From: Antti Sykari <jsykari@gamma.hut.fi>
Subject: Re: Ada style of passing 'in' parameters considered dangerous?
Date: Tue, 11 Feb 2003 13:49:38 GMT
Date: 2003-02-11T13:49:38+00:00 [thread overview]
Message-ID: <86adh3q6g2.fsf@hoastest1-8c.hoasnet.inet.fi> (raw)
In-Reply-To: 17cd177c.0302110114.2c46b52@posting.google.com
gautier_niouzes@hotmail.com (Gautier) writes:
>> - If there are such cases, could it have been prevented by having
>> different policy in the language? Do you think it would've been
>> better to force the programmer to specify the parameter passing
>> mechanism, for example?
>
> Yes and no: the explicit passing mechanism has the advantage of
being
> ...explicit, but it is not always optimal according to target
system.
> The "in,in/out,out" is very readable and catches a lot of errors.
> The "in", especially, ensures a fast mode and avoiding an explicit
> modification. The security problem happens rarely, but it happens.
>
> I'd suggest that compilers issue a warning when the following
> conditions meet:
> - there are parameters of the same type, some IN, some [IN] OUT
> - the compiler decides to pass the IN by reference
> - an IN parameter is referenced after an IN OUT was modified
> and also:
> - for a call, when the same variable is passed to an IN
> by reference and an [IN] OUT (it doesn't solve the issue of
> ".all" objects!).
I don't think this is enough. For example, you can pass a largish
part of a record as an IN OUT parameter (I think you can: I'm not
exactly an Ada expert), and the record itself as IN parameter, and
modify your IN parameter that way.
Or you could call any other subprogram which has access to the record,
and modify it that way. In fact, any subprogram call could change it,
so it's really impossible to know when to warn. You should be able to
guarantee that an IN OUT object is unchanged (unless don't change it
directly yourself) and that an IN object is unchanged.
One (partial) solution would be restricted types, which guarantee that
they are the only means to change the object which they denote. (As
with C99's restrict-qualified pointers, which are there primarily to
allow optimization and don't change the meaning of a correct program).
However, I'm not sure if you can actually trust the compiler to catch
all errors even in the presence of such types. In C99, for example,
you can still have two restrict-qualified pointers to the same array
if you promise not to use them to access the same values.
Maybe they would be more useful in a more sophisticated type system
(such as Ada's) - or maybe not. A complicated thing.
-Antti
next prev parent reply other threads:[~2003-02-11 13:49 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-02-08 22:24 Ada style of passing 'in' parameters considered dangerous? Antti Sykari
2003-02-09 0:41 ` James S. Rogers
2003-02-09 2:11 ` Robert A Duff
2003-02-09 2:25 ` Jeffrey Carter
2003-02-11 8:39 ` Gautier
2003-02-09 2:01 ` Robert A Duff
2003-02-09 2:33 ` Vinzent Hoefler
2003-02-09 6:07 ` Richard Riehle
2003-02-09 7:13 ` Robert I. Eachus
2003-02-10 4:40 ` Martin Dowie
2003-02-09 2:08 ` Jeffrey Carter
2003-02-10 0:13 ` Leif Holmgren
2003-02-10 9:49 ` Rod Chapman
2003-02-11 9:14 ` Gautier
2003-02-11 13:49 ` Antti Sykari [this message]
2003-02-11 17:18 ` Gautier
2003-02-11 17:29 ` Vinzent Hoefler
2003-02-12 1:09 ` Richard Riehle
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox