checkedint call removal
Kapps via Digitalmars-d
digitalmars-d at puremagic.com
Sat Aug 2 21:29:26 PDT 2014
On Saturday, 2 August 2014 at 19:10:51 UTC, Walter Bright wrote:
> On 8/2/2014 4:12 AM, Artur Skawina via Digitalmars-d wrote:
>> _`assume` is extremely dangerous_. Redefining `assert` to
>> include `assume`
>> would result in D's `assert` being banned from the whole code
>> base, if 'D'
>> even would be consider a 'sane' enough language to use...
>
> More simply, you could just ban "-release".
>
> Keep in mind, that under the current implementation, removing
> asserts also removes the bug checking that the asserts
> presumably were inserted for. If the asserts don't hold true,
> the program has undetected bugs in it, it is in an unknown and
> invalid state, and the ability to predict what it will do next
> is gone.
>
> I.e. you should already have banned use of "-release".
There's a huge difference between removing an extra check to
verify the lack of a bug versus guaranteeing the lack of a bug
and optimizing off of it. The way that assert is traditionally
used (C/C++, Java, C#, current D implementation, etc) is a
verification of your code, not a hint to the optimizer that some
expression is true. If D wishes to change this meaning then it
goes against D's philosophy of that if C code compiles it should
behave the same way as it did in C, and goes against every
previous usage of assert. Worse, it does so in a way that would
be extremely hard to detect if tests don't catch it since the
error would occur in an unrelated location and only in release
builds.
More importantly, it's a huge security flaw. Not all bugs are
equal; an assertion being false means a bug exists, but
optimizing based off of this allows much more severe bugs to
exist. Given a function that makes a call to a database/launches
a process/returns some HTML/etc, having an early check that
directly or indirectly asserts the data is valid to ease
debugging will remove the runtime check that ensures there's
nothing malicious in that data. Now because you had one extra
assert, you have a huge security flaw and a great deal of unhappy
customers that have had their accounts compromised or their
information leaked. This is not an unrealistic scenario.
That being said, so long as this is a separate optimization
switch, it should rarely be an issue. Keep the current behaviour
of -release disabling asserts, then add a new -assumeasserts or
-Oassert or such that allows the optimizer to optimize with the
guarantee that all asserts are true. It would also be good to be
able to guarantee that some piece of code can never be optimized
out (e.g., sanitation of user input). Changing the current
behaviour of -release is a huge breaking change that would open
up security holes and overall I feel would be a terrible thing to
do.
More information about the Digitalmars-d
mailing list