The problem with the D GC [OT: Quicksort]

Frits van Bommel fvbommel at REMwOVExCAPSs.nl
Mon Jan 8 14:23:08 PST 2007


Miles wrote:
> I should also mention that this is considered a serious security issue,
> on the same class of the QuickSort algorithm.
> 
> For those not aware of secure programming practices: using QuickSort to
> sort data input by a remote user is considered a bad programming
> practice, because although QuickSort is O(n*log(n)) on average, there is
> a set of input data that makes the algorithm O(n^2). Knowing the
> implementation, an attacker may feed the application with carefully
> crafted data that exploits this weakness.

Of course, if you're only concerned about malicious users sending 
worst-case data (and not about worst-case data appearing randomly) 
there's an easy fix: randomize the data in O(n) :).
Don't laugh, they taught me that in school. And it works, Quicksort will 
remain O(n*log(n)) on average with that simple step performed 
beforehand, no matter the input data.
You'll need to trust your randomizer though, if the attacker can 
influence *that* you're just screwed and should use introsort or merge 
sort or something else with guaranteed O(n*log(n)) behavior if that's 
really what you want...



More information about the Digitalmars-d mailing list