Plenty of unnecessary contraint tests (Was: Size code Ada and C)

comp.lang.ada
 help / color / mirror / Atom feed

From: pfk@schnecke.offl.uni-jena.de (Frank Klemm)
Subject: Plenty of unnecessary contraint tests (Was: Size code Ada and C)
Date: 1998/07/09
Date: 1998-07-09T00:00:00+00:00	[thread overview]
Message-ID: <slrn6q9dnh.9o.pfk@schnecke.offl.uni-jena.de> (raw)
In-Reply-To: 359A53E2.41C6@lanl.gov

robin wrote:
> <snip>
> It's never a good idea in a real-time system to
> avoid run-time checks.  A run-time check on the magnitude
> would have caught the error and would not have caused
> the total failure of Ariane 5.
> <snip>
>
Ada was designed to make it possible to do range checking.

Array index boundary checking is always a good idea, because out-of-boundary
write access is a very bad idea.

Arithmetic boundary checking is problem depending, it is dangerous on
arbitrary set boundaries (i.e. balance of an checking account for non
commercian usage: range -99_999.99 .. 999_999.99).

So on the security point of view array index checking should be always on.

Now another problem. Boundary checks cost CPU time. This CPU time can be
minimized. So I tested the behaviour of gnat. The main problem of gnat is, that the 
compiler do test the ranges of a value every time it needs this value.
That's a very time consumpting behaviour.

1. problem: unneccesary tests
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Every variable need an internal boundary attribute to determine
   possible ranges of a variable to avoid this.

=========================================================================   
procedure a1 is

  j : integer range 1..10;
  s : integer;
  
begin

  s := 0;
  for i in 0 .. 9 loop
    j := i + 1;
    ...
  end loop;

end a1;
==========================================================================
	xorl %ecx,%ecx
	xorl %edx,%edx
	.align 4
.L5:
	incl %edx
	testl %edx,%edx		-- perfect nonsense
	jle .L8
	cmpl $10,%edx		-- perfect nonsense
	jle .L6
.L8:
	call __gnat_raise_constraint_error	-- never called at all
	.align 4
.L6:
        ...
	cmpl $9,%edx
	jle .L5
==========================================================================
Example was generated with -O2, 

Another example:
==========================================================================

  ...
  
  prim : array (0 .. 1_000_000) of boolean;
  
begin

  -- Initialisierung
  for i in prim'range loop
    prim(i) := true;	--  rep stosb  or  rep stosd is much more efficient
  end loop;
  
  prim(0) := false;
  prim(1) := false;
  
  -- Sieben
  for i in 0 .. 1_000 loop
    if prim(i) then	-- really unnecessary boundary test
      siebe:
        declare
          k : natural;
        begin
          k := 2*i;		-- k is > 0
          while k <= 1_000_000 loop
            prim(k) := false;	-- index test unneccesary, k *is* k<=1_000_000
            k := k + i;		-- increment
          end loop;
      end siebe;
    end if;
  end loop;
  
  -- Ausgabe
  for i in prim'range loop
    if prim(i) then		-- i *is* in range of of prim'range, no test necessary
      Put_Int(i);
      Put(" ");
    end if;
  end loop;

==========================================================================
   
I tested several examples and found out, that gnat never do such a compile
time checking for unneccesary boundray tests. Removing redundant tests
results in a speedup of 120% (x2.2) on my computer for some small programs.

You can always disable range checking in Ada, but was this the idea of Ada ???

var'cmin is in the following notation the smallest possible value, var'cmax
the largest.

Possible compile time range:

 i : integer range a..b;		-- i can only be in the range a..b;
 
 i := 12;				-- i can only be in the range 12..12;
 
 j := a + b;				-- j can only be in the range a'cmin+b'cmin..a'cmax+b'cmax
 j := c + 1;				-- j can only be in the range c'cmin+1..c'cmax+1
 
 j := nat1 * nat2;			-- j can only be in the range a'cmin*b'cmin..a'cmax*b'cmax
 k := int1 * int2;			-- if int1 and int2 can be <0 it's a little bit more difficult
 
 for i in arr'range loop		-- i can only in arr'range
 
 if i < 1000 then .... end fi;		-- for .... i must be <1000
 
 j := array[i]; ....			-- for .... i must be in array'range				
 
 if cond then a1; else a2; end fi; ....	-- for .... the variable ranges in a1 and a2 must be merged

 
2. problem: bad assembler code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   * test of var in 0..max
   
     It will be tested, that (signed)var < 0 and (signed)var > max,
     faster is a simple test (unsigned)var > max .
   
     Why build one when you can build two for twice the price?
  
   * always jump around the exception call
   
     Extremly slow on CPUs with no jump prediction or if the jump prediction
     buffer overflows.

-- 
Frank Klemm

 /------\  /-----------------------------------------------------\
| eMail: || pfk@uni-jena.de | home: pfk@schnecke.offl.uni-jena.de |
| Tel:   ||                 | home: +49 (3641) 390545             |
| sMail: ||  Frank Klemm, Ziegesarstr. 1, D-07747 Jena, Germany   |
 \------/  \-----------------------------------------------------/

next prev parent reply	other threads:[~1998-07-09  0:00 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <35921271.E51E36DF@aonix.fr>
     [not found] ` <3598358A.73FF35CC@pipeline.com>
     [not found]   ` <dewar.899298949@merv>
1998-07-03  0:00     ` Performance Ada and C, was Re: Size code Ada and C Van Snyder
1998-07-03  0:00       ` Performance " Markus Kuhn
1998-07-03  0:00         ` Robert Dewar
1998-07-03  0:00           ` Markus Kuhn
1998-07-04  0:00             ` ak
1998-07-07  0:00             ` Frank Klemm
1998-07-13  0:00               ` Daren Scot Wilson
     [not found] ` <m3zpf1tyr8.fsf@zaphod.enst.fr>
     [not found]   ` <6mtiv0$9j3@gcsin3.geccs.gecm.com>
     [not found]     ` <dewar.898962846@merv>
     [not found]       ` <6n8393$hoi$2@platane.wanadoo.fr>
     [not found]         ` <6n84im$79q@gcsin3.geccs.gecm.com>
     [not found]           ` <m3u35470ds.fsf@zaphod.enst.fr>
     [not found]             ` <6n8b7u$9hm@gcsin3.geccs.gecm.com>
     [not found]               ` <m3vhpk5f0d.fsf@zaphod.enst.fr>
     [not found]                 ` <3597db2d.1017430@news.demon.co.uk>
     [not found]                   ` <EACHUS.98Jun30173656@spectre.mitre.org>
1998-07-03  0:00                     ` Size code " John McCabe
1998-07-03  0:00                       ` Larry Elmore
1998-07-03  0:00                         ` John McCabe
1998-07-07  0:00                         ` Robert I. Eachus
     [not found]         ` <dewar.899298821@merv>
1998-07-07  0:00           ` Robert I. Eachus
     [not found]       ` <6n7jut$al0$1@nnrp1.dejanews.com>
     [not found]         ` <6navqt$shc$1@goanna.cs.rmit.edu.au>
     [not found]           ` <359A53E2.41C6@lanl.gov>
     [not found]             ` <dewar.899334821@merv>
     [not found]               ` <6nfp0v$dgl@gcsin3.geccs.gecm.com>
1998-07-02  0:00                 ` Ariane 5 failure (Was: Size code Ada and C) Jean-Pierre Rosen
1998-07-03  0:00             ` robin
1998-07-02  0:00               ` William Clodius
1998-07-09  0:00             ` Frank Klemm [this message]
1998-07-09  0:00               ` Plenty of unnecessary contraint tests " Robert Dewar
1998-07-10  0:00                 ` Frank Klemm
1998-07-10  0:00               ` Ariane 5 failure " Dale Stanbrough
1998-07-10  0:00                 ` John McCabe
1998-07-10  0:00                   ` Frank Klemm
1998-07-10  0:00                   ` Pat Rogers
1998-07-10  0:00               ` Plenty of unnecessary contraint tests " Robert S. White

replies disabled

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox