October 01, 2009
"SoftBound: Highly Compatible and Complete Spatial Memory Safety for C" by Santosh Nagarakatte, Jianzhou Zhao, Milo M K Martin and Steve Zdancewic:
http://llvm.org/pubs/2009-06-PLDI-SoftBound.html

It's a block of about 6000 lines of C++ code that augments the LLVM compiler, adding extra tests. It avoids out-of-bound situations with pointers. It works after the compilation stage, on the LL code produced by LLVM, so it can be used equally for C or D. Conceptually it looks like a simple thing. Currently it can't be used yet, but I'd like to have a compilation flag in LDC to activate this. In nonrelease mode some of the tests are already present (the bound tests of arrays), so it can avoid putting them in twice (in LDC you can disable only bound tests, and keep assertions, etc.).

From the abstract:
> SoftBound similarly records base and bound information for every pointer as disjoint metadata. This decoupling enables SoftBound to provide spatial safety without requiring changes to C source code. Unlike HardBound, SoftBound is a software-only approach and performs metadata manipulation only when loading or storing pointer values. A formal proof shows that this is sufficient to provide spatial safety even in the presence of arbitrary casts. SoftBound's full checking mode provides complete spatial violation detection with 67% runtime overhead on average. To further reduce overheads, SoftBound has a store-only checking mode that successfully detects all the security vulnerabilities in a test suite at the cost of only 21% runtime overhead on average.

Bye,
bearophile
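A toy model in C of the scheme the abstract describes (base/bound kept per pointer, stored in a disjoint shadow table when a pointer is written to memory, checked on each access), added here as an illustration; it is not SoftBound's code, and the sb_* names, the fixed-size shadow table and the sample arrays are assumptions:

```c
#include <stddef.h>
#include <stdint.h>
/* Toy model of SoftBound's scheme (hypothetical names, not the real LLVM pass):
 * each pointer carries a base/bound pair; when a pointer is stored to memory its
 * metadata goes to a disjoint shadow table keyed by the slot's address, so the
 * program's own data layout stays untouched. */
typedef struct { const char *base, *bound; } sb_meta;
#define SB_SLOTS 64
static struct { const void *slot; sb_meta meta; } sb_shadow[SB_SLOTS];
static int sb_used;

/* Check a real pass inserts before every load/store of `size` bytes at `p`:
 * the whole access must lie inside [base, bound). */
int sb_check(const void *p, size_t size, sb_meta m) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)m.base, hi = (uintptr_t)m.bound;
    return a >= lo && a <= hi && size <= hi - a;
}
/* Instrumented pointer store: write the value and record its metadata. */
void sb_store_ptr(void **slot, void *p, sb_meta m) {
    *slot = p;
    for (int i = 0; i < sb_used; i++)
        if (sb_shadow[i].slot == slot) { sb_shadow[i].meta = m; return; }
    if (sb_used < SB_SLOTS) { sb_shadow[sb_used].slot = slot; sb_shadow[sb_used++].meta = m; }
}

/* Instrumented pointer load: read the value and look up its metadata. */
void *sb_load_ptr(void **slot, sb_meta *m) {
    *m = (sb_meta){ 0, 0 };            /* unknown slot: empty bounds, every check fails */
    for (int i = 0; i < sb_used; i++)
        if (sb_shadow[i].slot == slot) *m = sb_shadow[i].meta;
    return *slot;
}

/* buf[index] via pointer arithmetic: arithmetic leaves the metadata unchanged,
 * so only indices 0..7 pass. */
int sb_index_ok(size_t index) {
    int buf[8];
    sb_meta m = { (char *)buf, (char *)(buf + 8) };
    return sb_check(buf + index, sizeof *buf, m);
}

/* Store a pointer, reload it, then read an int carved out of the char view at a
 * byte offset: the casts do not touch the metadata either. */
int sb_cast_ok(size_t byte_off) {
    static int arr[4];
    void *slot;
    sb_store_ptr(&slot, arr, (sb_meta){ (char *)arr, (char *)(arr + 4) });
    sb_meta m;
    char *c = sb_load_ptr(&slot, &m);  /* same bounds whatever the type */
    return sb_check((int *)(c + byte_off), sizeof(int), m);
}
```

The table lookup stands in for the hashed shadow space a real implementation would use; the point is that the checks depend only on the metadata, never on the pointer's static type.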
October 01, 2009
bearophile wrote:
> "SoftBound: Highly Compatible and Complete Spatial Memory Safety for
> C" by Santosh Nagarakatte, Jianzhou Zhao, Milo M K Martin and Steve
> Zdancewic: http://llvm.org/pubs/2009-06-PLDI-SoftBound.html
> 
> It's a block of about 6000 lines of C++ code that augments the LLVM
> compiler, adding extra tests. It avoids out-of-bound situations with
> pointers. It works after the compilation stage, on the LL code
> produced by LLVM, so it can be used equally for C or D. Conceptually
> it looks like a simple thing. Currently it can't be used yet, but I'd
> like to have a compilation flag in LDC to activate this. In nonrelease
> mode some of the tests are already present (the bound tests of
> arrays), so it can avoid putting them in twice (in LDC you can disable
> only bound tests, and keep assertions, etc.).

I don't think there's much point to this in D. You rarely need to deal with pointers directly. Arrays are already checked.
October 01, 2009
Walter Bright:

> I don't think there's much point to this in D. You rarely need to deal with pointers directly. Arrays are already checked.

In D pointers are much less common than in C, but half of the point of using D is to be able to use pointers too, when you want to implement your own data structures; otherwise it may be better to just use Java in the first place. So in my opinion adding optional safeties to D pointers can be useful.

The good things about the design of SoftBound are that it looks simple to implement (and LDC may probably just use/adapt the already existing implementation), it's logically sound, it doesn't change the behaviour of the C/D program and works with most or all programs, it's safe, it doesn't need changes to the source code of programs to be used, and the performance and memory overhead it introduces is usually acceptable in nonrelease mode (there are two different usage modes). I have seen more than ten similar systems for C; this one looks simple and effective enough.

Bye,
bearophile