[Prev][Next][Index][Thread]
Re: Memory safe implementations of C/C++
Corky, Phil --
Happy New Year!
When you say:
> Ellis and Detlefs did the pioneering work on the memory-safe implementation
> of C/C++ almost a decade ago. See
>
> http://citeseer.nj.nec.com/ellis93safe.html
It may be that you're too kind. Or perhaps accurate, if "pioneering"
means "early and leaving lots of room for later improvement" :-)
I'm just learning about CCured (and, in a very similar vein, Cyclone
language from Cornell and AT&T). One advantage both of these have
over our original proposal is that we made some draconian restrictions
that these proposals relax. One of these, for example, is that we
declared it illegal to take the address of an automatic (i.e., local)
variable; the fear being that this address might be stored in some
data structure, and persist the lifetime of the variable whose address
was taken. This operation is allowed by (in controlled ways) by
CCured and by Cyclone. This is important for C, because the idiom
T var;
foo(&var);
is how call-by-reference is coded. Note that our proposal was
explicitly for C++ rather than C, making the situation is somewhat
different. C++ adds "reference" types, so the above could be coded by
declaring foo's argument to be a "T&":
void foo(T& v);
Then the address of "var" is implicitly taken at the call site:
T var;
foo(var);
There are restrictions on the use of reference types (T&) in C++
that are not present for T* pointer types. In particular, you can't
assign to a variable of a reference type; in the body of "foo(T& v)",
v = e;
is desugared to "*v = e" in the C idiom. You can initialize a
reference with an existing reference value, so we prevented dangling
references (distinct from pointers) by requiring run-time checks on
initialization of reference fields in heap-allocated objects.
Thanks for bringing back some interesting memories. I'm happy to see
a new flurry of activity in these areas.
Dave
References: