jacob navia said:
Walter Roberson wrote: [...]
Jacob specifically quoted the DR about "Corrupting memory" being
part of "the range of undefined behavior", and took exception to that.
That is a more general dissatisfaction than with the result of
the single library function asctime(). Fixing asctime() alone would
not fix the more general issue that as far as C is concerned,
corrupting memory is an acceptable part of the range of
"undefined behavior".
NO!
I want asctime(à fixed because it can be done VERY EASILY!!!
It suffices to specify correctly the size of the buffer OR
the allowed range of the arguments. That is not rocket science!
Of course I am not against eliminating all possible UB in all
possible programs, what are you talking about?
Your proposal is therefor just a band-aid over one particular wart;
removing the possibility that corrupting memory is permitted
behavior for "undefined behaviour" everywhere in the C standard would
require the sort of checks I outline, such as mandatory bounds checking
and run-time memory alignment checking for unions.
Look Mr, maybe removing THIS wart is not such a big deal but it would
be at least THIS WART GONE!
What is this philosophy?
"C is so fucked up that removing this wart wouldn't make any difference"
jacob, if you stopped SHOUTING for just a moment you might realize (a)
that a lot of us here actually agree with you that the asctime
specification in the standard can and should be fixed, and (b) that
most of us here are in no position to do anything about it.
Having said that, I think you're underestimating the difficulty of
making such a change, at least outside the context of a major revision
to the standard. For example, I think it would have been fairly
straightforward to fix it in C99, but harder, for political and other
reasons, to fix it in a DR or a TR.
Since the behavior for out-of-range arguments is undefined,
implementations are already free to do something sensible. Some have
suggested using snprintf(), so the result will be truncated (and if
so, the lack of a trailing new-line could cause some problems on
output, but that's better than UB). Others have suggested replacing
some fields with '*' characters. Both are sensible ideas, and both
have probably already been implemented. Another possibility is just
to make the static buffer big enough for any possible arguments (this
can be determined given the range of int). Mandating any of these
solutions would break existing implementations that already use a
different one. In my opinion it would be worth the cost, but others
might disagree.
Or the standard could just mandate that it will never overflow the
buffer, which I suppose would be an improvement over the current
situation, but it would still be impossible for programs to depend on
the result for out-of-range arguments.
Fixing asctime() is easy. Reaching agreement on a solution that must
be imposed on all implementations is less easy.
The last sentence of DR #217
<
http://www.open-std.org/jtc1/sc22/wg14/www/docs/dr_217.htm> is
There is no consensus to make the suggested change or any change
along this line.
It's conceivable that there was agreement that it should be changed,
but no consensus on how to do it. (I don't claim that that's a likely
interpretation.)
And even if the committee amended DR #217 tomorrow morning, and
incorporated it into TC4 and published it next week, how long would it
be before *all* implementations supported the new semantics? How long
would it be before C programmers could confidently assume that the
asctime() function for *all* implementations on which their code might
be executed conforms to the new requirements? It wouldn't be forever,
but it would be long enough that programmers would still be well
advised to check the arguments themselves first.
Nobody is forcing anybody to use asctime() in the first place.
Personally, I wouldn't even want to use it in new code. Its output
format is ugly and USA-specific, and the trailing new-line causes
problems. I'd much rather use strftime(), which is vastly more
flexible and avoids all of asctime()'s problems (at the expense of
being a bit more complex to use).
I'd be willing to bet that the vast majority of arguments to asctime()
use values that were derived from the result of the time() function,
either immediately before the call or some time in the past.
Have you ever seen an actual bug in an actual program caused by this
issue?
Yes, the UB in asctime() is a wart, and yes, I'd like to see it fixed.
But it's neither trivial, nor vitally important, nor worth a flame war
among people who can't do anything about it.
Just out of curiosity, how does lcc-win's asctime() behave?