Bounds checking and safety in C

We hear very often in this discussion group that
bounds checking, or safety tests are too expensive
to be used in C.

jacob navia said:

>We hear very often in this discussion group that
bounds checking, or safety tests are too expensive
to be used in C.

The C Standard neither requires nor forbids bounds checking. A strictly
conforming program will violate no bounds, and so presumably will not

be able to detect the existence of a bounds checker. Therefore, it's
perfectly acceptable for an implementation to incorporate this feature.
And indeed some do, although typically only in debug mode, for what I
hope are obvious reasons. This is entirely a QoI issue.

<snip>

Richard Heathfield <rj*@see.sig.invalidwrites:

>jacob navia said:

>>We hear very often in this discussion group that
bounds checking, or safety tests are too expensive
to be used in C.

The C Standard neither requires nor forbids bounds checking. A
strictly conforming program will violate no bounds, and so presumably
will not

A conforming program can still have bugs. Or?

>
Somehow, we are not realizing that with the extreme power of the
CPUs now at our disposal, it is a very good idea to try to
minimize the time we stay behind the debugger when developing
software. A balance should be sought for improving the safety
of the language without overly compromising the speed of the
generated code.

Richard said:

>Richard Heathfield <rj*@see.sig.invalidwrites:

>>jacob navia said:

We hear very often in this discussion group that
bounds checking, or safety tests are too expensive
to be used in C.

The C Standard neither requires nor forbids bounds checking. A
strictly conforming program will violate no bounds, and so presumably
will not

A conforming program can still have bugs. Or?

I actually said "strictly conforming program". A strictly conforming
program does not contain any instances of undefined behaviour. (If it
did, it would not be strictly conforming.) Therefore, it cannot violate
any bounds.

Richard Heathfield schrieb:

>I actually said "strictly conforming program". A strictly conforming
program does not contain any instances of undefined behaviour. (If it
did, it would not be strictly conforming.) Therefore, it cannot
violate any bounds.

Ok, but that is completely irrelevant for programming practice;
it's pure theory.

Richard Heathfield <rj*@see.sig.invalidwrites:

>A strictly conforming
program does not contain any instances of undefined behaviour. (If it
did, it would not be strictly conforming.) Therefore, it cannot
violate any bounds.

How does a program get so certified?

Richard Heathfield schrieb:

>I actually said "strictly conforming program". A strictly conforming
program does not contain any instances of undefined behaviour. (If
it did, it would not be strictly conforming.) Therefore, it cannot
violate any bounds.

Ok, but that is completely irrelevant for programming practice;
it's pure theory.

There are alternatives to C if you want performance and better memory
safety.

Ian Collins wrote:

>There are alternatives to C if you want performance and better memory
safety.

Well, that is precisely the issue here.

I think that C should address those problems instead of
telling people:

"C is an obsolete language. Please use another one".

Bounds checking is nice and all, but it certainly is no panacea.
It may even not be *that* useful IMO. Here is why:

1. No bounds checking. You read or write data outside bounds. It
generates an exception.

(All implementations where it doesn't always
generate an exception, or worse, where it can lead to code execution, is
brain-dead IMO, but that's another story. Thus, it's not a problem of
bounds checking or not.)

2. Bounds checking. You read or write data outside bounds. It generates
an 'out of bounds' exception.

Not that much different. In both cases, you need to handle the
exception. How you must handle it in its particular context really *is*
the main issue here, and the main difficulty.

"Manual" bounds checking here and there in your code can be useful -
mostly because you know why you want to check that at this point and how
you're gonna handle the occasional out-of-bounds cases.

But systematic bounds checking? I don't believe in that.
You opinion may vary. But I'm waiting for strong arguments.

We hear very often in this discussion group that
bounds checking, or safety tests are too expensive
to be used in C.

Several researchers of UCSD have published an interesting
paper about this problem.

http://www.jilp.org/vol9/v9paper10.pdf

Specifically, they measured the overhead of a bounds
checking implementation compared to a normal one, and
found that in some cases the overhead can be reduced
to a mere 8.3% in some cases...

I quote from that paper

< quote >
To summarize, our meta-data layout coupled with meta-check instruction
reduce the average overhead of bounds checking to 21% slowdown which is
a significant reduction when compared to 81% incurred by current
software implementations when providing complete bounds checking.
< end quote>

This 21% slowdown is the overhead of checking EACH POINTER
access, and each (possible) dangling pointer dereference.

If we extrapolate to the alleged overhead of using some extra
arguments to strcpy to allow for safer functions (the "evil
empire" proposal) the overhead should be practically ZERO.

Somehow, we are not realizing that with the extreme power of the
CPUs now at our disposal, it is a very good idea to try to
minimize the time we stay behind the debugger when developing
software. A balance should be sought for improving the safety
of the language without overly compromising the speed of the
generated code.

I quote again from that paper:

< quote >
As high GHZ processors become prevalent, adding hardware support to
ensure the correctness and security of programs will be just as
important, for the average user, as further increases in processor
performance. The goal of our research is to focus on developing
compiler and hardware support for efficiently performing software checks
that can be left on all of the time, even in production code releases,
to provide a signi cant increase in the correctness and security of
software.

< end quote >

The C language, as it is perceived by many people here, seems
frozen in the past without any desire to incorporate the changing
hardware/software relationship into the language itself.

When this issues are raised, the "argument" most often presented is
"Efficiency" or just "it is like that".

This has lead to the language being perceived as a backward and error
prone, only good for outdated software or "legacy" systems.

This pleases again the C++ people, that insist in seeing their language
as the "better C", and obviously, C++ is much better in some ways as
C, specially what string handling/common algorithms in the STL/ and
many other advances.

What strikes me is that this need not be, since C could with minimal
improvements be a much safer and general purpose language than it is
now.

Discussion about this possibility is nearly impossible, since a widely
read forum about C (besides this newsgroup) is non existing.

Hence this message.

To summarize:

o Bounds checking and safer, language supported constructs are NOT
impossible because too much overhead
o Constructs like a better run time library could be implemented in a
much safer manner if we would redesign the library from scratch,
without any effective run time cost.

jacob

P.S. If you think this article is off topic, please just ignore it.
I am tired of this stupid polemics.

jacob navia wrote:

>Ian Collins wrote:

>>There are alternatives to C if you want performance and better memory
safety.

Well, that is precisely the issue here.

I think that C should address those problems instead of
telling people:

"C is an obsolete language. Please use another one".

No, it doesn't say that. There is nothing to stop a tool vendor
providing some form of access and leak checking tool. From my
perspective, such a feature is an indication of the quality of their tools.

Bjoern Vian <Bj*********@gmx.liwrites:

>Richard Heathfield schrieb:

>>I actually said "strictly conforming program". A strictly conforming
program does not contain any instances of undefined behaviour. (If
it did, it would not be strictly conforming.) Therefore, it cannot
violate any bounds.

Ok, but that is completely irrelevant for programming practice;
it's pure theory.

I agree that the category of "strictly conforming programs" is too
narrow to be particularly useful to programmers. (It's useful
primarily in defining conforming implementations, I think.)

On the other hand, there are some presumably valid C constructs that
could break in the presence of bounds checking, such as the classic
"struct hack" and code that assumes two-dimensional arrays can be
accessed as one-dimensional arrays.

Bjoern Vian wrote:

>Richard Heathfield schrieb:

>>I actually said "strictly conforming program". A strictly conforming
program does not contain any instances of undefined behaviour. (If
it did, it would not be strictly conforming.) Therefore, it cannot
violate any bounds.

Ok, but that is completely irrelevant for programming practice;
it's pure theory.

It is not even theory

What he is saying is:

"A strictly conforming program does not contain any instances of
undefined behavior."

What this abstraction bring to us in useful consequences is
zero since nowhere it is specified how to prove/disprove
that program "a" is strictly conforming or not!

>
But let's close this parentheses. Heathfield posted that
message 9 minutes after I posted mine,

>
There are alternatives to C if you want performance and better memory
safety.

Ian Collins wrote:

>jacob navia wrote:

>>Ian Collins wrote:
There are alternatives to C if you want performance and better memory
safety.

Well, that is precisely the issue here.

I think that C should address those problems instead of
telling people:

"C is an obsolete language. Please use another one".

No, it doesn't say that. There is nothing to stop a tool vendor
providing some form of access and leak checking tool. From my
perspective, such a feature is an indication of the quality of their
tools.

Yes, there are a lot of tools, and their existence PROVES the gaping
hole in the language. The problem is that developing such tools
is very system specific and in most cases not available.

o They are NOT available in many embedded platforms

o They are NOT available in many respected systems like,
(for instance) AIX, or SUN, as far as I know.

>
What I am aiming at is a general language construct that would
allow more easy compiler checking in the existing toolset,
i.e. the compiler and the linker.

>
Is it reasonable to suggest that if you don't think C is safe, or
needs bounds checking, then develop or use another language that is
safer?

Or use a tool / development environment that does bounds
checking. I've used Java and C# a lot and really like them.

But C is a
different kind of language.

One thing I really I like about C is that
it does NOT impose extra overhead, such as mandatory bounds checking,
that the programmer is stuck with.

I don't think it makes sense to
make suggestions that would radically change the nature of an existing
programming language.

>o They are NOT available in many embedded platforms

You can test the code off-target.

>

>o They are NOT available in many respected systems like,
(for instance) AIX, or SUN, as far as I know.

News to me, I've been using Sun's dbx with its access/leak checking for
many years.

>What I am aiming at is a general language construct that would
allow more easy compiler checking in the existing toolset,
i.e. the compiler and the linker.

Why impost the extra burden on the vendor when they can provides optinal
tools?

Bounds checking is nice and all, but it certainly is no panacea.
It may even not be *that* useful IMO. Here is why:

1. No bounds checking. You read or write data outside bounds. It
generates an exception. (All implementations where it doesn't always
generate an exception, or worse, where it can lead to code execution,
is brain-dead IMO, but that's another story. Thus, it's not a problem
of bounds checking or not.)

Bjoern Vian wrote:

>Richard Heathfield schrieb:

>>I actually said "strictly conforming program". A strictly
conforming program does not contain any instances of undefined
behaviour. (If it did, it would not be strictly conforming.)
Therefore, it cannot violate any bounds.

Ok, but that is completely irrelevant for programming practice;
it's pure theory.

It is not even theory

What he is saying is:

"A strictly conforming program does not contain any instances of
undefined behavior."

What this abstraction bring to us in useful consequences is
zero since nowhere it is specified how to prove/disprove
that program "a" is strictly conforming or not!

But let's close this parentheses. Heathfield posted that
message 9 minutes after I posted mine, with some "bla bla"
without substance. He did not read the article of those
researchers, and he addresses NONE of the issues I raised.

Please let's return to those issues!

Ian Collins wrote:

>>o They are NOT available in many embedded platforms

You can test the code off-target.

No. The code will run on target and you would have to
simulate the conditions on target, not always an easy task,
mind you.

>>

>>o They are NOT available in many respected systems like,
(for instance) AIX, or SUN, as far as I know.

News to me, I've been using Sun's dbx with its access/leak checking for
many years.

Impossible to use because the program will slow down for a factor
of 1,000 at least...

>>What I am aiming at is a general language construct that would
allow more easy compiler checking in the existing toolset,
i.e. the compiler and the linker.

Why impost the extra burden on the vendor when they can provides optinal
tools?

Because not every vendor can provide such tools, and a small language
modifications would suffice to provide for most bound
checking applications.

dan wrote:

Is it reasonable to suggest that if you don't think C is safe, or
needs bounds checking, then develop or use another language that is
safer?

Excuse me but I do not see why I would need another computer
language to write:

int Strcmp(String s1,String s2);

Where String could be defined as:

typedef struct tagString {
size_t len;
char *chars;

};

Why can't we use this in C instead of being stuck with zero
terminated strings forever?

Why can't arrays be first class objects like structures that do NOT
decay into unbounded pointers eliminating all size information and
making size checks impossible?

Or use a tool / development environment that does bounds

checking. I've used Java and C# a lot and really like them.

Nice, but I think that C should give an answer to this problems,
should address this problems instead of saying to people

"Go away and use a real computer language"

But C is a
different kind of language.

Really?

What kind of language then?

One thing I really I like about C is that
it does NOT impose extra overhead, such as mandatory bounds checking,
that the programmer is stuck with.

Pascal has an optional bound checking that can be turned on/off with
specific programmer's instructions.

I don't think it makes sense to
make suggestions that would radically change the nature of an existing
programming language.

int Strcmp(String s1,String s2);

That changes radically the language?

Maybe, I do not know.

In any case if we go on like this the language is doomed.

I remember what happened when I suggested C last time at work.

"It would be incovenient" people told me.

And that was it.

Keith Thompson said:

>On the other hand, there are some presumably valid C constructs that
could break in the presence of bounds checking, such as the classic
"struct hack" and code that assumes two-dimensional arrays can be
accessed as one-dimensional arrays.

Do you have any examples of valid C constructs that are actually valid?

Both the struct hack and the 2d/1d hack are actually invalid C. And
before you start: the codification of the struct hack in C99 involved a
syntax change, so you can put /that/ Get Out Of Jail Free card back in
the pack! :-)

dan wrote:

>Is it reasonable to suggest that if you don't think C is safe, or
needs bounds checking, then develop or use another language that is
safer?

Excuse me but I do not see why I would need another computer
language to write:

int Strcmp(String s1,String s2);

Where String could be defined as:

typedef struct tagString {
size_t len;
char *chars;
};

Why can't we use this in C instead of being stuck with zero
terminated strings forever?

Why can't arrays be first class objects like structures that do NOT
decay into unbounded pointers eliminating all size information and
making size checks impossible?

>I don't think it makes sense to
make suggestions that would radically change the nature of an existing
programming language.

int Strcmp(String s1,String s2);

That changes radically the language?

Maybe, I do not know.

jacob navia <ja***@jacob.remcomp.frwrites:

>Why can't arrays be first class objects like structures that do NOT
decay into unbounded pointers eliminating all size information and
making size checks impossible?

Because making such a change would break existing code.

If you want a new array-like construct, either you can already
implement it in C, or it requires unrealisticly drastic changes to the
language.

It would be great if bounds checking could be turned on or off in C.
But by your example, it's already possible to accomplish that within
the current C language. Instead of calling strcmp directly, just call
it within another function that does the bounds checking. If this is
important to you or someone else, why don't you write a version of the
C library that does bounds checking? My guess is someone else has
already done this. From your example, it seems like your argument is
really to get rid of 0 as the convention for ending a string. You
don't think that would be a radical change? Sounds pretty radical to
me.

>We hear very often in this discussion group that
bounds checking, or safety tests are too expensive
to be used in C.

We hear very often in this discussion group that
bounds checking, or safety tests are too expensive
to be used in C.

Several researchers of UCSD have published an interesting
paper about this problem.

http://www.jilp.org/vol9/v9paper10.pdf

Specifically, they measured the overhead of a bounds
checking implementation compared to a normal one, and
found that in some cases the overhead can be reduced
to a mere 8.3% in some cases...

I quote from that paper

< quote >
To summarize, our meta-data layout coupled with meta-check instruction
reduce the average overhead of bounds checking to 21% slowdown which is
a significant reduction when compared to 81% incurred by current
software implementations when providing complete bounds checking.
< end quote>

This 21% slowdown is the overhead of checking EACH POINTER
access, and each (possible) dangling pointer dereference.

If we extrapolate to the alleged overhead of using some extra
arguments to strcpy to allow for safer functions (the "evil
empire" proposal) the overhead should be practically ZERO.

Somehow, we are not realizing that with the extreme power of the
CPUs now at our disposal, it is a very good idea to try to
minimize the time we stay behind the debugger when developing
software. A balance should be sought for improving the safety
of the language without overly compromising the speed of the
generated code.

I quote again from that paper:

< quote >
As high GHZ processors become prevalent, adding hardware support to
ensure the correctness and security of programs will be just as
important, for the average user, as further increases in processor
performance. The goal of our research is to focus on developing
compiler and hardware support for efficiently performing software checks
that can be left on all of the time, even in production code releases,
to provide a signi cant increase in the correctness and security of
software.

< end quote >

The C language, as it is perceived by many people here, seems
frozen in the past without any desire to incorporate the changing
hardware/software relationship into the language itself.

When this issues are raised, the "argument" most often presented is
"Efficiency" or just "it is like that".

This has lead to the language being perceived as a backward and error
prone, only good for outdated software or "legacy" systems.

This pleases again the C++ people, that insist in seeing their language
as the "better C", and obviously, C++ is much better in some ways as
C, specially what string handling/common algorithms in the STL/ and
many other advances.

What strikes me is that this need not be, since C could with minimal
improvements be a much safer and general purpose language than it is
now.

Discussion about this possibility is nearly impossible, since a widely
read forum about C (besides this newsgroup) is non existing.

Hence this message.

To summarize:

o Bounds checking and safer, language supported constructs are NOT
impossible because too much overhead
o Constructs like a better run time library could be implemented in a
much safer manner if we would redesign the library from scratch,
without any effective run time cost.

jacob

P.S. If you think this article is off topic, please just ignore it.
I am tired of this stupid polemics.

Richard Heathfield schrieb:

I actually said "strictly conforming program". A strictly conforming
program does not contain any instances of undefined behaviour. (If it
did, it would not be strictly conforming.) Therefore, it cannot violate
any bounds.

Ok, but that is completely irrelevant for programming practice;
it's pure theory.

If it _were_ possible for a strictly conforming program
to violate object bounds, a bounds checking implementation would be
legal.

Bjoern Vian <Bj*********@gmx.liwrote:

>Richard Heathfield schrieb:

>>I actually said "strictly conforming program". A strictly conforming
program does not contain any instances of undefined behaviour. (If it
did, it would not be strictly conforming.) Therefore, it cannot violate
any bounds.

Ok, but that is completely irrelevant for programming practice;
it's pure theory.

No, it isn't. If it _were_ possible for a strictly conforming program to
violate object bounds, a bounds checking implementation would be legal.
Since it is _not_ possible, a bounds checking implementation is legal
and, get this, on occasion very _practical_ to discover where your
program is not strictly conforming in a bounds-violating way.

Richard

I read (or tried to read) the article. It does not suggest changing
the C language.

I don't think you understood much of the article,

if
you read their conclusions carefully. You totally missed the point
that the authors said hardware changes would be needed to make the
bounds checking not use excessive resources.

Maybe it would have been
better if your original post was ignored, since it was so poorly
thought out.

Nobody disagrees that messing up pointer and array
operations in C produces very nasty bugs, and that there is a need to
reduce the risk.

But your idea about changing the C language to get
rid of strings ending with 0 is totally unworkable, because it would
break tons of existing code, as others have pointed out.

Richard said:

>Richard Heathfield <rj*@see.sig.invalidwrites:

<snip>

>>A strictly conforming
program does not contain any instances of undefined behaviour. (If it
did, it would not be strictly conforming.) Therefore, it cannot
violate any bounds.

How does a program get so certified?

"Certified", I wouldn't know about. But the definition of "strictly
conforming" is not a secret:

"A strictly conforming program shall use only those features of
the language and library specified in this Standard. It shall
not produce output dependent on any unspecified, undefined, or
implementation-defined behavior, and shall not exceed any minimum
implementation limit."

>This whole rubbish is just to destroy any technical
discussion about the issues I raised, using this
pseudo technical language legalese.

>This whole rubbish is just to destroy any technical
discussion about the issues I raised, using this
pseudo technical language legalese.

Bjoern Vian <Bj*********@gmx.liwrote:

>Richard Heathfield schrieb:

I actually said "strictly conforming program". A strictly conforming
program does not contain any instances of undefined behaviour. (If it
did, it would not be strictly conforming.) Therefore, it cannot violate
any bounds.

Ok, but that is completely irrelevant for programming practice;
it's pure theory.

No, it isn't. If it _were_ possible for a strictly conforming program to
violate object bounds, a bounds checking implementation would be
legal.

Since it is _not_ possible, a bounds checking implementation is legal
and, get this, on occasion very _practical_ to discover where your

program is not strictly conforming in a bounds-violating way.

>
Richard

Guillaume wrote:

>Bounds checking is nice and all, but it certainly is no panacea.
It may even not be *that* useful IMO. Here is why:

1. No bounds checking. You read or write data outside bounds. It
generates an exception.

NO, in most cases writing beyond a variable's specified length doesn't
produce any exception.

Consider this program:
int fn(int *p,int c)
{
return p[c];
}

int main(void)
{
int tab[3];

int s = fn(tab,3);
}

Please tell me a compiler system where this program generates an
exception.

Richard Bos wrote:

>Bjoern Vian <Bj*********@gmx.liwrote:

>>Richard Heathfield schrieb:

I actually said "strictly conforming program". A strictly conforming
program does not contain any instances of undefined behaviour. (If
it did, it would not be strictly conforming.) Therefore, it cannot
violate any bounds.
Ok, but that is completely irrelevant for programming practice;
it's pure theory.

No, it isn't. If it _were_ possible for a strictly conforming program to
violate object bounds, a bounds checking implementation would be legal.

>Since it is _not_ possible, a bounds checking implementation is legal
and, get this, on occasion very _practical_ to discover where your
program is not strictly conforming in a bounds-violating way.

Richard

Are you a lawyer?

It looks like.

tell me then, how can I know if a program is
"strictly conforming" then?

That is worst than the halting problem!

This whole rubbish is just to destroy any technical
discussion about the issues I raised, using this
pseudo technical language legalese.

jacob navia wrote:

>Ian Collins wrote:

>>>o They are NOT available in many embedded platforms
You can test the code off-target.

No. The code will run on target and you would have to
simulate the conditions on target, not always an easy task,
mind you.

Well I still support a couple of embedded projects and I can't remember
the last time I did any debugging on the targets. Everything is
developed and unit tested on the host, even the acceptance test suite
can run against both the target and the host simulation.

>>>What I am aiming at is a general language construct that would
allow more easy compiler checking in the existing toolset,
i.e. the compiler and the linker.
Why impost the extra burden on the vendor when they can provides optinal
tools?

Because not every vendor can provide such tools, and a small language
modifications would suffice to provide for most bound
checking applications.

But they are not required everywhere. On many embedded targets, there
simply would not be space for the extra code.

tell me then, how can I know if a program is
"strictly conforming" then?

That is worst than the halting problem!

This whole rubbish is just to destroy any technical
discussion about the issues I raised, using this
pseudo technical language legalese.

I do have my thick head on. I don't understand anything of the past
few points about "conforming" programs. It sounds like a load of mumbo
jumbo.

Even more important is what is the implementation going to do if it
detects an out-of-bounds access?

I certainly don't want to have to
switch off my car when doing 70MPH in the fast lane of the M25!

Richard said:

<snip>

>I do have my thick head on. I don't understand anything of the past
few points about "conforming" programs. It sounds like a load of mumbo
jumbo.

If further proof were needed that there is no point engaging with Mr
Riley, this would seem to be it. I apologise to the group for treating
him seriously; it is now evident to me that this was a waste of time.

jacob navia wrote:

>Ian Collins wrote:

>>>o They are NOT available in many embedded platforms
You can test the code off-target.

No. The code will run on target and you would have to
simulate the conditions on target, not always an easy task,
mind you.

Well I still support a couple of embedded projects and I can't remember
the last time I did any debugging on the targets. Everything is
developed and unit tested on the host, even the acceptance test suite
can run against both the target and the host simulation.

>

>>>o They are NOT available in many respected systems like,
(for instance) AIX, or SUN, as far as I know.
News to me, I've been using Sun's dbx with its access/leak checking for
many years.

Impossible to use because the program will slow down for a factor
of 1,000 at least...

It's no where near that bad. Yes there is a performance penalty, but
this can be mitigated by only applying the full set of checks to
selected parts of the application.

>>>What I am aiming at is a general language construct that would
allow more easy compiler checking in the existing toolset,
i.e. the compiler and the linker.
Why impost the extra burden on the vendor when they can provides optinal
tools?

Because not every vendor can provide such tools, and a small language
modifications would suffice to provide for most bound
checking applications.

But they are not required everywhere. On many embedded targets, there
simply would not be space for the extra code.

Richard Heathfield <rj*@see.sig.invalidwrites:

>Richard said:

>>Richard Heathfield <rj*@see.sig.invalidwrites:

<snip>

>>>A strictly conforming
program does not contain any instances of undefined behaviour. (If it
did, it would not be strictly conforming.) Therefore, it cannot
violate any bounds.
How does a program get so certified?

"Certified", I wouldn't know about. But the definition of "strictly
conforming" is not a secret:

"A strictly conforming program shall use only those features of
the language and library specified in this Standard. It shall
not produce output dependent on any unspecified, undefined, or
implementation-defined behavior, and shall not exceed any minimum
implementation limit."

So theory then and almost impossible to achieve in real life since it's
impossible to, IMO, to predetermine that your program will react
properly under all variations of potential user input.

>On Jul 29, 2:43 pm, jacob navia <ja...@jacob.remcomp.frwrote:

>We hear very often in this discussion group that
bounds checking, or safety tests are too expensive
to be used in C.

Several researchers of UCSD have published an interesting
paper about this problem.

http://www.jilp.org/vol9/v9paper10.pdf

Specifically, they measured the overhead of a bounds
checking implementation compared to a normal one, and
found that in some cases the overhead can be reduced
to a mere 8.3% in some cases...

>>Specifically, they measured the overhead of a bounds
checking implementation compared to a normal one, and
found that in some cases the overhead can be reduced
to a mere 8.3% in some cases...

>for me it is all wrong
the % of slowness should be 0%