Anyone know how this relates to the Training Solo attack that was just disclosed? https://www.vusec.net/projects/training-solo/

Both exploit Spectre V2, but in different ways. My takeaway:

Training Solo: - Enter the kernel (and switch privilege level) and “self train” to mispredict branches to a disclosure gadget, leak memory.

Branch predictor race conditions: - Enter the kernel while your trained branch predictor updates are still in flight, causing the updates to be associated with the wrong privilege level. Again, use this to redirect a branch in the kernel to a disclosure gadget, leak memory.

Announcement: https://mastodon.online/@sdeleuze/113679114039764735

Relatedly, this recent paper shows that many manually-removed bounds checks in Rust libraries can be re-introduced with no bottom-line perf regression, depending on the application https://dl.acm.org/doi/10.1145/3485480

Mike Ernst wrote about the downsides of Optional in Java some time back https://homes.cs.washington.edu/~mernst/advice/nothing-is-be... with pluggable type checking it is possible to use `null` safely in Java

Error Prone does this: https://errorprone.info/bugpatterns

I'm one of the authors of NullAway. Happy to answer any questions!

A code example contains:

  if (x.f != null) {
    System.out.println(x.f.toString());
  }

Apparently NullAway infers that x.f cannot be null inside the branch, so calling x.f.toString() is safe. However, strictly speaking, since field f is not final, it is possible that a different thread would modify it between the test and the call, resulting in a NullPointerException. Have you decided to just ignore such effects of multi-threading?

Hi, good point! Yes, we are deliberately ignoring multithreading, among many other things. We were aiming to catch the NPEs we see most often in practice while keeping the type system relatively simple. Based on our data from the field, I think NPEs due to multithreading and code like the example are fairly rare.

Yeah, they used to have full-text RSS feeds for many of their blogs, but now those have turned into snippet feeds; what a bummer.

Wow. From the source:

"VW continued to assert to CARB and the EPA that the increased emissions from these vehicles could be attributed to various technical issues and unexpected in-use conditions. VW issued a voluntary recall in December 2014 to address the issue. CARB, in coordination with the EPA, conducted follow up testing of these vehicles [...] to confirm the efficacy of the recall. When the testing showed only a limited benefit to the recall, CARB broadened the testing to pinpoint the exact technical nature of the vehicles' poor performance"

I remember spending half a day at the dealership to deal with this recall, which was required to get my CA registration renewed. Can't believe it was just a BS update that didn't really fix anything. Shocking and extremely disappointing behavior from VW

Some of my colleagues wrote a research paper about a system like this a few years back:

http://researcher.watson.ibm.com/researcher/files/us-bacon/B...

They proposed a new notion of "software correctness" as an equilibrium in which there is insufficient economic demand for any further bug fixes. Cool to see such a system being built!

I'm one Android user who would definitely pay $5 for an official Instapaper app.

Why? Read It Later is a great, overlooked service that does the same thing. It's also well designed. And it's cross platform.

Thanks for the tip. Just gave it a try, and it looks great so far.

I have had no issues with InstaFetch and it serves the purpose pretty well.