Wuffs the Language

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com
Compiler programming-language Haxe Parsing configuration-language

InfluxDB
Our great sponsors
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • WorkOS - The modern identity platform for B2B SaaS
  • SaaSHub - Software Alternatives and Reviews
Our great sponsors

  • wuffs

    Wrangling Untrusted File Formats Safely

    • Wuffs seems fascinating and I really wanted to like it. But when I look at the code for the JSON decoder it seems so low level, and full of places for bugs to hide. JSON is a pretty simple spec and this obscures it (although to be fair it's also handling UTF-8).

    https://github.com/google/wuffs/blob/main/std/json/decode_js...

    Yes it prevents buffer overflows and integer overflow, but it can't prevent logical errors.

    I'd rather see efficient code generated from a short high level spec, not an overwhelming amount of detail in a language verified along one dimension.

    Logical errors in parsing also lead to security vulnerabilities. For example, here is an example of parser differentials in HTTP parsing:

    https://about.gitlab.com/blog/2020/03/30/how-to-exploit-pars...

    I think the canonical example is forging SSL certificates to take advantage of buggy parsers, but I don't have a link handy. Again, this has nothing to do with buffer or integer overflows.

    (aside: while googling for that I found the claim that mRNA vaccines work by parser differentials: https://twitter.com/maradydd/status/1342891437537505280?lang... If anyone understands that I'd be curious on an opinion/analysis :) )

    At the very least, any language for parsing should include support for regular languages (regexes). The RFCs for many network protocols use this metalanguage, and there's no reason it shouldn't be executable. They compile easily to efficient code.

    The VPRI project claimed to generate a TCP/IP implementation from 200 lines of code, although it's not really a fair comparison because it hasn't been tested in the wild: https://news.ycombinator.com/item?id=846028 .

    Still I think that style has better engineering properties. Oil's lexer, which understands essentially all of bash, is generated from a short source file

    https://www.oilshell.org/release/0.8.8/source-code.wwz/front...

    which generates

    https://www.oilshell.org/release/0.8.8/source-code.wwz/_devb...

    (which goes on to generate 28,000 lines of C code)

  • haxe

    Haxe - The Cross-Platform Toolkit

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

    InfluxDB logo

  • dhall

    Maintainable configuration files

    • > If you add constraints (like not being able to feed the program to itself as is done in the halting problem and not allowing unbounded loops) then it is possible to determine if a program will terminate or not.

    Dhall is a good example - https://github.com/dhall-lang/dhall-haskell .

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts