Richard said:
pete said:
How do you write to a file without calling a function (or function-like macro)?
I don't know. Why do you ask?
Richard said:
pete said:
How do you write to a file without calling a function (or function-like macro)? [...]
Richard Heathfield said:
[Followups set to comp.lang.c]
Robert Seacord said:
We would like to invite the C community to review and comment on the
current version of the CERT C Secure Coding Standard available online at
www.securecoding.cert.org <http://www.securecoding.cert.org> before
Version 1.0 is published.
Here are my comments on the preprocessor section, PRE00-A to PRE31-C.
These comments can also be found at
http://www.cpax.org.uk/prg/portable/c/reviews/seccode.php [...]
PRE07-A. Avoid using repeated question marks
The point of this advice is to protect you from accidental trigraphs! And
of course it's sound advice. The example, though, is an interesting one.
It introduces a problem for which the blame should probably be shared
about evenly between single-line comments and trigraphs, and presents a
solution in which both have been eliminated. I'm not complaining about
this, but it seems to lack focus. (Note that the simplest fix would have
been the introduction of a space after, or even just the removal of, the
second question mark.)
If you don't use trigraphs, see if you can get your implementation to
disable them. (Some do this by default - you actually have to turn them
on, rather than off.) If you can't disable them (either because your
implementation won't let you or because you do actually use them), it's
worth grepping your source code occasionally in search of trigraph
sequences, so that you can decide on a case-by-case basis whether you
intended to use a trigraph in that situation.
(I wonder which is more common in real-world code, deliberate use of
trigraphs or accidental use of trigraphs.)
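The review's suggestion of grepping source for trigraph sequences, as an added example that is not part of the thread or of the CERT standard: a small scanner that reports every "??" followed by one of the nine trigraph completion characters, run over a constructed sample. The function and sample names are this example's own; the sample literal uses the `\?` escape so that the example file itself contains no trigraph, which is the same defusing idea as the review's "space after the second question mark".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread or the CERT standard. Scans C source
 * text for trigraph sequences (two question marks followed by one of the
 * nine completion characters below) so each hit can be reviewed by hand.
 * Function and variable names are this example's own. */

/* Characters that, after two question marks, complete a trigraph. */
static const char TRIGRAPH_THIRD[] = "=/'()!<>-";

/* Counts trigraph sequences in src. For the first `max` hits, stores the byte
 * offset of the leading '?' in offsets[] (offsets may be NULL when max is 0). */
size_t find_trigraphs(const char *src, size_t *offsets, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        if (src[i] == '?' && src[i + 1] == '?' && src[i + 2] != '\0'
            && strchr(TRIGRAPH_THIRD, src[i + 2]) != NULL) {
            if (count < max)
                offsets[count] = i;
            count++;
            i += 2; /* a sequence cannot overlap the next one */
        }
    }
    return count;
}

/* Constructed sample "source". The literal uses the \? escape so that this
 * file itself contains no trigraph; at run time the string holds plain "??". */
const char SAMPLE_SOURCE[] =
    "// What?\?/\n"              /* a trigraph here becomes a backslash and splices the next line */
    "int x = 1;\n"
    "printf(\"Really?\?!\");\n"  /* a trigraph here becomes a vertical bar inside the string */
    "printf(\"Really?? !\");\n"; /* the space after the second '?' defuses it */

/* Offset of the n-th hit in SAMPLE_SOURCE, or (size_t)-1 if there is none. */
size_t sample_hit_offset(size_t n)
{
    size_t offsets[8];
    size_t count = find_trigraphs(SAMPLE_SOURCE, offsets, 8);
    return n < count ? offsets[n] : (size_t)-1;
}

int main(void)
{
    size_t offsets[8];
    size_t count = find_trigraphs(SAMPLE_SOURCE, offsets, 8);
    printf("%zu trigraph sequence(s) found\n", count);
    for (size_t k = 0; k < count && k < 8; k++)
        printf("  offset %zu: %.3s\n", offsets[k], SAMPLE_SOURCE + offsets[k]);
    return 0;
}
```

On the sample, the two live sequences are reported (offsets 7 and 36) and the defused one is not; each hit is a place to decide, as the review says, whether a trigraph was intended.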
pete said:
I don't know. Why do you ask?
PRE31-C. Never invoke an unsafe macro with arguments containing assignment, increment, decrement, or function call
You agreed with:
suggesting that there's something wrong with a program like new.c.
When I thought, recently, to have seen a trigraph, I saw two question marks
Richard Heathfield said:
Keith Thompson said:
Number of times I've accidentally trigraphed: 0 IIRC
Number of times I've deliberately trigraphed in real-world code: N
(for very large N).
Richard said:
pete said:
I wrote:
"By 'unsafe macro', SECCODE means a macro that evaluates at least one of its arguments more than once. It is clearly a bad idea to pass to such a macro any argument that has side effects."
The four side effects that are singled(?!) out in the title are in fact the only four I can think of, but if you do manage to think of any others, don't pass those to macros either, okay?
And then you wrote in the next sentence in the same paragraph:
Which is the fourth side effect singled(?!) out in the title? It looks like "function call", as though you mean to say that a function call is a side effect.
Richard Heathfield <[email protected]> writes:
Interesting.
Number of times I've accidentally trigraphed: None that I know of, but
who knows??!
Number of times I've deliberately trigraphed in real-world code: 0
I suspect (with no real evidence) that my trigraphing pattern is more common than yours.
trigraph use has been on EBCDIC-based mainframes (that's where you used trigraphs, right?),
pete said:
The first three are only one kind of side effect: assignment.
Richard said:
pete said:
You make a fair point. (The review was, after all, written at a ridiculous time of day!)
In the Web version of this review, I have inserted the following paragraph:
"Note, by the way, that function calls only have side effects if they have side effects! They are not required to, obviously. There is no particular problem with passing, say, sin(x) to an 'unsafe' macro, although of course there will be a minor performance penalty associated with the multiple evaluation."
Will that suit?
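The PRE31-C point argued above (an "unsafe" macro evaluates an argument more than once, so an argument with a side effect has its side effect repeated, while a side-effect-free call such as sin(x) is merely computed twice), as an added example that is not from the thread or the CERT standard. The macro and function names are this example's own; the side-effecting argument is a function call that advances a counter, chosen because the conditional operator sequences its operands and the outcome is therefore well defined, unlike the `i++` case in the rule's title, which would be undefined behaviour and is not shown.

```c
#include <stdio.h>

/* Added example, not from the thread or the CERT standard. Shows what
 * PRE31-C warns about and the two usual remedies. Names are this example's own. */

/* Unsafe macro: (a) is evaluated twice whenever a > b. */
#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Safe alternative: a function evaluates each argument exactly once. */
static inline int max_fn(int a, int b) { return a > b ? a : b; }

static int counter;

/* A function call with a side effect: every call advances `counter`. */
int next_value(void) { return ++counter; }

/* A function call with no side effects (stands in for sin(x) in the thread). */
int square(int x) { return x * x; }

int counter_after(void) { return counter; }

/* The macro calls next_value() twice: once in the comparison (counter becomes
 * 1, and 1 > 0 is true) and once more in the chosen branch. Result 2, counter 2. */
int unsafe_macro_with_side_effect(void)
{
    counter = 0;
    return MAX(next_value(), 0);
}

/* Remedy 1: use a function instead of the macro. Result 1, counter 1. */
int function_instead_of_macro(void)
{
    counter = 0;
    return max_fn(next_value(), 0);
}

/* Remedy 2: keep the macro but evaluate the side-effecting argument first,
 * so the macro only ever sees a plain variable. Result 1, counter 1. */
int side_effect_hoisted_out_of_macro(void)
{
    counter = 0;
    int v = next_value();
    return MAX(v, 0);
}

/* A side-effect-free call is merely computed twice by the macro: same result
 * either way; the only cost is the repeated call. Both return 9. */
int pure_call_via_macro(void)    { return MAX(square(3), 4); }
int pure_call_via_function(void) { return max_fn(square(3), 4); }

int main(void)
{
    int r;
    r = unsafe_macro_with_side_effect();
    printf("macro with side-effecting argument: %d (counter %d)\n", r, counter_after());
    r = function_instead_of_macro();
    printf("function instead of macro:          %d (counter %d)\n", r, counter_after());
    r = side_effect_hoisted_out_of_macro();
    printf("side effect hoisted out of macro:   %d (counter %d)\n", r, counter_after());
    printf("pure call via macro / function:     %d / %d\n",
           pure_call_via_macro(), pure_call_via_function());
    return 0;
}
```

The counter is what makes the difference visible: the macro leaves it at 2, both remedies leave it at 1, and for the pure call the macro and the function agree, which is exactly the distinction the inserted paragraph draws.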
[...] Worse still, the name is misleading - char * is not a synonym for string in C, and to suggest (via the typedef) that it is, is a disservice to the code reader.
Keith Thompson said:
(I wonder which is more common in real-world code, deliberate use of trigraphs or accidental use of trigraphs.)
Robert said:
We would like to invite the C community to review and comment on the
current version of the CERT C Secure Coding Standard available online at
www.securecoding.cert.org <http://www.securecoding.cert.org> before
Version 1.0 is published. To comment, you can create an account on the
Secure Coding wiki and post your comments there.
Our intent is to complete major development of Version 1.0 by April 18,
2008, with the published version of the standard being available in
September. Once Version 1.0 of the standard goes to the publisher, we
will begin development of Version 2.0. That is, we will continue to
maintain the wiki to further advance the "working version" of the CERT C
Secure Coding Standard. The published 1.0 version will become the
official version, until replaced by a future version. It is unlikely a
subsequent version will be released any time in the next 2-3 years, so
we would like to ensure that Version 1.0 will be a high quality product
that will promote and encourage secure coding practices.
Thanks for any help and assistance you have already provided and for any
additional contribution you may make. There are currently 184
individuals who have contributed to the development of this standard,
without whom this effort could not have succeeded.
I saw you have an equivalent C++ standard, but there isn't such a post
in comp.lang.c++. I would like to see a relevant post there.
John said:
I hadn't read this before, but I just came back from the
Embedded Systems Conference, where three vendors were selling
checking tools to find bugs in real-time C code. Sometimes
they can detect array bounds errors by static analysis. But
the approaches used aren't airtight.
Reading the "CERT C Secure Coding Standard" is interesting,
but a program compliant with the rules can still have memory
access violations. That's the trouble with viewing this as
a stylistic problem.
We could do much better, but would have to extend the C language
to do so. Is there any interest in that? C99 has a few halting
steps in the right direction, like the use of "static" in array
arguments in function declarations to indicate the minimum size
of the array passed. I've been writing up something in this area,
but unless there's serious political interest, it's not something
I would spend time on.
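The C99 feature John mentions, `static` in an array parameter declaring the minimum size the caller must pass, as an added example that is not part of the thread. The function names and the input arrays are this example's own; the point it makes is the one John makes, that the declaration is a compile-time contract a compiler or checker can use at visible call sites, not a run-time check, so a length still has to travel with the pointer when the buffer size is only known at run time.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not from the thread. Names and inputs are this example's own. */

/* Contract: a points to at least 4 readable ints (and so is not NULL). A
 * compiler can use this to diagnose calls that visibly pass a smaller array,
 * for instance sum4(small) with int small[2]; nothing is checked at run time. */
int sum4(const int a[static 4])
{
    return a[0] + a[1] + a[2] + a[3];
}

/* When the buffer size is only known at run time, check it explicitly before
 * relying on sum4's contract. Returns 0 and stores the sum on success, -1 if
 * the buffer is missing or too small. */
int sum4_checked(const int *a, size_t n, int *out)
{
    if (a == NULL || n < 4)
        return -1;
    *out = sum4(a);
    return 0;
}

/* Constructed inputs, wrapped in functions so the results can be checked. */
int demo_big_unchecked(void)
{
    const int big[6] = {1, 2, 3, 4, 5, 6};
    return sum4(big);                       /* 10 */
}

int demo_big_checked(void)
{
    const int big[6] = {1, 2, 3, 4, 5, 6};
    int r = 0;
    return sum4_checked(big, 6, &r) == 0 ? r : -1;   /* 10 */
}

int demo_small_rejected(void)
{
    const int small[2] = {1, 2};
    int r = 0;
    return sum4_checked(small, 2, &r);      /* -1: only 2 elements */
}

int demo_null_rejected(void)
{
    int r = 0;
    return sum4_checked(NULL, 8, &r);       /* -1: no buffer at all */
}

int main(void)
{
    printf("sum4(big)          = %d\n", demo_big_unchecked());
    printf("checked, big       = %d\n", demo_big_checked());
    printf("checked, small     = %d (rejected)\n", demo_small_rejected());
    printf("checked, NULL      = %d (rejected)\n", demo_null_rejected());
    return 0;
}
```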