C++ std::span & Modern Bounds Safety: Non-Owning Views, Subspans, and Buffer Hardening
C++ std::span & Modern Bounds Safety: Non-Owning Views, Subspans, and Buffer Hardening
Table of Contents
- Why Pointer Decay Is a Security Vulnerability
- std::span: The Non-Owning Contiguous View
- Static vs Dynamic Extent
- std::span as a Universal Function Parameter
- Subspans: Zero-Copy Buffer Slicing
- Iterating and Algorithms with span
- std::span vs std::string_view
- std::mdspan: Multidimensional Spans (C++23)
- Hardened Modes and Bounds Checking
- Real-World Pattern: Network Packet Parsing
- Frequently Asked Questions
- Key Takeaway
Why Pointer Decay Is a Security Vulnerability
std::span: The Non-Owning Contiguous View
Static vs Dynamic Extent
std::span as a Universal Function Parameter
Key design guidelines for using std::span as a parameter:
Subspans: Zero-Copy Buffer Slicing
std::span supports efficient slicing without copying data:
std::mdspan: Multidimensional Spans (C++23)
std::mdspan (C++23) extends span to multidimensional arrays without copying:
Real-World Pattern: Network Packet Parsing
Frequently Asked Questions
Does std::span perform bounds checking?
The operator[] on std::span does NOT bounds-check in Release mode (same as std::vector::operator[]). Use at() for explicit bounds checking, or enable compiler hardening flags: _LIBCPP_HARDENING_MODE=fast (libc++) or -D_GLIBCXX_ASSERTIONS (libstdc++) to add bounds checks to all subscript operations in debug/hardened builds.
When should I use span<const T> vs span<T>?
Use span<const T> for read-only access — it accepts both span<T> (mutable → const promotion) and span<const T>. Use span<T> when the function needs to modify the data. Never accept const span<T> — that's a const span, not a span of const; the const is shallow (it prevents reassigning the span, not writing through it.
Can I store std::span in a class?
Yes, but carefully. A stored span must not outlive the data it references. Since span is non-owning, if the underlying vector/array is destroyed and the span is still in the class, you have undefined behavior. Document span member fields as borrowed references, and ensure the owning object's lifetime is always longer than the class containing the span.
Key Takeaway
std::span is the single most impactful memory safety upgrade to C++ since smart pointers. It eliminates the pointer-decay vulnerability class, removes the need for paired T*, size_t parameters, and works transparently with all contiguous containers. In new code written after C++20: any function accepting a buffer should take std::span<const T> (read-only) or std::span<T> (read-write) — never raw pointers with separate size arguments.
Read next: Phase 2 Review: Building an In-Memory Data Store →
Part of the C++ Mastery Course — 30 modules from modern C++ basics to expert systems engineering.