checkedint call removal
Daniel Murphy via Digitalmars-d
digitalmars-d at puremagic.com
Wed Jul 30 07:11:26 PDT 2014
"Artur Skawina via Digitalmars-d" wrote in message
news:mailman.227.1406728603.16021.digitalmars-d at puremagic.com...
> "D - the language that redefines commonly used and universally
> understood terms and concepts"?
Yes, see pure for another example. "D - the pragmatic language"
> > not that it can't work the way Walter and I have described.
>
> Possible != sane.
>
> The main problem isn't even the terminology; it's the consequences
> wrt safety and correctness.
Yes, this is a much more useful discussion to have than what other people
have definined assert to do.
> Consider a service/program that handles user supplied data. It
> uses several third-party libs, one for parsing and validating the
> inputs, another for some other processing/communication, etc.
> One is carefully written with security in mind and can safely
> deal with every possible valid or invalid input. Another was not
> considered security sensitive and designed to work on valid data.
> The input requirements are just documented and only checked via
> asserts. Now the programmer implementing that service only needs
> to make a single mistake, so that an invalid (or just unexpected)
> input is passed to the less hardened lib. In a production setting
> the asserts are not present, but the assumptions have leaked to
> the other libs, and some of the carefully written checks have been
> statically eliminated by the compiler. Code that was perfectly safe
> gained an invisible (!) security hole, because of an innocent
> looking assert statement in a different code base.
Yes, it is a very powerful and dangerous optimization capability. If the
optimization benefits are not worth the potential escalation of code
wrong-ness, then don't enable it. If security is more important than speed,
don't disable assertion and bounds checks.
If used wrong it will do the wrong thing. This is already true of compiler
optimizations. The optimizer may turn invalid code into security problems -
have a google around and you'll find some examples.
More information about the Digitalmars-d
mailing list