From: "Dmitry A. Kazakov"
Subject: Re: Buffer overflow Article - CACM
Newsgroups: comp.lang.ada
Reply-To: mailbox@dmitry-kazakov.de
Organization: cbb software GmbH
References: <43783810.6080808@obry.net>
Date: Tue, 15 Nov 2005 09:49:54 +0100
Message-ID: <2jzfmy3kqhw9$.10by8ooz0jy1b.dlg@40tude.net>

On Mon, 14 Nov 2005 20:57:40 +0000, Simon Wright wrote:

> "Dmitry A. Kazakov" writes:
>
>> This is not the whole truth. I agree that the overhead caused by
>> run-time checks is not a big deal. But that is not the problem in my
>> view. Let them be 0%! The real problem is that a check may fail
>> while a program crash is not an option. This means that there must be
>> some error handling. The more errors may happen at run-time, the more
>> complex an infrastructure one would require. Add here unit tests for
>> these errors etc.
>
> For information -- is your point that we should design the program
> (using eg SPARK) so that there isn't any need for runtime checking?

Yes, when possible.

> (I don't think it likely that you want us not to bother to do any
> checking!)

We should draw a line between "functional" and "non-functional" checks.
When a check is an artefact of program/language/environment design, then its penalty is more than just run-time overhead. Of course the distinction is not absolute. For example, End_Error might look functional, but probably in a better OS with an OO interface you would never have it when working with a string container or an XML document rather than with a raw byte stream.

Buffer overflow checks are a clear "non-functional" candidate to me. This is also a reason why I'm skeptical about the design of Unbounded_String and Ada.Container. They don't support safe iteration constructs like "for I in X'Range loop".

--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
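The functional/non-functional distinction from the post, as an added illustration that is not part of the original thread: `Sum_All` indexes only via `B'Range`, so the bounds check can never fail and needs no handler; `Store` takes an index from outside the program, so a failed check is a real event that must be handled rather than crash; `Store_Checked` makes that check explicit so no exception path remains. The type and subprogram names are constructed for this example.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Range_Checks is
   --  Constructed example: a small fixed-size buffer.
   type Byte_Buffer is array (Positive range <>) of Integer;
   Buffer : Byte_Buffer (1 .. 8) := (others => 0);

   --  "Non-functional" case: the index ranges over the array's own bounds,
   --  so the index check can never fail and the compiler may omit it.
   --  No handler is needed because there is nothing to handle.
   function Sum_All (B : Byte_Buffer) return Integer is
      Total : Integer := 0;
   begin
      for I in B'Range loop
         Total := Total + B (I);
      end loop;
      return Total;
   end Sum_All;

   --  "Functional" case: the index comes from outside the program (say, a
   --  field of a received message). A failed check is a real event that
   --  must be handled, since crashing is not an option. The policy here
   --  is to report failure through Ok instead of propagating the exception.
   procedure Store (B : in out Byte_Buffer; Index, Value : Integer; Ok : out Boolean) is
   begin
      B (Index) := Value;   --  raises Constraint_Error if Index not in B'Range
      Ok := True;
   exception
      when Constraint_Error =>
         Ok := False;
   end Store;

   --  The same functional check written explicitly, so the program has no
   --  exception path at all (the shape a SPARK-style design pushes toward).
   procedure Store_Checked (B : in out Byte_Buffer; Index, Value : Integer; Ok : out Boolean) is
   begin
      Ok := Index in B'Range;
      if Ok then
         B (Index) := Value;
      end if;
   end Store_Checked;

   Ok : Boolean;
begin
   Store (Buffer, 3, 42, Ok);          --  index inside the bounds
   Store (Buffer, 9, 42, Ok);          --  index outside the bounds: handler runs
   Store_Checked (Buffer, 0, 1, Ok);   --  rejected before any access is made
   Put_Line (Integer'Image (Sum_All (Buffer)));
end Range_Checks;
```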