Bad array indexing is considered deadly
Moritz Maxeiner via Digitalmars-d
digitalmars-d at puremagic.com
Wed May 31 14:43:58 PDT 2017
On Wednesday, 31 May 2017 at 21:00:43 UTC, Steven Schveighoffer wrote:
> On 5/31/17 3:17 PM, Moritz Maxeiner wrote:
>> On Wednesday, 31 May 2017 at 13:04:52 UTC, Steven
>> Schveighoffer wrote:
>>> [...]
>>>
>>> What are your thoughts? Have you run into this? If so, how
>>> did you
>>> solve it?
>>>
>>
>> It is not that accessing the array out of bounds *leading* to
>> data
>> corruption that is the issue here, but that in general you
>> have to
>> assume that the index *being* out of bounds is itself the
>> *result* of
>> *already occurred* data corruption;
>
> To be blunt, no this is completely wrong.
I disagree.
> Memory corruption *already having happened* can cause any
> number of errors.
Correct, of which out of bounds array is *one*.
> The point of bounds checking is to prevent memory corruption in
> the first place.
That is *one* of the purposes. The other is to abort in case of
already occurred memory corruption.
> I could memory corrupt the length of the array also (assuming a
> dynamic array), and bounds checking merrily does nothing to
> stop further memory corruption.
Yes, that is one case in which out of bounds checks do not help;
but that changes nothing for the case we were talking about.
>
> The runtime should not assume that crashing the whole program
> is necessary when an integer is out of range.
Without *any* other information, I think it should.
> Preventing actual corruption, yes that is good. But an
> Exception would have done the job just fine.
If it were only about further memory corruption, yes, but as I
said, my argument about preexisting corruption remains.
>
> But that ship, as I said elsewhere, has sailed. We can't change
> it to Exception now, as that would break just about all nothrow
> code in existence.
Sure.
>
>> So in your specific use case I would say use a wrapper. This
>> is one of
>> the reasons why I am working on my own library for data
>> structures (libds).
>
> That is my conclusion too. Is your library in a usable state?
Well, since I really needed only a single data structure at the
time, it only contains a binary heap so far, but I believe it to
be usable. I intend to add a dynamic array implementation next.
> Perhaps we should not repeat efforts, though I wasn't planning
> on making a robust public library for it :)
Well, you can take a look at the binary heap implementation[1]
and decide if that is a style you are interested in, but it does
currently use errors for things such as removing an element when
the heap is empty; I am not sure what I intend to do there,
but I might make it configurable via the Conf template parameter
in a design-by-introspection style.
[1] https://github.com/Calrama/libds
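A wrapper of the kind suggested in the reply above, written as an added example rather than code from libds or the thread: a policy parameter (a hypothetical stand-in for the Conf parameter mentioned) selects whether an out-of-bounds index raises a recoverable Exception or an Error, and a nothrow function shows why only the Error form is usable there. The names Checked, ThrowException, AbortWithError and first are assumptions of this example.

```d
import std.format : format;

/// Policy: recoverable failure for callers that can catch it and continue.
struct ThrowException
{
    static void fail(size_t index, size_t length)
    {
        throw new Exception(format("index %s out of bounds for length %s", index, length));
    }
}

/// Policy: treat the bad index as evidence of a broken invariant and throw an
/// Error (aborts unless deliberately caught); nothrow code may still instantiate it.
struct AbortWithError
{
    static void fail(size_t, size_t) nothrow @safe pure { throw new Error("index out of bounds"); }
}

/// Wrapper over a dynamic array whose out-of-bounds reaction is chosen by Policy
/// (a hypothetical stand-in for the Conf parameter discussed above).
struct Checked(T, Policy = ThrowException)
{
    private T[] data;
    this(T[] items) { data = items; }

    ref inout(T) opIndex(size_t i) inout
    {
        if (i >= data.length)
            Policy.fail(i, data.length);
        return data[i];
    }
}

// nothrow code can only instantiate the Error policy; with ThrowException this
// would not compile, which is the compatibility constraint raised in the thread.
int first(ref Checked!(int, AbortWithError) a) nothrow { return a[0]; }

void main()
{
    import std.stdio : writeln;
    auto arr = Checked!int([10, 20, 30]);      // default policy: recoverable Exception
    assert(arr[1] == 20);
    try { auto x = arr[7]; assert(false, "unreachable"); }
    catch (Exception e) writeln("recovered: ", e.msg);
    auto strict = Checked!(int, AbortWithError)([10, 20, 30]);
    assert(first(strict) == 10);               // in range: usable from nothrow code
    // strict[7] would throw an Error here and terminate the program.
}
```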