comp.lang.ada
From: Dave Thompson <david.thompson1@worldnet.att.net>
Subject: Re: C's trikery semantic opens up backdoor in new Linux kernel
Date: Wed, 19 Nov 2003 04:13:57 GMT
Message-ID: <7uqlrv4l846co3ear20eotlkaj2t6aioho@4ax.com>
In-Reply-To: mailman.332.1068645284.25614.comp.lang.ada@ada-france.org

On Wed, 12 Nov 2003 14:38:06 +0100, Duncan Sands <baldrick@free.fr>
wrote:

> > >IMHO the real problem is that
<snip>
> > >uid is not an opaque type and can
> > >be changed with a simple assignment.  Much better if that required
> > >a function call.
> >
> > You can almost always find a workaround. The problem is to use it
> > every time and force people to use it.
> 
> I was under the impression that (using preprocessor trickery) it was possible
> to get the equivalent of an Ada private type in C.  Then everyone is forced
> to use function calls to get/set the value, unless they do type casts etc.
> In all cases, abuse would stand out more than it does now.
> 
There's nothing you can do with the C preprocessor that can't be done
directly in source -- because the preprocessor is a source-to-source
transform (actually source to lexed-source, but that's equivalent in
capability). The only compiler-enforced opaque types in C are
incomplete aka "forward" struct and union tags. And, probably sadly,
there are enough places in most large C programs where casts are
legitimately used that a few more don't stand out that much.

You can make it harder to find/see things, like typedefs, by burying
them in #include files, perhaps several layers deep in confusing
#if's, but they're there somewhere and someone who goes to the effort
can find and use them. You can use BIG_UGLY_NAMES that attract
scrutiny if actually written in source -- like Ada's UNCHECKED_* but
more so because you can't substitute lowercase.

For assignment, you can with a little extra work create and expose
only a const pointer to data that is actually variable; this then can
be assigned to only in code that has the "variable view" OR by casting
the pointer to non-const, which is at least mildly inconvenient.

- David.Thompson1 at worldnet.att.net
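The two C techniques the post describes, as an added example that is not part of the original thread: an incomplete struct tag as the one compiler-enforced opaque type, and a pointer-to-const "view" of data that only the owning module can write. It is written as a single translation unit so it compiles stand-alone; the `struct cred`, `cred_*` functions and `current_uid_view` names, the "only uid 0 may change a uid" policy, and the 1000 default uid are all constructed for the illustration and are not from the post or the Linux kernel.

```c
/* Added example, not code from the thread. In a real code base the
 * "public header" part below would be uid.h and the "private
 * implementation" part would be uid.c; they are in one file here so
 * the example compiles on its own. */
#include <stdio.h>
#include <stdlib.h>

/* ---------------- public header (what other modules see) ---------------- */

/* 1. Incomplete ("forward") struct tag. Client code can hold a pointer
 *    to a struct cred but cannot read, assign or even sizeof its members:
 *    "c->uid = 0;" in a module that sees only this header is a compile
 *    error, so every change has to go through cred_set_uid(). */
struct cred;                                   /* no definition here */
struct cred *cred_new(unsigned int uid);
void cred_free(struct cred *c);
unsigned int cred_uid(const struct cred *c);
/* Returns 0 on success, -1 if the policy check refuses the change. */
int cred_set_uid(struct cred *c, unsigned int new_uid,
                 const struct cred *caller);

/* 2. The "const view" trick. Clients get only a pointer to const, so
 *    "*current_uid_view = 0;" fails to compile; defeating it needs an
 *    explicit cast that stands out in review. */
extern const unsigned int *const current_uid_view;

/* ---------------- private implementation (uid.c) ---------------- */

struct cred {
    unsigned int uid;
};

/* Mutable only inside this module; exported through the const view. */
static unsigned int current_uid_storage = 1000u;    /* constructed default */
const unsigned int *const current_uid_view = &current_uid_storage;

struct cred *cred_new(unsigned int uid)
{
    struct cred *c = malloc(sizeof *c);
    if (c != NULL)
        c->uid = uid;
    return c;
}

void cred_free(struct cred *c)
{
    free(c);
}

unsigned int cred_uid(const struct cred *c)
{
    return c->uid;
}

int cred_set_uid(struct cred *c, unsigned int new_uid,
                 const struct cred *caller)
{
    /* The policy lives in exactly one place: a uid may only be changed
     * by a caller that already holds uid 0 (constructed policy). */
    if (caller == NULL || caller->uid != 0u)
        return -1;
    c->uid = new_uid;
    return 0;
}

/* The only writer of current_uid_storage; it is not in the header. */
void set_current_uid(unsigned int uid)
{
    current_uid_storage = uid;
}

/* Demo driver: an unprivileged cred cannot raise itself, root can. */
int main(void)
{
    struct cred *root = cred_new(0u);
    struct cred *user = cred_new(1000u);
    if (root == NULL || user == NULL)
        return 1;
    printf("self-elevation refused: %d\n", cred_set_uid(user, 0u, user));
    printf("root-driven change:     %d\n", cred_set_uid(user, 0u, root));
    printf("current uid via view:   %u\n", *current_uid_view);
    cred_free(root);
    cred_free(user);
    return 0;
}
```

The point worth noticing is that neither technique makes the data unwritable; it concentrates every legitimate write into one function that a reviewer can audit, and turns the illegitimate write from an innocuous-looking assignment into a cast or a reach into the private header, which is what the post means by abuse "standing out".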




Thread overview: 44+ messages
2003-11-12  3:17 C's trikery semantic opens up backdoor in new Linux kernel Adrian Hoe
2003-11-12  4:26 ` Stephane Richard
2003-11-12  5:13   ` J Cusick
2003-11-12  7:18     ` Vinzent 'Gadget' Hoefler
2003-11-12  7:50       ` Duncan Sands
2003-11-12 12:08         ` Vinzent 'Gadget' Hoefler
2003-11-12 13:38           ` Duncan Sands
2003-11-12 14:09             ` Vinzent 'Gadget' Hoefler
2003-11-13 21:04               ` Craig Carey
2003-11-14  6:45                 ` Freejack
2003-11-14  8:33                 ` Erlo Haugen
2003-11-14  9:44                   ` Vinzent 'Gadget' Hoefler
2003-11-14 10:16                     ` Dmitry A. Kazakov
2003-11-25 10:06                       ` Craig Carey
2003-11-25 11:20                         ` Dmitry A. Kazakov
2003-11-14 15:31                 ` Robert I. Eachus
2003-11-14 13:12               ` Georg Bauhaus
2003-11-14 13:31                 ` Duncan Sands
2003-11-14 14:56                 ` Vinzent 'Gadget' Hoefler
2003-11-14 15:08                   ` Georg Bauhaus
2003-11-14 15:38                     ` Duncan Sands
2003-11-14 17:57                       ` Georg Bauhaus
2003-11-14 15:47               ` Robert I. Eachus
2003-11-14 16:38                 ` Vinzent 'Gadget' Hoefler
2003-11-19  4:13             ` Dave Thompson [this message]
2003-11-21 15:34               ` Martin Krischik
2003-11-23  2:20                 ` Hyman Rosen
2003-11-27  4:22                 ` Dave Thompson
2003-11-28 14:01                   ` Hyman Rosen
2003-11-12 17:37       ` tmoran
2003-11-12 18:03       ` Warren W. Gay VE3WWG
2003-11-12  8:51     ` Adrian Hoe
2003-11-12 12:32       ` Preben Randhol
2003-11-13  5:50         ` Chad R. Meiners
2003-11-12 22:59       ` Wes Groleau
2003-11-14  3:31         ` Adrian Hoe
2003-11-14 11:00           ` Dmytry Lavrov
2003-11-15  5:00             ` Adrian Hoe
2003-11-15  5:02             ` Adrian Hoe
2003-11-16 11:29               ` Dmytry Lavrov
2003-11-17 17:07                 ` Warren W. Gay VE3WWG
2003-11-16 11:35             ` Dmytry Lavrov
2003-11-15 19:30           ` Wes Groleau
2003-11-12  8:52   ` Adrian Hoe