From: Hyman Rosen
Date: Mon, 29 Dec 2003 16:50:09 -0500
Newsgroups: comp.arch.embedded,comp.lang.ada
Subject: Re: Certified C compilers for safety-critical embedded systems
Organization: KBC Financial Products
Message-ID: <1072734609.947440@master.nyc.kbcfp.com>
References: <3fe00b82.90228601@News.CIS.DFN.DE> <3FE026A8.3CD6A3A@yahoo.com> <$km9afA3DB7$EAYO@phaedsys.demon.co.uk> <3ff0686d.528369824@News.CIS.DFN.DE>

Alex Colvin wrote:
>>> The C standard explicitly permits accessing one element beyond the end
> Not exactly. It permits addressing one beyond the end, but not accessing,
> so
>     int a[10], *after = &a[10];
> is OK, but
>     a[10]++
> isn't.
> The rule lets you do bounds checks on pointers, even with empty ranges.
And in C++, you must write int a[10], *after = a + 10, as &a[10] is illegal. C99 gave special dispensation to remove &* (a[10] is rewritten as *(a+10), so &a[10] is &*(a+10), becoming (a+10)), but C++ did not, even on built-in types.
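An added example (not code from either poster) showing the distinction the thread draws: a one-past-the-end pointer may be formed and compared, including for an empty range, but never dereferenced, and it is spelled a + 10 so the same source is valid C and C++. The helper names in_range, count_equal and checked_store and the sample array are made up for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Half-open range [begin, end). Forming `end` as one past the last element
 * is permitted (C99 6.5.6), but `end` must never be dereferenced. It is
 * written as `a + 10`, not `&a[10]`, so the code is also valid C++. */
static int in_range(const int *p, const int *begin, const int *end)
{
    return p >= begin && p < end;   /* comparison only, nothing is read */
}

/* Count elements of [begin, end) equal to `value`. An empty range
 * (begin == end, e.g. both a + 10) is fine: the loop body never runs. */
static size_t count_equal(const int *begin, const int *end, int value)
{
    size_t n = 0;
    for (const int *p = begin; p != end; ++p)   /* p stops before `end` */
        if (*p == value)
            ++n;
    return n;
}

/* Bounds-checked store. First rejects an idx that would even *form* a
 * pointer beyond one-past-the-end, then rejects the one-past-the-end
 * pointer itself, which may be formed but not written through (a[10]++). */
static int checked_store(int *begin, int *end, size_t idx, int value)
{
    size_t len = (size_t)(end - begin);
    if (idx > len)                  /* begin + idx would be undefined */
        return 0;
    int *slot = begin + idx;        /* idx == len yields `end`: legal to form */
    if (!in_range(slot, begin, end))
        return 0;                   /* ...but not legal to access */
    *slot = value;
    return 1;
}

int main(void)
{
    int a[10] = {5, 5, 1, 5, 2, 3, 5, 0, 0, 5};   /* constructed sample data */
    int *after = a + 10;            /* the legal one-past-the-end pointer */

    printf("fives in a: %zu\n", count_equal(a, after, 5));                /* 5 */
    printf("fives in empty range: %zu\n", count_equal(after, after, 5));  /* 0 */
    printf("store at index 9: %d\n", checked_store(a, after, 9, 7));      /* 1 */
    printf("store at index 10: %d\n", checked_store(a, after, 10, 7));    /* 0 */
    return 0;
}
```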