https://www.youtube.com/watch?v=RK9bfrsMdAM
@fj Yet another data point that enabling bounds checking has almost no cost with modern compilers - and yet folks still believe that it does and push towards insecure-by-default designs (see `std::vector` `at()` versus `operator[]`).
One step further than `-fbounds-safety` would be Checked C (https://github.com/microsoft/checkedc), but that would require making some incremental code changes (à la TypeScript).
Checked C is an extension to C that lets programmers write C code that is guaranteed by the compiler to be type-safe. The goal is to let people easily make their existing C code type-safe and elim...
@fj At Apple, I maintained a lot of C code in the OS written in the past by others using many of the libc (and BSD) functions that are considered to be "unsafe", but I never had time to rewrite all of that code because often "feature work > maintenance work". If I were still working, I would have used -fbounds-safety in all of those code bases.
Note that much of that old code did its own bounds checking (for example, by checking string lengths against the buffer size before calling strcat), but I'm sure it could have been done more efficiently.
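As an added illustration of the hand-rolled pattern the post above describes (measuring lengths against the buffer size before calling strcat), here is a portable C example. It is not code from either poster or from any Apple code base; the function name `append_checked`, the 8-byte and 4-byte buffers and the inputs are all constructed for the demo. It shows the edge cases such a guard has to get right: the exact-fit case, the one-byte-over case (destination left untouched), and a destination with no terminator inside the buffer.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hand-rolled bounds check around strcat: measure before the unsafe call,
 * refuse if the result would not fit. (Constructed example, not production
 * code.) Returns 0 on success. Returns -1 and leaves dst untouched if dst has
 * no terminator within dstsize bytes or if src plus its NUL would overflow. */
int append_checked(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;

    size_t dstlen = strnlen(dst, dstsize);   /* never scans past the buffer */
    if (dstlen == dstsize)
        return -1;                           /* unterminated: cannot append safely */

    size_t avail  = dstsize - dstlen - 1;    /* bytes free, excluding the NUL */
    size_t srclen = strlen(src);
    if (srclen > avail)                      /* subtract, never add: no wraparound */
        return -1;

    strcat(dst, src);                        /* now provably in bounds */
    return 0;
}

/* Exercises the edge cases on constructed buffers and returns how many of
 * the expected outcomes were observed (4 when everything behaves). */
int run_demo(void)
{
    int ok = 0;
    char buf[8] = "hello";                   /* 5 chars + NUL, 2 bytes spare */

    /* "hello" + "!!" = 7 chars + NUL = exactly 8 bytes: allowed. */
    if (append_checked(buf, sizeof buf, "!!") == 0 && strcmp(buf, "hello!!") == 0)
        ok++;
    /* One more byte would need 9: refused, and buf is unchanged. */
    if (append_checked(buf, sizeof buf, "x") == -1 && strcmp(buf, "hello!!") == 0)
        ok++;
    /* Appending the empty string to a full buffer is still fine. */
    if (append_checked(buf, sizeof buf, "") == 0 && strcmp(buf, "hello!!") == 0)
        ok++;
    /* An unterminated destination is refused rather than scanned off the end. */
    char raw[4] = {'a', 'b', 'c', 'd'};
    if (append_checked(raw, sizeof raw, "") == -1)
        ok++;

    printf("%d of 4 checks behaved as expected\n", ok);
    return ok;
}

int main(void)
{
    return run_demo() == 4 ? 0 : 1;
}
```

The point of the thread is that every such guard has to be written and maintained by hand at each call site; a compiler-inserted check on annotated pointers (what `-fbounds-safety` is for) makes the same guarantee without the per-call boilerplate, and the cost the posters measured for it is negligible.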