[Cryptography] I don't get it.
Bear
bear at sonic.net
Thu Apr 17 14:22:18 EDT 2014
On Thu, 2014-04-17 at 13:10 +0100, Peter Fairbrother wrote:
> But, suppose you could go back in time, and adjust C and gcc, preferably
> without assassinations. What would you change?
>
Bounds checking should be part of array and string semantics.
ALL string semantics including strcopy, strcat, etc, should never
have had any bounds-unchecked versions in the first place.
Zero-terminated strings were a Bad Idea. Strings should have
had explicit lengths from the beginning.
Bounds checking should be part of stack semantics. Stack
scribbling should get a guaranteed halt with a frame error as
opposed to continuing until 'return' lands in a scribbled frame
or, even worse, follows a scribbled pointer to 'return' to an
entirely different location.
Bounds checking should be part of the semantics for all reads
and writes to dynamically-allocated memory.
'char' should never have been any kind of integer, and should never
have been assignable nor comparable to integers without a cast. It
could make sense for 'char' to have a value indistinguishable from
a length-1 string, but never to have a value indistinguishable from
a length-1 integer.
NULL, unless cast to some particular type, should never have been
a valid value for comparison or assignment. Documentation for
system calls that rely on NULL, in particular, should have to
tell you exactly what type of NULL they rely on.
Errors should have been a type. Routines that return 'success
or failure' should be returning (errortype)NULL for success or
an error value (not just setting 'errno' but returning a value)
for failure. Errors should not be comparable to nor assignable to
any other type without a cast.
There should have been a proper boolean type from the beginning.
Booleans should never have been assignable nor comparable to
another type without a cast.
> Malloc and free? Only in kernels and kexts, maybe drivers at a pinch.
>
Eh. I don't have a problem with them, although I'd want to see
users provided with *other* methods of doing dynamic memory that
make them less attractive; in particular, there should be library
calls for building and managing dynamically allocated data
structures that tuck the malloc/free stuff under the corners where
the user doesn't need to do it themselves.
Sometimes the user needs sharp tools; but if you can anticipate
the need, it's nicer to give him what he needs so he doesn't need
to use the sharp tools to carve it for himself.
> Another thing I'd like to see as a (mandatory) goal would be repeatable
> compilation, so if you used the same source, compiler and compiler
> settings then you got the same object code out.
This is already true, isn't it, with the caveat that you also have
to rely on it being the same set of system libraries?
Bear
More information about the cryptography
mailing list