On Thursday, 16 May 2019 at 16:17:45 UTC, Walter Bright wrote:
> Using asserts and relying on array bounds checking to check the validity of incoming data is incorrect.

A security bug is necessarily a bug in the program's logic.

It should be checked separately, but it should ALSO be checked automatically. In almost all situations. ESPECIALLY in production.

It is defense-in-depth.

On Thu, May 16, 2019 at 04:58:25PM +0000, Adam D. Ruppe via Digitalmars-d wrote:
> On Thursday, 16 May 2019 at 16:41:29 UTC, H. S. Teoh wrote:
> > What we need is a language with the right incentives: bounds checking is default and it takes effort to turn it off (should that ever become necessary), and the standard library should always have an API that take bounds.
> 
> We have that language, it is called D.

I know. ;-)

When arrays come with bounds by default, the API doesn't have to be uglified, and non-library code also benefits from default bounds checking. Win-win.


> The only problem is so many people say "use -release -boundscheck=off" to get an extra percentage point on artificial benchmarks without educating people as to what that REALLY means.

Yeah, good ole premature optimization.  I sympathize, because I used to be like that.  But after so many times of the profiler pointing to a bottleneck that was far, far away from where I imagined it would be, it finally dawned on me that *most* code actually doesn't even matter when it comes to performance. And the small bit of code that's the bottleneck usually is slowed down by something either completely non-obvious (rare), or by something really silly (more common) like a misplaced debug printf that eats up orders of magnitude more cycles than any bounds check ever will.

Not to mention, with a proper optimizing compiler like ldc2 -O3, many inner-loop bounds checks (where it matters) would be optimized away anyway. And if it doesn't, it's usually just a small effort to rewrite the code so that it doesn't need a bounds check.

Slapping -release -boundscheck=off across the board is just ... hamfisted, and usually misguided.


T

-- 
There are two ways to write error-free programs; only the third one works.

Would it much hurt performant bounds-checks-off code if Phobos ranges had an 'assert(0)' on out-of-bounds in their constructors? It would make unchecked array accesses via ranges safe.