Path: utzoo!utgpu!attcan!uunet!yale!husc6!think!barmar
From: barmar@think.COM (Barry Margolin)
Newsgroups: comp.lang.c
Subject: Re: data validation (was re self-modifying code)
Message-ID: <24593@think.UUCP>
Date: 28 Jul 88 22:56:12 GMT
References: <61251@sun.uucp> <3084@geac.UUCP>
Sender: usenet@think.UUCP
Reply-To: barmar@kulla.think.com.UUCP (Barry Margolin)
Organization: Thinking Machines Corporation, Cambridge, MA
Lines: 47

In article <3084@geac.UUCP> daveb@geac.UUCP (David Collier-Brown) writes:
>  This is for a machine [Multics] which happily passes descriptors of arrays
>around, and manages to bounds-check array references in parallell
>with the fetch. 

Sorry, but this is not true.  None of the hardware architectures that
Multics was implemented on had parallel array-bounds checking.  There
was an option to the PL/I compiler that caused it to include
bounds-checking code before all array references.

And array descriptors were only passed when the receiving procedure
was declared as accepting variable-length arrays or strings.  This is
necessary because PL/I has builtin functions that return the array
dimensions and operations that can be done on an entire array (e.g.
"array(*) = 0;" will fill the array with zeroes) or slice of an array.

Perhaps David is thinking of segment bounds checking.  Multics has a
segmented address space (but it isn't nearly as cumbersome to use as
the 80x86 -- most programmers never really notice it), and it is
possible to set the maximum length of a segment to the length of the
array it contains.  This will cause an error if the application
attempts to reference too far into the segment.  Using this feature
requires explicit use of segments.  Most applications simply allocate
arrays from the heap using the PL/I "allocate" statement (similar to
C's calloc() function), and this does not put each object in its own
segment (Multics doesn't really support large numbers of small
segments well, because a single process is used for an entire login
session, and every program, dynamically-linked subroutine library, and
directory that you've referenced gets its own segment, and there is a
limit of 12 bits to the segment number in some pointer formats).  The
only part of the system that I think uses this feature is the
detection of runaway recursion.  By default, the max length of the
stack segment is set smaller than the hardware limit, and when this is
passed the handler increases the max length and signals an error (the
max length has to be increased so that the stack frame of the error
handler can be pushed).  Also, the default max length of all segments
is one page less than the maximum physically addressible; this catches
negative array indexes, but I've been told that it was done because
some versions of the processor had trouble when you auto-incremented
pointers that point to the last word of a segment.


Barry Margolin
Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar