morganstanley / hobbes

A language and an embedded JIT compiler
http://hobbes.readthedocs.io/
Apache License 2.0

Enable CodeQL analysis on Hobbes #363

Closed kelliott55 closed 4 years ago

kthielen commented 4 years ago

Hi Kevin,

Is this related to the optional unchecked array access in hobbes expressions? I don't think that this tool is likely to flag that, since it's a couple of levels away from where the tool can see (we read this AST, then run type inference, then poke at the LLVM IRBuilder in a way that produces code that does or does not check array bounds as a side-effect).

The issue of bounds checking was discussed early on, and left optional for performance. That option also works in a way that can be stratified so that you can have "trusted" inner code (where bounds checking isn't done) and then "untrusted" outer code for e.g. user queries.

HTH

kelliott55 commented 4 years ago

Ah cool, it does look like an interesting tool. If there’s anything I can help with there, please let me know!

Take care, stay safe from coronavirus. :)

On Jun 9, 2020, at 12:34 PM, Kevin Elliott Kevin.Elliott@morganstanley.com wrote:

Hi Kalani,

Yes, that is correct. I understand this is unlikely to catch the specific problem you mention; I am interested in enabling the GitHub CodeQL tool out of general interest.

Kevin

On Tue, 9 Jun 2020 at 17:31, kthielen <notifications@github.com> wrote:

Hi Kevin,

Is this related to the optional unchecked array access in hobbes expressions? I don't think that this tool is likely to flag that, since it's a couple of levels away from where the tool can see (we read this AST, then run type inference, then poke at the LLVM IRBuilder in a way that produces code that does or does not check array bounds as a side-effect).

The issue of bounds checking was discussed early on, and left optional for performance. That option also works in a way that can be stratified so that you can have "trusted" inner code (where bounds checking isn't done) and then "untrusted" outer code for e.g. user queries.

HTH

-- Kevin Elliott, Executive Director
Morgan Stanley | ISG Technology
20 Bank Street | Canary Wharf | Floor 04
London, E14 4AD
Phone: +44 20 7677-3292
Kevin.Elliott@morganstanley.com