A serious security bug... caused by no bounds checking.

Tommi tommitissari at hotmail.com
Thu Apr 10 10:45:26 PDT 2014


On Thursday, 10 April 2014 at 17:37:53 UTC, Steven Schveighoffer 
wrote:
> On Thu, 10 Apr 2014 13:25:25 -0400, bearophile 
> <bearophileHUGS at lycos.com> wrote:
>
>> Steven Schveighoffer:
>>
>>> No, the author of the @safe code expects bounds checking, 
>>> it's part of the requirements.
>>
>> Take a look at the Ada language. It has bounds checking and its 
>> compilers have a switch to disable those checks. If you want 
>> the bounds checking don't use the switch that disables the 
>> bounds checking. Safety doesn't mean to have no way to work 
>> around safety locks. It means have nice handy locks that are 
>> active on default. In a system language total safety is an 
>> illusion. Better to focus on real world safety and not an 
>> illusion of theoretical safety.
>
> That's why we have @trusted.

No. @trusted is for code that cannot be guaranteed to be 
memory-safe by the compiler (either at runtime or at 
compile-time), but the programmer still wants to promise that the 
code is memory-safe. Array bounds checking doesn't land under 
that moniker; it can be checked by the compiler.
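The distinction Tommi draws, as an added example that is not part of this thread and not code from the D project: a @safe function whose array index the compiler itself guards with a runtime bounds check, beside a @trusted function that does pointer arithmetic the compiler cannot verify, so that the only guard is the explicit length check the programmer writes. The function names (sumSafe, sumTrusted, throwsRangeError) and the sample slice are made up for this illustration. With the runtime check left in, both reject an index one past the end; if the @safe function is compiled with bounds checking disabled (DMD's -noboundscheck at the time of this thread, -boundscheck=off in later releases), its check vanishes while the hand-written one in the @trusted function stays.

```d
// Added example (not from the thread). Build and run with:
//   dmd -run safe_vs_trusted.d
import std.stdio : writeln;
import core.exception : RangeError;

/// @safe: the compiler proves memory safety and inserts a bounds check
/// on every a[i]. Indexing past the end throws a RangeError instead of
/// reading whatever memory follows the slice.
@safe int sumSafe(const int[] a, size_t count)
{
    int total = 0;
    foreach (i; 0 .. count)
        total += a[i];   // compiler-inserted runtime bounds check
    return total;
}

/// @trusted: the body uses raw pointer indexing, which @safe forbids,
/// so the compiler cannot verify it. The programmer promises memory
/// safety, and here that promise rests entirely on the explicit check.
@trusted int sumTrusted(const int[] a, size_t count)
{
    if (count > a.length)
        throw new RangeError("count exceeds slice length");
    const(int)* p = a.ptr;
    int total = 0;
    foreach (i; 0 .. count)
        total += p[i];   // no compiler check; the guard above is the only one
    return total;
}

/// Helper for the demonstration: true if evaluating expr throws RangeError.
bool throwsRangeError(lazy int expr)
{
    try
    {
        expr();
        return false;
    }
    catch (RangeError)
    {
        return true;
    }
}

void main()
{
    const int[] data = [1, 2, 3, 4];   // constructed sample input

    writeln("sumSafe(data, 4)    = ", sumSafe(data, 4));     // 10
    writeln("sumTrusted(data, 4) = ", sumTrusted(data, 4));  // 10

    // One element past the end: caught by the compiler's check in the
    // @safe function, and by the programmer's check in the @trusted one.
    writeln("sumSafe(data, 5) caught:    ", throwsRangeError(sumSafe(data, 5)));
    writeln("sumTrusted(data, 5) caught: ", throwsRangeError(sumTrusted(data, 5)));
}
```

Rebuilding with bounds checking switched off for @safe code turns the first "caught" line to false and silently sums an extra word of memory; the @trusted function keeps throwing, because its check is ordinary code rather than a check the compiler can be told to drop.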

