Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!csd4.csd.uwm.edu!uakari.primate.wisc.edu!ames!think!barmar
From: barmar@think.COM (Barry Margolin)
Newsgroups: comp.lang.c
Subject: Re: effect of free()
Message-ID: <29011@news.Think.COM>
Date: 8 Sep 89 07:13:43 GMT
References: <319@cubmol.BIO.COLUMBIA.EDU> <3756@buengc.BU.EDU> <10971@smoke.BRL.MIL> <2054@munnari.oz.au>
Sender: news@Think.COM
Organization: Thinking Machines Corporation, Cambridge MA, USA
Lines: 50

In article <2054@munnari.oz.au> ok@cs.mu.oz.au (Richard O'Keefe) writes:
>  Presumably, whatever bit pattern represents the NULL
>pointer on such machines may _also_ cause a trap if loaded into an
>address register

If an implementation compares pointers by loading them into address
registers, and loading the NULL pointer into an address register
causes a trap, then the implementation is not conforming.
Implementations are required to allow comparisons to NULL and
assignments of NULL to other variables.  They aren't, however,
required to allow comparisons to or assignments from pointers to freed
memory.

I agree that a processor that faults on loads (as opposed to
dereferences) of invalid pointers is brain damaged.  However, I recall
a processor that does this: the Honeywell DPS-88.  I used to be in the
Multics development group at Honeywell, and when we were investigating
porting Multics to this processor (a followon to the DPS-8, the
processor Multics currently runs on), we discovered this misfeature in
the new processor's design.  In all the previous architectures we had
been using a pointer into segment 07777 as the null pointer (the
segment table only has 2^12 entries, so any segment number with
non-zero high-order three bits is automatically invalid).  By the time
we discovered this flaw, I think it was too late to change the design.
(It turned out not to be a problem, because the porting project was
never undertaken.)

Why would an implementation want to do pointer comparisons and
assignments using address registers?  In some architectures, pointers
contain additional fields besides just the address, and the address
register data paths automatically take the address apart properly.
For instance, Multics pointers have a ring number field and several
bits called "fault tags", as well as some unused bits.  When comparing
address registers, the extra fields are automatically ignored.  There
are also two formats of pointers (one-word "packed" pointers that omit
the above fields, and two-word full pointers), with different
instructions for loading and storing each.  If the comparisons were
done using arithmetic registers lots of shifting and masking would be
necessary.  During assignments, the address registers automatically
perform various security checks on the ring number field (the ring
number loaded into the address register is forced to be the maximum of
the ring number of the pointer, the ring number of the segment it is
read from, and the current ring of execution).


Barry Margolin
Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar