←back to thread

The C23 edition of Modern C

(gustedt.wordpress.com)
515 points bwidlar | 2 comments | 15 Oct 24 16:06 UTC | HN request time: 0.447s | source
Show context
ralphc ◴[15 Oct 24 18:30 UTC] No.41851601[source]
How does "Modern" C compare safety-wise to Rust or Zig?
replies(4): >>41852048 #>>41852113 #>>41852498 #>>41856856 #
WalterBright ◴[15 Oct 24 19:18 UTC] No.41852113[source]
Modern C still promptly decays an array to a pointer, so no array bounds checking is possible.

D does not decay arrays, so D has array bounds checking.

Note that array overflow bugs are consistently the #1 problem with shipped C code, by a wide margin.

replies(2): >>41852316 #>>41857792 #
layer8 ◴[15 Oct 24 19:39 UTC] No.41852316[source]
> no array bounds checking is possible.

This isn’t strictly true, a C implementation is allowed to associate memory-range (or more generally, pointer provenance) metadata with a pointer.

The DeathStation 9000 features a conforming C implementation which is known to catch all array bounds violations. ;)

replies(4): >>41852348 #>>41852932 #>>41854734 #>>41855111 #
uecker ◴[15 Oct 24 19:42 UTC] No.41852348[source]
Right. Also it might it sound like array-to-pointer decay is forced onto the programmer. Instead, you can take the address of an array just fine without letting it decay. The type then preserves the length.
replies(2): >>41853029 #>>41854211 #
WalterBright ◴[15 Oct 24 23:36 UTC] No.41854211[source]
C: int foo(int a[]) { return a[5]; }

    int main() {
        int a[3];
        return foo(a);
    }

    > gcc test.c
    > ./a.out
Oops.

D: int foo(int[] a) { return a[5]; }

    int main() {
        int[3] a;
        return foo(a);
    }

    > ./cc array.d
    > ./array
    core.exception.ArrayIndexError@array.d(1): index [5] is out of bounds for array of length 3
Ah, Nirvana!

How to fix it for C:

https://www.digitalmars.com/articles/C-biggest-mistake.html

replies(2): >>41856518 #>>41859824 #
uecker ◴[16 Oct 24 07:33 UTC] No.41856518[source]
You need to take the address of the array instead of letting it decay and then size is encoded in the type:

  int foo(int (*a)[6]) { return a[5]; }
  int main() {
  int a[3];
    return foo(&a);
  }
Or for run-time length:

  int foo(int n, int (*a)[n]) { return (\*a)[5]; }
  int main() {
    int a[3];
    return foo(ARRAY_SIZE(a), &a);
  }
  /app/example.c:4:38: runtime error: index 5 out of bounds for 
 type 'int[n]'
https://godbolt.org/z/dxx7TsKbK\*
replies(2): >>41862243 #>>41869100 #
1. marcodiego ◴[17 Oct 24 12:40 UTC] No.41869100[source]
\* what operator is this? I have never seen it. Where can I read about it?
replies(1): >>41871820 #
2. aw1621107 ◴[17 Oct 24 17:42 UTC] No.41871820[source]
My guess is that it was intended to escape the * since unescaped * in regular text on HN results in italics. Since the text in question is in a code block, though, that escaping is not needed.