Date: Fri, 29 Aug 2025 21:48:43 +0000
On Fri, Aug 29, 2025 at 02:04:36PM -0700, Oliver Hunt wrote:
>
>
> > On Aug 29, 2025, at 1:21 PM, Levo D via Std-Proposals <std-proposals_at_[hidden]> wrote:
> >>
> >>
> >>
> >> Nothing prevents compilers from checking the uses of std::span and
> >> diagnosing provably out of bounds accesses.
> >
> > IMO it doesn't make much sense to have span bounds check and not do it for other containers and arrays. I figure since array is easy (I'm speaking from experience), that it should be first.
> >
>
> When you say array, do you mean C style `type name[size]`?
>
> If so, those are actually substantially harder:
>
> * The size/length postscript in parameters and similar are entirely notional, and aren’t (for historical reasons) actually useful for security by default: the reality is that they have already decayed to pointers at that point, and existing code already depends on that
> * As a result you can only know the actual size when interacting with the actual declaration, the moment you lose that connection there is no size info that matters (if you’re interested you can look at the -fbounds-safety proposal in clang to get some idea of just how quickly this information disappears and has to be re-added)
> * a raw array does not indicate how much of the array is initialized (alas a span does not give you this either :-/)
>
> All the higher level types explicitly know the bounds, and so can check any access
My proposal wouldn't work once arrays decay into pointers. In hindsight I should have added that to the motivation.
The slice syntax exists so it's reasonable to use a 4k array with something expecting 256 bytes.
Received on 2025-08-29 21:48:44