[SC-L] Disable Bounds Checking?

2007-11-03 Thread Mark Rockman
Back around 1980, when Ada was new, it was common for compiler manufacturers to 
claim it is best to disable bound checking for performance reasons.  Getting 
your program to run slightly faster trumped knowing that any of your buffers 
was overflowing. Code that silently trashes memory can be expected to produce 
some truly creative results.   My practice is to code defensively, to ensure my 
program is operating according to policies that I set for it.  I want to know 
when it is misbehaving.  Should there be a performance hit, I instrument the 
program to find the hot spots and optimize those and only those.___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Mainframe Security

2007-11-03 Thread Florian Weimer
 At 11:45 PM +0100 11/2/07, Florian Weimer wrote:

 My limited exposure to Cobol makes me think it is as unlikely to have
 a buffer overflow as PL/I or Ada.
 
 Usually, Ada programmers switch off bounds checking before shipping
 code.  I don't know why Ada has such a reputation for robustness.

 Can you provide a pointer to the study showing that ?

A lot of programmers used to follow the example of GNAT's run-time
library, which is compiled with -gnatp, turning off bounds checks (among
others). There's also a certain influence from the certification crowd
who detests dead code.

But it seems that there's been a move away from -gnatp during the last
couple of years.  I hadn't noticed this.  Thanks.
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___