Re: C is not an applications programming language
That only works for STATIC bounds-checking, but a lot of the overruns come from DYNAMIC buffers with bounds only known at runtime.
This gets language-dependent. If you have a language where the compiler knows how the size of a dynamic array can be determined (for example Java), it can optimize bounds checking also in those cases. I agree this is hard to make work in C, and we might not even want to, if we just use C as a close-to-the-metal language, and use something else for higher-level applications.
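Added example, not part of the original post: in C the length has to travel with the buffer by hand before any check on a runtime-sized array is possible. The block below shows a per-access check next to a single hoisted range check, which is the kind of bounds-check optimization the reply describes a compiler doing when it knows how the size is determined. The `int_slice` type and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical "fat pointer": the element count is stored next to the storage. */
typedef struct {
    int   *data;
    size_t len;   /* known only at runtime */
} int_slice;

/* Allocate a zeroed, runtime-sized slice; len is 0 if allocation fails. */
int_slice slice_new(size_t n) {
    int_slice s = { calloc(n, sizeof(int)), n };
    if (s.data == NULL) s.len = 0;
    return s;
}

/* Checked read: one comparison per access. Returns 0, or -1 if i is out of range. */
int slice_get(int_slice s, size_t i, int *out) {
    if (i >= s.len) return -1;
    *out = s.data[i];
    return 0;
}

/* Naive form: every iteration pays for a bounds check (and a wrap check). */
int sum_checked(int_slice s, size_t start, size_t count, long *total) {
    long acc = 0;
    for (size_t k = 0; k < count; k++) {
        int v;
        if (start + k < start || slice_get(s, start + k, &v) != 0) return -1;
        acc += v;
    }
    *total = acc;
    return 0;
}

/* Hoisted form: one overflow-safe test proves every index in
   [start, start + count) is valid, so the loop body needs no check. */
int sum_hoisted(int_slice s, size_t start, size_t count, long *total) {
    if (start > s.len || count > s.len - start) return -1;
    long acc = 0;
    for (size_t k = 0; k < count; k++) acc += s.data[start + k];
    *total = acc;
    return 0;
}

int main(void) {
    int_slice s = slice_new(8);               /* constructed sample data: 1..8 */
    for (size_t i = 0; i < s.len; i++) s.data[i] = (int)i + 1;
    long t = 0;
    printf("in range: %d, overrun: %d\n", sum_hoisted(s, 2, 4, &t), sum_hoisted(s, 6, 3, &t));
    free(s.data);
    return 0;
}
```

The hoisted test is written as `count > s.len - start` rather than `start + count > s.len` so that a huge `count` cannot wrap around and pass the check.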