From: Chris Wolfe
Newsgroups: comp.lang.ada,comp.lang.c++,comp.lang.c
Subject: Re: How Ada could have prevented the Red Code distributed denial of service attack.
Date: Tue, 07 Aug 2001 19:20:03 -0400
Organization: Queen's University, Kingston
Message-ID: <3B7077A3.77D2BBE5@globetrotter.qc.ca>

James Rogers wrote:
>
> Chris Wolfe wrote:
> >
> > It does not require any overwhelming work to convert an Ada
> > program directly into a functionally identical C++ program using
> > appropriate (non-standard) templates.
>
> Be careful about such expansive statements.
> It is easy to read your
> reply to imply that you can convert ANY Ada program to C++ without
> overwhelming work.

That *was* my statement.

> Specifically, how would you code the C++ program to contain all the
> checks built in by the Ada compiler, including the checks done at
> compile time?

Most likely using templates and the type-safety system included in C++. There are a few (like the assignment of a <= 0 value to Positive) that would be trivial to optimize in any case ("Error: This call will always cause precondition Foo in Bar to fail.").

> How would you, without overwhelming work, convert
> an Ada multi-tasking program using Ada protected objects for
> asynchronous task communication, into C++?

Unless I've completely forgotten my Ada...

    // Types not declared here (Integer, BasedArray, Access, Positive,
    // Natural, IllegalArgumentException) come from the non-standard
    // utility library.
    template <typename Items, int Max_Size>
    class Inventory {
      typedef Integer<1, Max_Size> Buf_Index;
      // one-based array of Items with Buf_Index elements
      typedef BasedArray<1, Buf_Index, Items> Parts_Buffer;

      class Parts_Buf {
      public:
        // Put: store at Newest; an error when the buffer is full.
        void Put(const Items &item) {
          Access::Ptr ptr = Parts_Buf_Ptr.Lock();   // lock held until scope exit
          if (Size >= Buffer.Last) throw IllegalArgumentException();
          Buffer[Newest] = item;
          if (Newest < Buffer.Last) { Newest++; } else { Newest = Buffer.First; }
          Size++;
        }
        // Get: remove the item at Oldest; an error when the buffer is empty.
        void Get(Items &item) {
          Access::Ptr ptr = Parts_Buf_Ptr.Lock();
          if (Size <= 0) throw IllegalArgumentException();
          item = Buffer[Oldest];
          if (Oldest < Buffer.Last) { Oldest++; } else { Oldest = Buffer.First; }
          Size--;
        }
      private:
        Access Parts_Buf_Ptr;
        Parts_Buffer Buffer;
        Positive Oldest = 1;
        Positive Newest = 1;
        Natural Size = 0;
      };
    };

> You will need to implement the full functionality of protected objects
> including entry queuing, object locking

Stock utils lib.

> , and boundary conditions.

Checked manually for parameters. I forget which compiler supported external expression lists for pre- and post-conditions (and did allow you to leave them active at run-time).

> You will also need to implement the integer range bounds limitations
> created by the definition of the Positive subtype.

    Positive(int v) { assert(v > 0); ... }

> It would be nice
> if you could also define arrays with a beginning index of 1 rather
> than 0, but you would probably assert that 0 based indexing is
> equivalent to 1 based indexing. Curious, if it is equivalent, then
> why can't C++ implement such an array directly?

Stock utils lib. A lot of C++ provides things that are difficult for a human to implement by hand, and ignores things that are as trivial as array[i - 1].

> Oh yes, when calling the Put and Get entries, your code must execute
> in the calling thread. That thread must suspend until the entry
> executes.

Stock utils lib. I remember seeing blocks-in-which-methods-protected-by-lock somewhere, and it is trivial to add.

> The entry may only execute when the boundary condition is true, and
> no other entry is concurrently accessing the protected object.

And when the boundary condition is false? I'm assuming a runtime error of some sort, unless the wait is clearly documented.

> You will have to implement the protected object as a template to be
> equivalent. This means that you must find some way to specify that
> one of the generic parameters is an integer greater than or equal to
> 1.

I think that's possible if the compiler is smart enough to optimize the static cast from int to Positive. If not, it's an optimization that could easily be added, as it is pretty trivial to discover that Positive's cast constructor will always fail for values <= 0 (especially with explicit preconditions, which I have also encountered).

> If the parameter does not meet this requirement the code must not
> compile. Putting the check in runtime code is not equivalent.
>
> To make the code truly equivalent you must not define your data to
> be dynamically allocated. All items placed on the buffer must be
> statically allocated.

Stock utils lib.
So you are sort of correct: there are some features of Ada that would require minor changes to the 'default' C++ compiler behaviors to provide the same level of hand-holding provided by Ada. I have already encountered compilers that do most of these, and I would bet that the rest have been implemented somewhere.

Chris
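As an added example, not part of Chris's post or of any library it refers to: a C++ sketch of the Ada protected bounded buffer discussed in this thread, built only on the standard library. Unlike the post's Put/Get, which raise an error when the boundary condition is false, this version suspends the calling thread on a condition variable until the barrier holds, as an Ada entry queue would; the Max_Size generic parameter is rejected at instantiation with static_assert, and Positive is a run-time range-checked wrapper. All type and function names here are my own.

```cpp
#include <array>
#include <condition_variable>
#include <cstddef>
#include <mutex>
#include <stdexcept>
#include <thread>
// Ada-style Positive subtype: a value <= 0 fails the range check at run time.
struct Positive {
    long v;
    explicit Positive(long x) : v(x) {
        if (x < 1) throw std::out_of_range("Positive: value <= 0");
    }
};
// Protected bounded buffer. Max_Size is checked when the template is
// instantiated (the Ada generic's "Max_Size : Positive"); entry barriers
// are condition variables, so a caller blocks until its barrier holds.
template <typename Item, long Max_Size> class ProtectedBuffer {
    static_assert(Max_Size >= 1, "Max_Size must be a Positive");
    std::array<Item, static_cast<std::size_t>(Max_Size)> buf_{};  // 1-based: slot i is buf_[i-1]
    long oldest_ = 1, newest_ = 1, size_ = 0;
    std::mutex m_;
    std::condition_variable not_full_, not_empty_;
public:
    void Put(const Item &item) {            // entry Put when Size < Max_Size
        std::unique_lock<std::mutex> lk(m_);
        not_full_.wait(lk, [this] { return size_ < Max_Size; });
        buf_[newest_ - 1] = item;
        newest_ = (newest_ < Max_Size) ? newest_ + 1 : 1;
        ++size_;
        not_empty_.notify_one();
    }
    Item Get() {                            // entry Get when Size > 0
        std::unique_lock<std::mutex> lk(m_);
        not_empty_.wait(lk, [this] { return size_ > 0; });
        Item item = buf_[oldest_ - 1];
        oldest_ = (oldest_ < Max_Size) ? oldest_ + 1 : 1;
        --size_;
        not_full_.notify_one();
        return item;
    }
};
// A producer thread pushes 8 items through a 4-slot buffer: its Put calls
// suspend while the buffer is full and resume as the consumer drains it.
long demo() {
    ProtectedBuffer<long, 4> pb;
    std::thread producer([&] { for (long i = 1; i <= 8; ++i) pb.Put(i); });
    long sum = 0;
    for (int i = 0; i < 8; ++i) sum += pb.Get();
    producer.join();
    return sum;   // 1 + 2 + ... + 8 = 36
}
```

Instantiating `ProtectedBuffer<long, 0>` fails to compile, which is the "must not compile" requirement from the quoted message; the Positive check, by contrast, can only be made at run time in this form.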