![\"industrsy\"](\"https:\/\/www.modernescpp.com\/wp-content\/uploads\/2019\/09\/industrsy.jpg\")
<\/p>\nToday’s post concerns the second C++ Core Guidelines: Bounds Safety profile. The goal of the profile bounds safety is that you operate inside the bounds of allocated memory.<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
The profile names the two enemies for bounds safety: pointer arithmetic and array indexing. Additionally, when you use a pointer, it should only address a single object but not an array. To complete the profile bounds safety, you should combine it with the rules to type safety and lifetime safety. Type safety was the topic of my two previous posts: C++ Core Guidelines: Type Safety<\/a> and C++ Core Guidelines: Type Safety by Design<\/a>. Lifetime safety will be the topic of my next post.<\/p>\n Bounds safety consists of four rules:<\/p>\n The four rules to bounds safety mention three rules of the C++ core guidelines. As in the last posts to the profiles, I will make my additions if necessary.<\/p>\n<\/p>\n The reason for the three rules boils down to the three do’s: pass pointers to single objects (only), keep pointer arithmetic simple, and use std::span.<\/span> The first do can also be formulated negatively: don’t pass pointers to arrays. I assume you don’t know std::span. std::span<T><\/span> represents a non-owning range of contiguous memory. This range can be an array, a pointer with a size, or a std::vector<\/span>.<\/p>\n Let me cite the words of the guidelines: “Complicated pointer manipulation is a major source of errors<\/em>.”. Why should we care? Of course, our legacy code is full of functionality, such as this example:<\/p>\n <\/p>\n The main issue with this code is that the caller must provide the correct length of the C-array. If not, we get undefined behavior.<\/p>\n Think about the last lines (1) and (2) for a few seconds. We start with an array and remove its type information by passing it to the function f. This process is called an array to pointer decay and is the reason for many errors. Maybe we had a bad day, and we counted the number of elements wrong, or the size of the C-array changed. Anyway, the result is the same: undefined behavior. The same argumentation will also hold for a C-string.<\/p>\n What should we do? We should use a suitable data type. C++20 supports std::span<\/span><\/span>. Have a look here:<\/p>\n <\/p>\n Fine! std::span<\/span> checks at run-time its boundaries.<\/p>\n But I hear your complaints: We don’t have C++20. No problem. It’s pretty easy to rewrite the functions f<\/span> <\/span>using the container std:<\/span>:array<\/span> and the method std::array::at<\/span>. Here we are:<\/p>\n <\/p>\nBounds Safety<\/a><\/h3>\n
\n
<\/code><\/code><\/li>\nBounds.1: Don\u2019t use pointer arithmetic,
<\/code><\/code>Bounds.2: Only index into arrays using constant expressions and Bounds.3: No array-to-pointer decay<\/h3>\n\nvoid<\/span> f<\/span>(int<\/span>*<\/span> p, int<\/span> count)\r\n{\r\n if<\/span> (count <<\/span> 2<\/span>) return<\/span>;\r\n\r\n int<\/span>*<\/span> q =<\/span> p +<\/span> 1<\/span>; \/\/ BAD<\/span>\r\n\r\n int<\/span> n =<\/span> *<\/span>p++<\/span>; \/\/ BAD<\/span>\r\n\r\n if<\/span> (count <<\/span> 6<\/span>) return<\/span>;\r\n\r\n p[4<\/span>] =<\/span> 1<\/span>; \/\/ BAD<\/span>\r\n\r\n p[count -<\/span> 1<\/span>] =<\/span> 2<\/span>; \/\/ BAD<\/span>\r\n\r\n use(&<\/span>p[0<\/span>], 3<\/span>); \/\/ BAD<\/span>\r\n}\r\n\r\nint<\/span> myArray[100<\/span>]; \/\/ (1)<\/span>\r\n\r\nf(myArray, 100<\/span>), \/\/ (2)<\/span>\r\n<\/pre>\n<\/div>\n\nvoid<\/span> f<\/span>(span<<\/span>int<\/span>><\/span> a) \/\/ BETTER: use span in the function declaration<\/span>\r\n{\r\n if<\/span> (a.length() <<\/span> 2<\/span>) return<\/span>;\r\n\r\n int<\/span> n =<\/span> a[0<\/span>]; \/\/ OK<\/span>\r\n\r\n span<<\/span>int<\/span>><\/span> q =<\/span> a.subspan(1<\/span>); \/\/ OK<\/span>\r\n\r\n if<\/span> (a.length() <<\/span> 6<\/span>) return<\/span>;\r\n\r\n a[4<\/span>] =<\/span> 1<\/span>; \/\/ OK<\/span>\r\n\r\n a[count -<\/span> 1<\/span>] =<\/span> 2<\/span>; \/\/ OK<\/span>\r\n\r\n use(a.data(), 3<\/span>); \/\/ OK<\/span>\r\n}\r\n<\/pre>\n<\/div>\n\n\/\/ spanVersusArray.cpp<\/span>\r\n\r\n#include <algorithm><\/span>\r\n#include <array><\/span>\r\n\r\nvoid<\/span> use<\/span>(int<\/span>*<\/span>, int<\/span>){}\r\n\r\nvoid<\/span> f<\/span>(std::<\/span>array<<\/span>int<\/span>, 100<\/span>>&<\/span> a){\r\n\r\n if<\/span> (a.size() <<\/span> 2<\/span>) return<\/span>;\r\n\r\n int<\/span> n =<\/span> a.at(0<\/span>); \r\n\r\n std::<\/span>array<<\/span>int<\/span>, 99<\/span>><\/span> q;\r\n std::<\/span>copy(a.begin() +<\/span> 1<\/span>, a.end(), q.begin()); \/\/ (1)<\/span>\r\n\r\n if<\/span> (a.size() <<\/span> 6<\/span>) return<\/span>;\r\n\r\n a.at(4<\/span>) =<\/span> 1<\/span>; \r\n\r\n a.at(a.size() -<\/span> 1<\/span>) =<\/span> 2<\/span>;\r\n\r\n use(a.data(), 3<\/span>); \r\n}\r\n\r\nint<\/span> main<\/span>(){\r\n\r\n std::<\/span>array<<\/span>int<\/span>, 100<\/span>><\/span> arr{};\r\n\r\n f(arr);\r\n \r\n}\r\n<\/pre>\n<\/div>\n