Does std::span perform bounds checking in C++?

std::span does not perform bounds checking by default â€” operator[] accesses elements without checking the index, matching the zero-overhead C++ philosophy. Some implementations enable bounds checking in debug builds. Use std::span::subspan to create a narrowed view with a known safe range. For safety-critical code, enable runtime bounds checking via sanitizers (AddressSanitizer) during testing, or use a bounds-checked wrapper type.

What is the difference between std::span and a pointer/size pair?

std::span bundles a pointer and a size into a single type-safe object, preventing mismatched pointer/size pairs and enabling range-for iteration, standard algorithm compatibility, and self-documenting function signatures. It is a view â€” it does not own data and has reference semantics. A raw pointer/size pair has identical performance but no type system guarantees. std::span is the idiomatic modern C++ replacement for pointer/size function parameters.

Can std::span be used with std::vector, arrays, and C arrays?

Yes â€” std::span is constructible from std::vector, std::array, raw C arrays, and any contiguous range. It automatically deduces the element type and size. A static extent span (std::span ) has size known at compile time; a dynamic extent span (std::span ) stores the size at runtime. This makes span a universal interface for functions that operate on contiguous sequences regardless of the underlying storage type.

What are the C++ Core Guidelines rules around buffer safety?

The Core Guidelines (rules Bounds.1 through Bounds.4) prohibit pointer arithmetic, raw array subscripting without span, and unchecked pointer casts. The GSL (Guidelines Support Library) provides gsl::span (predating std::span), gsl::at (bounds-checked subscript), and not_null for non-nullable pointers. Following these rules eliminates the majority of buffer-overflow vulnerabilities. Enable a static analyser (clang-tidy with cppcoreguidelines checks) to enforce them automatically.

C++ std::span & Modern Bounds Safety: Non-Owning Views, Subspans, and Buffer Hardening

â† Back to C++ Mastery

C++ std::span & Modern Bounds Safety: Non-Owning Views, Subspans, and Buffer Hardening

Why Pointer Decay Is a Security Vulnerability
std::span: The Non-Owning Contiguous View
Static vs Dynamic Extent
std::span as a Universal Function Parameter
Subspans: Zero-Copy Buffer Slicing
Iterating and Algorithms with span
std::span vs std::string_view
std::mdspan: Multidimensional Spans (C++23)
Hardened Modes and Bounds Checking
Real-World Pattern: Network Packet Parsing
Frequently Asked Questions
Key Takeaway

Why Pointer Decay Is a Security Vulnerability

cpp

// C-style: array â†’ pointer (size LOST):
void process(int* data, size_t len) {
    for (size_t i = 0; i < len; i++) {
        data[i] *= 2; // What if caller passed wrong len? â†’ buffer overflow!
    }
}

int arr[10] = {};
process(arr, 100);  // Caller says 100, array has 10 â†’ UNDEFINED BEHAVIOR
                     // No compile error. No runtime check. Exploitable.

// Comparison to other languages:
// Python: IndexError raised at runtime
// Rust: index out of bounds panics (debug), LLVM checks (release)
// C++: undefined behavior â€” ANYTHING can happen

// The 2024 NSA advisory specifically cited C++ array passing as a top
// vulnerability source in systems code. std::span is the C++ answer.

std::span: The Non-Owning Contiguous View

cpp

#include <span>
#include <vector>
#include <array>
#include <print>

// `std::span<T>` â€” non-owning view of contiguous T elements
// Layout: two pointers (pointer + size) = 16 bytes on 64-bit
// Always pass by VALUE (not by reference â€” it's already non-owning)

// The universal function:
void process(std::span<int> data) {
    std::println("Processing {} elements", data.size());
    for (int& x : data) x *= 2;
    // data.size() is always correct â€” no caller error possible
}

// Works with ALL contiguous containers â€” same function signature:
std::vector<int>    v = {1, 2, 3, 4, 5};
std::array<int, 5>  a = {1, 2, 3, 4, 5};
int                 raw[5] = {1, 2, 3, 4, 5};

process(v);    // vector â†’ span (automatic)
process(a);    // array â†’ span (automatic)
process(raw);  // raw array â†’ span (automatic and SAFE)

// const span = read-only view:
void read_only(std::span<const int> data) {
    // data[0] = 5; // COMPILE ERROR: can't modify through const span
    for (int x : data) std::print("{} ", x);
}
read_only(v);  // Works â€” implicitly converts span<int> to span<const int>

// Span properties:
std::span<int> s(v);
std::println("Size: {}", s.size());         // 5
std::println("Bytes: {}", s.size_bytes()); // 20 (5 * sizeof(int))
std::println("Empty: {}", s.empty());      // false
std::println("Front: {}", s.front());      // 1
std::println("Back: {}", s.back());        // 5
int* raw_ptr = s.data();                   // Underlying pointer (for C APIs)

Static vs Dynamic Extent

cpp

// Dynamic extent (runtime size â€” default):
std::span<int>         dynamic_span(v); // Size known at runtime

// Static extent (compile-time size â€” N must be known):
std::span<int, 5>      static_span(v);  // Compiler knows it's 5 elements
// std::span<int, 3>   wrong_span(v);   // COMPILE ERROR: v has 5 elements

// Static extent benefits:
// - No size field stored (just one pointer â€” 8 bytes vs 16 bytes)
// - Compiler can optimize bounds checks, loop unrolling, vectorization
// - Size checked at compile time â†’ catch mismatches early

// std::array naturally produces static span:
std::array<float, 8> simd_data{};
std::span<float, 8> simd_view(simd_data); // Compiler knows it's exactly 8

// Dynamic extent from runtime calculation:
void process_first_n(std::vector<int>& v, size_t n) {
    auto view = std::span<int>(v).first(n); // span of first n elements
    for (int& x : view) x++;
}

std::span as a Universal Function Parameter

Key design guidelines for using std::span as a parameter:

cpp

// PREFER: span for read-write contiguous access
void normalize(std::span<float> data) {
    float max = *std::ranges::max_element(data);
    for (float& x : data) x /= max;
}

// PREFER: span<const T> for read-only access
float sum(std::span<const float> data) {
    return std::reduce(data.begin(), data.end());
}

// AVOID: const std::vector<float>& (forces vector, excludes array/raw)
// AVOID: std::vector<float>& (forces vector, excludes C arrays)
// AVOID: float*, size_t (unsafe, error-prone)
// USE:   std::span or std::span<const T>

// Comparison:
void old_api(const float* data, size_t n);  // 2 params, easy to mismatch
void new_api(std::span<const float> data);  // 1 param, self-contained, safe

// Works with anything contiguous:
float stack_arr[1000];
std::vector<float> heap_vec(1000);
std::array<float, 1000> std_arr;

new_api(stack_arr);  // All three work
new_api(heap_vec);
new_api(std_arr);

Subspans: Zero-Copy Buffer Slicing

std::span supports efficient slicing without copying data:

cpp

std::vector<uint8_t> packet(512);
std::span<uint8_t> buffer(packet);

// first(N): first N elements
auto ethernet_header = buffer.first(14);   // bytes 0-13

// last(N): last N elements
auto payload = buffer.last(buffer.size() - 14); // bytes 14-511

// subspan(offset, count): slice from offset
auto ip_header  = buffer.subspan(14, 20);   // bytes 14-33
auto tcp_header = buffer.subspan(34, 20);   // bytes 34-53
auto data_field = buffer.subspan(54);       // bytes 54 to end (no count = all remaining)

// Static subspan (compile-time slice):
auto first5 = buffer.first<5>();   // span<uint8_t, 5> â€” static extent!
auto last10 = buffer.last<10>();   // span<uint8_t, 10>

std::mdspan: Multidimensional Spans (C++23)

std::mdspan (C++23) extends span to multidimensional arrays without copying:

cpp

#include <mdspan>  // C++23

// 2D matrix view over flat array:
std::vector<float> flat_data(4 * 4);  // 4x4 matrix flattened

std::mdspan<float, std::extents<size_t, 4, 4>> matrix(flat_data.data());

// Access via row, column:
matrix[0, 0] = 1.0f;  // C++23 multi-index syntax
matrix[1, 2] = 3.14f;

// Dynamic shape (runtime dimensions):
int rows = 4, cols = 8;
std::mdspan<float, std::dextents<size_t, 2>> dynamic_matrix(
    flat_data.data(), rows, cols);

// Works with SIMD, BLAS, GPU kernels without data movement
// Essential for scientific computing, image processing

Real-World Pattern: Network Packet Parsing

cpp

#include <span>
#include <cstdint>
#include <cstring>

#pragma pack(push, 1)
struct EthHeader { uint8_t dst[6]; uint8_t src[6]; uint16_t type; };
struct IPv4Header { uint8_t version_ihl; uint8_t tos; uint16_t length;
                    uint16_t id; uint16_t flags_frag; uint8_t ttl;
                    uint8_t proto; uint16_t checksum; uint32_t src; uint32_t dst; };
#pragma pack(pop)

struct ParsedPacket {
    const EthHeader*  eth;
    const IPv4Header* ip;
    std::span<const uint8_t> payload;
};

std::optional<ParsedPacket> parse_ethernet(std::span<const uint8_t> raw) {
    if (raw.size() < sizeof(EthHeader)) return std::nullopt;
    
    const auto* eth = reinterpret_cast<const EthHeader*>(raw.data());
    auto after_eth  = raw.subspan(sizeof(EthHeader)); // Zero-copy slice!
    
    if (after_eth.size() < sizeof(IPv4Header)) return std::nullopt;
    
    const auto* ip   = reinterpret_cast<const IPv4Header*>(after_eth.data());
    size_t ip_len    = (ip->version_ihl & 0x0F) * 4;
    auto payload     = after_eth.subspan(ip_len); // TCP/UDP payload
    
    return ParsedPacket{eth, ip, payload};
}

// Caller:
std::vector<uint8_t> recv_buffer(/* from network */);
if (auto pkt = parse_ethernet(recv_buffer)) {
    process_payload(pkt->payload); // No copies! All views into recv_buffer
}

Frequently Asked Questions

Does std::span perform bounds checking? The operator[] on std::span does NOT bounds-check in Release mode (same as std::vector::operator[]). Use at() for explicit bounds checking, or enable compiler hardening flags: _LIBCPP_HARDENING_MODE=fast (libc++) or -D_GLIBCXX_ASSERTIONS (libstdc++) to add bounds checks to all subscript operations in debug/hardened builds.

When should I use span<const T> vs span<T>? Use span<const T> for read-only access â€” it accepts both span<T> (mutable â†’ const promotion) and span<const T>. Use span<T> when the function needs to modify the data. Never accept const span<T> â€” that's a const span, not a span of const; the const is shallow (it prevents reassigning the span, not writing through it.

Can I store std::span in a class? Yes, but carefully. A stored span must not outlive the data it references. Since span is non-owning, if the underlying vector/array is destroyed and the span is still in the class, you have undefined behavior. Document span member fields as borrowed references, and ensure the owning object's lifetime is always longer than the class containing the span.

Key Takeaway

std::span is the single most impactful memory safety upgrade to C++ since smart pointers. It eliminates the pointer-decay vulnerability class, removes the need for paired T*, size_t parameters, and works transparently with all contiguous containers. In new code written after C++20: any function accepting a buffer should take std::span<const T> (read-only) or std::span<T> (read-write) â€” never raw pointers with separate size arguments.

Part of the C++ Mastery Course â€” 30 modules from modern C++ basics to expert systems engineering.

C++ std::span & Modern Bounds Safety: Non-Owning Views, Subspans, and Buffer Hardening

C++ std::span & Modern Bounds Safety: Non-Owning Views, Subspans, and Buffer Hardening

Table of Contents

Why Pointer Decay Is a Security Vulnerability

std::span: The Non-Owning Contiguous View

Static vs Dynamic Extent

std::span as a Universal Function Parameter

Subspans: Zero-Copy Buffer Slicing

std::mdspan: Multidimensional Spans (C++23)

Real-World Pattern: Network Packet Parsing

Frequently Asked Questions

Key Takeaway