Editing Buffer overflow (section)

===Choice of programming language===

[[Assembly language|Assembly]], [[C (programming language)|C]], and [[C++]] are popular programming languages that are vulnerable to buffer overflow in part because they allow direct access to memory and are not [[strongly typed]].<ref name="OWASP">https://www.owasp.org/index.php/Buffer_OverflowsBuffer Overflows article on OWASP {{Webarchive|url=https://web.archive.org/web/20160829122543/https://www.owasp.org/index.php/Buffer_Overflows |date=2016-08-29 }}</ref> C provides no built-in protection against accessing or overwriting data in any part of memory. More specifically, it does not check that data written to a buffer is within the boundaries of that buffer. The standard C++ libraries provide many ways of safely buffering data, and C++'s [[Standard Template Library]] (STL) provides containers that can optionally perform bounds checking if the programmer explicitly calls for checks while accessing data. For example, a <code>vector</code>'s member function <code>at()</code> performs a bounds check and throws an <code>out_of_range</code> [[Exception handling|exception]] if the bounds check fails.<ref>{{cite web|url=http://www.cplusplus.com/reference/vector/vector/at/ |title=vector::at - C++ Reference |publisher=Cplusplus.com |access-date=2014-03-27}}</ref> However, C++ behaves just like C if the bounds check is not explicitly called. Techniques to avoid buffer overflows also exist for C.

Languages that are strongly typed and do not allow direct memory access, such as COBOL, Java, Eiffel, Python, and others, prevent buffer overflow in most cases.<ref name="OWASP"/> Many programming languages other than C or C++ provide runtime checking and in some cases even compile-time checking which might send a warning or raise an exception, while C or C++ would overwrite data and continue to execute instructions until erroneous results are obtained, potentially causing the program to crash. Examples of such languages include [[Ada (programming language)|Ada]], [[Eiffel (programming language)|Eiffel]], [[Lisp (programming language)|Lisp]], [[Modula-2]], [[Smalltalk]], [[OCaml]] and such C-derivatives as [[Cyclone (programming language)|Cyclone]], [[Rust (programming language)|Rust]] and [[D (programming language)|D]]. The [[Java (software platform)|Java]] and [[.NET Framework]] bytecode environments also require bounds checking on all arrays. Nearly every [[interpreted language]] will protect against buffer overflow, signaling a well-defined error condition. Languages that provide enough type information to do bounds checking often provide an option to enable or disable it. [[Static code analysis]] can remove many dynamic bound and type checks, but poor implementations and awkward cases can significantly decrease performance. Software engineers should carefully consider the tradeoffs of safety versus performance costs when deciding which language and compiler setting to use.