top | item 42260817

(no title)

tomberek | 1 year ago

Random thought. Another commenter worried about the runtime of the program becoming mangled and performing destructive operations on your machine. What if you run the reducer as a source-to-source Nix derivation? Protects against dangerous things, and can be easily distributed to remote builders.

discuss

judofyr|1 year ago

Oh, that’s a neat idea. To reply to the sibling comment: Nix runs commands under a sandbox. It’s not bullet proof, but useful enough that it will prevent obvious commands like deleting local files and accessing the network.

It took some time to get RustPython to run, but it seems to work fine: https://gist.github.com/judofyr/82d2255c92ebb0c6b3a6882ac9fd...

Also, after running it for 5 minutes it was now able of reducing it to a much smaller case:

    class a:
        def b() : c
        def h(d) :
            while d:
                    break
            else:
                return 
            d.b()
    def j(e) :
        f = a()
        if f.h  () :
                g
    i = ""
    j(i)

hinkley|1 year ago

You generally shouldn’t use absolute paths in your programs. That makes it dangerous for local development, and makes running two copies of the program to compare behaviors difficult.

There’s a Venn diagram of people who don’t care enough to do that (works for me!) and people who would never think to use c-reduce. It’s not a perfect circle, but it’ll be fairly close.

somat|1 year ago

> You generally shouldn’t use absolute paths in your programs.

This is true, but I was enjoying the irony that there is an old sys-sdmin adage that you should only use absolute paths in your program(usually a shell script, in this environment) this is to make sure it is running exactly what you expect it to run.

So always put "/usr/bin/awk" instead of just "awk"

I had a co-worker once who took this as gospel. His scripts were always... interesting... to port to a new environment.

capitol_|1 year ago

How does this protect against dangerous things?

My understanding is that this would just cause the dangerous things to be repeatable.

dietr1ch|1 year ago

It must be that by running any program within the nix build sandbox you don't expose your files unless you discover a privilege escalation attack by chance during the reduction process.