From: Peter Amey <pna@praxis-cs.co.uk>
Subject: Re: Idea: Array Boundary Checks on Write Access Only
Date: 1998/06/15
Message-ID: <35858FBC.4E5E@praxis-cs.co.uk>
In-Reply-To: 35851B64.5BF271C4@cl.cam.ac.uk
Markus Kuhn wrote:
>
> Here is a suggestion for Ada compiler developers:
>
> Add a compiler configuration option that suppresses array index
> boundary checks only for *read* access to array elements.
>
> Array boundary checks in Ada are a major advantage over C/C++
> and add a lot to the safety and debugability of the language.
> However the checks are also a significant performance loss
> unless they are deactivated. A useful compromise would be an
> option that causes the compiler to add boundary checks only
> when an array element is written, but not when it is read.
> Out-of-boundary array write accesses are dangerous because they can
> destroy other data structures and can cause failure inside completely
> unrelated objects. Therefore, in security critical applications,
> it is very desirable to deactivate for performance reasons
> only the checks for the less dangerous read accesses that if
> they go wrong should not cause malfunction within other objects.
>
> Are there already Ada compilers around that do this?
>
> Markus
Working in the safety-critical, real-time field I frequently encounter the
tension between the need for checking and the desire for speed. Another
factor is the need to generate very high levels of object-code test coverage
to satisfy some regulatory regimes; this is rather hard if the compiler has
inserted run-time checks that in practice are unnecessary and therefore
cannot be externally stimulated. In this environment I am not very happy
with the idea that reading out of bounds is any less unsatisfactory than
writing: both show that the code is broken and may misbehave.

It was to square this particular circle that we invested so much effort in
the proof of absence of run-time errors facility in SPARK (Markus, I know
you are familiar with this...). Having conducted a proof that code is
exception free it is possible to turn compiler-generated checks off with a
clear conscience and get the benefit of smaller, faster code as a bonus.
Peter
--
---------------------------------------------------------------------------
__ Peter Amey, Product Manager
) Praxis Critical Systems Ltd
/ 20, Manvers Street, Bath, BA1 1PX
/ 0 Tel: +44 (0)1225 466991
(_/ Fax: +44 (0)1225 469006
http://www.praxis-cs.co.uk/
--------------------------------------------------------------------------
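The three checking policies the thread talks about (Ada's default of checking every access, Kuhn's proposal of checking writes only, and suppressing all checks once a SPARK-style proof has shown none can fail) can be exercised side by side in a small model. The C below is an added example, not code from this thread, from any Ada compiler, or from SPARK; every name in it is hypothetical. Because an out-of-range access in real C is undefined behaviour, the model keeps the checked array and its neighbouring object in one flat array, so an unchecked access simply lands in the neighbour, as it would at machine level. The client, a constructed authorisation lookup, shows Amey's point: with read checks off, a bad index does not raise anything, it quietly returns another object's field and the caller acts on it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the run-time checking policies discussed in the thread. */
enum policy { CHECK_ALL, CHECK_WRITES_ONLY, CHECK_NONE };

#define TABLE_LEN 4   /* declared range of the checked array: Allowed_Levels(0..3) */
#define MEM_LEN   8   /* cells[0..3] = the array, cells[4..7] = an unrelated object */

struct memory {
    int32_t cells[MEM_LEN];
    int violations;   /* number of bounds checks that fired */
};

/* Constructed layout: the unrelated object's first field, at cells[4], is the
 * current caller's privilege level (1 = privileged). */
static const size_t NEIGHBOUR_PRIV = TABLE_LEN;

static struct memory initial_memory(void)
{
    struct memory m = { .cells = {1, 1, 0, 0,   /* levels 0,1 allowed; 2,3 denied */
                                  1, 0, 0, 0},  /* neighbour: caller privilege = 1 */
                        .violations = 0 };
    return m;
}

static bool in_range(size_t i) { return i < TABLE_LEN; }

/* Read Allowed_Levels(i). Returns false if a bounds check fired. Only CHECK_ALL
 * checks reads; under the other two policies an out-of-range index reads
 * whatever lies after the array. */
static bool read_elem(struct memory *m, size_t i, enum policy p, int32_t *out)
{
    if (p == CHECK_ALL && !in_range(i)) { m->violations++; return false; }
    if (i >= MEM_LEN) return false;   /* edge of the model, not a language check */
    *out = m->cells[i];
    return true;
}

/* Write Allowed_Levels(i) := v. Checked under CHECK_ALL and CHECK_WRITES_ONLY;
 * under CHECK_NONE an out-of-range index clobbers the neighbouring object. */
static bool write_elem(struct memory *m, size_t i, enum policy p, int32_t v)
{
    if (p != CHECK_NONE && !in_range(i)) { m->violations++; return false; }
    if (i >= MEM_LEN) return false;
    m->cells[i] = v;
    return true;
}

/* Constructed client: may a request at `level` proceed?  1 = allowed,
 * 0 = denied, -1 = a check fired (the Ada program would see an exception). */
int authorize(enum policy p, size_t level)
{
    struct memory m = initial_memory();
    int32_t allowed = 0;
    if (!read_elem(&m, level, p, &allowed))
        return -1;
    return allowed ? 1 : 0;
}

/* The neighbour's privilege field after an attempted write to index i. */
int32_t neighbour_after_write(enum policy p, size_t i, int32_t v)
{
    struct memory m = initial_memory();
    write_elem(&m, i, p, v);
    return m.cells[NEIGHBOUR_PRIV];
}

int main(void)
{
    static const char *names[] = { "CHECK_ALL", "CHECK_WRITES_ONLY", "CHECK_NONE" };
    for (int p = CHECK_ALL; p <= CHECK_NONE; p++) {
        printf("%-18s authorize(level=4) -> %2d   neighbour after write(4) -> %d\n",
               names[p], authorize((enum policy)p, 4),
               (int)neighbour_after_write((enum policy)p, 4, 7));
    }
    return 0;
}
```

Index 4 is one past the end of the table. Under CHECK_ALL the lookup reports a failed check; under CHECK_WRITES_ONLY it returns the neighbour's privilege field (1) and the request is allowed with nothing logged, which is the "may misbehave" case. Under CHECK_NONE the out-of-range write replaces the neighbour's field, which is the corruption both posters want to prevent; the policy is only safe when, as Amey describes for SPARK, a prior proof has shown that no index can ever be out of range, so that in-range writes are the only ones that can occur.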