Subject: Re: FreSSH
To: None <current-users@netbsd.org>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 03/08/2002 00:45:39
In message <mtubsdz8t43.fsf@kinki-sharyo.mit.edu>, Nathan J. Williams writes:
>1) We have thirty years of compiler technology that can optimize out a
>   large fraction of expensive bounds checks.

True enough.

>2) Isn't it worth paying a price for safety? That is the point of this
>   thread, to me; SSH is an application that should be optimized for
>   safety over speed.

It's unclear that the price actually buys you safety.

>3) The low-level things that C allows and that bounds-checking
>   prohibits are almost always bad ideas, unless - and often not even
>   then - you're pounding the metal in the low levels of the
>   kernel. SSH is not doing that.

Fair enough - but to be completely fair, C never allows anything that bounds
checking prohibits, strictly speaking; any bounds violation is undefined
behavior.  So, if you *REALLY* want to solve this problem, take advantage
of those 30 years of optimizations, and do a good bounds-checking
implementation of C.

My best understanding is that the C99 spec, like the C89 spec, is very careful
not to ever prohibit bounds checking, or to make it any more impractical than
it needs to be.  To a certain extent, any language which allows pointers
makes bounds checking hard, but careful study should show that the standard
carefully ensures that any bounds violation is *still* undefined behavior.

-s
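A worked illustration of the point above, added here and not part of the original thread or of any SSH implementation: a small bounds-checked "slice" type in plain C99, where every access goes through an explicit check, so an out-of-range index becomes a reported error rather than the undefined behaviour the standard assigns to an out-of-bounds dereference. The length-prefixed packet layout and the parse_packet() routine are assumptions made for the example; the two sample packets are constructed inline.

```c
/* Added example (not from the thread): bounds-checked slices in C99.
 * Any access outside [base, base+len) is refused instead of being UB.
 * parse_packet() and its 4-byte big-endian length prefix are assumed
 * here for illustration only, not taken from any SSH code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const uint8_t *base;
    size_t len;
} slice_t;

static slice_t slice_make(const uint8_t *p, size_t n) {
    slice_t s = { p, n };
    return s;
}

/* Checked byte read: 0 on success, -1 if idx is out of range. */
static int slice_get(slice_t s, size_t idx, uint8_t *out) {
    if (idx >= s.len) return -1;
    *out = s.base[idx];
    return 0;
}

/* Checked sub-slice [off, off+n): compared against the remaining length
 * so that off + n cannot wrap around size_t. */
static int slice_sub(slice_t s, size_t off, size_t n, slice_t *out) {
    if (off > s.len || n > s.len - off) return -1;
    *out = slice_make(s.base + off, n);
    return 0;
}

/* Checked big-endian uint32 read at off. */
static int slice_get_u32(slice_t s, size_t off, uint32_t *out) {
    slice_t f;
    if (slice_sub(s, off, 4, &f) != 0) return -1;
    *out = ((uint32_t)f.base[0] << 24) | ((uint32_t)f.base[1] << 16)
         | ((uint32_t)f.base[2] << 8)  |  (uint32_t)f.base[3];
    return 0;
}

/* Checked copy of the whole slice into dst, which holds cap bytes. */
static int slice_copy_to(slice_t s, uint8_t *dst, size_t cap) {
    if (s.len > cap) return -1;
    memcpy(dst, s.base, s.len);   /* s.len <= cap, so this cannot overrun */
    return 0;
}

/* Hypothetical wire format: 4-byte length, then payload.  Returns the
 * payload length, or -1 if the declared length does not fit in the
 * bytes actually received (the case an unchecked parser over-reads). */
static long parse_packet(const uint8_t *buf, size_t buflen,
                         uint8_t *payload, size_t cap) {
    slice_t pkt = slice_make(buf, buflen);
    slice_t body;
    uint32_t declared;
    if (slice_get_u32(pkt, 0, &declared) != 0) return -1;
    if (slice_sub(pkt, 4, declared, &body) != 0) return -1;
    if (slice_copy_to(body, payload, cap) != 0) return -1;
    return (long)body.len;
}

/* Constructed sample inputs. */
static const uint8_t GOOD_PKT[] = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };
/* Declares 4096 payload bytes but carries only 3. */
static const uint8_t BAD_PKT[]  = { 0x00, 0x00, 0x10, 0x00, 'a', 'b', 'c' };

static long parse_good(void) {
    uint8_t out[16];
    return parse_packet(GOOD_PKT, sizeof GOOD_PKT, out, sizeof out);  /* 3 */
}

static long parse_bad(void) {
    uint8_t out[16];
    return parse_packet(BAD_PKT, sizeof BAD_PKT, out, sizeof out);    /* -1 */
}

/* Off-by-one probe: index == len is the classic bug; the check refuses it. */
static int probe_off_by_one(void) {
    uint8_t b;
    slice_t s = slice_make(GOOD_PKT, sizeof GOOD_PKT);
    return slice_get(s, sizeof GOOD_PKT, &b);                          /* -1 */
}

int main(void) {
    printf("good packet: %ld\n", parse_good());
    printf("bad packet:  %ld\n", parse_bad());
    printf("off-by-one:  %d\n", probe_off_by_one());
    return 0;
}
```

The checks are ordinary comparisons on values the compiler can see, which is the situation in which an optimizer can hoist or eliminate them in a loop; nothing here relies on behaviour the standard leaves undefined, so a conforming bounds-checking implementation would accept the same code.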