[Cryptography] GOTO Considered Harmful

Owen Shepherd owen.shepherd at e43.eu
Fri Feb 28 22:13:57 EST 2014 

On 1 March 2014 01:19, Jerry Leichter <leichter at lrw.com> wrote:

> Two things:
>
> On Feb 28, 2014, at 5:22 PM, Patrick Chkoreff <patrick at rayservers.net>
> wrote:
> >> This was a very unusual error, and the fact there was a 'goto' in the
> >> code was incidental.
> >
> > That is true, and this may be more of a case study in the benefit of
> > *proper indentation*.
> Actually, the *original code was indented correctly*!  The *buggy* code
> was not.
>
> I fault the code review process:  The funny indentation should have caught
> the eye of a reviewer.  Once you're drawn to the break in the proper
> indentation, you really can't miss that there are two goto's in a row.
>  This bothers me; it suggests that Apple's code review process is just not
> up to snuff.
>
> (It's been suggested that this smells like a git merge problem.  Most of
> us have probably become pretty cavalier about merges - if the SCCS doesn't
> complain, and the code compiles, we figure it's fine.  If this really was a
> merge error, it suggests that merges need to be carefully code reviewed,
> too.  I don't know of anyone who does that.
>

Good coding conventions and style guides can act as defense in depth
against this:

   - Requiring that all if bodies be either on the same line or braced
   avoids the indentation issue
   - If you're using Allman or similar indentation styles, the result of
   this is that the double goto triples in side:
   {
       goto fail;
   }
   {
       goto fail;
   }
   - If you're using K&R style, my preference, a double goto resulting from
   a merge probably doesn't compile:
   if (err = DoSomeOperation(...)) {
       goto fail;
   }
       goto fail;
   }
   - The label name "fail" is inappropriate. "cleanup" would be better and
   highlight the purpose. In particular, it would make it more obvious to
   someone who spotted the double goto but was puzzled by it that it was wrong
   ("Two fails can't cause spurious success results" vs "Why is it jumping
   past this code to cleanup?")
   - Testing, testing, tetsing. "Full functional" testing (i.e. connecting
   the TLS stack to various working and broken servers) is ideal but tricky
   (Note Chrome uses a whole second, somewhat hacky TLS stack to verify
   various behaviors, but unit testing is entirely feasible.
   - Use of C++ RAII, Rust styled scoped deterministic lifetimes, and other
   languages with integral resource management functionality is ideal
      - An adage of mine: The C developer is scared of the code they
*can't*see. The C++ developer is scared of the code they
      *can*. In this kind of code, the stuff that C++ "hides" is the
      boilerplate code to do with resource management, removing it as "noise"
      from the surrounding actually important code. Plus, once I've seen the
      implementation of std::unique_ptr (or some smart pointer or your own
      creation) once I can be confident of its behavior anywhere (Modulo
      misunderstandings of the depressingly large specification. Yay Rust, for
      swapping the tradeoffs C++ made away from C compatibility and in the
      direction of safety), letting me "ignore" it and focus in on the critical
      security code.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140301/9b853bc9/attachment.html>

More information about the cryptography mailing list