Subject : Re: VMS
From : invalid (at) *nospam* invalid.invalid (Richard Kettlewell)
Groups : comp.os.linux.misc
Date : 20. Jun 2025, 21:19:35
Organization : terraraq NNTP server
Message-ID : <wwvldpm17zc.fsf@LkoBDZeT.terraraq.uk>
References : 1 2 3 4 5 6 7 8 9 10 11 12
User-Agent : Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
Rich <rich@example.invalid> writes:
> Ada accomplished it years ago (i.e., Rust is nothing new in that
> regard). But.... it did so by inserting in the compiled output all
> the checks for buffer sizes before use and checks of error return codes
> that so often get omitted in C code. And the performance hit was
> sufficient that Ada only found a niche in very safety critical
> environments (aircraft avionics, etc.).
I don’t know what Ada’s approach was in detail, but I have a few points
to make here.
First, just because an automated check isn’t reflected in comparable C
code doesn’t mean the check isn’t necessary; and as the stream of
vulnerabilities over the last few decades shows, often the omitted checks
_are_ necessary. Comparing buggy C code with correctly functioning Ada
code is not really an argument for using C.
Secondly, many checks can be optimized out. e.g. iterating over an array
(or a prefix of it) doesn’t need a check on every access, it just needs
a check that the loop bound doesn’t exceed the array bound[1]. This kind
of optimization is easy mode for compilers;
https://godbolt.org/z/Tz5KGq6vais shows an example in C++ (the at()
method is bounds-checked array indexing).
[1] provided of course that the array can’t change size during the
loop; experience doesn’t really support the idea that humans are
good at noticing whether this condition is true.
Finally, on all but the least powerful microprocessors, a correctly
predicted branch is almost free, and a passed bounds check is easy mode
for a branch predictor.
With that in mind, with compilers and microprocessors from this century,
the impact of this sort of thing is rather small. (Ada dates back to
1980, at which time a lot of these technologies were much less mature.)
-- https://www.greenend.org.uk/rjk/
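The hoisting argument above, and the footnote about the array changing size, as an added C++ example (not Richard's godbolt snippet and not part of the original post). It contrasts per-access checking via std::vector::at(), which throws std::out_of_range, with a single up-front check of the loop bound against the array bound; the function names, the sample data and the drop_last callback are all constructed for this illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

using Vec = std::vector<std::int32_t>;

// Per-access bounds checking: every v.at(i) compares i against v.size()
// and throws std::out_of_range when the index is out of range.
std::int64_t sum_prefix_checked_each(const Vec& v, std::size_t n) {
    std::int64_t total = 0;
    for (std::size_t i = 0; i < n; ++i)
        total += v.at(i);
    return total;
}

// Hoisted check: one comparison of the loop bound n against v.size(),
// then unchecked indexing inside the loop. This is exactly what an
// optimizer may do with the at() version, and it is only valid because
// v cannot change size during the loop (const reference, no mutating calls).
std::int64_t sum_prefix_hoisted(const Vec& v, std::size_t n) {
    if (n > v.size())
        throw std::out_of_range("prefix length exceeds array size");
    std::int64_t total = 0;
    for (std::size_t i = 0; i < n; ++i)
        total += v[i];
    return total;
}

// Footnote [1] in practice: the loop body calls a step function that may
// shrink the container, so a hoisted check would not cover later
// iterations. The check has to stay on every access (at() does that).
std::int64_t sum_prefix_with_step(Vec& v, std::size_t n, void (*step)(Vec&)) {
    std::int64_t total = 0;
    for (std::size_t i = 0; i < n; ++i) {
        total += v.at(i);   // re-checked each iteration; v.size() may have changed
        step(v);
    }
    return total;
}

// Constructed step function: removes one element per iteration.
void drop_last(Vec& v) {
    if (!v.empty())
        v.pop_back();
}

// Helpers that report whether a call rejected an out-of-bounds prefix,
// so the two checking strategies can be compared on the same inputs.
bool prefix_rejected(std::int64_t (*f)(const Vec&, std::size_t), const Vec& v, std::size_t n) {
    try { f(v, n); return false; }
    catch (const std::out_of_range&) { return true; }
}

bool step_rejected(Vec v, std::size_t n) {
    try { sum_prefix_with_step(v, n, drop_last); return false; }
    catch (const std::out_of_range&) { return true; }
}

int main() {
    const Vec data{1, 2, 3, 4, 5};   // constructed sample input
    sum_prefix_checked_each(data, 5);
    sum_prefix_hoisted(data, 5);
    return prefix_rejected(sum_prefix_hoisted, data, 6) ? 0 : 1;
}
```

The two "prefix" functions accept and reject exactly the same (v, n) pairs, which is what licenses the compiler to replace the per-access test with the single comparison; the step variant shows the precondition that makes that replacement unsafe, since a loop that starts in bounds can still run off the end of a container that shrinks underneath it.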