Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!uwm.edu!psuvax1!husc6!spdcc!ima!haddock!karl
From: karl@haddock.ima.isc.com (Karl Heuer)
Newsgroups: comp.lang.c
Subject: Re: Array bounds checking with C????
Message-ID: <17596@haddock.ima.isc.com>
Date: 30 Aug 90 22:54:37 GMT
References: <7611@ucdavis.ucdavis.edu> <869@qmfl.jrdc.go.jp> <425@taumet.com> <1990Aug30.134537.26326@diku.dk>
Reply-To: karl@kelp.ima.isc.com (Karl Heuer)
Organization: Interactive Systems, Cambridge, MA 02138-5302
Lines: 30

In article <1990Aug30.134537.26326@diku.dk> njk@diku.dk (Niels Jørgen Kruse) writes:
>Assume the following code [on a bounds-checking implementation]:
>  char *a,*c; double *b,d[17/sizeof(double)];
>  if (a = malloc (17)) {
>    b = (double *)a;
>    c = (char *)b;
>Is c[16] legal?

I believe it is, and therefore that the cast to (double *) must not
actually reduce the known range of the pointer to that which is pointable
from a double.  Thus, a bounds-checking C implementation must maintain the
bounds of a pointer by using a byte count (or byte pointer) rather than an
object count (or object pointer).

>What kind of object is b pointing to?  How does it differ from
>the object pointed to by (d+0)?

Assume for concreteness that sizeof(double)==8.  Then b is , which is room
for 2 doubles plus a spare byte at the end that cannot be referenced without
casting b.  But d is , which is room for 2 doubles exactly.

>What does your bounds-checking C compiler have to say?
>What does the standard say?

This is my interpretation of the Standard.  I don't have a bounds-checking
C compiler at hand, and I wonder if it would get this right.  (Particularly
on a word-addressable architecture.)

Karl W. Z. Heuer (karl@kelp.ima.isc.com or ima!kelp!karl), The Walking Lint
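The following is an added example, not part of Karl's post and not the code of any real bounds-checking compiler. It models the two pointer representations the post contrasts as a toy "fat pointer" in C (a hypothetical struct holding base, byte length, byte offset and element size) and walks Niels' malloc(17) / double* / char* round trip through both. With bounds kept as a byte count, c[16] stays legal after the casts and b[2] is rejected; with bounds rounded down to a whole number of objects at the cast, the spare 17th byte is lost and c[16] is wrongly rejected. The example assumes sizeof(double)==8 in the checks, as the post does; the fat-pointer layout and the function names are the example's own assumptions, not an API from the thread.

```c
/* Toy model of a bounds-checking C implementation (added example; the
 * fat-pointer layout is an assumption, not a real compiler's ABI). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    unsigned char *base;   /* start of the object this pointer may reach */
    size_t nbytes;         /* size of that object in bytes (17 for malloc(17)) */
    size_t offset;         /* byte offset of this pointer from base */
    size_t elem;           /* sizeof of the pointed-to type (1 for char, 8 for double) */
} fatptr;

/* Model of malloc(n): a char-typed pointer covering exactly n bytes. */
static fatptr fat_malloc(size_t n) {
    fatptr p = { malloc(n), n, 0, 1 };
    return p;
}

/* Model of an array declared T d[len]: exactly len * sizeof(T) bytes. */
static fatptr fat_array(void *storage, size_t len, size_t elem) {
    fatptr p = { storage, len * elem, 0, elem };
    return p;
}

/* The cast the post argues for: the byte bounds are untouched, only the
 * element size changes, so a later cast back to char* loses nothing. */
static fatptr cast_keep_bytes(fatptr p, size_t new_elem) {
    p.elem = new_elem;
    return p;
}

/* The cast the post argues against: bounds kept as a whole number of
 * objects, so the byte length is rounded down to a multiple of new_elem.
 * The spare byte is gone for good; casting back to char* cannot restore it. */
static fatptr cast_keep_objects(fatptr p, size_t new_elem) {
    p.nbytes = (p.nbytes / new_elem) * new_elem;
    p.elem = new_elem;
    return p;
}

/* Bounds check for p[i]: is the whole elem-byte access inside the object?
 * Returns 1 if legal, 0 if it would be flagged (overflow-safe). */
static int index_ok(fatptr p, size_t i) {
    if (p.elem == 0 || i > (SIZE_MAX - p.offset) / p.elem) return 0;
    size_t first = p.offset + i * p.elem;
    if (first > SIZE_MAX - p.elem) return 0;
    return first + p.elem <= p.nbytes;
}

int main(void) {
    double d[17 / sizeof(double)];          /* 2 doubles = 16 bytes when sizeof(double)==8 */
    fatptr a = fat_malloc(17);              /* a = malloc(17) */
    fatptr b = cast_keep_bytes(a, sizeof(double));   /* b = (double *)a */
    fatptr c = cast_keep_bytes(b, 1);                /* c = (char *)b   */
    fatptr dp = fat_array(d, 17 / sizeof(double), sizeof(double));

    printf("byte-count bounds:   c[16] legal=%d  b[2] legal=%d\n",
           index_ok(c, 16), index_ok(b, 2));
    printf("array d:             d[1] legal=%d  ((char*)d)[16] legal=%d\n",
           index_ok(dp, 1), index_ok(cast_keep_bytes(dp, 1), 16));

    /* Same round trip with an object-counting cast: the 17th byte is lost. */
    fatptr b2 = cast_keep_objects(a, sizeof(double));
    fatptr c2 = cast_keep_bytes(b2, 1);
    printf("object-count bounds: c[16] legal=%d (wrongly rejected)\n", index_ok(c2, 16));

    free(a.base);
    return 0;
}
```

The point the output makes is the one in the post: b and d both give room for two doubles, but only the malloc'd block carries the extra byte, and the implementation can only keep track of it if the cast to (double *) does not shrink the recorded range.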