C++ Weekly - Ep 406 - Why Avoid Pointer Arithmetic?

@@idfumg I am well aware of the problems of pointer-arithmetics and do avoid it - we if we see any they will always be flagged during the reviews and need indepth explanation of the rational and the exact behaviour.
But that is not what i am talking about. Not even close.
So please read my comment again cause you haven't really addressed my point, specially with contradictions like "not working in real life" directly followed by "One way of working with that ".

​@@idfumg "There are no contradictions at all because quotes are related to different discussed entities."
You wrote those in direct response top a single statement - then maybe you should try wording it better.
And that still leaves us with you accepting the fact that there are scenarios and people that can and will use pointer-arithmetic correctly and in a way that makes sense.
And you are the one starting with the strawmen of "smart programmers".

@@idfumg "Please, stop trying be toxic and abusive. "
So you come here with strawmen and then claim i would be abusive for showing you contradicting your self? That is some strong delusions.
"First you gazlaited me about some “contradiction”"
And now poisoning the well.
"“Jason, why dare you teach me, I'm the one who already knows enough everything about when to use that”."
And making up more shit.
". So, initially I answered on that arrogance that it is considered bad practice using pointers directly in c++"
As everybody can clearly see - no you didn't.
" without even trying to provide actual problems and reasons. "
Oh funny - Somebody really did that, just that somebody was not me.
" Totally abusive and manipulative speech without any examples and real arguments."
And you are becoming better and better at projecting.
"So, you will be able to change the direction to a positive side of the conversation without harassing"
Ah, the bully crying fowl cause somebody points out that he is a bully.
You came here with strawmen, ad hominem, shifting the goalpost and now more and more just outright lies. You know - that is what is called harassment.

When even those who have mastered C++ can get tripped up by something, you know not to consider it lightly. And always test the hell out of everything!

By using memcpy for the network fields. Anything else you're doing is UB. See also why most uses of reinterpret_cast are UB (Undefined Behavior)

It's 21st century. Time to stop using lexers. You don't need a tokeniser, use proper lexerless parsing algorithms instead (PEG/Packrat, GLR).

@@vitalyl1327 and the benefit is?.. Because it is the 21st century, I presume.

@@ysakhno benefits are numerous: you can mix languages together even if they have very different tokens (no more abominations like asm("...") in C, with assembly stuck into strings), more versatile parsing - better error messages, better error recovery, better auto-generated correction suggestions, etc.
The only benefit of a lexer is a little bit of memory saving. Not relevant even on modern day microcontrollers.

@@vitalyl1327 Perhaps we're using a different definition of lexer then, because my compiler doesn't have a problem with using inline assembly, and I doubt that gcc is restricted to that particular format for any reason other than historical.

@@anon_y_mousse lexer is a separate tokenisation pass that does not have any context, so it will parse something as an identifier always, with the same syntax, alwsys the same syntax for literals, etc. There is absolutely no reason to do it this way while you can tokenise and parse at the same time, having all the context onformation available.
And I did not even mention extensible syntax yet.

I think if you're original buffer is null-terminated then the string_view you create from it will be null-terminated too. Unless you create a sub-string_view.

@@sledgex9 Yeah but that's not what std::string_view communicates in a function signature. If the choice is between "take a std::string and live with the copy", "take a const char * and live with the the less nice API" or "take a std::string_view but segfault/open the wrong file/disclose memory contents/whatever if the string_view points to a buffer that isn't null terminated", option 1 and 2 are miles better than option 3.

good luck trying to break OS abi. c strings are here for eternity

@@GreenJalapenjo Why would it be a problem if string_view point to a buffer that isn't null terminated? If you construct the view with the appropriate constructor that takes the length of the buffer then you won't have a problem.

@@sledgex9 There is no problem with constructing a string_view with a string that isn't null terminated. That's intended use.
There is a problem with taking a string_view and assuming that the pointed-to string is null terminated, exactly *because* constructing a string_view from a string that isn't null terminated is a legal and normal thing to do.

or index arithmetic...

Kind of, but if you use indices you could at least have range checks built into the containers (or spans) but with iterators its not that trivial.@@TsvetanDimitrov1976

Iterators can have bounds-checked accessors.

@@Spielix But is there a guideline that say "only use bound checked iterators"? Does the iterators to the standard containers (the one you use mostly) check their bounds?

Exactly

char a[11] = { 'h', 'e', 'l', 'l', 'o', ',', 'w', 'o', 'r', 'l', 'd' };
const char* bad = a;

@@thelatestartosrs He's right, and it's in the standard. What you've defined is not a valid C string, but a char array and a pointer to it.

​@@anon_y_mousseThe point is, there's no special c "string" type, only the char * type. Therefore it's possible to pass a non-NULL terminated char array to a method which is "supposed to" only accept the defined c string type. A person can cry "foul" all they want about it, but the compiler happily accepts this anyway.

@@mkvalor But there is a standard type. It's not a valid C-string if it's not nul terminated. That doesn't mean that you can't do it, but it's just an ordinary array of char's if it's not nul terminated. I suppose what you're getting hung up on is that the language allows you to incorrectly pass this as input to standard functions, regardless of what kind of static checks are performed to attempt to catch these mistakes. Of course, if you know you have a deficiency in writing string handling code, then you should be using a string library, and there are many to pick from that have been written in the past 30 or 50 years.

Then you can just return sentinel struct that is comparable with iterator type and use iterator/range interface to deal with it, there is nothing inherently wrong with sentinel itself.

@@antagonista8122 not saying there's something wrong with sentinels, just that saying "use string_view" is not a solution

Sentinels can be impaired by some destructive logic and be invalid.

In order to make a reference to the object he did dereference the pointer. Now in reality the reference will just be stored as another pointer itself (I.e. just a copy of the passed pointer value) and the real error would happen when the reference is actually used, but the underlying UB that causes the later crash is the moment when you make a reference out of an out of bounds pointer.

It is actually ub to do pointer arithmetic that points to an invalid memory address, even if you don't dereference it
But I think Jason is still wrong because the standard allows creating a pointer to "one past the last element of an array" (to allow end iterator etc). So a pointer to 3rd element is fine, but deferencing it still is not

True, provided you already have the length. Not so simple if the input string is a null terminated string, so you have to scan it once just to get the length.

That's the whole point of string_view. It enforces a length parameter by having it encoded as the property of the object. Also the compiler will probably optimize away the view and any inefficiency because of it.

@@TsvetanDimitrov1976 If you have a string_view you already have the length, which is what makes this comparison so confusing.

@@Rodrigo-me6nq true, my argument was that in a lot of cases you don't have the string|_view, you only have a cstr provided by some c api

@@sledgex9 Encoding the length as a property of an object or as part of the signature of a function, it's the same thing. You are also expecting a lot from the compiler, I don't think custom calling conventions are that common for non trivial functions.

Just because std::span exists since C++20 doesn't mean it can't be implemented for older versions of C++. There are many 3rd party implementations, e.g. tcb::span, gsl::span etc.

He said you can code an implementation of span using c++11. Not that it was available in c++11.

​@@sledgex9you're right, must have overheard that.

you can use spans only it if you know the length beforehand, which is not true for input iterator category, e.g. getting a string from cin, or network - you either have to first scan it to determine its length or just use the input as it is. both solutions have their use cases.

span is fairly trivial to implement in any version of C++ ... but *gasp* you'd have to use pointer arithmetic to do it!
Fun fact: The standard library, boost, and every other thing you might turn to to "avoid pointer arithmetic" is doing pointer arithmetic for you.
The quiet part that comes after "avoid pointer arithmetic" is "because you're too incompetent. Have someone else do it for you."

Good luck to handle a couple of millions lines of code with pointer arithmetics everywhere. :)

@@idfumg As someone who has to maintain a few projects like that and has written a few, it's not difficult if you do it the right way. I see a lot of newbies copying strings using that horrid example of while ( *d++ = *s++ ); and I about barf every time I see it, but if you don't act like a dingus when writing code then it'll work perfectly fine. In general, always using an index into a string is universally better than incrementing a pointer directly, especially if you're accessing the same point in two different strings. So the better example should be for ( i = 0; s[i]; i++ ) d[i] = s[i]; and you can check Compiler Explorer to see that more often such constructs will generate better code.

@@anon_y_mousse the problem in large code bases is not the syntax you are using. Not the way of writing a loop. It's more about modularity, reliability, consistency, business logic segregation in different domain bounded context, testability, maintainability and readability. Pointer arithmetics allow us to introduce UB which can be very hard to find, logical bugs and code which very hard to maintain and read. Even your the “best” case will introduce accidental complexity and hidden implicit behavior, unnecessary assumptions, which will reduce quality of the code. The cleaner case is not to use an index at all or use an explicit condition with the total size of the string. And not implicit assumptions of \0. Moreover, it's a bad practice not to narrow scope of your variable i and give it the scope of the function. Also, another reason, why s[I] is bad is that the second string can have different size and here we are - writing to random place in memory and segfault. And that happens even in a such a small example you gave.

@@idfumg In the simple example, there's still a lot of code missing, such as allocating for the space where either d or s will reside. However, the general sentiment of using an index versus incrementing the pointer directly accounts for even the case where you may not be dealing with nul terminated buffers, and in such instances would have an exit condition of i < length as opposed to s[i]. The pointer arithmetic method can't be converted so easily to do things that way.

@@anon_y_mousse actually, I worked with the code like that, and I had seen how people struggle days of finding such bugs. The wrong length had been allocated to other array or something like that. Also, if there was an allocation, then we should have a length and be able to use it. Anyway, all of that is leaking abstraction leading to bugs. Such things should be moved to separated generic functionality for all strings, narrowing scope of the possible bugs and testing opportunities.

Errors can happen even by the best, maybe a non null terminated string get passed by accident and maybe it leads to a security vulnerability.

its a problem when the bugs dont introduce a segfault, but instead introduce a security vulnerability in a program that has trusted access to important data or resources. bug free code is important in a lot of places in the real world. not *every* place, but many.

You only get the segfault if you have ASAN/UBSAN or are in general VERY lucky. Otherwise you don't know what you'll get, but the person trying to exploit your program will find the bug for you.

Ever heard of the Guidelines Support Library (GSL)?

I mostly write C, so yay for both of us.

Yeah I thought so to. The operation itself is not unsafe or invalid but because of the applied operation's result exceeds the expected bounds it then becomes the cause as to the next instruction that uses it to be considered unsafe or result in some kind of undefined behavior. Yeah, it's not directly unsafe but it can lead to future unsafe executions which would then make it indirectly unsafe.

I'd say it is unsafe as it relies on a contract that is very unconventional, a '}' terminated string. Given the most likely scenarios that parsing a close brace terminated string would be used in, it is almost certain that it will be asked to parse data from a user or the internet, and without explicit validation to make sure all strings passed have a closing brace, it is a very non-obvious problem. It looks innocent until it blows up.
Mind, I already think zero terminated strings are an issue, but at least it is such a strong convention that the languages and standard libraries have great support for it.

@@oracleoftroy - I'm referring specifically to the code on the screen at the timestamp I marked. The contract of the function that contains line 16 is "You must pass me an array with at least 3 elements", which is a perfectly reasonable contract.
I agree that the determination of who's code is in error is a lot more complex in the parsing examples later on in the video, and that the function blindly looking for the next '}' is probably wrong. The code blindly hunting for the next '\0' is less clear cut. It's relatively easy to just stuff a '\0' character at the end of any buffer you pass it just to make sure.

​@@Omnifarious0 Oh, sorry, my mistake. Jumped too far ahead.
For that case, passing std::array of an explicit size or a struct with exactly N values makes more sense. Passing a pointer that must always hold N elements seems like a very foot gun sort of api. I agree that it could be done, but I dont see what benefit it brings, and it is just asking for someone to make a mistake.
A pointer like that without a size communicates optional reference, and usually one has a size parameter alongside it to communicate 'array'. I only see those sorts of apis in languages where struct-like data isn't laid out efficiently.

I consider it unsafe for C++ code. There were "lower standards" back in the day of C when everything assumed zero-terminated strings and it was assumed that functions would be called with arrays no longer than the function assumes.

No, that is UB.
You are likely thinking of using one-past-the-end pointers/iterators to detect the end of a range, but in those pointers still cannot be dereferenced and are acting like sentinel values rather than pointers.

@@claytorpedo I tested it in constexpr with clang and gcc, clang was more stringent than gcc but neither complained about what I mentioned. That doesn't guarantee that's not UB but it does align with what my understanding was

@@friedkeenan Reading uninitialized memory is UB, full stop. Arrays do not magically allocate and start the lifetime of one extra hidden object for you. Dereferencing a pointer is a read.
You probably aren't testing what you think you are. At best, you may be "dereferencing" the pointer such that it is obvious to the compiler that it is a noop and it is being nice by ignoring it for you.

@@claytorpedo Dereferencing a pointer doesn't read from that reference. It's only when you actually do something with the referred value that the reference is read from. With iterators in general however, it is UB to dereference the one-past-the-end iterator, but not so with pointers afaik.

There are scenarios were reading "outside" the range of an array is allowed - but this certainly is not one of them. This is purely UB. And UB just means that the compiler can do whatever he wants (sadly), which normally means it just assumes what you are doing is "valid" and in many cases it will at least appear to work correctly - till it suddenly crashes.

That's stupid. How do you do rebindable references without pointers? How do do optional references without pointers?

@@GreenJalapenjo std::ref ste::optional, std::shared_ptr, etc. almost every case where you may want to use a raw pointer, you can use something else that is better. If not, you may create your own wrapper.

​@@fcolecumberriI don't see how std::reference_wrapper is better than pointers and they're stupidly verbose. std::shared_ptr only works if you want ownership, it doesn't replace non-owning pointers.

@@GreenJalapenjo There's a difference between complexity and verbosity. Many programmers confuse the two. Less verbiage doesn't translate into less complexity, more efficiency, or faster performance. If you're still programming C++ like it's C, then you're getting no benefit out of using it. You might as well just use plain old C. The extra bit of verbosity helps future proof, better optimize, and make your code more readable and reliable. Besides, use a decent editor with autocomplete facilities if you want to save yourself from typing.

@@bobweiram6321 There's a difference between complexity and verbosity but that doesn't really matter when std::reference_wrapper is both more complex and more verbose does it?
How does reference_wrapper future proof my code? How does it optimize my code? And how the hell is std::reference_wrapper more readable than int*?