- The presence of statically verifiable loop bounds and the absence of recursion prevent runaway code, and help to secure predictable performance for all tasks. The absence of recursion also simplifies the task of deriving reliable bounds on stack use. The two rules combined secure a strictly acyclic function call graph and control-flow structure, which in turn enhances the capabilities for static checking tools to catch a broad range of coding defects.
- One way to enforce secure loop bounds is to add an explicit upper-bound to all loops that can have a variable number of iterations (e.g., code that traverses a linked list). When the upper-bound is exceeded an assertion failure and error exit can be triggered. For standard for-loops, the loop bound requirement can be satisfied by making sure that the loop variables are not referenced or modified inside the body of the loop.
- The purpose of these rules is that all code remains readily understandable and maintainable, even years after it is written, and especially when examined under time pressure by anyone other than the original developer. Code does not just serve to communicate a developer’s intent to a computer, but also to current and future colleagues who must be able to maintain, revise, or extend the code reliably. Code clarity cannot easily be captured in a comprehensive set of mechanically verifiable checks, so the specific rules included here serve primarily as examples of safe coding practice.
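The bounded linked-list traversal described under the loop-bound rule, as an added example that is not part of the original text: the loop variable is never touched inside the body, and a corrupted (cyclic) list trips the bound and returns a distinct fault code instead of hanging the task. `MAX_LIST_LEN`, `node_t` and the result codes are assumptions made for this example; where the text says an assertion failure and error exit are triggered, the example returns `BOUND_EXCEEDED` so the caller's fault handler can decide what to do.

```c
#include <stddef.h>

/* Assumed upper bound on list length (hypothetical value for this example). */
#define MAX_LIST_LEN 64

typedef struct node {
    int value;
    struct node *next;
} node_t;

/* A bounded walk can fail for a reason other than "key not present". */
typedef enum { FOUND = 0, NOT_FOUND = 1, BOUND_EXCEEDED = 2 } walk_result_t;

/* Search `head` for `key`, taking at most MAX_LIST_LEN steps.
   The loop variable `steps` is neither read nor written in the body, so the
   bound is statically verifiable; the list length is what varies. */
walk_result_t bounded_find(const node_t *head, int key, const node_t **out)
{
    const node_t *cur = head;
    int steps;

    *out = NULL;
    for (steps = 0; steps < MAX_LIST_LEN; steps++) {
        if (cur == NULL) {
            return NOT_FOUND;          /* end of list reached normally */
        }
        if (cur->value == key) {
            *out = cur;
            return FOUND;
        }
        cur = cur->next;
    }
    /* Bound exceeded: treat as a fault (corrupt list or cycle), not a miss. */
    return BOUND_EXCEEDED;
}

/* Constructed sample: a three-element list, then the same list corrupted into
   a cycle. Returns 0 when all three outcomes are as expected. */
int demo(void)
{
    node_t c = { 3, NULL };
    node_t b = { 2, &c };
    node_t a = { 1, &b };
    const node_t *hit;
    walk_result_t r1 = bounded_find(&a, 3, &hit);   /* FOUND */
    walk_result_t r2 = bounded_find(&a, 9, &hit);   /* NOT_FOUND */
    c.next = &a;                                     /* corrupt: make it cyclic */
    walk_result_t r3 = bounded_find(&a, 9, &hit);   /* BOUND_EXCEEDED after 64 steps */
    return (r1 == FOUND && r2 == NOT_FOUND && r3 == BOUND_EXCEEDED) ? 0 : 1;
}
```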