safer C coding

9: news.cyb/dev.c/avoiding remote code execution:
leafsr:

. some C library functions are often used incorrectly,
and that consequently result in
remote code execution vulnerabilities:
strcpy, sprintf, memcpy, CopyMemory,
RtlCopyMemory, strcat, alloca
and many more Win32 specific stuff.
. much of the legacy software that is
still critical to many enterprises
contains code that calls these vulnerable library functions.
Despite modern memory protections
like ASLR and DEP
the vulnerabilities these functions introduce
are still exploitable under the right conditions .

 . here's the safe C library
– that implements strcpy_s and friends
as an open source library (MIT license).

19: news.cyb/dev.c/SAFECode updates secure dev guide:
.  pubs from safecode.org .
scmagazine:

The Software Assurance Forum for
Excellence in Code (SAFECode),
a nonprofit seeking to advance software assurance,
released an updated guidance document .
The free report includes verification methods and tools
that can be used to confirm whether
development teams have followed prescribed practices.

the standardized subtype.tag

12.8: adda/oop/the standardized subtype.tag:
27: summary:
. the most important feature of object orientation
is the support of polymorphism,
such that a "supertype" can declare variant formats
known as "subtypes" and know the current variant
by the value of a subtype.tag .
. if a type mgt supports subtyping,
then it also supports an object format
that puts the subtype.tag in a standard location,
so that it can be co-managed
by both the type mgt and the system run-time .
. subtypes codify not only the format variant
but also whether the object is constant,
and whether it is a value vs pointer vs function .

in-mode param use cases

12.8: adda/oop/in-mode param use cases:
8.731: 9.812:
. in-mode parameters that are offering values
(vs pointers) don't need an is-constant bit,
since they are copies that the callee can operate on;
in-mode pointers could use an is-constant bit
for describing whether the target can be modified?
the compiler can enforce constancy
by ensuring that the in-mode pointer's components
are passed only to other in-mode param's .
8.748:
. the primary reason for
in-mode param's being pointers
is when the callee expects the value to be
a large data structure,
and is agreeing to treat the pointer's target
as read-only rather than a writable copy .
. but another reason for an in-mode pointer
is that the pointer's target
is under the control of a different process
that will be changing the value in real time .
. so the formal in-mode pointer
needs to declare whether it honors read-only;
if it doesn't and an actual parameter is read-only
there could be a copy-on-write mechanism
where if the callee's code branched to
a place where it wanted to modify the target,
then the pointer was replaced to point to
a local copy of the target .
9.817: conclusion:
. an actual param has several cases:
# is a value (not a pointer):
. the value is copied,
and the callee's local version is modifiable .
# is a ptr real-time modified:
. the callee is getting a newsfeed
so there is no local version to modify
and it is considered read-only by callee .
# is a ptr not real-time modified:
. if the callee decides to modify the local version
one is created on demand (copy ptr target on modify).

subtypes of values vs addresses #terminology

12.10: mis.adda/oop/terminology/subtypes of values vs addresses:
. I'm misusing the term "subtype"?
let's review,
2010/04/polymorphic-vs-evolutionary-subtyping.html
2012/02/def-supertype-supratype-surtype.html
2012/10/infratypes-of-surtypes-phyla-of-taxa.html

"you mean that N is a subset of Z,
but then that implies Z is a subtype of N?
that depends on the direction:
you can represent any N value with a Z,
but if I need the address to an N,
a Z is no substitute because it
doesn't enforce my range constraint ."

so, "subtype" is the right word sometimes .

# for passing a value in:
. if the actual is a subrange of the formal,
then it will fit, and the actual is
serving both types, and that's what a subtype is .
. if the actual is a
constant version of the formal's type,
no changes are needed so input is accepted,
and constant T is a subtype of T here .

# for passing a value out:
. if the actual is a subrange of the formal,
the formal is saying
"I might send out a large number"
and the actual is saying
"I can't handle large numbers";
therefore access to subrange of T
is not a subtype of access to T .
. if the actual is
a constant version of the formal
the constant fails to accept any of the output;
therefore access to constant T
is not a subtype of access to T .

. after reading notes on terminology
I decided on yet another revision to that:
"surtype" is the system's typeclass
(pointer, valuetype, subprogram, aggregate, ...);
because, a surtype can classify
every object found in a programming environment .
. a polymorphic typeclass like number.type
is an example of a "polymorphtype" .
. the types {N,Z,Q,C,R}
are all the "morphtypes" of number;
"morphsubtypes" are constrained subtypes of morphtypes;
"infratypes" are implementations of a morphtype,
eg, the machine type Z32 (32-bit integer)
may implement a subrange of morphtype Z .

design by autocrat

11.20:  addx/design by autocrat:
. what if you are deluded, and need others' help
to show you that your design is fundamentally flawed;
but you are drugged by the freedom of working alone?
well, I've wanted to reuse some other work
but I've often found the documentation unreadable,
so this is about building an understanding
through finding that my design was flawed .
. at least I will be on the step toward
both designing a program I like,
and writing some documentation I can read
(likely others can read it too,
because I'm very forgetful,
so I will need to be thorough).

Parython is a #ParaSail version based on #python

11.22: news.adda/co/Parython is a ParaSail version based on python:
. a recent ParaSail article mentions Parython, (sources)
more on that earlier? yes but just a mention:

Achieving parallelism and safety at the same time
by eliminating rather than adding features
has worked out better than we originally expected.
One of the lessons of the process has been that
just a small number of key ideas are sufficient to
achieve safe and easy parallelism.
Probably the biggest is the elimination of pointers,
with the substitution of expandable objects.
The other big one is the elimination of
direct access to global variables,
instead requiring that a variable be
passed as a (var or in out) parameter
if a function is going to update it.
Other important ones include
the elimination of parameter aliasing,
and the replacement of exception handling
with a combination of more
pre-condition checking at compile time
and a more task-friendly
event handling mechanism at run time.
So the question now is whether
some of these same key ideas
can be applied to existing languages,
to produce something with much the same look and feel
of the original, while moving toward a much more
parallel-, multicore-, human-friendly semantics.

news.adda/co/ParaSail at oopsla:
. parasail is featured at recent oopsla:
# bringing value semantics to parallel oop,
# parallel tutorial with 
decomposition and work-stealing  .

#stackless #python dis- #continuations

11.20: news.adda/stackless python/dis-continuations:
Christian Tismer 2000:

. this paper presents an implementation
of "Stackless Python" (a Python which
does not keep state on the C stack) .
By decoupling the frame stack from the C stack,
we now have the ability to keep references to frames
and to do non-local jumps.
This turns the frame stack into a tree,
and every leaf of the tree can now be a jump target.
While exploring this idea,
we will recognize ordinary function calls and returns
to be just special cases of so-called continuations, ... .

why should stackless be popular?

. the maximum recursion level would be a user option
and not a limit set by C's stack .
There would be pickleable execution states;
that means you can save your running program
and send it in a file to another computer
where it can continue running .

multi-language to univeral data format (UDF)

addx/multi-lang like .net:
10.2: 12.11:
. the addx system needs to be like
Microsoft's ".NET" such that it lets us
command addx with a variety of languages
-- adda would just be the default language .
. a new language being ported to addx
would provide a compiler that emits
addm's high-level code (HLC)
that is similar to .NET's assemblies .

efficient Levenshtein distance

10.15: news.adds/algorithm/efficient Levenshtein distance:
. the Levenshtein distance between two words
is the minimum number of single-character edits
(insertion, deletion, substitution)
required to change one word into the other.
. finding the Lev' distance takes a long time,
on the order of (length of longer string
times length of shorter string),
so we are looking for ways to avoid it .

constant.subtype vs mutable.subclass

adda/oop/mutable types as subclasses of a constant type:
10.20:
. I'm reviewing Apple's Cocoa Objective-C,
and noticing again a mutable type is
seen as a subclass of a constant?
it would seem more intuitive if
constancy was an orthogonal attribute:
any type can optionally be described as
constrained to a constant state .

module permissions

adda/cstr/module/permits:
12.8: intro:
. just as corporations are composed of
people with various levels of trustability
and access to classified resources,
a program is composed of modules
that are trusted with various sensitive resources
by being being granted a permit to gain access .
. obvious things in need of permissions
include access to the file system, internet,
or the user's contact list .
. recently under consideration
is the idea that modules need to get permits
before they can access any other modules .

implicit parameters

10.4: adda/cstr/module/specification/implicit params:
. another dimension of the module's specification
is access to certain implicit parameters:
ie, it would expect every caller to have
certain locals having specific names,
as well as specific types .
. that's no different than a var param
except it's constant; ie the declaration is saying
I don't want just any local you care to assign,
I want a local with a certain name .
12.8:
. this is like what a nested subprogram can do;
but is trying to apply the same idea to
non-nested subprograms .
. the generic way to give a subprogram
an implicit parameter,
is have the subprogram packaged in a tuple,
and have the other fields of the tuple
be pointers that can linked to locals .
. the tuple is declared locally,
the links are set to locals,
and then, whenever the subprogram is called,
it uses the links as implicit parameters .

type.tags for aggregates

10.17: adda/oop/type.tags for aggregates:
[12.8: intro:
. if we were to have a generic aggregate,
what would its type.tag look like?
(the purpose of a generic aggregate
is having something that packs objects together,
and can be easily created and traversed .

MS`Portable Class Libraries

10.2: news.adda/MS`Portable Class Libraries:

Windows 8 programming model is like Xamarin,
[ where you write your apps entirely in C#,
and can run the resulting code on many platforms:
iOS, Android, Windows and Mac.]-12.8
. MS does this with Portable Class Libraries (PCL's)
which are subprograms that can be used anywhere
by attaching to whatever gui is on the current device
(supporting device-specific user interfaces).
PCLs let you wrap common code into a library,
ready for use by various gui's .

12.8: adda gui access is based on similar idea:

"( subprograms should not be controlling a gui interface,
rather they should be designed primarily for
use by other subprograms,
just as unix tools are meant to be .
(well, unix takes a shortcuts by
making its tool language a character string
that could also be readable by humans
but that was a security blunder because of parsing errors
that confuse critical datatypes like
{filenames, command names}).
. so, anyway, back to how humans fit in:
in order for a human to interact with
a subprogram that speaks type-tagged binary,
the human needs an agent who will
convert this robot speak into a gui .
. this agent is the Controller of the Model subprogram,
and it creates a View the human can interact with .)

10.2: 12.8:
. rather than having a subprogram export gui interactions
they are generating output like html
meant for describing what to display
but instead of being text a human can understand
it is encoded for quick access by other subprograms
including the human user's interaction agent
which builds a gui like html does .
. all native data types,
from which all other data types are composed,
have a gui presentation .
for instance, a tuple data type
is naturally represented as a dialog window,
and dialogs are then nestable like tuples can be .

target-owning vs aliasing pointers

12.7: summary:
. this explores types of pointers
needed for adda's space-efficient style of oop,
and support of safe pointers .

.NET Gadgeteer

10.22: news.adds/openware/.NET Gadgeteer:
. the .NET Gadgeteer

 was created by researchers at Microsoft
as an internal prototyping tool,
but because of external interest,
particularly from educators and hobbyists,
MS turned it into open source software
which now has a vibrant hardware ecosystem
from multiple manufacturers.
The platform is built on the .NET Micro Framework,
which allows small devices to be
programmed in the C# language
and make use of Visual Studio's developer tools .

. components can be bought here .
zdnet:

. it is praised for being simple to build and code,
and for offering processors clocked at
several times the speed of those on
the vast majority of Arduino boards.
However Gadgeteer modules also cost more
compared to modules for the similar
Grove prototype system.

many fewer soldiers needed soon #robotics

10.1: news.adds/robotics/many fewer soldiers needed soon:
. within the next 2 years
.mil is going to transition 100,000-plus
out of the military soon .
--[ for some balance there are medical jobs: ]
The American Association of Medical College
Center for Workforce Studies estimates

 the country will need 45,000 more PCPs [primary care physician]
and 46,000 more surgeons and medical specialists
 within the next decade.
. medical schools are turning to a
3-year diploma solution
 to hedge against the looming
 primary care physician (PCP) shortage,
offering an accelerated program
and major savings to future primary care doctors.

12.4:
. surgery will be easier to learn
and easily packed into a 3-year degree
because of the use of robotic assistance .