
C and C++ could have non_nullable pointers, easily

Posted Aug 20, 2009 20:22 UTC (Thu) by nix (subscriber, #2304)
In reply to: C and C++ could have non_nullable pointers, easily by hummassa
Parent article: Null pointers, one month later

Great. Now what does malloc() return on error?

How will you *create* one of these pointers?



C and C++ could have non_nullable pointers, easily

Posted Aug 21, 2009 4:47 UTC (Fri) by njs (guest, #40338) [Link]

Malloc returns a maybe-NULL pointer, just like now. The type system requires you to check for errors before it will let you dereference this pointer. (xmalloc can return a non-NULL pointer, though, because it has done the check.)

So... no problem?

C and C++ could have non_nullable pointers, easily

Posted Aug 21, 2009 7:27 UTC (Fri) by nix (subscriber, #2304) [Link]

No improvement, more like. All it does is automate away the null checks everyone should already be doing anyway, and replace them with something which is sufficiently automated that I can't see how it could provide helpful output at runtime (unless it did a longjmp() or EH got added to C or something).

So at best it'd give you something like a dump of program state at the time of the unintended NULL dereference: i.e., a core dump. The only advantage is that the set of places you could get core dumps from might be slightly smaller (at allocation, rather than at first dereference).

C and C++ could have non_nullable pointers, easily

Posted Aug 21, 2009 8:05 UTC (Fri) by njs (guest, #40338) [Link]

Well, xmalloc has all those effects, but that's the *point* of xmalloc, so I don't see what it has to do with type-distinguishing nullable and non-nullable pointers... the point of which is to force people to think about whether a pointer can be null every time they want to dereference it, in a relatively painless way.

(This is all relatively common in languages with real type systems.)

C and C++ could have non_nullable pointers, easily

Posted Aug 21, 2009 18:50 UTC (Fri) by bronson (subscriber, #4806) [Link]

> All it does is automate away the null checks everyone should already be doing anyway

More like it mandates the null checks that everybody is supposed to do but even the most skilled programmers can't get 100% correct. It should raise the quality of all C programs.

> at best it'd give you something like a dump of program state at the time of the unintended NULL dereference

Yes, that's better than dereferencing and getting rooted isn't it?

C and C++ could have non_nullable pointers, easily

Posted Aug 21, 2009 19:06 UTC (Fri) by nix (subscriber, #2304) [Link]

True indeed. However, for nearly all programs (i.e., everything other than kernels and those very rare userspace programs that dereference things at address zero or have structures whose sizeof() is in the multimegabyte range), dereferencing null pointers doesn't lead to a root hole, but to a crash. DoSes are bad enough, and it's still a bug...

So, yes, it's an improvement, but I'm not sure it's a large one. (I also fear it would turn out like 'const' too often does: the semiclued majority would just use nullable pointers everywhere because non-nullable ones are 'too annoying'. But security-important software and software written by clued people which can't use real languages like ocaml ;) would of course benefit. And perhaps that's all we can hope for.)

C and C++ could have non_nullable pointers, easily

Posted Aug 27, 2009 19:30 UTC (Thu) by hummassa (subscriber, #307) [Link]

That's why, in my example, I stated that (sorry):

YOU CANNOT DEREFERENCE A NULLABLE POINTER

if you want to use the star, check if it is nullable. People will start to use non-nullable pointers everywhere in their interfaces because they don't want to be checking for null all the time. :-D Cunning, eh?

C and C++ could have non_nullable pointers, easily

Posted Aug 27, 2009 19:31 UTC (Thu) by hummassa (subscriber, #307) [Link]

Forgot to explain: dereferencing a nullable pointer should be a syntax error. Uh, and no static_cast between nullable and non-nullable pointers, either... no cheating :-D
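As an added example, not code from this thread or from any of its posters, here is one C++17 sketch of the rule hummassa describes: a Nullable<T> that cannot be dereferenced at all, a NonNull<T> that can only be obtained through an explicit check, no cast between the two, and malloc/xmalloc-style allocators returning each kind as njs outlines. All type and function names (NonNull, Nullable, Derefable, maybe_alloc, xalloc, read_or) are hypothetical.

```cpp
#include <cstdlib>
#include <optional>
#include <type_traits>
#include <utility>

// Never-null pointer: obtainable only via Nullable<T>::check(), so the null check cannot be skipped.
template <typename T>
class NonNull {
    T* p_;
    explicit NonNull(T* p) : p_(p) {}   // private: no construction from a raw T*
    template <typename> friend class Nullable;
public:
    T& operator*() const { return *p_; }
};

// Maybe-null pointer: it has no operator*, so "*p" on it is a compile error.
template <typename T>
class Nullable {
    T* p_;
public:
    Nullable(T* p = nullptr) : p_(p) {}
    std::optional<NonNull<T>> check() const {   // the check is the only way through
        if (p_ == nullptr) return std::nullopt;
        return NonNull<T>(p_);
    }
};

// Detection idiom: does the expression *P compile for a given P?
template <typename, typename = void> struct Derefable : std::false_type {};
template <typename P>
struct Derefable<P, std::void_t<decltype(*std::declval<P>())>> : std::true_type {};
static_assert(!Derefable<Nullable<int>>::value, "nullable pointers cannot be dereferenced");
static_assert(Derefable<NonNull<int>>::value, "non-nullable pointers can be");
static_assert(!std::is_convertible<Nullable<int>, NonNull<int>>::value, "no cast between them");

// malloc-style: may fail, so the return type is nullable (no check needed here).
Nullable<int> maybe_alloc(std::size_t n) { return static_cast<int*>(std::malloc(n * sizeof(int))); }

// xmalloc-style: does the check once, so callers receive a non-nullable pointer.
NonNull<int> xalloc(std::size_t n) {
    auto checked = maybe_alloc(n).check();
    if (!checked) std::abort();   // the single place this null check lives
    return *checked;
}

// A caller holding a nullable pointer has to check before it can read through it.
int read_or(Nullable<int> p, int fallback) {
    if (auto nn = p.check()) return **nn;
    return fallback;
}
```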


Copyright © 2017, Eklektix, Inc.