[Cryptography] Ada vs Rust vs safer C

Ron Garret ron at flownet.com
Sat Sep 17 12:42:09 EDT 2016


On Sep 17, 2016, at 8:55 AM, Florian Weimer <fw at deneb.enyo.de> wrote:

>> 4.  If you really REALLY want to win big, define a new language that
>> is just like C but where v[offset] and *(v+offset) are NOT equivalent
>> operations, and deprecate the latter.
> 
> Existing compilers already track pointer provenance information, the
> syntactic separation isn't really required.

Yes, it is.  There is a significant difference between x[y] and *(x+y) despite the fact that the C standard specifies that these are equivalent constructs: in *(x+y) the offset calculation and dereference operation are *syntactically separable*, whereas in x[y] they are not.  So in the case of x[y] the compiler can know that this is an offset+dereference operation without having to do any analysis.  *(x+y) is just a special case of *(f(x,y)), and figuring out whether or not that is equivalent to x[y] is uncomputable in general (it’s equivalent to the halting problem).

This fact is reflected in real systems.  The following code:

int main(int argc, char* argv[]) {
  int x[100];
  int y = x[101];      /* constant out-of-bounds index: offset and dereference are one operation */
  int z = *(x+101);    /* same offset, but the offset and the dereference are syntactically separate */
  return y+z;
}

generates one warning under clang, not two (and zero under gcc even with -Wall).

Of course, both clang and gcc will happily compile:

  int y = x[argc];

with no warnings or runtime checks.

rg
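As an added example (not Ron's code, and not from any compiler project), the runtime check the post says clang and gcc do not emit for `x[argc]`, written out explicitly so the bounds test lives in the source rather than in the compiler's analysis; `checked_get`, `status_at` and `value_at_or` are hypothetical names, and the array contents are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not from the post. A checked accessor makes the bounds
   test explicit, so neither the compiler's analysis nor the syntactic form
   of the access (x[y] vs *(x+y)) decides whether a bad index is caught. */
enum { INDEX_OK = 0, INDEX_OOB = -1 };

/* Store base[idx] into *out and return INDEX_OK, or return INDEX_OOB and
   leave *out untouched when idx is outside [0, len). */
int checked_get(const int *base, size_t len, long idx, int *out) {
    if (idx < 0 || (size_t)idx >= len)
        return INDEX_OOB;
    *out = base[idx];
    return INDEX_OK;
}

#define SAMPLE_LEN 100

/* Constructed contents: x[i] = 2*i, same 100-element shape as the post. */
static void fill(int *x, size_t len) {
    for (size_t i = 0; i < len; i++)
        x[i] = (int)(2 * i);
}

/* Status of an access at idx into a 100-element local array. */
int status_at(long idx) {
    int x[SAMPLE_LEN];
    int v;
    fill(x, SAMPLE_LEN);
    return checked_get(x, SAMPLE_LEN, idx, &v);
}

/* Return x[idx] when idx is in range, otherwise the caller's fallback. */
int value_at_or(long idx, int fallback) {
    int x[SAMPLE_LEN];
    int v = fallback;
    fill(x, SAMPLE_LEN);
    checked_get(x, SAMPLE_LEN, idx, &v);
    return v;
}

int main(int argc, char *argv[]) {
    (void)argv;
    /* argc plays the role of the untrusted index from the post's x[argc]. */
    if (status_at(argc) == INDEX_OK)
        printf("x[%d] = %d\n", argc, value_at_or(argc, 0));
    else
        printf("index %d rejected\n", argc);
    return 0;
}
```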
