Re: Bounds Checking

[beck () BOFH UCS UALBERTA CA (Bob Beck)]

> [ language religious wars, machines with hardware bounds checking ]
...
> array.setvalue(...)) you could implement yourself some nice safe arrays. I
> think this is much better than having the bounds checker built into the
> compiler do something annoying and not under your control (by Murphy, the
> opposite of what you'd like it to do) when bounds are overrun. It's secure
> if the program quits when you pass it 10k 'X' characters looking for a
> crash, but it's _elegant_ if the program deals with the error internally
> rather than relying on the compiler's bounds checking code. It also gives
> power to the programmer, which is the point of not using visual basic :).

        "If the program deals with the error internally" - sounds like
manual bounds checking to me. Sure, bounds enforcement, even in your
own library, can stop the buffer overruns in your bad code (lets not
talk about the libraries you linked with, etc. etc.). But will it do
the right thing? What is the right thing to do when you get 10k of X
characters? Is it to stop(or do arbitrary something) with a bounds
checking exception? No. That's a bug. Might be you've prevented a
buffer overrun, and might be in another circumstance that you've
created a security problem by the fact that your program is no longer
running or not doing what you expected it to be doing. Maybe a denial
of service, maybe the fact that your program has gone away lets me
pretend to be your program. Maybe your program was the front door that
has now exited. Not having a buffer overrun is nice, but in and of
itself solves nothing if the code isn't always doing the right thing.
The right thing to do may be different for 10 different pieces of
program - exiting, discarding the input, giving an error, logging the
attempt, or notifying the admin to come after the source of the
problem with a LART..  Improper handling of unexpected input is a bug,
and "proper" is very context dependent.

        If you have to "do the right thing" in your unexpected input
case, no bounds checking(language/compiler/library/class/whatnot) is
going to do it for you. The programmer still has to know what the
right thing to do is, and have the code identifying the exceptional
cases and handling them.  Does it mean they can screw it up and count
on the the bounds checking to have you exit?  perhaps, if
implementation of the language isn't flawed, (heaven knows C++ and
Java implementations are never flawed :) Are there languages where it
may be easier to implement doing the right thing? Sure. since
whatever's easier for you to do the right thing in is probably a
decent choice. Will automatic <something happening> on bounds
violations make programmers more or less careful about writing better
code and dealing with it the "right way"?  I don't know about that
one, particularly in the death-march-sell-it-now-fix-it-later modus
operandi of an awful lot of modern software development.

        Cheers,

        -Bob

--
Bob Beck                                   Computing and Network Services
beck () bofh ucs ualberta ca                           University of Alberta
True Evil hides its real intentions in its street address.