Bounds checking and safety in C


Problem description


We hear very often in this discussion group that
bounds checking, or safety tests are too expensive
to be used in C.

Several researchers of UCSD have published an interesting
paper about this problem.

http://www.jilp.org/vol9/v9paper10.pdf

Specifically, they measured the overhead of a bounds
checking implementation compared to a normal one, and
found that in some cases the overhead can be reduced
to a mere 8.3%...

I quote from that paper:

< quote >
To summarize, our meta-data layout coupled with meta-check instruction
reduce the average overhead of bounds checking to 21% slowdown which is
a significant reduction when compared to 81% incurred by current
software implementations when providing complete bounds checking.
< end quote>

This 21% slowdown is the overhead of checking EACH POINTER
access, and each (possible) dangling pointer dereference.

If we extrapolate to the alleged overhead of using some extra
arguments to strcpy to allow for safer functions (the "evil
empire" proposal) the overhead should be practically ZERO.

Somehow, we are not realizing that with the extreme power of the
CPUs now at our disposal, it is a very good idea to try to
minimize the time we stay behind the debugger when developing
software. A balance should be sought for improving the safety
of the language without overly compromising the speed of the
generated code.

I quote again from that paper:

< quote >
As high GHZ processors become prevalent, adding hardware support to
ensure the correctness and security of programs will be just as
important, for the average user, as further increases in processor
performance. The goal of our research is to focus on developing
compiler and hardware support for efficiently performing software checks
that can be left on all of the time, even in production code releases,
to provide a significant increase in the correctness and security of
software.

< end quote >

The C language, as it is perceived by many people here, seems
frozen in the past without any desire to incorporate the changing
hardware/software relationship into the language itself.

When these issues are raised, the "argument" most often presented is
"efficiency" or just "it is like that".

This has led to the language being perceived as backward and error
prone, only good for outdated software or "legacy" systems.

This pleases again the C++ people, who insist on seeing their language
as the "better C", and obviously, C++ is much better than C in some ways,
especially in string handling, the common algorithms in the STL, and
many other advances.

What strikes me is that this need not be, since C could with minimal
improvements be a much safer and general purpose language than it is
now.

Discussion about this possibility is nearly impossible, since a widely
read forum about C (besides this newsgroup) is non-existent.

Hence this message.

To summarize:

o Bounds checking and safer, language-supported constructs are NOT
impossible because of too much overhead.
o Constructs like a better run-time library could be implemented in a
much safer manner if we redesigned the library from scratch,
without any effective run-time cost.

jacob

P.S. If you think this article is off topic, please just ignore it.
I am tired of these stupid polemics.
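A concrete instance of the "extra arguments to strcpy" idea from the post above, added here as an example (it is not code from the thread or from the UCSD paper it cites): a length-aware copy and append whose only added cost is one length comparison per call, and which fails closed instead of writing past the destination. The function names, the 16-byte buffer and the sample strings are constructed for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Copy src into dest[dest_size]. Returns 0 on success; if the string would
 * not fit, dest becomes "" and -1 is returned instead of an overflow. */
int safe_strcpy(char *dest, size_t dest_size, const char *src)
{
    if (dest == NULL || dest_size == 0 || src == NULL)
        return -1;
    size_t n = strlen(src);
    if (n >= dest_size) {        /* the single extra check per call */
        dest[0] = '\0';          /* fail closed, never truncate silently */
        return -1;
    }
    memcpy(dest, src, n + 1);    /* n bytes plus the terminating NUL */
    return 0;
}

/* Append src to the string already held in dest[dest_size]; same contract.
 * On failure dest is left exactly as it was. */
int safe_strcat(char *dest, size_t dest_size, const char *src)
{
    if (dest == NULL || dest_size == 0 || src == NULL)
        return -1;
    const char *end = memchr(dest, '\0', dest_size);
    if (end == NULL)             /* dest is not a terminated string */
        return -1;
    size_t used = (size_t)(end - dest);
    return safe_strcpy(dest + used, dest_size - used, src);
}

/* Constructed check: does s fit in a 16-byte buffer? 1 if yes, 0 if not. */
int fits16(const char *s)
{
    char buf[16];
    return safe_strcpy(buf, sizeof buf, s) == 0;
}

/* Constructed demo: "hello" fits, the appended text would overflow and is
 * refused, and the buffer still holds "hello" afterwards. Returns 1 if so. */
int demo_bounded_copy(void)
{
    char buf[16];
    int ok = safe_strcpy(buf, sizeof buf, "hello");
    int refused = safe_strcat(buf, sizeof buf, ", bounds checked");
    return ok == 0 && refused == -1 && strcmp(buf, "hello") == 0;
}
```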

Recommended answers

jacob navia said:

>We hear very often in this discussion group that
>bounds checking, or safety tests are too expensive
>to be used in C.


The C Standard neither requires nor forbids bounds checking. A strictly
conforming program will violate no bounds, and so presumably will not
be able to detect the existence of a bounds checker. Therefore, it's
perfectly acceptable for an implementation to incorporate this feature.
And indeed some do, although typically only in debug mode, for what I
hope are obvious reasons. This is entirely a QoI issue.

<snip>

--
Richard Heathfield <http://www.cpax.org.uk>
Email: -www. +rjh@
Google users: <http://www.cpax.org.uk/prg/writings/googly.php>
"Usenet is a strange place" - dmr 29 July 1999


Richard Heathfield <rj*@see.sig.invalid> writes:

jacob navia said:

>We hear very often in this discussion group that
>bounds checking, or safety tests are too expensive
>to be used in C.





>The C Standard neither requires nor forbids bounds checking. A strictly
>conforming program will violate no bounds, and so presumably will not




A conforming program can still have bugs. Or?


>be able to detect the existence of a bounds checker. Therefore, it's
>perfectly acceptable for an implementation to incorporate this feature.
>And indeed some do, although typically only in debug mode, for what I
>hope are obvious reasons. This is entirely a QoI issue.

><snip>



--


Richard said:

Richard Heathfield <rj*@see.sig.invalid> writes:

>jacob navia said:

>>We hear very often in this discussion group that
>>bounds checking, or safety tests are too expensive
>>to be used in C.


>The C Standard neither requires nor forbids bounds checking. A
>strictly conforming program will violate no bounds, and so presumably
>will not




>A conforming program can still have bugs. Or?




I actually said "strictly conforming program". A strictly conforming
program does not contain any instances of undefined behaviour. (If it
did, it would not be strictly conforming.) Therefore, it cannot violate
any bounds.

--
Richard Heathfield <http://www.cpax.org.uk>
Email: -www. +rjh@
Google users: <http://www.cpax.org.uk/prg/writings/googly.php>
"Usenet is a strange place" - dmr 29 July 1999

