------- Comment #12 from rob1weld at aol dot com 2007-06-23 07:51 ------- > Send a patch that implements your argflaps
Cyclone uses what it calls "thin" and "fat" pointers. We could implement this in GCC. An extra byte per variable could store the type and a bit of code could check it (at run-time) and perform "run-time conversion", use "Syntactic Sugar" or "C overloading" - depending on what you would like to call it.. Investigating: 1): Cyclone is a dialect of C that retains its transparency and control, but adds the benefits of safety (no unchecked runtime errors, for instance). In Cyclone, buffer overflows and related bugs are prevented for all programs, whether written by security experts or by novices. The changes required to achieve safety are pervasive, but Cyclone is still recognizably C. http://www.eecs.harvard.edu/~greg/cyclone/ 2a): CIL (C Intermediate Language) is a high-level representation along with a set of tools that permit easy analysis and source-to-source transformation of C programs. http://hal.cs.berkeley.edu/cil/ . This intermediate language is used to stage both Deputy and CCured. 2b): CCured is a source-to-source translator for C. It analyzes the C program to determine the smallest number of run-time checks that must be inserted in the program to prevent all memory safety violations. The resulting program is memory safe, meaning that it will stop rather than overrun a buffer or scribble over memory that it shouldn't touch. Many programs can be made memory-safe this way while losing only 1060% run-time performance (the performance cost is smaller for cleaner programs, and can be improved further by holding CCured's hand on the parts of the program that it does not understand by itself). Using CCured we have found bugs that Purify misses with an order of magnitude smaller run-time cost. http://hal.cs.berkeley.edu/ccured/index.html 2c): Deputy is a C compiler that is capable of preventing common C programming errors, including out-of-bounds memory accesses as well as many other common type-safety errors. It is designed to work on real-world code, up to and including the Linux kernel itself. Deputy allows C programmers to provide simple type annotations that describe pointer bounds and other important program invariants. Deputy verifies that your program adheres to these invariants through a combination of compile-time and run-time checking. http://deputy.cs.berkeley.edu/ These projects have been operating for many years, come from a reputable source and integrate with gcc (albiet they do not seem to have tried 4.3.0). A paper on Deputy - Static Analysis of C for Hybrid Type Checking http://www.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS-2007-1.pdf The difference between Duputy and CCured (both implemented on top of the CIL framework) is: CCured is a whole program analysis that instruments pointers with bounds information. As in Deputy the bounds information may need to be checked at runtime. The CCured system includes an optimization phase that also attempts to reason about bounds checks, null checks, and others. The Deputy type system presents its optimizer with some different challenges than those seen by the CCured optimizer. The primary challenge is the sheer volume of runtime checks added by the type system. On the benchmarks presented here, deputized code achieves better performance than cured code, however CCured also enforces allocation safety, which Deputy does not. The "license" for these in one case is to simply credit the authors. -- http://gcc.gnu.org/bugzilla/show_bug.cgi?id=32448
