Comment by WalterBright

18 hours ago

Modern C still promptly decays an array to a pointer, so no array bounds checking is possible.

D does not decay arrays, so D has array bounds checking.

Note that array overflow bugs are consistently the #1 problem with shipped C code, by a wide margin.

17 comments

WalterBright

The thing is though that even with array bounds checking built into the language, out of bounds access due to programming error can still be attempted. Only this time it's safer because an attacker can't use the bug (which still exists) to access memory outside of bounds. In any case, the program still doesn't work as intended (has bugs) because the programmer has attempted, or allowed the attempt, to access out of bounds memory.

Writing safe code is better than depending on safety features. Writing safe code is possible in any programming language, the only things required are good design principles and discipline (i.e. solid engineering).

layer8 18 hours ago

> no array bounds checking is possible.

This isn’t strictly true, a C implementation is allowed to associate memory-range (or more generally, pointer provenance) metadata with a pointer.

The DeathStation 9000 features a conforming C implementation which is known to catch all array bounds violations. ;)

trealira 12 hours ago

> The DeathStation 9000 features a conforming C implementation which is known to catch all array bounds violations. ;)
That actually really does exist already with CHERI CPUs, whose pointers are tagged with "capabilities," which catch buffer overruns at runtime.
https://tratt.net/laurie/blog/2023/two_stories_for_what_is_c...
https://msrc.microsoft.com/blog/2022/01/an_armful_of_cheris/
uecker 18 hours ago
Right. Also it might it sound like array-to-pointer decay is forced onto the programmer. Instead, you can take the address of an array just fine without letting it decay. The type then preserves the length.
- WalterBright 14 hours ago
  
  C: int foo(int a[]) { return a[5]; }
  int main() { int a[3]; return foo(a); } > gcc test.c > ./a.out
  Oops.
  D: int foo(int[] a) { return a[5]; }
  int main() { int[3] a; return foo(a); } > ./cc array.d > ./array core.exception.ArrayIndexError@array.d(1): index [5] is out of bounds for array of length 3
  Ah, Nirvana!
  How to fix it for C:
  https://www.digitalmars.com/articles/C-biggest-mistake.html
  
  1 reply →
- codr7 16 hours ago
  
  Nice, when you know the length at compile time, which is rarely from my experience.
  The holy grail is runtime access to the length, which means an array would have to be backed by something more elaborate.
  
  3 replies →
Rusky 11 hours ago

A worked example: https://github.com/pizlonator/llvm-project-deluge/blob/delug...
TZubiri 17 hours ago
"The DeathStation 9000"
The what now?
- bsder 15 hours ago
  
  Nasal daemons for those of us of a slightly older vintage ...
- layer8 16 hours ago
  
  Google it.
  
  3 replies →