[Cryptography] Ada vs Rust vs safer C
Ron Garret
ron at flownet.com
Sat Sep 17 12:42:09 EDT 2016
On Sep 17, 2016, at 8:55 AM, Florian Weimer <fw at deneb.enyo.de> wrote:
>> 4. If you really REALLY want to win big, define a new language that
>> is just like C but where v[offset] and *(v+offset) are NOT equivalent
>> operations, and deprecate the latter.
>
> Existing compilers already track pointer provenance information, the
> syntactic separation isn't really required.
Yes, it is. There is a significant difference between x[y] and *(x+y) despite the fact that the C standard specifies that these are equivalent constructs: in *(x+y) the offset calculation and dereference operation are *syntactically separable*, whereas in x[y] they are not. So in the case of x[y] the compiler can know that this is an offset+dereference operation without having to do any analysis. *(x+y) is just a special case of *(f(x,y)), and figuring out whether or not that is equivalent to x[y] is uncomputable in general (it’s equivalent to the halting problem).
This fact is reflected in real systems. The following code:
    int main(int argc, char* argv[]) {
        int x[100];
        int y = x[101];     /* index form: deliberately out of bounds */
        int z = *(x+101);   /* pointer-arithmetic form of the same access */
        return y+z;
    }
generates one warning under clang, not two (and zero under gcc even with -Wall).
Of course, both clang and gcc will happily compile:
int y = x[argc];
with no warnings or runtime checks.
rg
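The post argues that an index-plus-dereference written as x[y] is one recognisable operation, while *(x+y) is not, and that neither form gets a bounds check today (the x[argc] case). The block below is an added example, not code from the post or from any compiler; it shows the "safer C" shape a checked subscript can take in plain C when the array's declaration is in scope: the index and the dereference stay one operation (checked_index / ARRAY_AT), so the bound is tested before memory is touched, and both the constant case (x[101]) and the externally supplied case (x[argc]) are rejected instead of read. The helper names, the ARRAY_AT macro and the i*i fill are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Element count of a true array object. Only valid where `arr` is declared
   as an array in this scope; on a pointer it has decayed to, sizeof gives
   the pointer size and the result is wrong. (Example macro, an assumption.) */
#define ARRAY_LEN(arr) (sizeof(arr) / sizeof((arr)[0]))

/* Checked form of arr[idx]. Offset and dereference are one operation here,
   so the bound is tested before any memory is read.
   Returns 1 and stores the element in *out if idx is in [0, len), else 0. */
static int checked_index(const int *base, size_t len, long idx, int *out)
{
    if (idx < 0 || (unsigned long)idx >= len)
        return 0;                       /* reject instead of reading past the end */
    *out = base[idx];
    return 1;
}

/* Wrapper that derives the bound from the array declaration itself. */
#define ARRAY_AT(arr, idx, outp) checked_index((arr), ARRAY_LEN(arr), (idx), (outp))

/* Constructed contents: x[i] = i*i, so a correct read is distinguishable. */
static void fill_squares(int *x, size_t n)
{
    for (size_t i = 0; i < n; i++)
        x[i] = (int)(i * i);
}

/* Mirrors the post's `int y = x[101]` with `int x[100]` through the checked
   path. Returns 1 if the read was rejected and y left untouched, 0 otherwise. */
int constant_oob_is_rejected(void)
{
    int x[100];
    int y = -1;
    fill_squares(x, ARRAY_LEN(x));
    return ARRAY_AT(x, 101, &y) == 0 && y == -1;
}

/* Mirrors `int y = x[argc]`: the index comes from outside the program.
   Returns 1 and sets *out when idx is in range, 0 when it is rejected. */
int lookup_from_untrusted(long idx, int *out)
{
    int x[100];
    fill_squares(x, ARRAY_LEN(x));
    return ARRAY_AT(x, idx, out);
}

/* Convenience: the element at idx, or -1 for a rejected (out-of-range) index. */
int lookup_or_minus_one(long idx)
{
    int v;
    return lookup_from_untrusted(idx, &v) ? v : -1;
}

int main(int argc, char *argv[])
{
    int v = 0;
    (void)argv;
    printf("x[101] rejected: %d\n", constant_oob_is_rejected());
    printf("x[argc] with argc=%d: %s\n", argc,
           lookup_from_untrusted(argc, &v) ? "in range" : "rejected");
    return 0;
}
```

The check works only because ARRAY_LEN is applied where the array object is visible; pass x to another function and it decays to int*, the length is lost, and the caller has to hand the bound over explicitly, as checked_index does. That is exactly the information a *(x+y) spelling never carries, which is the post's point.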