Bad array indexing is considered deadly

John Colvin via Digitalmars-d digitalmars-d at puremagic.com
Thu Jun 1 07:10:21 PDT 2017 

On Thursday, 1 June 2017 at 10:26:24 UTC, Steven Schveighoffer 
wrote:
> On 5/31/17 9:05 PM, Walter Bright wrote:
>> On 5/31/2017 6:04 AM, Steven Schveighoffer wrote:
>>> Technically this is a programming error, and a bug. But 
>>> memory hasn't
>>> actually been corrupted.
>>
>> Since you don't know where the bad index came from, such a 
>> conclusion
>> cannot be drawn.
>
> You could say that about any error. You could say that about 
> malformed unicode strings, malformed JSON data, file not found. 
> In this mindset, everything should be an Error, and nothing 
> should be recoverable.
>
>>
>>
>>> This seems like a large penalty for "almost" corrupting 
>>> memory. No
>>> other web framework I've used crashes the entire web server 
>>> for such a
>>> simple programming error.
>>
>> Hence the endless vectors for malware insertion in those other 
>> frameworks.
>
> No, those are due to the implementation of the interpreter. If 
> the interpreter is implemented in @safe D, then you don't have 
> those problems.
>
>>> Compare this to, let's say, a malformed unicode string 
>>> (exception),
>> malformed JSON data (exception), file not found (exception), 
>> etc.
>>
>> That's because those are input and environmental errors, not 
>> programming
>> bugs.
>
> Not necessarily. A file name could be sourced from the program, 
> but have a typo. An index could come from the environment. The 
> library can't know, but makes assumptions one way or the other. 
> Just like we assume you want to use the GC, these assumptions 
> are harmful for those who need it to be the other way.
>
>> There can be grey areas in classifying problems as input 
>> errors or
>> programming bugs, and those will need some careful thought by 
>> the
>> programmer as to which bin they fall into, and then code 
>> accordingly.
>>
>> Array overflows are not a grey area, however. They are always
>> programming bugs.
>
> Of course, programming bugs cause all kinds of Errors and 
> Exceptions alike. Environmental bugs can cause Array overflows.

I think the idea is that no, array overflows can never be caused 
by the environment in a correct program. If you don't adequately 
screen the environmental input, your program is incorrect.


This is how I think about it:

There are 3 categories of bugs: known safe to survive, known 
unsafe to survive, unknown safety.

Range Errors are an example of errors that can be considered 
"unknown safety", so by default we assume it is unsafe to 
continue.

If you - as the human developer - decide that the specific 
RangeError bug from this place in the code is actually known safe 
to survive, you should add screening for the bad value and throw 
an Exception instead, or if that's difficult to do then catch the 
Error and then throw an Exception*. Note that these aren't fixes 
for the bug, these are explicit recognition of the continued 
existence of the bug while promising (@trusted style) that 
everything will still be OK.

If you decide it is truly an "unsafe to continue" bug, then let 
it carry on crashing there.

Ultimately of course you screen the environment at the 
appropriate level or fix the bug, do the "right thing" whatever 
that may be.

*note that you could abstract this away into an array type that 
throws Exceptions, but where would you know it was safe to use? 
Perhaps not so many places.

Tldr; if you know that a bug is safe to continue/recover from, 
put in the necessary code to do so.


I would be interested to see ideas of how to implement some sort 
of logical sandboxing in D. Perhaps if one calls a strongly pure 
@safe function, there is no way it can mess up shared state, so 
you know that as long as you disregard the result it will always 
be safe to continue... Effectively it's a "process within a 
process" or something like that. Of course you'd need to be able 
to guarantee you can catch Errors, plus even though the function 
you've called can't have *caused* the problem, it might be the 
only place where you *find* the problem and that might be bad 
enough to not want to continue from...

More information about the Digitalmars-d mailing list