51

Re: And if all from the beginning?

Hello, Pavel Dvorkin, you wrote:
PD> Perhaps I do not understand something, but
PD> int n, m;
PD> read(m, n); // input from somewhere
PD> int a[m]; // we allocate memory and create the array
PD> a[n] = 1;
PD> How can this fragment be checked statically? With correct m and n everything will be fine. With a large n we can easily end up at kernel addresses, for which we get an AV.
PD> And statically - how?

Basically, the idea is simple. Can we say, looking at this code, that it is 100% correct? No. We cannot claim that. And the verifier, naturally, cannot either. Result? A compilation error. How do we make the code compile? Convince the verifier that the code is safe.

    int n, m;
    read(m, n); // input from somewhere
    if (stack_available(m)) // stack_available - a special function known to the verifier
    {
        int a[m]; // we allocate memory and create the array
        if (is_valid_index(a, n)) // is_valid_index - a special function known to the verifier
        {
            a[n] = 1;
        }
        else
        {
            // here we wanted to access an invalid address, but the runtime check did not let us
            // what to do? Probably return an error or print some message
        }
    }
    else
    {
        // here the runtime check showed that there is no room on the stack, we cannot create the array
        // and what do we do? Well, again, we can return an error or terminate the process
    }

So the idea is simple enough. Where the verifier does not know whether an operation is correct or not, it forces the programmer to insert a runtime check. Of course these explicit checks clutter the code, but a potential gain is that there need not be too many of them. It is like data types. If we want a function to accept an int, the compiler does not let us pass a string there. Similarly we can require a precondition like "is_valid_index", and then inside the function this check will no longer be there - it will be somewhere higher up the call stack. Yes, such code is harder to write. But it is possible. This is roughly how software for Mars rovers and aircraft is written.
I think such a variant is possible for the lowest-level parts of the OS, and the higher-level parts could already be written in managed languages, slower but also simpler.

52

Re: And if all from the beginning?

Hello, AlexRK, you wrote:
ARK> Basically, the idea is simple. Can we say, looking at this code, that it is 100% correct? No. We cannot claim that. And the verifier, naturally, cannot either. Result? A compilation error.
<skipped>

It is clear, but it looks [...]. To me, at least. All existing native code is destroyed at one stroke. It will practically 100% fail this check, so very much of it will have to be rewritten. Further. Imagine that it is a linear algebra program. There can be many of these a[i][j] in every line. If every such access is forced through your verification mechanism, the code will no longer be visible behind the checks, and debugging turns into hell. Or else you will forbid it. And managed languages do not help. You were going to make an OS, and what, will you tell me that in this OS "heavy" code may only be written in managed languages? It is heavy even without that, there is O(N^3) there, for example, and I, it turns out, cannot write it optimally? Besides, why did you decide that the array is allocated on the stack? For that, writing stack_available is fairly simple. And if it is on the heap? Moreover two-dimensional, and jagged at that? And not rectangular either, and good if only triangular? Does it not seem to you that such a "static" check simply does not work out? And there is also realloc in C. And there is also union in it. Somehow I have the feeling that this medicine is worse than the disease. Right now, as a programmer, at least everything is clear to me - I can do what I want (in user mode), for the outrages in my own part I answer myself (by the way, here I even get help: access to unallocated addresses is blocked), and an attempted outrage in the system part will be beaten back with a 100% guarantee. And I write code the way it has always been written. And here it is proposed to write it in a completely different way, with a mass of overhead, and success is not guaranteed. No, I do not believe that it will work.

53

Re: And if all from the beginning?

Hello, Pavel Dvorkin, you wrote:
PD> Hm, I did not understand. How can there be a 21st century processor without memory protection?

I was saying, the years of work do not pass for nothing. That memory protection is necessary, I wrote in Philosophy in 2005 in the [...] wars. And about Itanium, I repeat, I know nothing. And reading does not go into my head, for the reason I just mentioned. I will return to it later.

P>> and if you can, invent a C++, and if not, the Oberon? However, with the latter not everything is so simple. In short, Fortran [...], whatever one may do.
PD> Fortran of our youth

And it still works to this day. And [...] such that C++ never even dreamed of.

54

Re: And if all from the beginning?

Hello, Pavel Dvorkin, you wrote:
PD> All existing native code is destroyed at one stroke. It will practically 100% fail this check, so very much of it will have to be rewritten.

Absolutely. The existing code is not for a safe context.

PD> Further. Imagine that it is a linear algebra program. There can be many of these a[i][j] in every line. If every such access is forced through your verification mechanism, the code will no longer be visible behind the checks, and debugging turns into hell.

True. But we are not talking about mathematical software. That is generally more convenient to write using completely different means and languages.

PD> Or else you will forbid it. And managed languages do not help. You were going to make an OS, and what, will you tell me that in this OS "heavy" code may only be written in managed languages? It is heavy even without that, there is O(N^3) there, for example, and I, it turns out, cannot write it optimally?

For verified native code in the OS there are not too many applications: the kernel, the memory manager, the process manager, well, maybe also the file system. Possibly a little more. And the remaining code simply does not use raw pointers, as I wrote at the beginning (and it does not necessarily have to be managed; it can be something like Rust).

PD> Besides, why did you decide that the array is allocated on the stack? For that, writing stack_available is fairly simple. And if it is on the heap? Moreover two-dimensional, and jagged at that? And not rectangular either, and good if only triangular? Does it not seem to you that such a "static" check simply does not work out?

Maybe I do not understand something, but what is the fundamental difference? Well, there will also be a function "heap_available". Triangular and non-rectangular reduce to additional checks by the same functions. If I am wrong, show the pseudocode you mean.

PD> And there is also realloc in C.

It is replaced by a typed [...] (not simply a raw memory block).

PD> And there is also union in it.

A "tag" describing the current contents is added to it.

PD> Somehow I have the feeling that this medicine is worse than the disease.

In places not critical to safety - yes.

PD> And here it is proposed to write it in a completely different way, with a mass of overhead, and success is not guaranteed.

Well, success is never guaranteed. As for overhead - it will generally be greater when writing and maintaining the code, but - again, generally - less when the program runs (especially considering that hardware protection in the processor can then be dropped).

PD> No, I do not believe that it will work.

For the masses it will not. In OS kernels it quite possibly may, [...].

55

Re: And if all from the beginning?

Hello, AlexRK, you wrote:
ARK> True. But we are not talking about mathematical software. That is generally more convenient to write using completely different means and languages.
ARK> For verified native code in the OS there are not too many applications: the kernel, the memory manager, the process manager, well, maybe also the file system. Possibly a little more.
ARK> For the masses it will not. In OS kernels it quite possibly may, [...].

No, excuse me, let us be precise. If the question were that, with the existing processor and OS architecture, it is proposed to add this static verification - that is one thing. You propose replacing the existing architecture with one in which there is no hardware protection at all. So every application may do whatever it pleases, unless static verification alone prevents it. And then it is one or the other. Either you forbid writing any non-system software in native code (and nobody will go for that), or one has to pray to static verification in the hope that it is faultless. Both are worse.

56

Re: And if all from the beginning?

Hello, Pavel Dvorkin, you wrote:
PD> All existing native code is destroyed at one stroke. It will practically 100% fail this check, so very much of it will have to be rewritten.

By the condition of the topic we imagine freely. All existing software disappeared in one go. All of it.

57

Re: And if all from the beginning?

Hello, Pavel Dvorkin, you wrote:
PD> You propose replacing the existing architecture with one in which there is no hardware protection at all. So every application may do whatever it pleases, unless static verification alone prevents it.

Yes, all true.

PD> or one has to pray to static verification in the hope that it is faultless. Both are worse.

Yes, this variant. But I do not see why this variant is less reliable than hardware protection in the processor. What is the fundamental difference?

58

Re: And if all from the beginning?

Hello, AlexRK, you wrote:
ARK> Yes, this variant. But I do not see why this variant is less reliable than hardware protection in the processor. What is the fundamental difference?

In the number of variants. Hardware protection in the processor is, roughly speaking, arranged like this. Do whatever you want in the program. The processor does not care about any of it. How you compute addresses there and what you do with them is of no concern to it. And only when you try to access memory does the processor check you. Regardless of what you did before. In essence, the processor has only one variant. Either there is a pass - then go on, or there is not - then go back. And program execution has, generally speaking, NP variants, and to prove by static analysis that all NP of these paths do not lead to a protection error - I doubt it.

59

Re: And if all from the beginning?

Hello, samius, you wrote:
PD>> All existing native code is destroyed at one stroke. It will practically 100% fail this check, so very much of it will have to be rewritten.
S> by the condition of the topic
S>
S> we imagine freely.
S> All existing software disappeared in one go. All of it.

Yes. Caught. But nevertheless let us follow it through to the end. Yes, all software disappeared. But the demiurge must recreate it, also by the topic's conditions. He is not obliged to recreate C/C++, but he is obliged either
1. To create a new native language
2. Or to forbid native language at least for user programs. In the OS you cannot forbid it - who will control this managed code?
3. Or to invent something in which there is no concept of native and managed code (for example, a hardware Java machine)
The third is impossible, since the demiurge is not allowed to change the hardware, again by the topic's conditions. With existing hardware, native code exists by definition. Which of the first two do you choose? If the first - the same problems, not in C++ but in another language. Because the problem is not in the language but in memory access by address. If the second - this means that you put all authors of user software in conditions where they cannot use the full power of the processor.

60

Re: And if all from the beginning?

Hello, Pavel Dvorkin, you wrote:
ARK>> Yes, this variant. But I do not see why this variant is less reliable than hardware protection in the processor. What is the fundamental difference?
PD> In the number of variants.

Well, the number of variants in both cases is about the same.

PD> In essence, the processor has only one variant. Either there is a pass - then go on, or there is not - then go back.

With the verifier it is the same. Either the given piece of code passes, or it does not. It does not have to look at the entire program, only at the current function.

PD> And program execution has, generally speaking, NP variants, and to prove by static analysis that all NP of these paths do not lead to a protection error - I doubt it.

And it is not necessary to check all execution paths. The verifier deals only with a function's input and output. There is no full set of execution paths here; we analyze only function preconditions (well, plus operations on global variables, though it is better, of course, without them). The main difference is that in the case of hardware protection the runtime check is performed automatically by the processor at every execution of the instruction, while in the case of program verification the program itself initiates the check, and not for each instruction but only where it is necessary. This is where the gain in speed comes from. The weak spot of program verification is the possibility of hardware failures that corrupt values in memory. Well, nothing can be done about that - for critical things as many checks as possible are needed, and for user code it is not so important, [...] (because exploiting such failures is rather inconvenient). I understand that at an intuitive level this is hard to accept. But nevertheless there are real examples of such implementations - the above-mentioned Singularity and Verve, relying only on software checks.

61

Re: And if all from the beginning?

Hello, AlexRK, you wrote:
ARK> The main difference is that in the case of hardware protection the runtime check is performed automatically by the processor at every execution of the instruction, while in the case of program verification the program itself initiates the check, and not for each instruction,

For hardware - not at all for each instruction, but only for those that access memory. The rest is not checked at all in this respect.

ARK> but only where it is necessary. This is where the gain in speed comes from.

I am afraid, nevertheless, that to determine the places "where it is necessary", one has to analyze the code which under hardware protection is not subjected to any check at all.

ARK> I understand that at an intuitive level this is hard to accept. But nevertheless there are real examples of such implementations - the above-mentioned Singularity and Verve, relying only on software checks.

If only there were at least some statistics on how reliable it is. If there were information about who tried to crack it and how, and what came of it. So far they are Elusive Joe.

62

Re: And if all from the beginning?

Hello, Pavel Dvorkin, you wrote:
PD> For hardware - not at all for each instruction, but only for those that access memory. The rest is not checked at all in this respect.

Yes, I am talking about exactly such instructions.

>> but only where it is necessary. This is where the gain in speed comes from.
PD> I am afraid, nevertheless, that to determine the places "where it is necessary", one has to analyze the code which under hardware protection is not subjected to any check at all.

It is necessary to analyze, but only at compile time. At runtime the overhead will generally be less.

    double Log10(double d) requires d > 0
    {
        // we compute the logarithm, no checks here - the argument "d" is known to be greater than zero
    }

    void Test1(double val)
    {
        // double log1 = Log10(val); // does not compile, the range of "val" is unknown to us
        if (val > 0) // the only check that remains in the machine code
        {
            double log2 = Log10(val); // excellent, it compiles - we checked val and know for sure that it is positive
        }
    }

    void Test2(double val) requires val > 0 // the precondition guarantees a positive "val"
    {
        double log1 = Log10(val); // and now everything compiles, without checks - whoever calls this function must make all the checks
    }

As you can see, we do not look beyond function boundaries - we analyze what came in. And only at compile time; at runtime no analysis happens, nor any "superfluous" checks.

PD> If only there were at least some statistics on how reliable it is. If there were information about who tried to crack it and how, and what came of it. So far they are Elusive Joe.

For now this is applied commercially to a limited extent (mainly in space software), so yes, here it is not yet clear.

63

Re: And if all from the beginning?

Hello, AlexRK, you wrote:
ARK> if (val > 0) // the only check that remains in the machine code

    if (val > any_complex_function_whch_calls_a_tree_of_subfunctions())
        double log2 = Log10(val); // does this compile?

64

Re: And if all from the beginning?

Hello, Pavel Dvorkin, you wrote:
PD> if (val > any_complex_function_whch_calls_a_tree_of_subfunctions())
PD>     double log2 = Log10(val); // does this compile?

If "any_complex_function_whch_calls_a_tree_of_subfunctions" is declared like this:

    double any_complex_function_whch_calls_a_tree_of_subfunctions() ensures result > 0
    {
        // ...
    }

then it compiles. If like this:

    double any_complex_function_whch_calls_a_tree_of_subfunctions()
    {
        // ...
    }

or, for example, like this:

    double any_complex_function_whch_calls_a_tree_of_subfunctions() ensures (result > 0) || (abs(result) >= 2)
    {
        // ...
    }

then it does not. Of course, the possibilities of first-order logic are not infinite either, so writing any particularly complex preconditions or postconditions will not work out. The computer, of course, cannot prove Poincaré's theorem. But that is not needed in OS kernels either.

65

Re: And if all from the beginning?

Hello, AlexRK, you wrote:
ARK> then it compiles. If like this:
ARK>
ARK> double any_complex_function_whch_calls_a_tree_of_subfunctions()
ARK> {
ARK>     // ...
ARK> }
ARK>
ARK> then it does not.

And what am I to do if I cannot say at all what it ensures? It does not guarantee anything, I cannot give a guarantee. In general this calls_a_tree_of_subfunctions, I hope, returns > 0, otherwise something is not quite in order with my algorithm, but what if it can nevertheless sometimes return < 0? With the normal approach, if there are suspicions, you put in a try-catch, and that is all. For example, some approximate algorithm executed on a series of samples. There is no better one, alas. And this approximate algorithm, as is its nature, can on some sample produce complete nonsense: divide by zero, produce an INF, take the logarithm of a negative number. By the terms of the project I am allowed to simply discard such a sample - well, it could not be done. The example is quite real, I was in such a situation, though a little differently.

66

Re: And if all from the beginning?

Hello, Pavel Dvorkin, you wrote:
PD> And what am I to do if I cannot say at all what it ensures? It does not guarantee anything, I cannot give a guarantee. In general this calls_a_tree_of_subfunctions, I hope, returns > 0, otherwise something is not quite in order with my algorithm, but what if it can nevertheless sometimes return < 0? With the normal approach, if there are suspicions, you put in a try-catch, and that is all.
PD> For example, some approximate algorithm executed on a series of samples. There is no better one, alas. And this approximate algorithm, as is its nature, can on some sample produce complete nonsense: divide by zero, produce an INF, take the logarithm of a negative number. By the terms of the project I am allowed to simply discard such a sample - well, it could not be done.
PD> The example is quite real, I was in such a situation, though a little differently.

Then it is simply one more check:

    double temp = any_complex_function_whch_calls_a_tree_of_subfunctions();
    if ((temp > 0) && (val > temp))
    {
        double log2 = Log10(val);
    }

Everywhere we do not know what is going on with a value, the compiler forces us to insert an explicit check. If we know, then we do not need the check.
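The requires/ensures chain of posts 62, 64 and 66, as an added example that is not part of the thread: the contract "d > 0" is carried by a Rust type, so the single runtime check sits where a raw f64 is converted, and every function taking that type compiles without a check of its own, while a function whose result carries no postcondition forces the caller to write the "temp > 0 && val > temp" guard. Rust is chosen because a post above names it as the kind of language meant; all names (Positive, log10, test1, test2, complex_with_ensures, complex_without_ensures, guarded, unguarded) and the arithmetic inside the two "complex" functions are this example's own assumptions.

```rust
// Added example (not from the thread): "requires d > 0" / "ensures result > 0"
// modelled as a Rust newtype. The check is done once, at the conversion into
// `Positive`; anything that takes `Positive` is statically known to be > 0.

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Positive(f64);

impl Positive {
    /// The only way to obtain a `Positive`: this is the one runtime check
    /// the thread's verifier forces the caller to write.
    pub fn new(d: f64) -> Option<Positive> {
        if d.is_finite() && d > 0.0 { Some(Positive(d)) } else { None }
    }
    pub fn get(self) -> f64 { self.0 }
}

/// `double Log10(double d) requires d > 0`: no check inside, the parameter
/// type already carries the precondition.
pub fn log10(d: Positive) -> f64 {
    d.get().log10()
}

/// Test1: the caller holds a raw f64, so it must check first. Writing
/// `log10(val)` directly would be a type error, as the verifier rejects it.
pub fn test1(val: f64) -> Option<f64> {
    Positive::new(val).map(log10)
}

/// Test2 with `requires val > 0`: the precondition moves up the call stack
/// into the parameter type; no check remains in this function.
pub fn test2(val: Positive) -> f64 {
    log10(val)
}

/// `ensures result > 0`: the postcondition is the return type, so the
/// result can be passed straight on. (Constructed arithmetic: >= 1.)
pub fn complex_with_ensures(seed: u64) -> Positive {
    Positive((seed % 7) as f64 + 1.0)
}

/// The same function without a postcondition: a plain f64 tells the
/// caller nothing. (Constructed arithmetic: may be zero or negative.)
pub fn complex_without_ensures(seed: u64) -> f64 {
    (seed % 7) as f64 - 3.0
}

/// Post 63's `if (val > complex()) Log10(val)` does not go through with a
/// plain f64; post 66's extra `temp > 0 && val > temp` check is what makes
/// val > 0 provable, so the conversion cannot fail inside the branch.
pub fn guarded(val: f64, seed: u64) -> Option<f64> {
    let temp = complex_without_ensures(seed);
    if temp > 0.0 && val > temp {
        Positive::new(val).map(log10)
    } else {
        None // the sample is discarded, as post 65 describes
    }
}

/// With the postcondition in the type there is nothing left to check.
pub fn unguarded(seed: u64) -> f64 {
    log10(complex_with_ensures(seed))
}

fn main() {
    println!("{:?} {:?}", test1(100.0), test1(-1.0));
    println!("{}", test2(Positive::new(1000.0).unwrap()));
    println!("{:?} {:?}", guarded(10.0, 4), guarded(10.0, 2));
    println!("{}", unguarded(6));
}
```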

67

Re: And if all from the beginning?

Hello, AlexRK, you wrote:
ARK> Then it is simply one more check:
<skipped>

Well, and what have we come to? In some (relatively simple) cases it does work out as static analysis, true. And in the more complex cases a condition has to be inserted, that is, checked at runtime, not statically. In effect, you will force the programmer to write all these checks into the code instead of letting everything run normally and catching exceptions if it goes wrong. So in principle I can do without hardware checking for memory too. More precisely, not do without it, but arrange things so that it always succeeds. I will write myself code that checks the pointer for validity at every memory access. A table of admissible addresses and sizes, and a check against it. In general, welcome to IndexOutOfBoundException in the native variant. Only it will not be faster. Because 99.9% of accesses are normally valid, so these are superfluous checks and nothing else. And hardware control is essentially the same approach - do nothing and catch an exception in case of trouble. In 99.9% of cases there will not be one either. By the way, I am not even sure that all checks are performed there. If, say, the access *p went through, will there be a check on *(p+1) if it is within the same page? It seems to me that is how the TLB works, and there will actually be no check. Perhaps I am mistaken.

68

Re: And if all from the beginning?

Hello, Pavel Dvorkin, you wrote:
PD> In some (relatively simple) cases it does work out as static analysis, true. And in the more complex cases a condition has to be inserted, that is, checked at runtime, not statically. In effect, you will force the programmer to write all these checks into the code instead of letting everything run normally and catching exceptions if it goes wrong.

Yes, all true.

PD> Only it will not be faster. Because 99.9% of accesses are normally valid, so these are superfluous checks and nothing else.
PD> And hardware control is essentially the same approach - do nothing and catch an exception in case of trouble. In 99.9% of cases there will not be one either. By the way, I am not even sure that all checks are performed there. If, say, the access *p went through, will there be a check on *(p+1) if it is within the same page? It seems to me that is how the TLB works, and there will actually be no check. Perhaps I am mistaken.

You forget about context switches, which reduce performance very strongly and are performed [...] in systems with hardware protection. Static verification allows all code to run in one "ring" (yes, actually, rings are not needed at all).

69

Re: And if all from the beginning?

Hello, Pavel Dvorkin, you wrote:
PD> Further. Imagine that it is a linear algebra program. There can be many of these a[i][j] in every line. If every such access is forced through your verification mechanism, the code will no longer be visible behind the checks, and debugging turns into hell.

http://halide-lang.org/ tears C++ apart like a dog tears a hot-water bottle. And it does all these checks. But it does them cleverly. Not on every a[i][j], but once for the whole chain of operations.

PD> Or else you will forbid it. And managed languages do not help.

That you do not know how does not mean that it cannot be done. Your problem is that you do not try to study anything at all outside C++. Here is one more example for you: Dafny proof of selection sort. Author: WolfHound Date: 29.04.16 There it is proven that the code: 1) does not go outside the bounds of the array; 2) the resulting array is a permutation of the initial array; 3) the resulting array is sorted; 4) the code terminates. Everything inside requires, ensures and invariant works exclusively at compile time and has no effect on the resulting code.... <<RSDN@Home 1.0.0 alpha 5 rev. 0>>

70

Re: And if all from the beginning?

Hello, Pavel Dvorkin, you wrote:
PD> But nevertheless let us follow it through to the end. Yes, all software disappeared. But the demiurge must recreate it, also by the topic's conditions. He is not obliged to recreate C/C++, but he is obliged either
PD> 1. To create a new native language
PD> 2. Or to forbid native language at least for user programs. In the OS you cannot forbid it - who will control this managed code?
PD> 3. Or to invent something in which there is no concept of native and managed code (for example, a hardware Java machine)
PD> The third is impossible, since the demiurge is not allowed to change the hardware, again by the topic's conditions. With existing hardware, native code exists by definition.
PD> Which of the first two do you choose?

But these are not mutually exclusive things after all.

PD> If the first - the same problems, not in C++ but in another language. Because the problem is not in the language but in memory access by address.
PD> If the second - this means that you put all authors of user software in conditions where they cannot use the full power of the processor.

And does static verification of a program in a native language somehow restrict the power of the processor? Here, purely for the sake of it, I propose a special multitasking mode: programs with unproven correctness of memory accesses cannot run simultaneously with programs that need a guarantee that their memory is inaccessible.

71

Re: And if all from the beginning?

Hello, MTD, you wrote:
MTD> 2. HTML, CSS, [...] to [...], and instead of all that a general-purpose markup language with sizes in millimeters (displaying it correctly is the job of the hardware driver) for everything from printers to a phone screen. All icons strictly vector.

And the job of an army of designers and [...] is to lay out the design in millimeters for every screen.

72

Re: And if all from the beginning?

Hello, Pavel Dvorkin, you wrote:
PD> And protection? You propose doing it at a purely software level? But then every access has to be checked in software, it will hardly be fast.

No. Modern environments do not work like that.

PD> char *p = something
PD> *p = 0;
PD> And how can it be checked at the software level whether I have access rights there? Build check commands in on every mov?

As in C# or Java - there is static verification of the code. "Random" pointers do not occur in the code. You cannot simply take the square root of Pi and use it as a pointer.

PD> The question is not about restrictions but about architecture. Does it not seem to you that the same GET interface with parameters could be replaced with something more elegant? And the Header altered at the same time.

GET has no parameters. There is only a URI there. Where is it more elegant? Expand the set of supported characters? What for?... With headers, too, everything is fine.

73

Re: And if all from the beginning?

Hello, Sharov, you wrote:
S> What for? Do dialects like T-SQL not suit?

Capabilities for decomposition and for error diagnostics.

74

Re: And if all from the beginning?

Hello, Pavel Dvorkin, you wrote:
PD> What of it, what in existing software was made as it should have been made "properly", and what should have been made differently, only, alas, it is impossible - damned compatibility and huge accumulated work get in the way?

As if everything turned out this way because of gravitation, and it cannot be touched... Then one would have to abandon only static typing and allow [...] to work only in a diving suit.

75

Re: And if all from the beginning?

Hello, Ziaw, you wrote:
Z> And the job of an army of designers and [...] is to lay out the design in millimeters for every screen.

Look here. The finger of an average person, let us say, has a contact spot of 5 by 5 mm; from this it follows that a button needs to be made 10 by 10 mm, conditionally. Then there is text; it is known that it reads well at a size of 7 mm, also conditionally. If the sizes are set in mm, it will look identical everywhere and will probably interact identically too. Once again - set it once, get the same thing everywhere. Now we move to the conditional parrots in [...] - depending on the density [...] the size changes several times over, so your comment is relevant now; if we move to millimeters, life will become seriously simpler.