From: LLeweLLyn <llewelly.at@xmission.dot.com>
Subject: Re: C bug of the day
Date: 14 Jun 2003 05:53:26 -0400
Date: 2003-06-14T05:53:26-04:00 [thread overview]
Message-ID: <m1adcmt0xq.fsf@xmission.dot.com> (raw)
In-Reply-To: Xns9398C378C97C4jimmaureenrogers@204.127.36.1
James Rogers <jimmaureenrogers@att.net> writes:
> "Balog Pal" <pasa@lib.hu> wrote in news:3ee8901a@andromeda.datanet.hu:
>
> > "James Rogers" <jimmaureenrogers@att.net> wrote in message
> > news:Xns9397C17B49692jimmaureenrogers@204.127.36.1...
> >
> >> Interesting. Do you think the fundamental safety problem in C code
> >> is ininitialized integers?
> >
> > Not "the" bat a very seriously fundamental problem I find in practice.
> >
> >> What about memory leaks
> >
> > Memleaks: I find not a problem in C++. (it is in C) [user shall not
> > handle memory in C++, containers and self-managing classes can solve
> > that
> > problem.]
>
> Do you ever deal with C++ code written using C style primitives such
> as arrays? I understand that such code still exists.
Yes, it does, and will continue to do so - std::vector<> handles dynamic
memory allocation nicely, but if one must avoid dynamic memory
allocation, one must either use an array, or download an
apropriate array wrapper. Additionally, std::vector<> is for
variable sized arrays, and not all arrays should be variable
sized.
IMO the real solution to this is for more implementations to provide
bounded pointers - unfortunately, that doesn't happen. What C++
needs is a revolt against the old gaurd that fails to provide such
things simply because they have always failed to provide such
things.
>
> >
> >> de-referencing
> >> null pointers, and array bounds violations?
> >
> > null pointers: not really. Dangling pointers is a problem. But it is not
> > a
> > coding-level problem but more generic, object lifetime problem on the
> > design
> > level.
>
> I agree that pointer lifetime issues are a design issue. One of the
> sometimes more difficult rules in Ada deals with pointer lifetime
> issues. (In Ada they are called access variables, but the lifetime
> issue applies here.) The language has very strict rules about access
> value lifetimes. The compilers enforce those rules. The result is
> a very low occurrance of dangling pointers.
In C++ one downloads, writes, or finds in the standard library a smart
pointer that (via the compiler) enforces such rules. No, this is
not as good as what Ada access types provide; though the
functionality may be as good or better, the fact that standard
library only provides one kind (an IMO auto_ptr is not a
particularly good kind of smart pointer), is in practice a
significant, but not insurmountable, problem in encouraging the
use of safer smart pointers.
> >
> > Array bounds: C, not C++. As normally in C++ we use containers, and
> > those do
> > bounts checks in debug build, that's enough to cath the typos/offby1
> > goofing. Generally.
>
> Again, what about C++ code written using C style primitives such as
> strings and other forms of arrays?
>
> What C++ allows, and provides for "free" with the STL, is the
> ability to wrap the C style primitives such as arrays in a class,
> with all the bounds checking built into the class.
>
> This provides safety at the expense of some efficiency. Although
> the STL is part of the language definition, it is not part of the
> language syntax. A C++ compiler cannot optimize out bounds checks
> from STL or other container classes.
I think you have some minor misunderstaings here. First, the ISO C++
standard says nothing about bounds checking of standard library
iterators, and if one is not careful about the bad habit of
passing references to containers to functions, one can get some
nasty surprises from iterator invalidation rules. If one misuses
an iterator, either via a container operation that invalidates it,
or via an arithmetic operation that takes it out of bounds, the
ISO C++ standard says (essentially) 'the behavior is
undefined'. This has obvious drawbacks.
In practice, several implementations provide a 'debug mode' behavior,
which throws exceptions, or aborts with appropriate error
messages, when one does inappropriate things with iterators, and a
'release mode' behavior, where 'undefined behavior' is some
compromise between best performance, and whatever the implementor
found most convienient. One can usually use what amount to
compiler flags to change modes, though since the standard library
provider is sometimes not the same as the core language provider,
these flags may be interesting. :-)
Second, while no compiler I know of does this, I believe it is
possible to optimize bounds checking out of a bounds checked
standard library implementation, though it likely requires
extensive co-operation between standard library provider and
compiler provider (again, sometimes not the same entity) to be
practical.
>
> > My guess is "we're cool guys not using lint". ;-o
In my experience this and related problems have everything to do with
ignorance, and nothing to do with thinking 'we're cool ...'
I've said it before, and I'll say it again - ignorance is C++'s worst
problem. Having Ada's safer defaults, checks, etc, would help, but
not has much as an aggressive campaign against ignornace. (And in
practice such a campaign would be necessary part of getting
Ada-like safer defaults and checks in C++.)
> > btw lint will pick every case of uninited variable I guess, how you tell
> > it
> > to pass those you actually want uninited?
> >
> >> The reason is that many programmers neglect to use tools such as
> >> lint, which support my point. Programmers are frequently lazy.
> >
> > Well, if it was part of the package -- I still don't know whether I used
> > it
> > or not. (More probably yes.) with C++ it's quite a crude tool, isn't
> > it?
>
> Do modern C++ compilers produce the level of diagnostic output available
> from (or better than) lint?
For the cases of uinitialized variables, type checking, things that
are not too hard to detect and almost certainly wrong, the answer
is often yes - but for higher level tasks the answer is no.
>
> >
> > Can you tune it to pick up most real problems while not producing 10
> > times
> > more noise?
>
> This has always been an issue with lint. Tuning the output to give
> no false reports while still not missing any real problems is not
> easy.
> >
> >> A language that requires extra work to achieve safety will
> >> frequently be used to create unsafe programs. This is not
> >> because it is impossible to create safe programs with the language.
> >> It is because doing so requires extra work.
> >
> > Sure, that's why the other poster claimed the uninitialised is a bad
> > default
> > behavior.
>
> I agree it is bad. I just did not think it was the most often encountered
> problem.
I don't think it is the most often encountered problem either. I've
worked in some places with awful coding habits, but everywhere
I've been the compiler warning flags for uninitialised variables
are used and heeded.
>
> Ada goes a bit further in this area than most C++ programs.
> Ada allows you to define your own numeric types (as primitives, not
> classes). You are allowed to define several characteristics about
> these types.
>
> type My_Index is range 1..10;
That's possible in C++, but it isn't that easy - it could be, but
neither the standard library (nor boost) provide ranged integers.
>
> The above line defines an integer type with a valid range of values
> from 1 through 10 inclusive. Now, let's combine that definition with
> an array type definition:
>
> type Nums is array (My_Index) of Float;
>
> This defines an array type indexed by the type My_Index. Each element
> of the array is a Float.
>
> The compiler can now optimize out bounds checking for accessing
> an array of Nums. The only index type allowed is type My_Index.
> Every possible value of that type maps to an array element.
>
> Trying to assign an out of range value to a variable of My_Index
> causes the program to raise the exception Constraint_Error at run
> time.
[snip]
Hm. This sounds like the bounds checking is not being optimized out,
but moved from the array to the index type. This seems an
improvement - I suspect assigments to index variables are somewhat
less common than using them in the array, but the compiler still
can't get rid of all checks. (Yes this is still an improvement
over the C++ situation w.r.t. to bounds checking.)
[synch stuff snipped]
[ Send an empty e-mail to c++-help@netlab.cs.rpi.edu for info ]
[ about comp.lang.c++.moderated. First time posters: do this! ]
next prev parent reply other threads:[~2003-06-14 9:53 UTC|newest]
Thread overview: 195+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-06-03 13:38 C bug of the day Hyman Rosen
2003-06-03 21:35 ` Ron Natalie
2003-06-03 21:38 ` John H. Lindsay
2003-06-04 13:25 ` Hyman Rosen
2003-06-03 21:49 ` Warren W. Gay VE3WWG
2003-06-04 13:26 ` Hyman Rosen
2003-06-05 7:35 ` Raoul Gough
2003-06-04 17:59 ` Carlos Moreno
2003-06-04 18:02 ` Ken Hagan
2003-06-10 16:51 ` Matthew Heaney
2003-06-04 18:05 ` Peter van Merkerk
2003-06-05 7:36 ` Hyman Rosen
2003-06-05 15:58 ` Terje Slettebø
2003-06-05 20:51 ` Dave Harris
2003-06-10 13:20 ` kanze
2003-06-10 13:40 ` Vinzent Hoefler
2003-06-10 13:51 ` Preben Randhol
2003-06-10 20:32 ` Jim Rogers
2003-06-11 4:01 ` Wesley Groleau
2003-06-11 4:25 ` Hyman Rosen
2003-06-11 9:41 ` kanze
2003-06-11 9:31 ` kanze
2003-06-11 12:48 ` James Rogers
2003-06-11 16:43 ` Wesley Groleau
2003-06-11 21:41 ` Mike Silva
2003-06-12 12:39 ` kanze
2003-06-12 12:52 ` Preben Randhol
2003-06-13 1:32 ` James Rogers
2003-06-13 9:37 ` AG
2003-06-13 12:21 ` Peter Amey
2003-06-13 13:38 ` Ed Falis
2003-06-13 14:43 ` kanze
2003-06-13 16:06 ` Wesley Groleau
2003-06-13 21:32 ` AG
2003-06-11 9:22 ` kanze
2003-06-11 9:49 ` Erlo Haugen
2003-06-11 10:11 ` Vinzent Hoefler
2003-06-11 10:50 ` Erlo Haugen
2003-06-11 11:08 ` Vinzent Hoefler
2003-06-11 11:29 ` Erlo Haugen
2003-06-11 11:58 ` Vinzent Hoefler
2003-06-11 12:38 ` Erlo Haugen
2003-06-11 12:59 ` Vinzent Hoefler
2003-06-11 13:13 ` Erlo Haugen
2003-06-12 3:26 ` Wesley Groleau
2003-06-12 20:24 ` Pascal Obry
2003-06-13 23:40 ` Randy Brukardt
2003-06-14 10:57 ` Replacement for Text_IO? (was Re: C bug of the day) Dale Stanbrough
2003-06-16 22:06 ` Randy Brukardt
2003-06-16 22:35 ` Gautier Write-only
2003-06-17 1:31 ` Randy Brukardt
2003-06-17 1:56 ` Dale Stanbrough
2003-06-17 8:46 ` Georg Bauhaus
2003-06-17 11:42 ` Dale Stanbrough
2003-06-17 12:53 ` Larry Kilgallen
[not found] ` <sqilr-9d3.ln1@beastie.ix.netcom.com>
2003-06-12 7:35 ` Compilers on old machines (was: " Vinzent Hoefler
2003-06-13 23:33 ` C bug of the day Randy Brukardt
2003-06-16 11:23 ` Vinzent Hoefler
2003-06-16 21:41 ` Randy Brukardt
2003-06-16 21:45 ` Vinzent Hoefler
2003-06-17 10:52 ` Replacement for Text_IO? (was Re: C bug of the day) Larry Kilgallen
2003-06-11 10:36 ` C bug of the day Peter Hermann
2003-06-11 10:43 ` Erlo Haugen
2003-06-11 13:12 ` Bernd Trog
2003-06-11 16:40 ` Warren W. Gay VE3WWG
2003-06-12 7:16 ` Erlo Haugen
2003-06-11 16:40 ` Wesley Groleau
2003-06-11 16:59 ` Larry Kilgallen
2003-06-12 3:28 ` Wesley Groleau
2003-06-11 18:05 ` Robert I. Eachus
2003-06-12 12:56 ` kanze
2003-06-11 22:31 ` Kevin Cline
2003-06-12 7:06 ` Vinzent Hoefler
2003-06-12 18:40 ` Mike Silva
2003-06-12 19:03 ` Robert I. Eachus
2003-06-13 15:07 ` kanze
2003-06-13 15:23 ` Vinzent Hoefler
2003-06-12 10:21 ` Georg Bauhaus
2003-06-12 21:58 ` Matthew Heaney
2003-06-13 15:13 ` kanze
2003-06-14 6:10 ` Simon Wright
2003-06-12 14:23 ` kanze
2003-06-13 1:52 ` James Rogers
2003-06-13 15:24 ` kanze
2003-06-13 15:31 ` Vinzent Hoefler
2003-06-14 10:37 ` Preben Randhol
2003-06-14 6:12 ` Simon Wright
2003-06-14 14:39 ` Larry Kilgallen
2003-06-12 17:33 ` Matthew Heaney
2003-06-12 20:38 ` Simon Wright
2003-06-10 16:55 ` Preben Randhol
2003-06-11 10:10 ` James Rogers
2003-06-12 0:12 ` Andrei Alexandrescu
2003-06-12 9:23 ` James Rogers
2003-06-12 10:27 ` Andrei Alexandrescu
2003-06-13 8:16 ` James Rogers
2003-06-13 15:55 ` Terje Slettebø
2003-06-14 9:57 ` Ron Natalie
2003-06-14 20:27 ` Terje Slettebø
2003-06-16 22:46 ` kanze
2003-06-16 22:54 ` Ron Natalie
2003-06-15 0:07 ` Dave Harris
2003-06-16 22:50 ` kanze
2003-06-17 15:33 ` Dave Harris
2003-06-15 1:54 ` Wesley Groleau
2003-06-15 10:07 ` Terje Slettebø
2003-06-18 21:15 ` Balog Pal
2003-06-14 20:27 ` Francis Glassborow
2003-06-15 10:06 ` Terje Slettebø
2003-06-15 18:31 ` Francis Glassborow
2003-06-16 8:45 ` Terje Slettebø
2003-06-16 22:42 ` Francis Glassborow
2003-06-17 17:51 ` kanze
2003-06-18 15:47 ` John Potter
2003-06-15 15:04 ` John Potter
2003-06-15 21:55 ` Francis Glassborow
2003-06-16 9:06 ` John Potter
2003-06-16 22:43 ` Francis Glassborow
2003-06-13 19:22 ` Hyman Rosen
2003-06-14 9:50 ` kanze
2003-06-14 9:51 ` Wesley Groleau
2003-06-14 10:01 ` Dave Harris
2003-06-15 0:45 ` Terje Slettebø
2003-06-15 18:12 ` Dave Harris
2003-06-16 22:52 ` kanze
2003-06-17 10:46 ` Larry Kilgallen
2003-06-14 10:15 ` Andrei Alexandrescu
2003-06-14 16:16 ` Simon Wright
2003-06-18 21:15 ` Balog Pal
2003-06-12 19:43 ` Balog Pal
2003-06-13 8:17 ` James Rogers
2003-06-13 19:10 ` Terje Slettebø
2003-06-14 9:53 ` LLeweLLyn [this message]
2003-06-14 17:10 ` Addding new attributes to Ada0Y Robert I. Eachus
2003-06-12 13:25 ` C bug of the day kanze
2003-06-13 0:39 ` Larry Kilgallen
2003-06-13 21:25 ` LLeweLLyn
2003-06-13 23:42 ` Wesley Groleau
2003-06-16 22:53 ` kanze
2003-06-17 15:43 ` Terje Slettebø
2003-06-18 1:41 ` Wesley Groleau
2003-06-18 13:52 ` Hyman Rosen
2003-06-18 14:37 ` Vinzent Hoefler
2003-06-18 15:17 ` Hyman Rosen
2003-06-19 8:30 ` Dmitry A. Kazakov
2003-06-19 23:33 ` Hyman Rosen
2003-06-20 1:18 ` Wesley Groleau
2003-06-20 4:56 ` Robert I. Eachus
2003-06-20 5:05 ` Hyman Rosen
2003-06-20 5:54 ` Robert I. Eachus
2003-06-20 7:10 ` Dmitry A. Kazakov
2003-06-20 21:12 ` Mark A. Biggar
2003-06-21 7:28 ` Dmitry A. Kazakov
2003-06-18 21:12 ` kanze
2003-06-19 3:24 ` James Rogers
2003-06-19 14:02 ` kanze
2003-06-19 23:29 ` tmoran
2003-06-20 9:38 ` Hyman Rosen
2003-06-20 12:25 ` kanze
2003-06-24 1:59 ` Matthew Heaney
2003-06-20 0:42 ` Jim Rogers
2003-06-20 9:38 ` Wesley Groleau
2003-06-20 9:39 ` Hyman Rosen
2003-06-19 4:28 ` Wesley Groleau
2003-06-20 23:02 ` Stephen Leake
2003-06-21 19:41 ` Dave Harris
2003-06-23 0:02 ` Terje Slettebø
2003-06-23 15:51 ` Dave Harris
2003-06-17 10:35 ` Andy Sawyer
2003-06-17 17:48 ` Ludovic Brenta
2003-06-17 17:52 ` Larry Kilgallen
2003-06-18 14:10 ` Preben Randhol
2003-06-18 15:39 ` Andy Sawyer
2003-06-13 8:00 ` Mike Silva
2003-06-15 0:40 ` Robert I. Eachus
2003-06-16 22:57 ` kanze
2003-06-13 8:05 ` Wesley Groleau
2003-06-14 9:56 ` LLeweLLyn
2003-06-15 0:42 ` Ed Avis
2003-06-15 10:01 ` LLeweLLyn
2003-06-15 21:59 ` Ed Avis
2003-06-16 9:04 ` Wesley Groleau
2003-06-15 0:45 ` Wesley Groleau
2003-06-13 8:17 ` James Rogers
2003-06-14 9:52 ` kanze
2003-06-15 0:43 ` James Rogers
2003-06-15 18:48 ` Garbage Collector [Was: C bug of the day] Martin Krischik
2003-06-16 23:30 ` Robert A Duff
2003-06-17 3:51 ` Robert I. Eachus
2003-06-14 16:22 ` Bounded integer types (was: C bug of the day) Ed Avis
2003-06-03 21:59 ` C bug of the day Mike Silva
2003-06-04 16:41 ` LLeweLLyn
2003-06-04 22:37 ` Wesley Groleau
2003-06-09 23:50 ` Balog Pal
2003-06-21 19:26 ` Florian Weimer
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox