Bad array indexing is considered deadly

Arafel via Digitalmars-d digitalmars-d at puremagic.com
Fri Jun 2 04:55:27 PDT 2017 

On 06/02/2017 01:26 PM, Steven Schveighoffer wrote:
> 
> If only that is what happened, I would not have started this thread!
> 
> In any case, the way forward is clear -- create containers that don't 
> throw Error, and make them easy to use.
> 
> I think I will actually publish them, because it's a very useful thing 
> to have. You can validate your input all you want, but if you have a 
> program bug, or there is something you didn't consider, then the entire 
> server isn't crashed because of it. I *like* the bounds checking, I 
> don't have to translate back to the input what it will mean for every 
> array access in the function -- the simple check is enough.
> 
> Still good to have it auto-restart, which I will also do. But having 
> some sort of feedback to the client, and an attempt to continue on with 
> other unrelated requests is preferable.
> 
> -Steve


Hi,

I think that most people agree that an out-of-bounds access is a bug 
that needs to be fixed, this shouldn't be an acceptable way of running 
the program.

The question here seems to be what to do *in the meanwhile*, and here is 
the problem. I can understand the position that from a theoretical point 
of view the process is already unsafe at this point, and that the best 
option is to stop (and restart if needed).

But, in the real world if I've got a (web)server that has proper 
isolation, I'd much rather have a server that sends back a 500 [error 
message] for the buggy page and keeps working otherwise, than one that 
is killed and has to be restarted every time a buggy page is asked.

Think that it can be a multithreaded server, and that other ongoing (and 
safe!) tasks might be affected, and that safe restart, even when 
available, often has a performance hit.

I agree that one (perhaps even the proper) way to get this is through 
process isolation, but this doesn't mean that the language shouldn't 
allow it if needed and explicitly required. There are ways for the 
programmer to explicitly disable most other security features 
(__gshared, casting away shared and immutable, @trusted code, etc.) so 
why not this one?

Perhaps an intermediate solution would be to offer a compiler switch 
that allows Errors to be safely caught (that is, they behave as 
exceptions). As far as I understand from reading this thread, that's 
already the case in debug builds, so it cannot be that bad practice, but 
it would be nice to have a mode that it's otherwise "release", only with 
this feature turned on.

Even better would be to turn on this behaviour on a per-function basis 
(say @throwErrors). Although perhaps that'd be promoting this behaviour 
a bit too much...

Anyway, just 2ยข from a half-newbie (okay, still full-newbie :) )

More information about the Digitalmars-d mailing list