Out-of-bounds pointers

Doug Gwyn gwyn at smoke.BRL.MIL
Sat Oct 7 05:49:42 AEST 1989


In article <868 at crdos1.crd.ge.COM> davidsen at crdos1.UUCP (bill davidsen) writes:
>In article <12570028 at hpclwjm.HP.COM>, walter at hpclwjm.HP.COM (Walter Murray) writes:
>|  Doug Gwyn:
>|  > It's not even "legal" to compute an invalid address, whether or not
>|  > it is dereferenced.
>  While this is obviously true, I have never understood the rationale of
>this decision. Given that (a) there are existing programs which do this,
>for reasons other than sloppy programming,

How could they?  If a computation produces a genuinely meaningless
result, how can a reasonable program rely on it?

>(b) most implementations happily allow this,

You mean, most implementations don't provide any sensible check for
this.  The worst bugs I've found in UNIX software were due to
computing invalid pointers as an intermediate step in an algorithm.
When it happened to work, it was BY ACCIDENT.  When it failed, it
was a MYSTERY (until I finally tracked it down).  If you think that
this is desirable behavior, then you're nuts.

>(c) if you are allowed to declare an auto pointer at all then obviously
>the hardware supports uninitialized pointers,

Obviously?  Allocation of storage is not the same as accessing its
contents.

>I fail to see what benefit is gained.

The "benefit" is that faster, more natural C implementations are
permitted on architectures where this is an issue.

Another benefit is that we do not have to figure out rules for
assigning meanings to inherently meaningless address-arithmetic
results, as we would be obliged to do if they were guaranteed
legitimate by the standard.

The final benefit is to bring the non-portable (and often unsafe)
nature of such operations clearly before the eyes of the C
programming public.

>Could someone clarify this, since it certainly is not prevailing
>practice? 

I have no idea what you mean by "prevailing practice".  The only
significant prevailing C "standard" was K&R 1st Edition Appendix A.
It certainly did not promise that randomly computed addresses would
always be valid pointer values.
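
Added illustration, not part of Doug Gwyn's post or of the thread: the reverse-iteration idiom that forms the address arr - 1 as an intermediate result (which ISO C leaves undefined even though it is never dereferenced, and which is one of the "existing programs do this for reasons other than sloppy programming" cases), beside a rewrite that only ever forms addresses in the range arr .. arr + n; and a buffer space check that forms an out-of-range address beside one that compares lengths instead. The function names, the sample array and the sample buffer are hypothetical, constructed for this example.

```c
/* Added example, not from the original post.  The names sum_reverse_unsafe,
 * sum_reverse_portable, fits_unsafe and fits_portable, the sample array and
 * the sample buffer are all hypothetical, constructed for illustration. */
#include <stddef.h>
#include <stdio.h>

/* Constructed sample input. */
static const int sample[5] = {1, 2, 3, 4, 5};
static char sample_buf[16];

/* Walks the array backwards.  The loop only terminates after p has been
 * decremented past the first element to arr - 1.  That address belongs to
 * no element and is not the one-past-the-end address, so ISO C leaves the
 * computation undefined even though the result is never dereferenced; it
 * happens to work on flat address spaces and is exactly the "invalid
 * pointer as an intermediate step" the thread is about.  With n == 0 the
 * very first expression, arr + n - 1, already forms arr - 1. */
long sum_reverse_unsafe(const int *arr, size_t n)
{
    long total = 0;
    const int *p;
    for (p = arr + n - 1; p >= arr; p--)     /* last p-- yields arr - 1 */
        total += *p;
    return total;
}

/* Same traversal, only ever forming addresses in [arr, arr + n].
 * arr + n (one past the end) may be formed but must not be dereferenced. */
long sum_reverse_portable(const int *arr, size_t n)
{
    long total = 0;
    const int *p = arr + n;
    while (p != arr) {
        --p;                                 /* now arr <= p < arr + n */
        total += *p;
    }
    return total;
}

/* Will len more bytes fit after cursor p in buf[cap]?
 * Precondition for both forms: buf <= p <= buf + cap.
 *
 * The first form computes p + len before comparing.  When the request
 * does not fit, that is an address beyond one past the end of buf, so the
 * computation is undefined; a compiler is entitled to assume it stayed in
 * range, which is precisely the case the check exists to catch. */
int fits_unsafe(const char *buf, size_t cap, const char *p, size_t len)
{
    return p + len <= buf + cap;             /* forms the out-of-range address */
}

/* The second form subtracts two pointers that are both inside the object
 * and compares lengths, so no out-of-range address is ever formed. */
int fits_portable(const char *buf, size_t cap, const char *p, size_t len)
{
    size_t avail = (size_t)(buf + cap - p);  /* both operands inside buf */
    return len <= avail;
}

int main(void)
{
    printf("portable reverse sum: %ld\n", sum_reverse_portable(sample, 5));
    printf("6 bytes at offset 10 of 16 fit: %d\n",
           fits_portable(sample_buf, sizeof sample_buf, sample_buf + 10, 6));
    printf("7 bytes at offset 10 of 16 fit: %d\n",
           fits_portable(sample_buf, sizeof sample_buf, sample_buf + 10, 7));
    return 0;
}
```

Neither unsafe form is reliably diagnosed by an undefined-behaviour sanitizer, which only sees whether the pointer arithmetic wrapped around the address space, not the extent of the object the pointer came from; the rewrite has to be done by inspection, which is why Gwyn calls such bugs a mystery until tracked down.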
