[Cryptography] bounded pointers in C

Bill Stewart billstewart at pobox.com
Fri Apr 18 18:58:30 EDT 2014


>On Apr 18, 2014, at 7:35 AM, Ben Laurie <ben at links.org> wrote:
> > Hmm. Any info on how this works (or worked)? All bounded pointers
> > implementations I've seen have required some kind of code annotation
> > to make them work properly (e.g. explicit fat pointers). Can it really
> > be done without source modification?

I'm skeptical - one of the attractions of C is being able to write 
constructs like
         while (*output++ = *input++) ;
and have them just work (except when they just don't work, of course.)
Sometimes you can make things safer by zero-padding the ends of 
arrays without telling the programmer
(it wouldn't totally bother me if malloc() automatically added a 
couple extra words of 0s after the end of every allocation, as long 
as you didn't tell anybody they could depend on it happening.)

At 10:50 AM 4/18/2014, Jerry Leichter wrote:
>That's the principle.  The *practice* is that a huge fraction of 
>practical, every day, C programs assume that a pointer will fit in a 
>long.  Nothing in the language guarantees it, but "everyone knows" 
>that this is how C works.

Occasionally programmers have known better, but mostly when they've 
been switching architectures (e.g. 16->32 bit or 32->64 bit, or when 
they've been writing on machines where int != long, such as earlier 
Motorola 680x0, or other weirdness like segmented memory).
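As an added illustration that is not from Bill's post or anyone else in the thread: a minimal bounded ("fat") pointer in C, the copy idiom above in its unchecked form next to a checked form that carries its own bound, and the pointer-fits-in-long check the thread discusses. The `bptr` type and all function names are hypothetical, written for this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical bounded ("fat") pointer: current position plus one-past-end.
   This is exactly the annotation the thread says real C code lacks. */
typedef struct {
    char *cur;
    char *end;   /* one past the last addressable byte */
} bptr;

static bptr bptr_make(char *buf, size_t len) {
    bptr p = { buf, buf + len };
    return p;
}

/* The unchecked idiom from the post: correctness rests entirely on the
   caller having sized `output` to hold all of `input`. */
static void copy_unchecked(char *output, const char *input) {
    while ((*output++ = *input++) != '\0')
        ;
}

/* Bounded version: every store is checked against the carried bound.
   Returns bytes written including the terminator, or 0 if the copy would
   overrun the destination or read past `input_max` (the destination may be
   partially written, but never past `end`). */
static size_t copy_bounded(bptr output, const char *input, size_t input_max) {
    char *start = output.cur;
    const char *in_end = input + input_max;
    for (;;) {
        if (output.cur >= output.end || input >= in_end)
            return 0;   /* bounds violation: refuse instead of overflowing */
        if ((*output.cur++ = *input++) == '\0')
            return (size_t)(output.cur - start);
    }
}

/* The assumption Jerry describes: does a pointer fit in a long on this build?
   True on LP64 Unix, false on LLP64 Windows; nothing in C promises either. */
static int pointer_fits_in_long(void) {
    return sizeof(void *) <= sizeof(long);
}

/* Constructed demo: returns 0 when the bounded copy behaves as intended. */
static int demo(void) {
    char small[4];
    if (copy_bounded(bptr_make(small, sizeof small), "abc", 4) != 4) return 1;
    if (strcmp(small, "abc") != 0) return 2;
    if (copy_bounded(bptr_make(small, sizeof small), "toolong", 8) != 0) return 3;
    return 0;
}
```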
