Walter Bright <boost@xxxxxxxxxxxxxxx> writes:

> David Kastrup wrote:
>> Walter Bright <boost@xxxxxxxxxxxxxxx> writes:
>>
>>> A canonical example is that of a loop. Consider a simple C loop over
>>> an array:
>>>
>>> void foo(int array[10])
>>> {
>>>     for (int i = 0; i < 10; i++)
>>>     {
>>>         int value = array[i];
>>>         ... do something ...
>>>     }
>>> }
>>>
>>> It's simple, but it has a lot of problems:
>>>
>>> 1) i should be size_t, not int
>>
>> Wrong. size_t is for holding the size of memory objects in bytes, not
>> in terms of indices. For indices, the best variable is of the same
>> type as the declared index maximum size, so here it is typeof(10),
>> namely int.
>
> The easiest way to show the error is consider the code being ported to
> a typical 64 bit C compiler. int's are still 32 bits, yet the array
> can be larger than 32 bits.

Not if it is an array declared of size 10. And if it isn't, you have no
business stating so in the function prototype. Willfully obfuscated
programming does not prove anything.

>>> 2) array is not checked for overflow
>>
>> Why should it?
>
> Because the 10 array dimension is not statically checked in C. I
> could pass it a pointer to 3 ints without the compiler
> complaining. This makes it a potential maintenance problem.

Nonsense. Again, C won't keep you from shooting yourself in the foot.

>>> 3) 10 may not be the actual array dimension
>>
>> Your point is?
>
> Array buffer overflow errors are commonplace in C, because array
> dimensions are not automatically checked at either compile or run
> time.

No, because programmers get things wrong. You can tell C compilers to
check all array accesses, but that is a performance issue. For gcc, we
have

`-fmudflap -fmudflapth -fmudflapir'
     For front-ends that support it (C and C++), instrument all risky
     pointer/array dereferencing operations, some standard library
     string/heap functions, and some other associated constructs with
     range/validity tests.
     Modules so instrumented should be immune to buffer overflows,
     invalid heap use, and some other classes of C/C++ programming
     errors. The instrumentation relies on a separate runtime library
     (`libmudflap'), which will be linked into a program if `-fmudflap'
     is given at link time. Run-time behavior of the instrumented
     program is controlled by the `MUDFLAP_OPTIONS' environment
     variable. See `env MUDFLAP_OPTIONS=-help a.out' for its options.

Why isn't it the default? Because it is a performance issue.

>>> 5) type of array may change, but the type of value may not get
>>> updated
>>
>> Huh?
>
> Let's say our fearless maintenance programmer decides to make it an
> array of longs, not an array of ints. He overlooks changing the type
> of value in the loop.

Again: C does not prevent you from shooting yourself in the foot.

>>> 6) crashes if array is NULL
>>
>> Certainly. Your point being?
>
> I consider an array that is NULL to have no members,

Nobody else does that.

> so instead of crashing the loop should execute 0 times.

If the loop count is zero, this is what will happen.

>>> 7) only works with arrays and pointers
>>
>> Since there are only arrays and pointers in C, not really a
>> restriction.
>
> C has structs, too, as well as more complicated user defined
> collections. Essentially, you cannot (simply) write generic
> algorithms in C, because you cannot (simply) generically express
> iteration.

Of course you can. Macros exist.

>> Most of those are toy concerns. They prevent problems that don't
>> actually occur much in practice.
>
> I beg to differ - buffer overflow bugs are common and expensive.

Then compile your program with appropriate options. The key word is
"option". You don't have to take the performance hit if you don't want
or need it.

-- 
David Kastrup, Kriemhildstr. 15, 44793 Bochum
-
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
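The points argued above can be checked in a few lines of C: whether the `[10]` in `void foo(int array[10])` constrains the caller at all, what the loop looks like when the element count travels with the pointer, how a NULL array with a zero count behaves, and the "macros exist" route to generic iteration over a real array. This is an added example written for this page, not code from either poster; the function and macro names (`ARRAY_LEN`, `FOR_EACH_INDEX`, `sum_fixed10`, `sum_n`, and so on) are mine.

```c
#include <stddef.h>

/* Element count of an array whose array type is visible at the point of
 * use. Only meaningful for true arrays: applied to a pointer, or to an
 * array-typed parameter (which has already decayed to a pointer), it
 * silently yields sizeof(pointer) / sizeof(element). */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Generic index loop over a true array: the bound is derived from the
 * array's type, so it cannot drift away from the data. */
#define FOR_EACH_INDEX(i, a) for (size_t i = 0; i < ARRAY_LEN(a); i++)

/* The loop as posted. The "[10]" is documentation only: the parameter has
 * type int *, and any pointer to int is accepted, with no check. */
int sum_fixed10(int array[10])
{
    int sum = 0;
    for (int i = 0; i < 10; i++) {
        int value = array[i];
        sum += value;
    }
    return sum;
}

/* Decay made visible: inside the function sizeof(array) is the size of a
 * pointer, so nothing about "10" survives the call. */
size_t param_sizeof(int array[10])
{
    return sizeof(array);
}

/* The trap ARRAY_LEN warns about: on an array-typed parameter it does not
 * return 10 (it returns sizeof(int *) / sizeof(int), 2 on LP64). */
size_t array_len_of_param(int array[10])
{
    return ARRAY_LEN(array);
}

/* Length-carrying version: the caller states how many elements exist; the
 * index is size_t because it counts elements of an in-memory object; and a
 * NULL array with n == 0 runs the loop zero times, exactly as discussed. */
long sum_n(const int *array, size_t n)
{
    long sum = 0;
    for (size_t i = 0; i < n; i++) {
        sum += array[i];
    }
    return sum;
}

/* Macro-driven iteration over a real array: bound and data stay together,
 * so the "10 may not be the actual dimension" problem cannot arise here. */
long sum_local_example(void)
{
    /* Constructed sample input: deliberately 12 elements, not 10. */
    int data[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
    long sum = 0;
    FOR_EACH_INDEX(i, data) {
        sum += data[i];
    }
    return sum;
}
```

Build with `gcc -std=c99 -Wall`; GCC warns about `sizeof` on an array parameter, which is the check to keep enabled. Note that the `-fmudflap` options quoted above are historical: libmudflap was removed from GCC in 4.9, and the equivalent run-time checking of the instrumented kind today is `-fsanitize=address` (GCC and Clang), which is likewise an option rather than a default for the same performance reason.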