Software Assurance Reference Dataset

bearophile via Digitalmars-d digitalmars-d at puremagic.com
Thu Jun 26 02:19:04 PDT 2014


Walter Bright:

> It's an interesting list, and an opportunity for D. I once said 
> that my job was to put Coverity out of business. The more of 
> these issues D can automatically prevent with @safe, the better.

One kind of problem left is to avoid stack overflows. I have had 
several such cases in my D code (perhaps because I use 
fixed-sized arrays a lot).

I think they can be caused by:
1) Too much large allocations in stack frames;
2) By alloca();
3) By recursion and co-recursion chains;

The first cause is probably sufficiently easy to solve 
mechanically, with a conservative call tree analysis of the code. 
This is a job for external tools.

The second cause can be solved with a formal proof of the upper 
bounds of the arguments of alloca, or even more conservatively 
disallowing alloca.

The third cause, a cycle in the call graph, can be found with an 
external too, but in theory it's also easy to avoid with a 
@no_call_cyles annotation :-) Such annotation looks useful only 
if you want to avoid stack overflows, so it's better to use a 
more general annotation that also forbids alloca(). Something 
like @fixed_stack or @constant_memory.

I think adding this annotation to D is a little overkill (despite 
SPARK and Ada analysers are doing stack size analysis since many 
years). So I think a better solution (beside creating an external 
tool) is to add to D a more general feature to attach some 
compile-time semantics to user-defined annotations. To do this 
you need a trait that returns a sequence of all the functions 
called by a function.

Bye,
bearophile


More information about the Digitalmars-d mailing list