On Tuesday, 6 December 2022 at 22:26:17 UTC, Sergey wrote:
> On Tuesday, 6 December 2022 at 04:35:18 UTC, Siarhei Siamashka wrote:
>> end users. While D compilers don't offer any reasonable protection. Except for GDC, which supports -ftrapv option as an undocumented "Easter egg".
> What about these modules?
> https://dlang.org/phobos/std_checkedint.html
> https://dlang.org/phobos/core_checkedint.html
Imagine that you have several million lines of D code (a big popular browser) and you want to do something to safeguard against integer overflow bugs and security issues (or at least mitigate them). How would these modules help?
In my opinion, the std.checkedint module is completely useless and there are no practical scenarios in the real world where it can help in any meaningful way. I see no real alternative to -ftrapv or UBSan for integer overflow diagnostics in large software projects. But the core.checkedint module is surely useful after you already know the exact part of the code where the overflow happens and needs to be patched up.
My reply would be incomplete without mentioning that D compilers do have some limited static analysis at compile time, intended to improve integer overflow safety: https://dlang.org/spec/type.html#vrp
But this analysis doesn't catch everything and it also sometimes unnecessarily gets in the way by forcing type casts. So it's not good enough. Want to see it in action? Here's one example:
import std.stdio;

void main()
{
    long bigsum = 0;

    // a and b are both int, so a + b is evaluated in int and can exceed int.max
    int min_a = int.max - 50, max_a = int.max - 1;
    int min_b = 50, max_b = 100;
    foreach (a; min_a .. max_a + 1)
    {
        foreach (b; min_b .. max_b + 1)
        {
            // Compiles fine, but overflows at runtime
            int a_plus_b = a + b;
            bigsum += a_plus_b;
        }
    }

    // c and d are int inside the loops (the range bounds are int), so VRP
    // rejects the narrowing to byte even though the values are tiny
    byte min_c = 1, max_c = 50;
    byte min_d = 1, max_d = 50;
    foreach (c; min_c .. max_c + 1)
    {
        foreach (d; min_d .. max_d + 1)
        {
            // Won't compile without this explicit cast
            byte c_plus_d = cast(byte)(c + d);
            bigsum += c_plus_d;
        }
    }

    writeln(bigsum);
}
$ gdc -ftrapv test.d && ./a.out
Aborted
$ gdc test.d && ./a.out
-5471788083929
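As an added example (not code from the post above and not Phobos' own code; the helper names sumWithCoreCheckedint, sumWithStdCheckedint and sumWidened are mine), here is the overflowing a + b site from the test program patched in the three ways a maintainer could apply once the site is known: core.checkedint.adds with its overflow flag, std.checkedint's Checked!(int, Throw) (the Throw hook raises an Exception on the first overflowing operation, where the default Abort hook would terminate the process), and the plain widening fix that makes the sum exact. The loop ranges are the ones from the original program.

```d
// Added example, not from the original post: the `a + b` site from the test
// program above, patched three ways once the overflowing site is known.
// sumWithCoreCheckedint, sumWithStdCheckedint and sumWidened are names made
// up for this example, not Phobos APIs.
import core.checkedint : adds;
import std.checkedint : Checked, Throw;
import std.stdio : writeln;

// Same loops as the original program. adds() ORs into the overflow flag and
// never clears it, so a single check after the loops catches any overflow.
long sumWithCoreCheckedint(int min_a, int max_a, int min_b, int max_b)
{
    long bigsum = 0;
    bool overflow = false;
    foreach (a; min_a .. max_a + 1)
    {
        foreach (b; min_b .. max_b + 1)
        {
            int a_plus_b = adds(a, b, overflow);
            bigsum += a_plus_b;
        }
    }
    if (overflow)
        throw new Exception("int overflow in a + b (core.checkedint.adds)");
    return bigsum;
}

// Same loops with the left operand wrapped in Checked!(int, Throw); the Throw
// hook throws as soon as a + b leaves the int range, so no flag is needed.
long sumWithStdCheckedint(int min_a, int max_a, int min_b, int max_b)
{
    long bigsum = 0;
    foreach (a; min_a .. max_a + 1)
    {
        foreach (b; min_b .. max_b + 1)
        {
            int a_plus_b = (Checked!(int, Throw)(a) + b).get;
            bigsum += a_plus_b;
        }
    }
    return bigsum;
}

// The actual fix for this site: widen before adding so the sum is exact.
long sumWidened(int min_a, int max_a, int min_b, int max_b)
{
    long bigsum = 0;
    foreach (a; min_a .. max_a + 1)
        foreach (b; min_b .. max_b + 1)
            bigsum += cast(long) a + b;
    return bigsum;
}

void main()
{
    // Ranges from the original program: a + b wraps past int.max
    int min_a = int.max - 50, max_a = int.max - 1;
    int min_b = 50, max_b = 100;

    try
        writeln("core.checkedint: ", sumWithCoreCheckedint(min_a, max_a, min_b, max_b));
    catch (Exception e)
        writeln("core.checkedint detected: ", e.msg);

    try
        writeln("std.checkedint: ", sumWithStdCheckedint(min_a, max_a, min_b, max_b));
    catch (Exception e)
        writeln("std.checkedint detected: ", e.msg);

    writeln("widened to long: ", sumWidened(min_a, max_a, min_b, max_b));

    // Ranges that cannot overflow: all three variants agree
    writeln(sumWithCoreCheckedint(1, 50, 1, 50), " ",
            sumWithStdCheckedint(1, 50, 1, 50), " ",
            sumWidened(1, 50, 1, 50));
}
```

Build it with plain `gdc` or `dmd`, no -ftrapv needed: the first two calls report the overflow through the flag and the hook respectively, and only the widened version produces the exact sum. Note that both checked variants still had to be written at the exact site, which is the point made above about core.checkedint being a patch-up tool rather than a project-wide safeguard.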