Typical security issues in C++: why the GC isn't your enemy

Siarhei Siamashka siarhei.siamashka at gmail.com
Wed Dec 7 04:38:28 UTC 2022 

On Tuesday, 6 December 2022 at 22:26:17 UTC, Sergey wrote:
> On Tuesday, 6 December 2022 at 04:35:18 UTC, Siarhei Siamashka 
> wrote:
>> end users. While D compilers don't offer any reasonable 
>> protection. Except for GDC, which supports `-ftrapv` option as 
>> an undocumented "Easter egg".
>
> What about these modules?
> https://dlang.org/phobos/std_checkedint.html
> https://dlang.org/phobos/core_checkedint.html

Imagine that you have several millions of D code (a big popular 
browser) and you want to do something to safeguard against 
integer overflow bugs and security issues (or at least mitigate 
them). How would these modules help?

In my opinion, the `std.checkedint` module is completely useless 
and there are no practical scenarios in the real world where it 
can help in any meaningful way. I see no real alternative to 
`-ftrapv` or UBSan for integer overflows diagnostics in large 
software projects. But the `core.checkedint` module is surely 
useful *after* you already know the exact part of the code where 
the overflow happens and needs to be patched up.

My reply would be incomplete without mentioning that D compilers 
do have some limited static analysis at compile time, intended to 
improve integer overflows safety: 
https://dlang.org/spec/type.html#vrp
But this analysis doesn't catch everything and it also sometimes 
unnecessarily gets in the way by forcing type casts. So it's not 
good enough. Want to see it in action? Here's one example:

```D
import std.stdio;
void main() {
   long bigsum = 0;
   int min_a = int.max - 50, max_a = int.max - 1;
   int min_b = 50, max_b = 100;
   foreach (a ; min_a .. max_a + 1) {
     foreach (b ; min_b .. max_b + 1) {
       // Compiles fine, but overflows at runtime
       int a_plus_b = a + b;
       bigsum += a_plus_b;
     }
   }
   byte min_c = 1, max_c = 50;
   byte min_d = 1, max_d = 50;
   foreach (c ; min_c .. max_c + 1) {
     foreach (d ; min_d .. max_d + 1) {
       // Won't compile without this explicit cast
       byte c_plus_d = cast(byte)(c + d);
       bigsum += c_plus_d;
     }
   }
   writeln(bigsum);
}
```

```
$ gdc -ftrapv test.d && ./a.out
Aborted

$ gdc test.d && ./a.out
-5471788083929
```

More information about the Digitalmars-d mailing list