[libcxx-commits] [libcxx] [libc++][hardening] Check bounds on arithmetic in __bounded_iter (PR #78876)
Louis Dionne via libcxx-commits
libcxx-commits at lists.llvm.org
Thu Feb 15 13:05:07 PST 2024
================
@@ -31,13 +31,10 @@ _LIBCPP_BEGIN_NAMESPACE_STD
// Iterator wrapper that carries the valid range it is allowed to access.
//
// This is a simple iterator wrapper for contiguous iterators that points
-// within a [begin, end) range and carries these bounds with it. The iterator
-// ensures that it is pointing within that [begin, end) range when it is
-// dereferenced.
-//
-// Arithmetic operations are allowed and the bounds of the resulting iterator
-// are not checked. Hence, it is possible to create an iterator pointing outside
-// its range, but it is not possible to dereference it.
+// within a [begin, end] range and carries these bounds with it. The iterator
+// ensures that it is pointing within [begin, end) range when it is
+// dereferenced. It also ensures that it is never iterated outside of
+// [begin, end].
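Review bot: the second `+` line reads "pointing within [begin, end) range" and drops the article that the removed text had; suggest "pointing within the [begin, end) range". Since the PR title scopes this to hardening, it would also help if the comment said that both the dereference check and the new arithmetic check are hardening assertions, so "ensures" is not read as a guarantee in unhardened builds.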
----------------
ldionne wrote:
Is something like this library-level UB?
```c++
#include <span>

int array[32];
std::span<int> span(array);
std::span<int> sub = span.subspan(0, 16);
// is this library UB? `it` stays inside the int[32] but lands past sub.end()
auto it = sub.begin() + 20;
*it;
```
This is definitely not language-level UB because we're still within the `int[32]`, but I *think* this is library-level UB because as far as `sub` is concerned, `it` is beyond `sub.end()`. If this is not library UB, then there's a real problem with the overall notion of using bounded iterators with `span`. I am pretty certain we confirmed this was library UB a long time ago but we should confirm again.
https://github.com/llvm/llvm-project/pull/78876
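The distinction the comment turns on, as an added example that is not part of the review thread and not libc++'s own `__bounded_iter`: a minimal bounded iterator that carries its [begin, end] range, refuses arithmetic that would leave [begin, end], and refuses to dereference the end position. libc++ asserts under hardening; here a thrown `std::out_of_range` stands in for that assertion so the checks can be exercised. The 32-element array with a 16-element sub-range mirrors the span/subspan scenario above, using raw pointers in place of `std::span` so it builds under C++17. The class name, the helper functions and the sample data are all assumptions made for this example.

```cpp
// Added example, not libc++ code: a bounded iterator that checks arithmetic
// against [begin, end] and dereference against [begin, end). A thrown
// std::out_of_range stands in for libc++'s hardening assertion.
#include <cstddef>
#include <stdexcept>

template <class T>
class bounded_iter {
  T* begin_;
  T* end_;
  T* ptr_;  // invariant: begin_ <= ptr_ <= end_

 public:
  bounded_iter(T* begin, T* end, T* ptr) : begin_(begin), end_(end), ptr_(ptr) {
    if (ptr < begin || ptr > end)
      throw std::out_of_range("iterator outside [begin, end]");
  }

  // Arithmetic is checked on offsets, so no pointer outside the range is
  // ever formed (forming one could itself be language-level UB).
  bounded_iter operator+(std::ptrdiff_t n) const {
    std::ptrdiff_t off = (ptr_ - begin_) + n;
    if (off < 0 || off > end_ - begin_)
      throw std::out_of_range("arithmetic leaves [begin, end]");
    return bounded_iter(begin_, end_, begin_ + off);
  }
  bounded_iter operator-(std::ptrdiff_t n) const { return *this + (-n); }
  bounded_iter& operator++() { *this = *this + 1; return *this; }

  // Dereference requires [begin, end): the one-past-the-end position is
  // reachable by arithmetic but never readable.
  T& operator*() const {
    if (ptr_ == end_) throw std::out_of_range("dereference of end");
    return *ptr_;
  }
  bool operator==(const bounded_iter& o) const { return ptr_ == o.ptr_; }
  bool operator!=(const bounded_iter& o) const { return ptr_ != o.ptr_; }
};

// The scenario from the discussion (constructed data): int[32], a sub-range
// of the first 16 elements, begin + 20. Still inside the int[32], but outside
// the sub-range. Returns 1 if the arithmetic was caught, 0 if it was allowed.
int arithmetic_past_subrange() {
  int array[32] = {};
  int* sub_begin = array;
  int* sub_end = array + 16;
  bounded_iter<int> it(sub_begin, sub_end, sub_begin);
  try {
    bounded_iter<int> bad = it + 20;
    (void)bad;
    return 0;
  } catch (const std::out_of_range&) {
    return 1;
  }
}

// begin + 16 is exactly end: allowed to form, not allowed to dereference.
// Returns 1 if end was reached and *end was caught, 0 otherwise.
int end_reachable_not_dereferenceable() {
  int array[32] = {};
  bounded_iter<int> it(array, array + 16, array);
  bounded_iter<int> e = it + 16;
  if (e != bounded_iter<int>(array, array + 16, array + 16)) return 0;
  try {
    (void)*e;
    return 0;
  } catch (const std::out_of_range&) {
    return 1;
  }
}

// In-range use is unaffected: the sum of the sub-range holding 0..15 is 120.
int sum_subrange() {
  int array[32];
  for (int i = 0; i < 32; ++i) array[i] = i;
  bounded_iter<int> it(array, array + 16, array);
  bounded_iter<int> e = it + 16;
  int sum = 0;
  for (; it != e; ++it) sum += *it;
  return sum;
}
```

The point the example makes concrete is the one in the comment: the check is about the range the iterator was handed, not about the underlying allocation, so `begin + 20` on a 16-element sub-range of a 32-element array is rejected even though the pointer would have been valid at the language level.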