On 02/11/13 10:55, bearophile wrote:
> To make high integrity software you have to start with reliable tools

I know what you're saying, but there is an inherent assumption in the concept of "reliable tools". So far as I can see the important thing is to assume that _nothing_ in the system is reliable, and that anything can fail.

If you rely on the language or on the compiler to detect integral overflows, you're not necessarily safer -- your safety rests on the assumption that the compiler will implement these things correctly, and will ALWAYS do so regardless of circumstances. How can you tell if the automated integral overflow checking is working as it should? And even if it is a high-quality implementation, how do you protect yourself against extreme pathological cases which may arise in very rare circumstances?

"Necessary but not sufficient" seems a good phrase to use here.
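One concrete way to act on the point above, as an added example that is not part of this thread: write the overflow checks yourself in portable C so they do not depend on the compiler or language trapping overflow, keep a table of boundary inputs that are known to overflow (and known not to), and run it as a self-test so you can tell whether the checks actually fire. Where the compiler offers its own checked arithmetic, the same table can be run through both mechanisms and any disagreement flagged, which is the "necessary but not sufficient" idea in code. The function names and the test vectors are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (constructed, not from the mailing-list thread):
 * explicit overflow checks that do not rely on compiler or language
 * support, plus a self-test so we can see that the checks work. */

/* Returns true and stores the sum if a+b fits in int32_t, false otherwise.
 * The range test is done on the operands before adding, so the addition
 * itself never overflows (signed overflow is undefined behaviour in C). */
bool checked_add_i32(int32_t a, int32_t b, int32_t *out) {
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Same idea for multiplication: the product of two int32_t values always
 * fits in int64_t, so compute it there and range-check the result. */
bool checked_mul_i32(int32_t a, int32_t b, int32_t *out) {
    int64_t p = (int64_t)a * (int64_t)b;
    if (p > INT32_MAX || p < INT32_MIN)
        return false;
    *out = (int32_t)p;
    return true;
}

/* Constructed boundary vectors: inputs whose add/mul outcome we know. */
static const struct { int32_t a, b; bool add_ok, mul_ok; } vectors[] = {
    {1, 2, true, true},
    {INT32_MAX, 1, false, true},        /* INT32_MAX + 1 does not fit  */
    {INT32_MIN, -1, false, false},      /* INT32_MIN - 1 and -INT32_MIN */
    {INT32_MAX, -1, true, true},        /* both results fit            */
    {-1, INT32_MIN, false, false},      /* -1 + INT32_MIN, -INT32_MIN   */
    {65536, 65536, true, false},        /* 2^32 does not fit           */
    {-46341, 46341, true, false},       /* 46341^2 > 2^31              */
    {46340, 46340, true, true},         /* 46340^2 < 2^31              */
};
#define NVEC (sizeof vectors / sizeof vectors[0])

/* Self-test of the hand-written checks. Returns the number of vectors
 * whose outcome differed from expectation; 0 means every case behaved. */
int overflow_check_selftest(void) {
    int failures = 0;
    for (size_t i = 0; i < NVEC; i++) {
        int32_t r;
        if (checked_add_i32(vectors[i].a, vectors[i].b, &r) != vectors[i].add_ok) failures++;
        if (checked_mul_i32(vectors[i].a, vectors[i].b, &r) != vectors[i].mul_ok) failures++;
    }
    return failures;
}

/* Cross-check the hand-written checks against the compiler's own checked
 * arithmetic where it exists (GCC/Clang builtins). Returns the number of
 * disagreements; 0 when the two independent mechanisms agree on every
 * vector, or when no builtin is available to compare against. */
int overflow_check_crosscheck(void) {
    int disagreements = 0;
#if defined(__GNUC__) && (defined(__clang__) || __GNUC__ >= 5)
    for (size_t i = 0; i < NVEC; i++) {
        int32_t r1, r2;
        bool ours = checked_add_i32(vectors[i].a, vectors[i].b, &r1);
        bool theirs = !__builtin_add_overflow(vectors[i].a, vectors[i].b, &r2);
        if (ours != theirs || (ours && r1 != r2)) disagreements++;
        ours = checked_mul_i32(vectors[i].a, vectors[i].b, &r1);
        theirs = !__builtin_mul_overflow(vectors[i].a, vectors[i].b, &r2);
        if (ours != theirs || (ours && r1 != r2)) disagreements++;
    }
#endif
    return disagreements;
}

int main(void) {
    printf("self-test failures: %d\n", overflow_check_selftest());
    printf("cross-check disagreements: %d\n", overflow_check_crosscheck());
    return 0;
}
```

Both functions return 0 on a correct build. A non-zero self-test count means the hand-written check is wrong for some boundary case; a non-zero cross-check count means the two mechanisms disagree, and that is exactly the situation the post warns about, where you would otherwise never find out which one to trust.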
