Jason started work on a C++ application doing quantitative work. The nature of the program involves allocating all sorts of blocks of memory, doing loads of complicated math, and then freeing them. Which means, there's code which looks like this:

for( i = 0; i < 6; i++ ) { if( h->quant4_bias[i] ) free( h->quant4_bias[i] ); }

This isn't terribly unusual code. I have quibbles- why the magic number 6, I'd prefer the comparison against nullptr to be explicit- but this isn't the kind of code that's going to leave anybody scratching their head. If h->quant4_bias[i] is pointing to actual memory, free it.

But this is how that array is declared:

uint16_t (*quant4_bias[4])[16];

Uh… the array has four elements in it. We free six elements. And shockingly, this doesn't crash. Why not? Well… it's because we get lucky. Here's that array declaration with a bit more context:

uint16_t (*quant4_bias[4])[16]; uint16_t (*quant8_bias[2])[64];

We iterate past the end of quant4_bias, but thankfully, the compiler has put quant8_bias at the next offset, and has decided to just let the [] operator just access that memory. There's no guarantee about this- this is peak undefined behavior. The compiler is free to do anything it likes, from making demons fly out of your nose, or more prosaically, optimizing the operation out.

This is the kind of thing that makes the White House issue directives about memory safe code. The absence of memory safety is a gateway to all sorts of WTFs. This one, here, is a pretty mild one, as memory bugs go.

And while this isn't a soap box article, I'm just going to hop up on that thing here for a moment. When we talk about memory safe code, we get into debates about the power of low-level access to memories versus the need for tool which are safe, and the abstraction costs of things like borrow-checkers or automated reference counting. This is a design challenge for any tool. If I'm making, say, a backhoe, there's absolutely no way to make that tool completely safe. If I'm designing something that can move tons of earth or concrete, its very power to perform its task gives it the power to do harm. We address this through multiple factors. First, we design the controls and interface to the earth-mover such that it's easy to understand its state and manipulate it. The backhoe responds to user inputs in clear, predictable, ways. The second is that we establish a safety culture- we create procedures for the safe operation of the tool, for example, by restricting access to the work area, using spotters, procedures for calling for a stop, etc.

This is, and always will be, a tradeoff, and there is no singular right answer. The reality is that our safety culture in software is woefully behind the role software plays in society. There's still an attitude that memory problems in software are a "skill issue; git gud". But that runs counter to a safety culture. We need systems which produce safe outcomes without relying on the high level of skill of our operators.

Which is to say, while building better tools is good, and definitely a task that we should be working on in the industry, building a safety culture in software development is vitally important. Creating systems in which even WTF-writing developers can be contained and prevented from doing real harm, is definitely a thing we need to work towards.

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!

An anonymous reader quotes a report from the BBC: Switzerland and Italy have redrawn part of their border in the Alps due to melting glaciers, caused by climate change. Part of the area affected will be beneath the Matterhorn, one of Europe's tallest mountains, and close to a number of popular ski resorts. Large sections of the Swiss-Italian border are determined by glacier ridgelines or areas of perpetual snow, but melting glaciers have caused these natural boundaries to shift, leading to both countries seeking to rectify the border. Switzerland officially approved the agreement on the change on Friday, but Italy is yet to do the same. This follows a draft agreement by a joint Swiss-Italian commission back in May 2023. Statistics published last September showed that Switzerland's glaciers lost 4% of their volume in 2023, the second biggest loss ever after 2022's record melt of 6%. An annual report is issued each year by the Swiss Glacier Monitoring Network (Glamos), which attributed the record losses to consecutive very warm summers, and 2022 winter's very low snowfall. Researchers say that if these weather patterns continue, the thaw will only accelerate. On Friday, Switzerland said that the redefined borders had been drawn up in accordance with the economic interests of both parties. It is thought that clarifying the borders will help both countries determine which is responsible for the upkeep of specific natural areas. Swiss-Italian boundaries will be changed in the region of Plateau Rosa, the Carrel refuge and Gobba di Rollin -- all are near the Matterhorn and popular ski resorts including Zermatt. The exact border changes will be implemented and the agreement published once both countries have signed it. Switzerland says that the approval process for signing the agreement is under way in Italy.

Read more of this story at Slashdot.

Google has obtained (PDF) a default judgment against two men who abused its DMCA takedown system to falsely target 117,000 URLs of competitors' online stores. With none of the defendants showing up in court, a California federal court sided with the search engine. Through an injunction, the men are now prohibited from sending false takedown notices and creating new Google accounts. TorrentFreak reports: Last November, Google decided to take action against the rampant DMCA abuse. In a lawsuit filed at a federal court in California, it accused Nguyen Van Duc and Pham Van Thien of sending over 100,000 fraudulent takedown requests. Many of these notices were allegedly filed against third-party T-shirt shops. [...] Following the complaint, the defendants, who are believed to reside in Vietnam, were summoned via their Gmail accounts and SMS. However, the pair remained quiet and didn't respond in court. Without the defendants representing themselves, Google requested a default judgment. According to the tech giant, it's clear that the duo violated the DMCA with their false takedown notices. In addition, they committed contract breach under California law. Google said that, absent a default judgment, the defendants would continue to harm consumers and third-party businesses. These actions, in turn, will damage Google's reputation as a search engine. In July, U.S. Magistrate Judge Sallie Kim recommended granting Google's motion for default judgment. The recommendation included an injunction that prevents the two men from abusing Google's services going forward. However, the District Judge had the final say. Last Friday, U.S. District Court Judge Edward Davila adopted the recommendations, issuing a default judgment in favor of Google. The order confirms that defendants Nguyen Van Duc and Pham Van Thien violated the DMCA with their false takedown notices. In addition, they committed contract breach under California law. In typical copyrights-related verdicts, most attention is paid to the monetary damages, but not here. While Google could have requested millions of dollars in compensation, it didn't request a penny. Google's primary goal was to put an end to the abusive behavior, not to seek financial compensation. Therefore, the company asked for an injunction to prohibit the defendants from sending false takedowns going forward. This includes a ban on registering any new Google accounts. The request ticked all the boxes and, without a word from the defendants, Judge Davila granted the default judgment as well as the associated injunction.

Read more of this story at Slashdot.

Cerebras Systems, an AI chip startup, filed (PDF) for an IPO and plans to trade under the ticker "CBRS" on Nasdaq. CNBC reports: Cerebras competes with Nvidia, whose graphics processing units are the industry's choice for training and running AI models. Cerebras says on its website that its WSE-3 chip comes with more cores and memory than Nvidia's popular H100. It's also a physically larger chip. In addition to selling chips, Cerebras offers cloud-based services that rely on its own computing clusters. [...] In addition to Nvidia, Cerebras cites AMD, Intel, Microsoft and Google as competitors, "as well as internally developed custom application-specific integrated circuits and a variety of private companies." Taiwan Semiconductor Manufacturing Company makes the Cerebras chips. Cerebrus warned investors that any possible supply chain disruptions may hurt the company. Cerebras was founded in 2016 and is based in Sunnyvale, California. Andrew Feldman, the startup's co-founder and CEO, sold server startup SeaMicro to AMD for $355 million in 2012. The company said in 2021 that it was valued at over $4 billion in a $250 million funding round.In May, G42 committed to purchasing $1.43 billion in orders from Cerebras before March 2025, according to the filing. G42 currently owns under 5% of Cerebras' Class A shares, and the firm has an option to purchase more depending on how much Cerebras product it buys.

Read more of this story at Slashdot.

Amazon Prime is launching a new Shark Tank-style competition show where contestants pitch products to a panel of celebrity investors and a live audience called "The 100." If a product wins audience approval, it gets featured in Amazon's Buy It Now Store, accessible via QR codes during episodes. The show, called Buy It Now and hosted by JB Smoove, premieres on October 30, 2024. You can watch a trailer for it on YouTube. The Verge reports: The company announced the show earlier this year but has now released a trailer showing what it will look like. Contestants pitch their ideas to the audience. If the crowd votes for them, then the panelists pick which ones will show up on Amazon's Buy It Now Store: a new storefront launching alongside the show that viewers can reach using a QR code that shows up during episodes. One presenter per episode will get a $20,000 prize, too. Apart from Smoove -- who you may remember from Curb Your Enthusiasm and Harley -- the show will feature "a star-studded rotating panel of celebrity panelists," including Gwyneth Paltrow, Anthony Anderson, Tabitha Brown, Tony Hawk, and Christian Siriano. It will also include three Amazon executives, and Ring founder and current CEO of Door.com (formerly Latch) Jamie Siminoff will serve as the "resident judge and entrepreneurial panelist." Oh, and those panelists will be selling their own products on that Buy It Now Store.

Read more of this story at Slashdot.

The Arch Linux team has announced a collaboration with Valve, working to support critical infrastructure projects like a build service and secure signing enclave for the Arch Linux distribution. Tom's Hardware reports: If you're familiar with Valve and Steam Deck, you may already know that the Deck uses SteamOS 3, which is built on top of Arch Linux. Thanks to the Arch Linux base and Valve's development of the Proton compatibility layer for playing Windows games on Linux, we now have a far improved Linux gaming scene, especially on Valve's Steam Deck and Deck OLED handhelds. While Valve's specific reasons for picking Arch Linux for Steam Deck remain unknown, it's pretty easy to guess why it was picked. Mainly, it's a particularly lightweight distribution maintained since March 2002, which lends itself well to gaming with minimal performance overhead. A more intensive Linux distribution may not have been the ideal base for SteamOS 3, which is targeted at handhelds like Steam Deck first. As primary Arch Linux developer Levente Polyak discloses in the announcement post, "Valve is generously providing backing for two critical projects that will have a huge impact on our distribution: a build service infrastructure and a secure signing enclave. By supporting work on a freelance basis for these topics, Valve enables us to work on them without being limited solely by the free time of our volunteers." Polyak continues, "This opportunity allows us to address some of the biggest outstanding challenges we have been facing for a while. The collaboration will speed up the progress that would otherwise take much longer for us to achieve, and will ultimately unblock us from finally pursuing some of our planned endeavors [...] We believe this collaboration will greatly benefit Arch Linux, and are looking forward to share further development on the mailing list as work progresses."

Read more of this story at Slashdot.

An anonymous reader quotes a report from TechCrunch: Raspberry Pi, the company that sells tiny, cheap, single-board computers, is releasing an add-on that is going to open up several use cases -- and yes, because it's 2024, there's an AI angle. Called the Raspberry Pi AI Camera, this image sensor comes with on-board AI processing and is going to cost $70. In more technical terms, the AI Camera is based on a Sony image sensor (the IMX500) paired with a RP2040, Raspberry Pi's own microcontroller chip with on-chip SRAM. Like the rest of the line-up, the RP2040 follows Raspberry Pi's overall philosophy -- it is inexpensive yet efficient. In other words, AI startups aren't going to replace their Nvidia GPUs with RP2040 chips for inference. But when you pair it with an image sensor, you get an extension module that can capture images and process those images through common neural network models. As an added benefit, on-board processing on the camera module means that the host Raspberry Pi isn't affected by visual data processing. The Raspberry Pi remains free to perform other operations -- you don't need to add a separate accelerator. The new module is compatible with all Raspberry Pi computers. This isn't Raspberry Pi's first camera module. The company still sells the Raspberry Pi Camera Module 3, a simple 12-megapixel image sensor from Sony (IMX708) mounted on a small add-on board that you can pair with a Raspberry Pi with a ribbon cable. As Raspberry Pi promises to keep production running for many years, the Camera Module 3 will remain available for around $25. The AI Camera is the same size as the Camera Module 3 (25mm x 24mm) but slightly thicker due to the structure of the optical sensor. It comes pre-loaded with the MobileNet-SSD model, an object detection model that can run in realtime.

Read more of this story at Slashdot.

The National Highway Traffic Safety Administration (NHTSA) said it has fined Cruise $1.5 million for failing to disclose that a pedestrian was seriously injured by one of its driverless vehicles in San Francisco last year. The Verge reports: Last October, a Cruise vehicle hit a pedestrian and then dragged her 20 feet after she was initially struck by a human driver in a hit-and-run incident. In the aftermath, Cruise disclosed that its vehicle had struck a pedestrian but omitted details about the victim being dragged. As a result, the California Department of Motor Vehicles pulled the GM-backed company's permit to operate self-driving cars in the state, and the National Highway Traffic Safety Administration launched an investigation into the incident. Today, NHTSA announced the $1.5 million penalty as part of a broader consent order with Cruise that includes additional requirements around safety and disclosure. The company submitted several "incomplete reports" under the agency's Standing General Order, which requires crash reports to be filed within a certain period of time, depending on their severity. In its first report to NHTSA, filed one day after the incident, Cruise failed to disclose "that the Cruise vehicle had dragged the pedestrian," the consent order reads. The company also filed an additional report 10 days later in which it also failed to disclose the dragging incident. "It is vitally important for companies developing automated driving systems to prioritize safety and transparency from the start," NHTSA Deputy Administrator Sophie Shulman said. "NHTSA is using its enforcement authority to ensure operators and manufacturers comply with all legal obligations and work to protect all road users." After its permit was suspended, Cruise hired a law firm to conduct an investigation into what went wrong. The firm's report concluded that the company had tried to send a 45-second video to regulators that showed its vehicle dragging the victim but was hampered by "internet connectivity issues." Also, Cruise employees failed to point out the dragging incident in subsequent conversations with regulators.

Read more of this story at Slashdot.

Apple has withdrawn from discussions to invest in OpenAI's $6.5 billion funding round, though reasons for the decision remain unclear. The company still plans to proceed with integrating ChatGPT into Siri. MacRumors reports: The development comes just a month after WSJ reported that Apple was considering an investment in OpenAI as part of a fundraising effort that could value the AI company at over $100 billion. The high valuation reflects the intense competition in the artificial intelligence sector that OpenAI helped ignite with ChatGPT's launch in late 2022. While Apple has stepped away, other major tech companies remain involved. Microsoft, which has already invested $13 billion in OpenAI, is expected to contribute about $1 billion to this latest round. Nvidia is also reportedly in talks to participate. OpenAI's transition into a for-profit structure may have factored into Apple's decision. Last week, Reuters reported on OpenAI's plan to restructure its core business into a for-profit benefit corporation that will no longer be controlled by its non-profit board. "Chief executive Sam Altman will also receive equity for the first time in the for-profit company, which could be worth $150 billion after the restructuring as it also tries to remove the cap on returns for investors," reported Reuters.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Politico: It will soon be illegal for public and private universities in California to consider an applicant's relationship to alumni or donors when deciding whether to admit them. Gov. Gavin Newsom on Monday signed a ban on the practice known as legacy admissions, a change that will affect prestigious institutions including Stanford University and the University of Southern California. California's law, which will take effect Sept. 1, 2025, is the nation's fifth legacy admissions ban, but only the second that will apply to private colleges. "In California, everyone should be able to get ahead through merit, skill, and hard work," Newsom said in a statement. "The California Dream shouldn't be accessible to just a lucky few, which is why we're opening the door to higher education wide enough for everyone, fairly." Like other states, California won't financially penalize violators, but it will post the names of violators on the state Department of Justice's website. California will also add to data reporting requirements that it implemented in 2022, when private colleges had to start sharing the percentage of admitted students who were related to donors and alumni. Schools that run afoul of the new law will also have to report more granular demographic information about their incoming classes to the state, including the race and income of enrolled students as well as their participation in athletics. [...] Public universities in California won't be affected by the change. California State University does not consider legacy or donor ties, and the University of California system stopped doing so in 1998, two years after California voters banned race-conscious admissions through a statewide ballot measure.

Read more of this story at Slashdot.

An anonymous reader shares a report: Mazda recently surprised customers by requiring them to sign up for a subscription in order to keep certain services. Now, notable right-to-repair advocate Louis Rossmann is calling out the brand. He points to several moves by Mazda as reasons for his anger toward them. However, it turns out that customers might still have a workaround. Previously, the Japanese carmaker offered connected services, that included several features such as remote start, without the need for a subscription. At the time, the company informed customers that these services would eventually transition to a paid model. It's important to clarify that there are two very different types of remote start we're talking about here. The first type is the one many people are familiar with where you use the key fob to start the vehicle. The second method involves using another device like a smartphone to start the car. In the latter, connected services do the heavy lifting. What is wild is that Mazda used to offer the first option on the fob. Now, it only offers the second kind, where one starts the car via phone through its connected services for a $10 monthly subscription, which comes to $120 a year. Rossmann points out that one individual, Brandon Rorthweiler, developed a workaround in 2023 to enable remote start without Mazda's subscription fees.

Read more of this story at Slashdot.

More American workers are seeing their compensation tied to performance metrics, a shift from traditional fixed salaries. A 2024 survey by Alexander Group found 28% of over 300 companies are incorporating incentive pay into new roles, extending a practice once limited to sales and executive positions. Employers argue this model boosts productivity, while some workers report earning less than expected, WSJ reported Monday.

Read more of this story at Slashdot.

An anonymous reader shares a report: Udemy, an e-learning platform with more than 250,000 online classes, recently announced that it would train generative AI on the classes that its users contribute to the site. Not only were class teachers automatically opted in to having their classes used as training, Udemy said teachers would have only a three-week "window" to opt-out of training. That window has now passed. "We want to officially announce that the opt-out period for our Generative AI Program (GenAI Program) begins today, August 21st, and goes through September 12th. The choice to participate in the GenAI program is yours. If you want to participate, no action is needed!," Udemy said in a post on its community forums August 21. In an "Instructor Generative AI Policy" document, it says it plans to offer "Annual Periods designated by us" during which instructors can opt-out of having their classes trained on, and said that when people opt-out of training, it will remove the instructors' classes from its dataset "by the end of the calendar year." It has also told instructors that "By opting out, you'll lose access to all AI features and benefits, which may affect your course visibility and potential earnings." With the first opt-out window having passed, instructors are now seeing a grayed-out option in their settings if they didn't know about the window or would like to opt-out now.

Read more of this story at Slashdot.

DirecTV has agreed to acquire struggling rival Dish Network, creating a satellite TV behemoth with nearly 20 million subscribers. The complex transaction, announced Monday, involves private equity firm TPG acquiring a majority stake in DirecTV from AT&T for $7.6 billion. DirecTV will then purchase Dish for $1 and assume its debt. The deal provides a lifeline for Dish, which faces $2 billion in debt due November with only $500 million in available cash. EchoStar, Dish's parent company, will retain its wireless spectrum investments and operate independently. Subject to regulatory approval and creditor agreement, the merger is expected to close in late 2025. DirecTV and TPG will provide $2.5 billion to cover Dish's immediate financial needs. The deal's fate remains uncertain, as a similar 2002 merger attempt was blocked on antitrust grounds.

Read more of this story at Slashdot.

Reddit has implemented new restrictions on moderators' ability to alter community visibility settings, the social media platform announced Monday. Moderators must now obtain admin approval before switching subreddits between public, private, or NSFW status. The move comes in response to last year's widespread protests against API pricing changes, during which thousands of subreddits went private, disrupting platform accessibility. Reddit VP Laura Nestler stated the policy aims to prevent actions that "deliberately cause harm" and protect the site's long-term health.

Read more of this story at Slashdot.

The Energy Department said on Monday that it had finalized a $1.52 billion loan guarantee to help a company restart a shuttered nuclear plant in Michigan -- the latest sign of rising government support for nuclear power. From a report: Two rural electricity providers that planned to buy power from the reactor would also receive $1.3 billion in federal grants [Editor's note: the link is likely paywalled; alternative source] under a program approved by Congress to help rural communities tackle climate change. The moves will help Holtec International reopen the Palisades nuclear plant in Covert Township, Mich., which ceased operating in 2022. The company plans to inspect and refurbish the plant's reactor and seek regulatory approval to restart the plant by October 2025. After years of stagnation, America's nuclear industry is seeing a resurgence of interest. Both Congress and the Biden administration have offered billions of dollars in subsidies to prevent older nuclear plants from closing and to build new reactors. Despite concerns about high costs and hazardous waste, nuclear plants can generate electricity at all hours without emitting the greenhouse gases that are heating the planet. David Turk, the deputy secretary of energy, said he expected U.S. electricity demand would grow by 15 percent over the next few years, driven by an increase in electric vehicles, a boom in battery and solar factories as well as a surge of new data centers for artificial intelligence. That meant the nation needs new low-carbon sources of power that could run 24/7 and complement wind and solar plants.

Read more of this story at Slashdot.

AmiMoJo writes: The UK is about to stop producing any electricity from burning coal -- ending its 142-year reliance on the fossil fuel. The country's last coal power station, at Ratcliffe-on-Soar, finishes operations on Monday after running since 1967. This marks a major milestone in the country's ambitions to reduce its contribution to climate change. Coal is the dirtiest fossil fuel producing the most greenhouse gases when burnt. The UK was the birthplace of coal power, and from tomorrow it becomes the first major economy to give it up. The first coal-fired power station in the world, the Holborn Viaduct power station, was built in 1882 in London by the inventor Thomas Edison -- bringing light to the streets of the capital. In the early 1990s, coal began to be forced out of the electricity mix by gas, but coal still remained a crucial component of the UK grid for the next two decades. In 2012, it still generated 39% of the UK's power. In 2010, renewables generated just 7% of the UK's power. By the first half of 2024, this had grown to more than 50% -- a new record. The rapid growth of green power meant that coal could even be switched off completely for short periods, with the first coal-free days in 2017.

Read more of this story at Slashdot.

Thousands of Verizon users across the United States reported having little or no cellphone service on Monday morning in major cities, including in Atlanta, Chicago, Denver, New York and Phoenix. From a report: According to the website Downdetector, which tracks user reports of internet disruptions, more than 104,000 cases of Verizon outages were reported across the country as of 11:20 a.m. Eastern, more than an hour after the first issues were reported. A map posted on the site showed cities with the most reports. On the site, many users said their cellphones were intermittently displaying SOS mode and that they could not place calls or send or receive text messages. "We're aware of the issue affecting service for some customers," a spokesman for Verizon, Ilya Hemlin, said in a telephone interview at 11:30 a.m. "Our engineers are engaged and we are working quickly to solve the issue," he added.

Read more of this story at Slashdot.

An anonymous reader shares a report: Songs by Adele, Bob Dylan, Green Day, R.E.M., Burna Boy, Rush and many others are currently unplayable on YouTube in the U.S. due to a legal dispute between the platform and the performing rights organization SESAC. Attempts to play many, but not all, songs by those artists on Saturday met with the following message: "This video contains content from SESAC. It is not available in your country." A similar dispute between Universal Music Group and TikTok raged on for several months earlier this year before being resolved. In a statement to Variety, a YouTube rep said: "We have held good faith negotiations with SESAC to renew our existing deal. Unfortunately, despite our best efforts, we were unable to reach an equitable agreement before its expiration. We take copyright very seriously and as a result, content represented by SESAC is no longer available on YouTube in the US. We are in active conversations with SESAC and are hoping to reach a new deal as soon as possible." A source close to the situation tells Variety that the previous deal actually does not expire until next week, and suggests that YouTube's move is a negotiating tactic. SESAC is far smaller than ASCAP and BMI -- with approximately 30,000 members and 1.5 million compositions while ASCAP has nearly 800,000 members -- but as the caliber of artists affected by the block shows, it represents a comparatively large percentage of the marketplace.

Read more of this story at Slashdot.

AMD has released BIOS updates to boost performance and reduce latency for its Ryzen 9600X and 9700X processors. The updates come a month after disappointing Zen 5 desktop CPU reviews and coincide with Windows 11 optimizations for AMD chips. The new AGESA PI 1.2.0.2 firmware addresses high core-to-core latency issues and introduces a 105-watt cTDP option, promising up to 10% performance gains for multithreaded workloads.

Read more of this story at Slashdot.