jacob navia said:
We have discussed often the proposition from Microsoft
for a safer C library.
A rationale document is published here by one of the members of
the design team at Microsoft:
http://msdn.microsoft.com/msdnmag/issues/05/05/SafeCandC/default.aspx
This is one of the most preposterous documents I've seen[1]. It would
make an interesting tutorial if it were an essay from an
undergraduate, but as a serious proposal from a major software
company? Might it actually get in?
They start from the point of view that it is safer to pass the
destination size around than to subtract and use the "strn*"
functions. It may be one operation shorter (in some cases), but
safer? And so much safer that a whole new set of functions should be
added to standard C?
It references code fragments to show how much better this stuff is.
For example:
// Original
wchar_t dest[20];
wcscpy(dest, src); // compiler warning
wcscat(dest, L"..."); // compiler warning
can be improved with their shiny new _s functions. Duh! They could
show how some correct code can be made a little shorter, but it seems
disingenuous to start with such incorrect nonsense and "improve" it.
But the oddest part of all is that none of the things suggested (in
the part I read, at least) is at all hard to do in standard C.
I.e. any programmer who prefers that style will already have these
functions in a library. For example, strnlen_s is a one-liner: testing
that it is not passed NULL and then calling memchr. And, of course, if
you don't like that style it is perfectly possible to write safe code
without these extras.
I may have missed the real "meat" of the proposal, so I should say
that it is only the cited rationale that is daft. But if there is
meat to this, they miss a trick by not making it clear up front.
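An added example, not from the post or from the Microsoft proposal, showing the two points the post makes in standard C: a strnlen_s-style helper that is just a NULL check plus memchr, and the "copy then append ..." fragment written the subtract-and-strn* way with the destination size. The narrow-char names my_strnlen_s, copy_with_ellipsis and ellipsis_result_is are my own, the return-0-on-NULL behaviour is my reading of the proposal rather than its text, and the inputs are constructed:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A strnlen_s-style helper in standard C, as the post describes: check for
 * NULL, then let memchr do the bounded scan. Returning 0 for a NULL pointer
 * is an assumption about the proposal, not quoted from it. */
size_t my_strnlen_s(const char *s, size_t maxsize)
{
    if (s == NULL)
        return 0;
    const char *nul = memchr(s, '\0', maxsize);    /* reads at most maxsize bytes */
    return nul != NULL ? (size_t)(nul - s) : maxsize;
}

/* The wcscpy/wcscat fragment from the post, narrow-char version, written with
 * the destination size subtracted and passed to the strn* functions, i.e. the
 * standard-C style the post says is already available. Returns 0 on success,
 * -1 if src + "..." + NUL would not fit or an argument is invalid; on -1 the
 * destination is left untouched. */
int copy_with_ellipsis(char *dest, size_t destsz, const char *src)
{
    if (dest == NULL || src == NULL || destsz == 0)
        return -1;
    size_t len = my_strnlen_s(src, destsz);         /* bounded scan of src */
    if (len + 3 >= destsz)                          /* len + 3 + NUL must be <= destsz */
        return -1;
    memcpy(dest, src, len);
    dest[len] = '\0';
    strncat(dest, "...", destsz - len - 1);         /* room left after src and its NUL */
    return 0;
}

/* Check helper: 1 if copying src into a destsz-byte buffer yields `expected`,
 * or, when expected is NULL, 1 if the copy is correctly refused. */
int ellipsis_result_is(size_t destsz, const char *src, const char *expected)
{
    char buf[32];
    if (destsz > sizeof buf)
        return 0;
    memset(buf, 'X', sizeof buf);                   /* makes an unterminated result visible */
    int rc = copy_with_ellipsis(buf, destsz, src);
    if (expected == NULL)
        return rc == -1;
    return rc == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    char dest[20];
    const char *src = "Hello, world";               /* constructed input */
    if (copy_with_ellipsis(dest, sizeof dest, src) == 0)
        printf("%s\n", dest);
    else
        printf("refused: \"%s\" + \"...\" does not fit in %zu bytes\n", src, sizeof dest);
    printf("my_strnlen_s(\"Hello\", 3) = %zu\n", my_strnlen_s("Hello", 3));
    return 0;
}
```

The point of copy_with_ellipsis is that the bound is enforced once, up front, from the one size the caller already knows; whether that size then travels to an _s function or is subtracted for strncat is a matter of style, not of safety.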