Bad array indexing is considered deadly
Steven Schveighoffer via Digitalmars-d
digitalmars-d at puremagic.com
Fri Jun 2 05:04:42 PDT 2017
On 6/1/17 2:29 PM, Walter Bright wrote:
> For your date case, the date was not validated, and was fed into an
> array, where the invalid date overflowed the array bounds. The program
> was relying on the array bounds checking to validate the data.
I think it's important to state that no, I wasn't relying on array
bounds checks to validate the data. I should be validating the data (and
am now). What I had was a bug in my program.
What I have been saying is that in this framework, designed the way it
is, there is no good reason to crash the entire process for such a bug.
There are clear delineations of when the bug is in the "user code"
section of vibe.d (i.e. the code in your project) and when it is in
"system code" (i.e. the vibe.d framework). I want the "system code"
section to continue to function when an out of bounds error happens in
"user code", to give feedback to the user that no, this didn't work,
there was an internal error.
Other frameworks and languages don't have this issue. An out of range
error in PHP doesn't crash apache. Similarly, a segfault in a program
doesn't crash the OS. This is the way I view the layer between vibe.d
framework and the code that handles requests. I get that the memory is
shared, and there's a greater risk of corruption affecting the
framework. The right answer is to physically separate the processes, and
at some point, maybe vibe can move in that direction (I outlined what I
considered a good setup in another post). But a more logical separation
is still possible by requiring for instance that all request handlers
are @safe. Even in that case, crashing the *fiber* and not the entire
process is still preferable in cases where the input isn't properly
validated. Specifically, I'm talking about out-of-bounds failures, and
not general asserts.
This is why I'm still moving forward with making my arrays throw
Exceptions for out-of-bounds issues (and will publish the library to do
so in case anyone else feels the same way).
> 2. Array bounds checking can be turned off by a compiler switch. Program
> data validation should not be silently disabled in such an unexpected
> manner.
Most of your points are based on the assumption that this was a design
decision, so they aren't applicable, but on this point I wanted to say:
IMO, anything that's on the Internet should never have array bounds
checking turned off. The risk is too great.
-Steve
More information about the Digitalmars-d
mailing list