W
websnarf
jacob navia a écrit :
None of the answers addresses any of the problems that this software
tries to fix.
Just the usual:
"We are the greatest" "It will be slower", "I dislike Microsoft"
and similar.
Christopher Layne says:
"The new libraries will be slower".
He doesn't explain what measurements he did to arrive at this
conclusion.
Every per-character inner loop now checks for both a '\0' terminator
and a length count down. Because of the extra code size, many of
these library functions will fail heuristics for inlining (or
otherwise increase L1 I-Cache pressure if it inlines aggressively.)
This shows pure design incompetence on Microsoft's part. It is ok to
sacrifice inlinability if you accomplish far more functionality (such
as Bstrlib does) so that ultimately fewer calls are made and your
inner loops that need to be called into are doing more work per
cycle. Instead MS chose to make exact analogues to the ridiculously
poorly designed std library functions. So on the performance issue
they do nothing but incurr extra overhead that is unrecoverable.
Ben Becaisse says:
But the oddest part of all is that none of the things suggested (in
the part I read, at least) is at all hard to do in standard C.
Obvious. But precisely, it is the first time somebody takes the
time to make a proposal for a STANDARD set of those functions, so
users do not have to reinvent the wheel.
Except that this misrepresents the real issue from the user's point of
view. Whether you are using TR 24731 or just the standard functions,
the programmer is in exactly the same boat -- they can do extra work
for each string operation to ensure the buffer lengths are correct
(and do this calculation potentially incorrectly) and write code
accordingly or they can just be lazy and do some default thing that
works (like stuffing RSIZE_MAX as the parameter for the length in TR
24731.) Actually, quite ironically, you could actually argue that the
library would be safer if only RSIZE_MAX was *NOT* defined.
I am not for this proposal, even if lcc-win32 has implemented
Microsoft's proposal. The solution is to get rid of zero terminated
strings, but it is surely a step in the right direction.
Hmmm ... so long as they mischaracterize the real problem, it just
looks like a misdirected effort. And its going to make people sour to
the whole thing. I mean people are going to be decieved into thinking
TR 24731 is useful for reducing security problems, so they waste time
porting to it, and of course, will see absolutely no change in the
frequency of security problems (which doesn't matter to MS, who will
claim victory by the process of PR no matter what) and will conclude
that C has to be tossed because "the best effort" did not save the
poor C language.
Remember, my big issue, is that these functions do not actually do
anything to promote safety. This is further revealed by the fact that
they put "restrict" all over the parameters indicating that they don't
give a rats ass about the aliasing problem. When users use
"restrict", they are expecting performance, but when a *LIBRARY
VENDOR* uses "restrict" they are just absolving themselves of blame.
But for a general library pretending to be secure? You solve the
aliasing problem, otherwise you don't call yourself a security
solution. Its just continuing to propogate the problem.
The C standard committee has demonstrated that its just plain too
stupid to see any of this. I can only hope that the C++ committee is
smarter and simply rejects the whole proposal out of hand. Someone
has to slap the faces of these idiots.