The C23 edition of Modern C

(gustedt.wordpress.com)

515 points bwidlar | 4 comments | 15 Oct 24 16:06 UTC | HN request time: 0.849s | source

Show context

ralphc ◴[15 Oct 24 18:30 UTC] No.41851601[source]▶

>>41850017 (OP) #

How does "Modern" C compare safety-wise to Rust or Zig?

replies(4): >>41852048 #>>41852113 #>>41852498 #>>41856856 #

WalterBright ◴[15 Oct 24 19:18 UTC] No.41852113[source]▶

>>41851601 #

Modern C still promptly decays an array to a pointer, so no array bounds checking is possible.

D does not decay arrays, so D has array bounds checking.

Note that array overflow bugs are consistently the #1 problem with shipped C code, by a wide margin.

replies(2): >>41852316 #>>41857792 #

layer8 ◴[15 Oct 24 19:39 UTC] No.41852316[source]▶

>>41852113 #

> no array bounds checking is possible.

This isn’t strictly true, a C implementation is allowed to associate memory-range (or more generally, pointer provenance) metadata with a pointer.

The DeathStation 9000 features a conforming C implementation which is known to catch all array bounds violations. ;)

replies(4): >>41852348 #>>41852932 #>>41854734 #>>41855111 #

uecker ◴[15 Oct 24 19:42 UTC] No.41852348[source]▶

>>41852316 #

Right. Also it might it sound like array-to-pointer decay is forced onto the programmer. Instead, you can take the address of an array just fine without letting it decay. The type then preserves the length.

replies(2): >>41853029 #>>41854211 #

WalterBright ◴[15 Oct 24 23:36 UTC] No.41854211[source]▶

>>41852348 #

C: int foo(int a[]) { return a[5]; }

    int main() {
        int a[3];
        return foo(a);
    }

    > gcc test.c
    > ./a.out

Oops.

D: int foo(int[] a) { return a[5]; }

    int main() {
        int[3] a;
        return foo(a);
    }

    > ./cc array.d
    > ./array
    core.exception.ArrayIndexError@array.d(1): index [5] is out of bounds for array of length 3

Ah, Nirvana!

How to fix it for C:

https://www.digitalmars.com/articles/C-biggest-mistake.html

replies(2): >>41856518 #>>41859824 #

1. uecker ◴[16 Oct 24 07:33 UTC] No.41856518[source]▶

>>41854211 #

You need to take the address of the array instead of letting it decay and then size is encoded in the type:

  int foo(int (*a)[6]) { return a[5]; }
  int main() {
  int a[3];
    return foo(&a);
  }

Or for run-time length:

  int foo(int n, int (*a)[n]) { return (\*a)[5]; }
  int main() {
    int a[3];
    return foo(ARRAY_SIZE(a), &a);
  }
  /app/example.c:4:38: runtime error: index 5 out of bounds for 
 type 'int[n]'

https://godbolt.org/z/dxx7TsKbK\*

replies(2): >>41862243 #>>41869100 #

2. WalterBright ◴[16 Oct 24 18:35 UTC] No.41862243[source]▶

>>41856518 (TP) #

  int foo(int n, int (*a)[n]) { return (\*a)[5]; }
  int main() {
    int a[3];
    return foo(ARRAY_SIZE(a), &a);
  }

That syntax is why array overflows remain the #1 problem with C bugs in shipped code. It isn't any better than:

  int foo(size_t n, int* a) { assert(5 < n); return a[5]; }
  int main() {
    int a[3];
    return foo(ARRAY_SIZE(a), a);
  }

as the array dimension has to be handled separately from the pointer.

Contrast with how simple it is in D:

    int foo(int[] a) { return a[5]; }
    int main() {
        int[3] a;
        return foo(a);
    }

and the proof is shown by array overflow bugs in the wild are stopped cold. It can be that simple and effective in C.

3. marcodiego ◴[17 Oct 24 12:40 UTC] No.41869100[source]▶

>>41856518 (TP) #

\* what operator is this? I have never seen it. Where can I read about it?

replies(1): >>41871820 #

4. aw1621107 ◴[17 Oct 24 17:42 UTC] No.41871820[source]▶

>>41869100 #

My guess is that it was intended to escape the * since unescaped * in regular text on HN results in italics. Since the text in question is in a code block, though, that escaping is not needed.

↑