Curiously Recurring C++ Bugs

Timon Gehr timon.gehr at gmx.ch
Fri Jul 12 21:16:28 UTC 2024 

On 7/12/24 22:13, Walter Bright wrote:
> On 7/11/2024 3:39 PM, Timon Gehr wrote:
>> - std::vector::operator[]:
>>    D code still suffers from unrecoverable range errors that would 
>> crash the website, it's just not a memory safety issue unless you pass 
>> badly designed compiler flags like `-release`.
> 
> `-release` hasn't turned of bounds checking for something like 15 years. 
> To disable it, `-noboundscheck` is required.
> ...


```d
void main(){
     auto a=[1,2,3];
     a[3]=2;
}
```

```bash
$ dmd -run tt
core.exception.ArrayIndexError at tt.d(4): index [3] is out of bounds for 
array of length 3
----------------
??:? onArrayIndexError [0x5a712bff44b2]
??:? _d_arraybounds_indexp [0x5a712bff180f]
??:? _Dmain [0x5a712bff1780]
```

```bash
dmd -release -run tt
```

(crickets.)

> ...
>>
>>
>> - volatile:
>>    Not clear, but I guess `volatile` is less popular nowadays.
>>    https://dlang.org/phobos/core_volatile.html
> 
> Those are special functions, and the documentation is explicit about 
> what they are for, and not for, and atomic operations are in the "not" 
> category. They are not part of the type system of the language.
> ...

I am aware.

>>    D also does not have a full `shared` story so far.
> 
> It's a far better story than C++ has.
> ...

I acknowledged as much at the beginning of my post.
I like D and I dislike C++.

> 
>> - shared_ptr thread-safe:
>>    Potentially fixed because D has transitive `shared`. But again, 
>> `shared` is unfinished. Or use GC.
> 
> 
>> - shared_ptr bonus bug:
>>    Simple pattern like the one on the slide seem superficially fixable 
>> with DIP1000, but in general in D it is not possible to make smart 
>> pointer dereferencing safe.
> 
> It is possible by blocking any attempts at bypassing the interface of it.
> ...

Well, the example was specifically about the dereference operator 
returning by `ref`.

> 
>> I guess the lessons are:
>>
>> - D also does not have static typing to rule out range errors.
> 
> I don't understand that. If you have resizeable arrays, static typing is 
> not going to give you compile time guarantees.

It can do that. Neither D nor C++, nor other particularly popular 
languages are doing it yet though.

There are entire compilers that have been verified for functional 
correctness by the type systems of their implementation languages. This 
in particular includes absence of runtime errors, which is not even 
prone to misspecification errors.

> ...
> 
>> - D also does not have memory safety for general allocator-backed 
>> container types.
> 
> That wasn't in his talk.
> ...

`shared_ptr` was in the talk. The language-level safety challenges 
remain basically the same, whether you build your data structures out of 
`shared_ptr`s or not.

> ...
>> - finalize `shared`.
> 
> The idea is to disallow use of shared if it cannot be done atomically - 
> std.atomic would need to be used.

At the moment, basic druntime synchronization functionality does not 
compile with `-preview=nosharedaccess`.

Class references cannot be tail-`shared`. etc.

More information about the Digitalmars-d mailing list