Date: Fri, 29 Aug 2025 14:04:36 -0700
> On Aug 29, 2025, at 1:21 PM, Levo D via Std-Proposals <std-proposals_at_[hidden]> wrote:
>>
>>
>>
>> Nothing prevents compilers from checking the uses of std::span and
>> diagnosing provably out of bounds accesses.
>
> IMO it doesn't make much sense to have span bounds check and not do it for other containers and arrays. I figure since array is easy (I'm speaking from experience), that it should be first.
>
When you say array, do you mean C style `type name[size]`?
If so, those are actually substantially harder:
* The size/length postscript in parameters and similar are entirely notional, and aren’t (for historical reasons) actually useful for security by default: the reality is that they have already decayed to pointers at that point, and existing code already depends on that
* As a result you can only know the actual size when interacting with the actual declaration, the moment you lose that connection there is no size info that matters (if you’re interested you can look at the -fbounds-safety proposal in clang to get some idea of just how quickly this information disappears and has to be re-added)
* a raw array does not indicate how much of the array is initialized (alas a span does not give you this either :-/)
All the higher level types explicitly know the bounds, and so can check any access.
> Are there any committee members interested in working with me on an out-of-bounds checks for containers?
Have a look at https://wg21.link/P3471 which I believe did get accepted into C++26, which introduces the concept of “hardened preconditions” to the standard library that make things like bounds checks mandatory.
You can test with libc++ if you want: https://libcxx.llvm.org/Hardening.html
—Oliver
> --
> Std-Proposals mailing list
> Std-Proposals_at_[hidden]
> https://lists.isocpp.org/mailman/listinfo.cgi/std-proposals
Received on 2025-08-29 21:04:50