[7350] in bugtraq


Re: EMERGENCY: new remote root exploit in UW imapd

daemon@ATHENA.MIT.EDU (Craig Spannring)
Wed Jul 22 14:41:14 1998

Date: 	Tue, 21 Jul 1998 15:00:19 -0700
Reply-To: Craig Spannring <cts@INTERNETCDS.COM>
From: Craig Spannring <cts@INTERNETCDS.COM>
X-To:         Kragen <kragen@POBOX.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.SUN.3.96.980721122913.6874H-100000@picard.dnaco.net>

Kragen writes:
 >
 > I've heard that bounds-checking typically increases the time to do
 > things by 30-50%.  The bounds-checking egcs people are optimistic that
 > this can be reduced.  Even so, it's much smaller than the variance
 > introduced by different degrees of optimization and efficient
 > design.

Since C was never designed to do bounds checking it will be hard to
retrofit it efficiently.

Other languages such as Ada have a much easier time.  For instance, if
you compile the following program with gnat, the compiler figures out
that no array bounds checking is needed and you take a 0% performance
hit.

  with Ada.Text_Io; use Ada.Text_Io;
  with Ada.Integer_Text_Io; use Ada.Integer_Text_Io;
  procedure Foo is

    -- Index type with a static range; the array is indexed by exactly this type.
    type My_Index is range -10..10;
    type My_Array is array(My_Index) of Integer;

    A: My_Array;
    function Sum(Arr: in My_Array) return Integer is
       Result: Integer := 0;
    begin
       -- I ranges over My_Index, the array's own index type,
       -- so Arr(I) can never be out of bounds.
       for I in My_Index loop
          Result := Result + Arr(I);
       end loop;
       return Result;
    end Sum;

    T: Integer;
    begin
       for I in My_Index loop
          Put("Input a number ");
          Get(A(I));
       end loop;
       Put("The sum is "); Put(Sum(A)); New_Line;
    end Foo;

In fact the gnat people say that the assembly output is almost
identical to what gcc would produce with an equivalent C program.

I haven't written a lot of Ada code and none professionally, but I did
play around writing the bootstrap code for a PC once.  The bootstrap
code needs to fit into the first 7K of a floppy and that's not a lot
of space.  If the code had raised any exceptions the required runtime
exception functions would not have fit in the space allowed.

It was the code size I had to worry about, not the speed, but in this
case being able to show that I wasn't taking a code size hit also
showed that I wasn't taking a performance hit either.


--
=======================================================================
 Life is short.                  | Craig Spannring
      Ski hard, Bike fast.       | cts@internetcds.com
 --------------------------------+------------------------------------
 Any sufficiently perverted technology is indistinguishable from Perl.
=======================================================================
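
Added example, not part of the original post: a C counterpart of the Ada program above, showing where a range check is redundant (a loop whose bounds are the array's own constant bounds) and where it is still required (an index arriving from outside). The names `my_array`, `sum`, `get_checked` and `set_checked` are assumptions made for this illustration, and the sample data is constructed.

```c
#include <stdio.h>
#include <stdbool.h>

/* Mirrors the Ada declarations: index range -10..10, 21 elements. */
enum { IDX_FIRST = -10, IDX_LAST = 10, ARR_LEN = IDX_LAST - IDX_FIRST + 1 };

typedef struct { int v[ARR_LEN]; } my_array;

/* The loop bounds are compile-time constants equal to the array bounds,
   so every access is provably in range and needs no per-access check. */
int sum(const my_array *a)
{
    int result = 0;
    for (int i = IDX_FIRST; i <= IDX_LAST; i++)
        result += a->v[i - IDX_FIRST];
    return result;
}

/* An index from outside (input, network, file) is the one place a check
   is required. Ada makes the same check when a value is converted to the
   range type. Returns false and leaves *out untouched if out of range. */
bool get_checked(const my_array *a, long idx, int *out)
{
    if (idx < IDX_FIRST || idx > IDX_LAST)
        return false;
    *out = a->v[idx - IDX_FIRST];
    return true;
}

/* Same rule for writes: validate once at the boundary, then store. */
bool set_checked(my_array *a, long idx, int value)
{
    if (idx < IDX_FIRST || idx > IDX_LAST)
        return false;
    a->v[idx - IDX_FIRST] = value;
    return true;
}

int main(void)
{
    my_array a;
    int x = 0;
    for (int i = IDX_FIRST; i <= IDX_LAST; i++)
        set_checked(&a, i, i * i);            /* constructed sample data */
    printf("sum = %d\n", sum(&a));
    printf("index -10 accepted: %d\n", get_checked(&a, -10, &x));
    printf("index  11 accepted: %d\n", get_checked(&a, 11, &x));
    return 0;
}
```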
