in memory-unsafe code, the number of memory safety vulnerabilities drops significantly, a seemingly counterintuitive result [...]

Why would this be counterintuitive? If you're only touching the memory-unsafe code to fix bugs, it seems obvious that the number of memory-safety bugs will go down.

Am I missing something?

2 comments

The counterintuitive part is that there is now more code written in memory-unsafe languages than there was before, even if it's just bug fixing.

It's not as if bug fixes haven't resulted in new memory bugs, but apparently that rate is much lower in bug fixes than it is in brand new code.

I think the standard assumption would be that you need to start replacing older code with memory safe code to see improvements.

Instead they’ve shown that only using memory safe languages for new code is enough for the total bug count to drop.
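As an added worked example (not part of either comment or the article they discuss), the toy cohort model below reproduces the effect the thread is puzzling over: the memory-unsafe line count keeps growing through bug-fix churn, yet the expected vulnerability count falls. Every parameter is a constructed assumption, in particular that a cohort's vulnerability density decays exponentially with its age and that new features after the switch carry zero memory-safety bugs.

```python
from dataclasses import dataclass


@dataclass
class Params:
    # All values are constructed assumptions for illustration, not measured data.
    years_before: int = 5            # years of unsafe-only development before the switch
    years_after: int = 5             # years simulated after the switch
    new_loc_per_year: int = 100_000  # new code written per year
    fix_fraction: float = 0.05       # bug-fix churn in unsafe code, as a fraction of a year's new code
    vuln_per_kloc_new: float = 1.0   # memory-safety vulns per KLOC in brand-new unsafe code
    half_life_years: float = 2.5     # age at which a cohort's vulnerability density has halved


def simulate(p: Params, transition: bool = True) -> list[tuple[float, float]]:
    """Return, per simulated year, (memory-unsafe LOC, expected memory-safety vulns).

    With transition=True, new features after year `years_before` are written in a
    memory-safe language and only bug fixes add fresh unsafe code.  With
    transition=False everything stays memory-unsafe (the counterfactual).
    """
    cohorts: list[tuple[float, int]] = []   # (unsafe LOC, year written)
    history: list[tuple[float, float]] = []
    for year in range(p.years_before + p.years_after):
        if transition and year >= p.years_before:
            # Assumption: bug fixes still add a small amount of new unsafe code each year.
            cohorts.append((p.new_loc_per_year * p.fix_fraction, year))
        else:
            cohorts.append((p.new_loc_per_year, year))
        unsafe_loc = sum(loc for loc, _ in cohorts)
        # Assumption: vulnerability density of a cohort decays as 0.5 ** (age / half_life).
        vulns = sum(
            (loc / 1000) * p.vuln_per_kloc_new * 0.5 ** ((year - written) / p.half_life_years)
            for loc, written in cohorts
        )
        history.append((unsafe_loc, vulns))
    return history


if __name__ == "__main__":
    p = Params()
    for label, run in (("transition", simulate(p)), ("no transition", simulate(p, transition=False))):
        print(label)
        for year, (loc, vulns) in enumerate(run):
            marker = " <- switch" if year == p.years_before else ""
            print(f"  year {year}: unsafe LOC={loc:>9,.0f}  expected vulns={vulns:6.1f}{marker}")
```

Under these assumptions the final year has about 5% more memory-unsafe code than the year of the switch but fewer than a third of the expected vulnerabilities, while the no-transition run keeps climbing.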