The ISO standard requires at() to be checked, while it leaves for implementations the freedom to decide if operator[]() is checked or not.

As such, checks for operator[]() are usually only enabled in debug builds, although Android and Red-Hat ship with them enabled into production.

Additionally, before C++ got a standard library, the frameworks that were shipped alongside compilers always had those checks enabled by default.

I'll admit I don't have the stats in front of me, but I can practically for guarantee code using std::vector in the wild that [] usage outnumbers .at() usage, probably at least 10 (or even 100) to 1.

C also doesn't have .at(). Considering C and C++ are the most obvious and direct competitors to Rust, bounds checking would be a significant upgrade if Rust paradigms cause it to be used more often.

It does, but as I mentioned, Red-Hat and Android ship with bounds checking enabled via FORTIFY.

C was already a bad option in the mid-90's compared with the alternatives, it is due to the unfortunate adoption of GNU manifesto and POSIX systems that we got where we are.

Hence why the ultimate solution is to have hardware memory tagging for bounds checking, Solaris has been doing it for a decade, ARM is following along, including a collaboration with CHERI, only Intel borked their MPX design, and it seems not to be on RISC-V's radar.

Note that while defaults matter, and given the option one should rather use a safe systems language, if there are ways to do unbound accesses, there will always be some folks going that route because reasons.

> It does, but as I mentioned, Red-Hat and Android ship with bounds checking enabled via FORTIFY.

I was under the impression FORTIFY only checked bounds with specific functions (mostly those starting with "mem" or "str"), and not on general pointer arithmetic. Thus, an OOB array access would not be caught. Am I wrong on this? Online sources seem to agree with my understanding: https://zatoichi-engineer.github.io/2017/10/06/fortify-sourc...

Additionally, FORTIFY does not work on variable length arrays (like std::vector), only those which have a size known at compile time.

> Hence why the ultimate solution is to have hardware memory tagging for bounds checking, Solaris has been doing it for a decade, ARM is following along, including a collaboration with CHERI, only Intel borked their MPX design, and it seems not to be on RISC-V's radar.

Unfortunately, Intel and ARM are the only relevant vendors here (at least in 2022, but for the record I wish the others the best of luck), so Intel's implementation sucking is a huge blow.

> Additionally, FORTIFY does not work on variable length arrays (like std::vector), only those which have a size known at compile time.

You use it alongside other compiler flags to enable them like _GLIBCXX_DEBUG, and FORTIFY levels.

It is not perfect, but since there are domains that won't stop using C and C++ past our lifetimes, that is better than nothing.

The point being made, if we scroll way back up this thread, is that Rust (supposedly, I have maybe 30 mins of experience with it) has these protections built into the language, and doesn't require compiler flags with "DEBUG" in their name to get them.

If this is true, for new projects, such as the experimental OS we're all talking about, Rust (or any language with a similar feature) could be a better choice.

std::vector, with dynamic memory allocation, is not necessarily safe for embedded applications. It seems like Rust provides bounds checks at a primitive level.