Re: Certified C compilers for safety-critical embedded systems

From: Georg Bauhaus (sb463ba_at_l1-hrz.uni-duisburg.de)
Date: 12/27/03


Date: Sat, 27 Dec 2003 16:49:11 +0000 (UTC)

In comp.lang.ada Ian Bell <ian@ruffrecordsdotworldonline.co.uk> wrote:
:James Rogers> foo : My_Array_Type;
:>
:> for num in 0..99 loop
:> foo(num) := num;
:> end loop;
:>
:> All Ada compilers will correctly identify the error in the for loop.
:> [...]
:
: I know nothing about ada so this is a genuine query rather than a criticism.
: The above example is fine as long as literals are used - even a C compiler
: could be devised to make this check - but what happens when the array index
: is computed?

Wouldn't that become a famous compiler that finds out, at compile
time, which value a certain variable is going to have? :-)

If you want a hole in your foot, you can make one, though it might
not be easy:

with Interfaces;
with Ada.Integer_Text_IO; use Ada;

procedure t is
   -- read a positive value from standard input and create an
   -- array of that size, which is filled (hopping excessively)

   procedure rubber_buffer(limit: Positive) is

      subtype Index is Positive range 1 .. limit;
      -- a range constraint on Positive, determined at call time

      buffer: array(Index) of Interfaces.Unsigned_8;
      -- storage for 1 .. limit 8-bit quantities

   begin
      -- demonstration of constraint_error

      off_buffer: -- k grows too large for a buffer index

          for k in Index'first .. 2 * Index'last loop
             buffer(k) := 42; -- index check failed, at run time
          end loop off_buffer;

      off_index_range: -- k gets too large for Index subtype's range

          for
            k in Index'first .. Index(2 * Index'last)
                                -- range check failed, at run time
          loop
             buffer(k) := 42;
          end loop off_index_range;

   end rubber_buffer;

   n: Positive;
   -- upper limit of 1-based buffer, read at run time

begin
   Integer_Text_IO.get(n);
   rubber_buffer(n);
end t;

That's why language-defined array constructs such as
the 'range attribute are useful. You can write

  for k in buffer'range loop
     buffer(k) := 42;
  end loop;

(or, in this case, more simply using the language-defined `others' choice:

  buffer := (others => 42);)

no matter what the buffer's index range currently is.

-- Georg
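The C side of Ian's question, as an added example (not Georg's code, and not part of the original thread): the same off_buffer loop written three ways in C, so the contrast with the Ada run-time index check can be measured rather than argued. `checked_store` is the hypothetical hand-written equivalent of Ada's index check; `unchecked_off_buffer` is the loop as a C compiler accepts it; `fill_all` is the analogue of `for k in buffer'range`. The buffer sizes, the 0xAA canary and the run-time `limit` argument are all constructed here for the demonstration. The logical buffer is followed by `limit` canary bytes inside one allocation, so the unchecked overrun stays within allocated memory and its damage can be counted instead of being undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY 0xAAu   /* constructed sentinel, never equal to FILL */
#define FILL   42u

/* 1-based view of a byte buffer, mirroring the post's
 * `subtype Index is Positive range 1 .. limit`:
 * Index'First is 1, Index'Last is limit, buffer(k) lives at data[k - 1]. */
typedef struct {
    uint8_t *data;
    size_t   limit;
} buffer_t;

/* Hypothetical explicit analogue of Ada's index check: 1 if the byte was
 * stored, 0 if k is outside 1 .. limit (nothing is written then). */
static int checked_store(buffer_t *b, size_t k, uint8_t v)
{
    if (k == 0 || k > b->limit)
        return 0;
    b->data[k - 1] = v;
    return 1;
}

/* The post's off_buffer loop with the check spelled out:
 *   for k in Index'First .. 2 * Index'Last loop buffer(k) := 42; end loop;
 * Returns the first k that fails the check (where Ada raises
 * Constraint_Error), or 0 if every store succeeded. */
static size_t checked_off_buffer(buffer_t *b)
{
    for (size_t k = 1; k <= 2 * b->limit; k++)
        if (!checked_store(b, k, FILL))
            return k;
    return 0;
}

/* The same loop as plain C: no check, so writes continue past the end. */
static void unchecked_off_buffer(uint8_t *data, size_t limit)
{
    for (size_t k = 0; k < 2 * limit; k++)
        data[k] = FILL;
}

/* Analogue of `for k in buffer'Range` / `buffer := (others => 42)`:
 * the bounds come from the buffer itself, whatever limit is. */
static void fill_all(buffer_t *b, uint8_t v)
{
    for (size_t k = 1; k <= b->limit; k++)
        checked_store(b, k, v);
}

/* Fixture: limit logical bytes followed by limit canary bytes. */
static uint8_t *make_backing(size_t limit)
{
    if (limit == 0 || limit > SIZE_MAX / 2)
        return NULL;
    uint8_t *backing = malloc(2 * limit);
    if (backing)
        memset(backing, CANARY, 2 * limit);
    return backing;
}

/* Number of canary bytes no longer holding CANARY. */
static size_t clobbered_canary(const uint8_t *backing, size_t limit)
{
    size_t n = 0;
    for (size_t i = limit; i < 2 * limit; i++)
        if (backing[i] != CANARY)
            n++;
    return n;
}

/* Checked loop: the index it stopped at (expected limit + 1),
 * or 0 on allocation failure or if the canary was touched. */
size_t checked_overrun_stops_at(size_t limit)
{
    uint8_t *backing = make_backing(limit);
    if (!backing) return 0;
    buffer_t b = { backing, limit };
    size_t stopped = checked_off_buffer(&b);
    if (clobbered_canary(backing, limit) != 0)
        stopped = 0;
    free(backing);
    return stopped;
}

/* Unchecked loop: how many bytes past the end it overwrote (expected limit). */
size_t unchecked_overrun_clobbers(size_t limit)
{
    uint8_t *backing = make_backing(limit);
    if (!backing) return 0;
    unchecked_off_buffer(backing, limit);
    size_t n = clobbered_canary(backing, limit);
    free(backing);
    return n;
}

/* 'Range-style fill: 1 if every logical byte is FILL and the canary is intact. */
int fill_all_ok(size_t limit)
{
    uint8_t *backing = make_backing(limit);
    if (!backing) return 0;
    buffer_t b = { backing, limit };
    fill_all(&b, FILL);
    int ok = clobbered_canary(backing, limit) == 0;
    for (size_t i = 0; i < limit; i++)
        if (backing[i] != FILL) ok = 0;
    free(backing);
    return ok;
}

int main(int argc, char **argv)
{
    /* limit is read at run time, like the post's Integer_Text_IO.get(n) */
    size_t limit = argc > 1 ? strtoul(argv[1], NULL, 10) : 16;
    if (limit == 0) return 1;
    printf("checked loop stopped at k = %zu (limit %zu)\n", checked_overrun_stops_at(limit), limit);
    printf("unchecked loop clobbered %zu bytes past the end\n", unchecked_overrun_clobbers(limit));
    printf("'Range-style fill ok: %d\n", fill_all_ok(limit));
    return 0;
}
```

Whatever value of `limit` is passed, the checked loop stops at `limit + 1` and the unchecked one silently overwrites `limit` bytes beyond the buffer; no C compiler can reject the unchecked loop, since the bound is only known when the program runs, which is exactly the point about computed indices. Outside this fixture the same overrun lands on whatever follows the buffer, which is the classic heap or stack corruption.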
