[SC-L] Disable Bounds Checking?
Back around 1980, when Ada was new, it was common for compiler manufacturers to claim it is best to disable bound checking for performance reasons. Getting your program to run slightly faster trumped knowing that any of your buffers was overflowing.

Code that silently trashes memory can be expected to produce some truly creative results.

My practice is to code defensively, to ensure my program is operating according to policies that I set for it. I want to know when it is misbehaving. Should there be a performance hit, I instrument the program to find the hot spots and optimize those and only those.

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___

Re: [SC-L] Mainframe Security
> At 11:45 PM +0100 11/2/07, Florian Weimer wrote:
>
>>> My limited exposure to Cobol makes me think it is as unlikely to have
>>> a buffer overflow as PL/I or Ada.
>>
>> Usually, Ada programmers switch off bounds checking before shipping
>> code. I don't know why Ada has such a reputation for robustness.
>
> Can you provide a pointer to the study showing that?

A lot of programmers used to follow the example of GNAT's run-time library, which is compiled with -gnatp, turning off bounds checks (among others). There's also a certain influence from the certification crowd who detests dead code. But it seems that there's been a move away from -gnatp during the last couple of years.

I hadn't noticed this. Thanks.