70% of security problems in Chromium are caused by memory errors

The developers of the Chromium project analyzed 912 high-risk and critical vulnerabilities identified in stable releases of Chrome since 2015 and concluded that 70% of them were caused by memory-unsafe handling (errors when working with pointers in C/C++ code). Half of these problems (36.1%) are caused by accessing a buffer after the memory associated with it has been freed (use-after-free).

Chromium was designed from the start on the assumption that errors can appear in the code, so great emphasis was placed on sandbox isolation to limit the consequences of vulnerabilities. The possibilities of this technique have now reached their limit, and splitting the browser further into processes is impractical in terms of resource consumption.

To keep the code base secure, Google also enforces the "rule of two", under which any added code may meet no more than two of three conditions: working with unvalidated input data, using an unsafe programming language (C/C++), and running with elevated privileges. The rule implies that code processing external data must either be reduced to minimal privileges (isolated) or be written in a safe programming language.

To further strengthen the security of the code base, a project has been launched to prevent memory errors from appearing in the code. Three main approaches are identified: creating C++ libraries with functions for safe memory handling and expanding the scope of the garbage collector; using the hardware protection mechanism MTE (Memory Tagging Extension); and writing code in languages that ensure safe work with memory (Java, Kotlin, JavaScript, Rust, Swift).

The work is expected to focus on two areas:

  • A significant change to the C++ development process, which does not rule out a negative impact on performance (additional bounds checks and garbage collection). Instead of raw pointers, it is proposed to use the MiraclePtr type, which reduces exploitable use-after-free errors to crashes that pose no security threat, without a negative impact on performance, memory consumption and stability.
  • Using languages designed to perform memory-safety checks at compile time (this eliminates the performance penalty that such checks carry when done during code execution, but adds the cost of organizing interaction between code in the new language and code in C++).

Using safe libraries is the simplest approach, but also the least effective. Rewriting code in Rust is rated as the most effective approach, but also a very expensive one.
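The idea of replacing raw pointers with a checked pointer type, shown as an added example (not Chromium's MiraclePtr implementation and not code from the original article): a simplified scheme in which a small header outlives the object, so a dereference after free aborts deterministically instead of reading reused memory. `Slot`, `CheckedPtr`, `make_checked` and `Session` are hypothetical names, and the scenario is constructed.

```cpp
#include <cstdlib>
#include <cstring>
#include <new>
#include <utility>

// Assumed scheme: a per-allocation header outlives the object until the last
// CheckedPtr is gone, so a stale pointer can always tell the object was freed.
template <typename T> struct Slot {
  unsigned refs = 0;
  T* obj = nullptr;  // null once the object has been destroyed
  alignas(T) unsigned char storage[sizeof(T)];
};
template <typename T> class CheckedPtr {
 public:
  explicit CheckedPtr(Slot<T>* s = nullptr) : s_(s) { if (s_) ++s_->refs; }
  CheckedPtr(const CheckedPtr& o) : CheckedPtr(o.s_) {}
  CheckedPtr& operator=(CheckedPtr o) { std::swap(s_, o.s_); return *this; }
  ~CheckedPtr() {  // last reference: destroy if nobody did, then free the slot
    if (s_ && --s_->refs == 0) { if (s_->obj) s_->obj->~T(); delete s_; }
  }
  bool dangling() const { return s_ && !s_->obj; }
  T* get() const {  // stale or null access becomes a deterministic abort
    if (!s_ || !s_->obj) std::abort();
    return s_->obj;
  }
  T* operator->() const { return get(); }
  void destroy() const {  // the "free": run destructor, poison, keep header
    get()->~T();
    std::memset(s_->storage, 0xEF, sizeof(T));
    s_->obj = nullptr;
  }
 private:
  Slot<T>* s_;
};
template <typename T, typename... A> CheckedPtr<T> make_checked(A&&... a) {
  auto* s = new Slot<T>;
  s->obj = new (s->storage) T(std::forward<A>(a)...);
  return CheckedPtr<T>(s);
}

struct Session { int user_id; };  // constructed sample type
// Constructed scenario: an observer keeps its pointer past the owner's free.
bool observer_detects_free() {
  CheckedPtr<Session> owner = make_checked<Session>(Session{42});
  CheckedPtr<Session> observer = owner;
  bool live_before = !observer.dangling() && observer->user_id == 42;
  owner.destroy();
  return live_before && observer.dangling() && owner.dangling();
}
```

After `owner.destroy()`, a call such as `observer->user_id` would reach `std::abort()`; with a raw `Session*` the same line would read freed memory.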

source: budenet.ru