Array bounds checking with C????

Karl Heuer karl at haddock.ima.isc.com
Fri Aug 31 08:54:37 AEST 1990


In article <1990Aug30.134537.26326 at diku.dk> njk at diku.dk (Niels Jørgen Kruse) writes:
>Assume the following code [on a bounds-checking implementation]:
>        char *a,*c; double *b,d[17/sizeof(double)];
>        if (a = malloc (17)) {
>          b = (double *)a;
>          c = (char *)b;
>Is c[16] legal?

I believe it is, and therefore that the cast to (double *) must not actually
reduce the known range of the pointer to that which is pointable from a
double.  Thus, a bounds-checking C implementation must maintain the bounds of
a pointer by using a byte count (or byte pointer) rather than an object count
(or object pointer).

>What kind of object is b pointing to?  How does it differ from
>the object pointed to by (d+0)?

Assume for concreteness that sizeof(double)==8.  Then b is <double *, pointer
to beginning of 17-byte block>, which is room for 2 doubles plus a spare byte
at the end that cannot be referenced without casting b.  But d is <double *,
pointer to beginning of 16-byte block>, which is room for 2 doubles exactly.

>What does your bounds-checking C compiler have to say?
>What does the standard say?

This is my interpretation of the Standard.  I don't have a bounds-checking C
compiler at hand, and I wonder if it would get this right.  (Particularly on a
word-addressable architecture.)

Karl W. Z. Heuer (karl at kelp.ima.isc.com or ima!kelp!karl), The Walking Lint
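As an added illustration, not code from the post or from any real bounds-checking compiler: a toy fat-pointer model in C that keeps a pointer's bounds as a byte count across casts, as the reply argues a checker must, beside the object-count rule it rejects. The fatptr struct and its functions are hypothetical names chosen here.

```c
#include <stdlib.h>
/* Hypothetical fat pointer (not any real compiler's layout): bounds are kept
   as a byte range, independent of the element type of the current view. */
typedef struct {
    unsigned char *base;   /* start of the allocated block */
    size_t nbytes;         /* size of the block in bytes */
    size_t offset;         /* current position, in bytes from base */
    size_t elem;           /* sizeof the element type of this view */
} fatptr;

/* A bounds-tracked pointer over a freshly malloc'd block, viewed as char. */
static fatptr fat_malloc(size_t nbytes) {
    fatptr p = { malloc(nbytes), nbytes, 0, 1 };
    return p;
}

/* Byte-count cast: only the view width changes; the spare 17th byte survives. */
static fatptr fat_cast(fatptr p, size_t elem) {
    p.elem = elem;
    return p;
}

/* Object-count cast, the rule the post argues against: bounds are rounded down
   to whole elements, so the spare byte is lost and a later cast can't restore it. */
static fatptr fat_cast_truncating(fatptr p, size_t elem) {
    p.elem = elem;
    p.nbytes = (p.nbytes / elem) * elem;
    return p;
}

/* Does reading a whole element at p[i] stay inside the block? */
static int fat_index_ok(fatptr p, size_t i) {
    size_t start = p.offset + i * p.elem;                    /* first byte of element i */
    return start <= p.nbytes && p.elem <= p.nbytes - start;  /* written to avoid overflow */
}

/* The thread's scenario with sizeof(double)==8: a 17-byte block viewed as char,
   then double, then char again. Returns 1 if every check matches the byte-count
   interpretation, 0 otherwise. */
static int scenario_17(void) {
    fatptr a = fat_malloc(17);
    if (!a.base) return 0;
    fatptr b = fat_cast(a, 8), c = fat_cast(b, 1);          /* (double *)a, (char *)b */
    fatptr c2 = fat_cast(fat_cast_truncating(a, 8), 1);    /* object-count alternative */
    int ok = fat_index_ok(c, 16) && fat_index_ok(b, 1)     /* last byte, 2nd double: legal */
          && !fat_index_ok(b, 2) && !fat_index_ok(c, 17)   /* past the end */
          && !fat_index_ok(c2, 16);                        /* byte 16 wrongly rejected */
    free(a.base);
    return ok;
}
```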
