On Wed, 15 Apr 2026 17:56:55 +1000
Viktor Dukhovni via Postfix-users <[email protected]> wrote:
> On Wed, Apr 15, 2026 at 08:22:33AM +0100, Sad Clouds via Postfix-users wrote:
>
> > This is where Ada really shines. With a supported runtime, such as the
> > Ravenscar Profile or Jorvik Profile, you effectively get a lightweight
> > RTOS built into the language itself. Unfortunately, there doesn’t seem
> > to be a runtime available for SPARC V9 yet.
>
> Sure, but I am not sure that this digression is on-topic for this list.
> FWIW, when I reach for a safer language, especially with a rich runtime,
> and strong support for concurrency, I reach for Haskell, but that's all
> I am going to say about that on this list.
I’m not suggesting rewriting Postfix in Ada or any other language. The
discussion started in the context of AI tools for static code analysis.
I went a bit off topic to upsell Ada. While the AI tools can be helpful,
they don’t provide the same level of assurance as formal methods and
specific language safety constructs. Some programming languages are
better suited to formal verification than others, which is why I
mentioned Ada.
To bring this on topic, let's take Postfix src/util/mymalloc.c:

void *mymalloc(ssize_t len)
{
    ...
    /*
     * Note: for safety reasons the request length is a signed type. This
     * allows us to catch integer overflow problems that weren't already
     * caught up-stream.
     */
    if (len < 1)
        msg_panic("mymalloc: requested length %ld", (long) len);
    ...
}
I assume the goal here is to detect integer overflow by checking the
input value. However, this approach may have several problems:
1. The C standard specifies that signed integer overflow may result in
undefined behavior.
2. Depending on how the overflow/underflow occurs, the result may still
be a positive value.
This is what the AI tool probably picked up.
Ada, for example, gives you much better and more robust facilities:

subtype Malloc_Size is Integer range 1 .. Integer'Last;
Any values outside of this range will be caught automatically and
generate Constraint_Error at runtime.
It’s not my intention to persistently criticize C; we’re all familiar
with its pitfalls. Rather, I want to encourage a discussion about
alternative approaches.
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
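The second problem raised above (a wrapped product that is still positive and so passes the `len < 1` test) can be shown concretely. The following is an added example written for this thread, not Postfix code: `naive_request_len` does the count-times-size arithmetic a caller might do before calling mymalloc(), and `checked_request_len` does the same arithmetic with the GCC/Clang `__builtin_mul_overflow` builtin, which reports overflow instead of wrapping. The input values are constructed so that the product exceeds SIZE_MAX by exactly 2 on any size_t width.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>          /* ssize_t */

/*
 * The arithmetic a caller might do up-stream of mymalloc(): multiply a
 * count by an element size in size_t, then hand the product over as a
 * signed length. Unsigned multiplication wraps modulo 2^N (well defined),
 * so an oversized request can come out small and positive.
 */
ssize_t naive_request_len(size_t nelem, size_t elsize)
{
    size_t product = nelem * elsize;    /* may wrap silently */
    return (ssize_t) product;           /* 2 in the constructed case */
}

/* Mirrors mymalloc()'s own "if (len < 1) msg_panic(...)" test. */
bool passes_mymalloc_check(ssize_t len)
{
    return len >= 1;
}

/*
 * Same product, but __builtin_mul_overflow (GCC/Clang) multiplies in
 * infinite precision and reports whether the result fits in *out, so the
 * overflow is caught at the point where it happens.
 */
bool checked_request_len(size_t nelem, size_t elsize, ssize_t *out)
{
    if (__builtin_mul_overflow(nelem, elsize, out))
        return false;                   /* does not fit in ssize_t */
    return *out >= 1;                   /* keep mymalloc()'s len >= 1 rule */
}

/* Convenience for callers that only need the verdict. */
bool request_is_safe(size_t nelem, size_t elsize)
{
    ssize_t unused;
    return checked_request_len(nelem, elsize, &unused);
}

int main(void)
{
    size_t nelem = SIZE_MAX / 2 + 2;    /* constructed: nelem * 2 == 2^N + 2 */
    ssize_t naive = naive_request_len(nelem, 2);
    printf("naive len = %ld, passes len >= 1: %d\n", (long) naive,
           passes_mymalloc_check(naive));
    printf("checked request safe: %d\n", request_is_safe(nelem, 2));
    return 0;
}
```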