Hacker News new | ask | show | jobs
by 9rx 23 days ago
> Like by not remembering to check if a pointer is nil?

Rule of thumb is to not introduce values that aren't valid. Equally, don't put in -1 for an age value, even if the language allows you to. You might later forget to validate that the age value is valid.

Yes, mistakes are possible, but these types of mistakes are pretty rare. There is some value in eliminating the possibility of those mistakes, sure, but we cannot pretend that it comes cost-free. There is good reason why almost nobody uses Rocq.

> Or actually comparing one typed nil to a different typed nil?

This is something that is likely to confuse, but not a facet of nil. It is related to interfaces. Let's not flail around like one of those wacky blow up things at the used auto lot.
1 comments
stouset 23 days ago
Ah the good old “just be a perfect programmer and you won’t run into any issues” argument. Haven’t heard that one in awhile.
link
9rx 23 days ago
If only you had made it to the second paragraph.

Hey, at least we can now understand why you have such a hard time with nil, so that's something.

link
shakow 22 days ago
Your second paragraph doesn't hold after one minute spent reading the CVEs list.
link
foldr 22 days ago
Nil references in Go aren't likely to be a source of CVEs. Dereferencing a nil reference is not undefined behavior in Go; it's guaranteed to panic.
link
shakow 21 days ago
Not all CVEs are RCE. This one[1] for instance is go's nil-dereference caused.

[1] https://access.redhat.com/security/cve/cve-2025-29785

link
foldr 20 days ago
This is a bug that could also happen in Rust if someone used 'unwrap', or if the code panicked for any other reason. You can have logic bugs in any language. Remember the Cloudflare outage of Nov 2025.

It's also worth noting that the vulnerability you link to is a denial of service vulnerability. While yes, this is technically a vulnerability, it's not the sort of thing that people are usually worrying about in the context of null pointers. If features that give rise to DoS vulnerabilities are the ones to worry about, top of the list would have to be backtracking regex engines: https://owasp.org/www-community/attacks/Regular_expression_D...

link