From: "Frank J. Lhota"
Newsgroups: comp.arch.embedded,comp.lang.ada
Subject: Re: Certified C compilers for safety-critical embedded systems
Date: Sat, 27 Dec 2003 10:34:50 -0500
Message-ID: <3feda69d$0$4765$61fed72c@news.rcn.com>
References: <3fe00b82.90228601@News.CIS.DFN.DE> <3FE026A8.3CD6A3A@yahoo.com> <$km9afA3DB7$EAYO@phaedsys.demon.co.uk>

"James Rogers" wrote in message news:Xns945DE49836882jimmaureenrogers@204.127.36.1...
> The C standard explicitly permits accessing one element beyond the end
> of an array.

Careful! All that the standard guarantees is that the address of the one element beyond the end should compare in the expected fashion with the addresses of the other array elements. For example, if we have

    int foo[10];
    int* bar = foo + 10;

then the C standard will guarantee that bar > foo + i for any i in the range 0 .. 9 inclusive.
Although the standard guarantees the behavior of a pointer one past the end of an array, it explicitly does NOT guarantee anything about accessing an element past the end of an array. An attempt to read or write *bar leads to unpredictable results.

> Neither the C compiler nor lint can determine if an array
> index is outside the bounds of the array.

It depends. I would imagine that some C compilers and lint might catch something like this:

    int foo[10];
    ...
    j = foo[10];

The real problem is that once an array is passed to a function, length information is lost. This is one area where the C++ vector template made a real advance. Of course, Ada had the approach to arrays all along, in that it never divorced the length from the array data.
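The three points made in the post above (the one-past-the-end pointer may be formed and compared but never dereferenced; an array parameter decays to a pointer so the callee cannot recover its length; carrying the length with the data is what makes bounds checking possible) as one added C example. This is not code from the original post or from any project; the struct and function names (bounded_int_array, bounded_get, decayed_element_count, one_past_end_compares_greater, demo_bounds_check) and the squared-integers sample array are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example for this thread; names are illustrative only. */

#define FOO_LEN 10

/* The "Ada / C++ vector" idea expressed in C: the length travels with
 * the data, so a callee can still check bounds after the array is passed. */
typedef struct {
    int *data;
    size_t len;
} bounded_int_array;

/* Bounds-checked read. Rejects i >= len instead of reading past the end.
 * i == len is the one-past-the-end position: data + len may be formed and
 * compared, but must never be dereferenced. */
bool bounded_get(const bounded_int_array *a, size_t i, int *out)
{
    if (a == NULL || a->data == NULL || out == NULL || i >= a->len) {
        return false;
    }
    *out = a->data[i];
    return true;
}

/* Once an array reaches a function it is just an int* (declaring the
 * parameter as int arr[10] is adjusted to int *arr by the language), so
 * sizeof yields sizeof(int*) / sizeof(int), not the element count 10. */
size_t decayed_element_count(int *arr)
{
    return sizeof(arr) / sizeof(arr[0]);
}

/* Forming foo + FOO_LEN and comparing it with foo + i is well defined:
 * the standard guarantees bar > foo + i for every i in 0 .. FOO_LEN-1. */
bool one_past_end_compares_greater(void)
{
    int foo[FOO_LEN] = {0};
    int *bar = foo + FOO_LEN;          /* one past the last element */
    for (size_t i = 0; i < FOO_LEN; i++) {
        if (!(bar > foo + i)) {
            return false;
        }
    }
    /* Deliberately no *bar here: reading or writing it is undefined behaviour. */
    return true;
}

/* Reads indices 0 .. FOO_LEN inclusive through the checked accessor and
 * returns how many were rejected (exactly one: the index FOO_LEN). */
int demo_bounds_check(void)
{
    int foo[FOO_LEN];
    for (int i = 0; i < FOO_LEN; i++) {
        foo[i] = i * i;                /* constructed sample data */
    }
    bounded_int_array a = { foo, sizeof(foo) / sizeof(foo[0]) };

    int rejected = 0;
    for (size_t i = 0; i <= FOO_LEN; i++) {
        int v;
        if (!bounded_get(&a, i, &v)) {
            rejected++;
        } else if (v != (int)(i * i)) {
            return -1;                 /* accessor returned the wrong element */
        }
    }
    return rejected;
}

int main(void)
{
    int foo[FOO_LEN] = {0};
    printf("one-past-end pointer compares greater: %d\n",
           one_past_end_compares_greater());
    printf("length seen inside a callee: %zu (not %d)\n",
           decayed_element_count(foo), FOO_LEN);
    printf("reads rejected by bounded_get for indices 0..%d: %d\n",
           FOO_LEN, demo_bounds_check());
    return 0;
}
```

decayed_element_count is the instructive failure: sizeof(foo) / sizeof(foo[0]) gives 10 at the definition site, but the same expression inside the callee gives the pointer-to-element size ratio (2 on a typical 64-bit target), which is why every C interface that takes an array must take the length as a separate parameter or bundle it as bounded_int_array does.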