comp.lang.ada
 help / color / mirror / Atom feed
From: "Jeffrey R. Carter" <spam@spam.com>
Subject: Re: Buffer overflow Article - CACM
Date: Thu, 01 Dec 2005 17:58:54 GMT
Date: 2005-12-01T17:58:54+00:00	[thread overview]
Message-ID: <yRGjf.2661$YT3.1128@newsread3.news.pas.earthlink.net> (raw)
In-Reply-To: <1133427713.922566.268390@g43g2000cwa.googlegroups.com>

Harald Korneliussen wrote:
> 
> Thank you, that's very interesting. I'm still a bit sceptical about
> this static-sized internal structures thing, though. Isn't programming
> without dynamic allocation difficult? Last time I did it was in
> Commodore Basic, and that's because I didn't know how to do it then :-)
> 
> I would think that some software (for instance the browser and
> windowing system I'm using now) would be practically impossible to
> write in SPARK or similar languages?

SPARK is primarily for critical SW, where max sizes for things are typically 
known at compile time. But one can use SPARK for only the critical parts of a 
system, hiding the rest of the system from the SPARK tools.

Consider a stack of Integers:

package Integer_Stack
--# own State;
--# initializes State;
is
    function Is_Empty return Boolean;
    --# global State;

    procedure Clear;
    --# global out State;
    --# derives State from ;
    --
    --# post Is_Empty (State);

    procedure Push (Item : in Integer);
    --# global in out State;
    --# derives State from State, Item;
    --
    --# post not Is_Empty (State);

    procedure Pop (Item : out Integer);
    --# global in out State;
    --# derives State, Item from State;
    --
    --# pre not Is_Empty (State);
end Integer_Stack;

Now you can implement Integer_Stack in SPARK. Or you could hide the 
implementation from SPARK. In that case, it could use an instantiation of 
PragmARC.Stack_Bounded, adhering to the spirit of SPARK (static size) but not 
the letter (no generics). Or it could use an instantiation of 
PragmARC.Stack_Unbounded and have a dynamic size. (I deliberately omitted 
Is_Full and pre/post-conditions about fullness to allow such an implementation.)

SPARK puts 2 kinds of restrictions on Ada. There are restrictions that are 
needed to allow the kinds of analysis SPARK does, and there are restrictions to 
ensure everything is sized statically (of course, some fall into both 
categories). When you're writing SW for a PC, you generally can assume lots of 
storage and might be willing to allow dynamic sizing. It would be nice to still 
be able to do the SPARK analysis and be more confident that your SW is correct. 
That would entail an option to the tools that turns off the 2nd kind of 
restriction checking. I'm not even sure that would be possible, but I'd find it 
useful if it were.

-- 
Jeff Carter
"You tiny-brained wipers of other people's bottoms!"
Monty Python & the Holy Grail
18



      parent reply	other threads:[~2005-12-01 17:58 UTC|newest]

Thread overview: 58+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-11-13  5:14 Buffer overflow Article - CACM adaworks
2005-11-13  7:35 ` tmoran
2005-11-13  8:49 ` Martin Krischik
2005-11-13 11:55   ` Georg Bauhaus
2005-11-13 14:58     ` Florian Weimer
2005-11-14 13:44       ` Marc A. Criley
2005-11-14 19:13     ` Martin Krischik
2005-11-13 15:02 ` Florian Weimer
2005-11-13 15:44 ` Stephen Leake
2005-11-14 14:40   ` adaworks
2005-11-13 23:57 ` Jeffrey R. Carter
2005-11-14  6:51   ` Martin Dowie
2005-11-14 17:55     ` Jeffrey R. Carter
2005-11-15  9:14       ` Martin Dowie
2005-11-14  7:09   ` Pascal Obry
2005-11-14  8:35     ` Dmitry A. Kazakov
2005-11-14 20:57       ` Simon Wright
2005-11-15  8:49         ` Dmitry A. Kazakov
2005-11-15 14:03           ` Georg Bauhaus
2005-11-15 15:14             ` Dmitry A. Kazakov
2005-11-15 22:32               ` Georg Bauhaus
2005-11-16  1:21                 ` Robert A Duff
2005-11-16  9:26                 ` Dmitry A. Kazakov
2005-11-16 13:02                   ` adaworks
2005-11-17 11:13                     ` Martin Dowie
2005-11-14 17:58     ` Jeffrey R. Carter
2005-11-14 18:44       ` Larry Kilgallen
2005-11-25  5:56       ` Christopher Browne
2005-11-26  1:31         ` Jeffrey R. Carter
2005-11-27 21:36         ` adaworks
2005-11-28 12:12           ` Simon Clubley
2005-12-01  2:35           ` robin
2005-12-01  7:05             ` adaworks
2005-12-03 13:42               ` robin
2005-12-03 18:18                 ` adaworks
2005-12-12  1:23                   ` robin
2005-12-31  7:39                   ` robin
2005-12-31 17:03                     ` Georg Bauhaus
2006-01-01 12:12                     ` Martin Krischik
2006-01-01 23:12                       ` robin
2006-01-02  3:37                         ` jimmaureenrogers
2006-01-12 22:10                           ` robin
2006-01-03  9:52                         ` Georg Bauhaus
2006-01-12 22:10                           ` robin
2006-01-12 22:36                             ` Georg Bauhaus
2006-01-13 19:53                             ` Keith Thompson
2006-01-13 20:22                               ` Dan Nagle
2006-01-14 17:50                               ` Björn Persson
     [not found]                             ` <12ces1lv5dvm6pifdapj11o1hrtlm6ec7q@4ax.com>
2006-01-13 23:28                               ` robin
2005-11-30 15:27         ` robin
2005-11-14 10:17   ` Peter Amey
2005-11-29  8:16     ` Harald Korneliussen
2005-11-29 10:48       ` Peter Amey
2005-11-30 21:21       ` Brian May
2005-12-01  5:36         ` Jeffrey R. Carter
2005-12-01  9:01           ` Harald Korneliussen
2005-12-01 11:21             ` Martin Dowie
2005-12-01 17:58             ` Jeffrey R. Carter [this message]

replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox