On 6/23/26 14:18, Andrey Semashev via Boost wrote:
By the same logic as the browser, if the archive is valid, according to the archive format specification, Boost.Serialization has to parse it and present the result to the user. Otherwise, it must fail with an error. I'm not a Boost.Serialization user, but I'm assuming that this is currently the case (otherwise, this would be a bug in the library). In this sense, the library already does validate the data.
Now, the parsed archive may not be valid from the user's application standpoint (i.e. if the parsed data does not describe a valid state of the application), but I don't think Boost.Serialization is in a position to validate it at that level. Or maybe I'm missing something about Boost.Serialization.
Obviously Boost.Serialization cannot do anything about application-level invariants it doesn't know about. It is the job of the application to validate data it receives from Boost.Serialization. But there are cases where Boost.Serialization itself invokes undefined behavior before the data ever gets to the user code, like the problems mentioned by the OP of the thread. And again, it's not an error for a function to invoke undefined behaviors if its preconditions are not met. It's just a really problematic design decision if the function in question is deserialization function. -- Rainer Deyke - rainerd@eldwood.com