
> There exist memory safety bugs in Rust projects, so you will find them. Or maybe not with AI, as there is not enough training data?

No, there are simply too few memory safety bugs in Rust projects for AI to find any. It found 271 bugs in Firefox so you're talking around 0.3 bugs found in the same amount of Rust.

> The 70% number google claims is either BS or google-specific as other projects reported far lower numbers.

The post I linked didn't mention 70% so I guess you didn't read it. And if you're talking about the "70% of C/C++ security bugs are due to memory safety" stat, then no it isn't bullshit. The same (or very similar) number has been found by numerous companies and projects. Not that that stat is relevant here.




It is impossible to interpret this number (271) without looking into details. People certainly found plenty of memory safety and other bugs in Rust projects in the past, so I do not understand your claim that there are too few to find any.

Curl reported 40% and more recently it dropped to about 20% of issues caused by their use of C. And this even with the requirement to stick to old C89. OpenBSD reported 30%. I assume the 70% either have to do with C++ or - more likely - there is a huge selection bias.


> I assume the 70% either have to do with C++ or - more likely - there is a huge selection bias.

Daniel admits that he "might" just be counting differently.

I expect some of it is C++ because there sure is plenty of additional complexity to fit in the same size brain and yet you retain the same absolute requirement to juggle everything at all times or the software blows up but I'd be very surprised if it accounted for this huge disparity.


Well, I would say google "might" be counting differently or have huge bias.


