Secure, Efficient and Easy C programming

cras writes "Feeling a bit of masochist today.. First in the morning I wrote Secure, Efficient and Easy C Programming Mini-HOWTO. And since I already spent a few hours with it, I figured I might just as well see what Slashdot people would think about it."

not a fp!

WARNING: this is not a fp

Move along.

That's easy!

[Goalie_Ca]

I think we already know how to do that. Don't use WinApi.

Re:That's easy!

Even though you it down doesn't mean that WinAPI isn't hard and insecure.

Re:That's easy!

Heh, meant mod it down. This place needs an edit option.

Re:That's easy!

How the fuck is this offtopic!? Its my opinion on the security and ease of the WINAPI! Obviously the mods are damn MS sympathizers.

Secure, Efficient and Easy

Pick any two.

Re:Secure, Efficient and Easy

[shazbotus]

Yeah, you are really correct. It doesnt seem like you could get all three, but any two does seem to fit well. Heh, nice idea. :)

Re:Secure, Efficient and Easy

Not his idea

It's the old engineering axiom rewritten.

Good, fast, cheap. Pick any two.

Re:Secure, Efficient and Easy

[John+Sullivan]

Pick any two.

No, pick any one. Security is hardly ever easy, and for a project of any size efficiency will take some thought too, and at least a small hit if you're trying to be secure. And if the one you pick is Secure, then you *will* make mistakes in that, so you might have to settle for none of the above.

(But that doesn't mean you shouldn't try.)

yay!

first post! :D

Re:yay!

Far from it, dumbass

You mean 4th....

[Ronin+Jonin]

:) Nice try though.

Nice power trip

how much do these slashvertisements cost?

future plans?

[napoleonin]

"First in the morning I wrote Secure, Efficient and Easy C Programming Mini-HOWTO..."

Damn. What are your plans for the rest of the day?

Re:future plans?

[roseblood]

1) write Secure, Efficient and Easy C Programming Mini-HOWTO [done]
2) ???
3) Profit!

Re:future plans?

Ugh... 1) Post another "??? Profit" comment on Slashdot 2) ??? 3) Profit

Re:future plans?

[Reality+Master+101]

Maybe make it a HOWTO rather than a Mini-HOWTO? Hell, I could write a mini-HOWTO right here...

SECURE

1) Don't use strcpy.

2) Don't assume data coming in from the world is within valid limits

EFFICIENT

1) Avoid moving/copying large amounts of data whenever possible. Work in place.

EASY

1) Don't redefine the language using macros (e.g., define BEGIN {, #define END })

2) Comment your source

3) Use The One True Brace Style. All others are heretical crap.

Damn, now what do I do with the rest of my day?

Re:future plans?

[OverlordQ]

1) Write HOWTO
2) Sell HOWTO
3) ????
4) Profit??

Re:future plans?

Actually yours is better.

Re:future plans?

[InsaneCreator]

Damn. What are your plans for the rest of the day?

Bring peace to the Middle East before tea-time, I guess...

Re:future plans?

[owenb]

SECURE

1) Don't use strcpy.

2) Don't assume data coming in from the world is within valid limits

3) Don't use gets. Ever.

4) Watch out for scanf. It's hard to use safely.

Re:future plans?

[vsprintf]

Use The One True Brace Style. All others are heretical crap.

As long at that's my brace style (K&R), you are correct.

Re:future plans?

All good points, though I'd modify your number 4 to read "Don't use scanf. Ever". Ritchie really dropped the ball on that one, especially by comparison to the relatively well-designed printf.

Repeat after me, boys and girls: "scanf is broken and evil".

Re:future plans?

[gmack]

"1) Don't use strcpy."

Don't use strncpy with the third var of strlen(sourcevar) either.

Seriously .. I've seen it done.

Re:future plans?

[CaseyB]

The One True Brace Style is K&R, by definition.

Re:future plans?

[Andrewkov]

I thought you said "Bring peace to Middle Earth" for a second.. LOTR on the brain, I guess!

Re:future plans?

[vsprintf]

The humor was lost on you? Sorry.

Re:future plans?

[MAXOMENOS]

Note on ESR's article: one notable place where the GNU style is found is in Sedgewick's second edition of Algorithms in C++.

Re:future plans?

[0x0d0a]

"First in the morning I wrote Secure, Efficient and Easy C Programming Mini-HOWTO..."

Damn. What are your plans for the rest of the day?

"If you've done six impossible things this morning, why not round it off with breakfast at Milliways, the Restauraunt at the End of the Universe?"

-- Douglas Adams

Re:future plans?

[Decimal]

Couldn't all of these petty arguments be solved if the command was not if (...) {...}, but instead {if (...) ...} or if {(...) ...}?

Re:future plans?

[iangoldby]

NO!!

Re:future plans?

[Decimal]

Er... Why not? "NO!!" isn't very descriptive. :)

Re:future plans?

[iangoldby]

It's not supposed to be. This is a 'holy war'. 8-)

IN SOVIET RUSSIA

Perl is Secure, Efficient and Easy.

Hmm.. Question

[Loki_1929]

"First in the morning I wrote"

So did you wake up early this morning, or are you still up from the night before, like me?

Re:Hmm.. Question

[cras]

Read the article ;) 27h uptime or so now. I woke up around 6pm though.

very good!

[borgdows]

you talk about "memory pools" without saying the word "heap"!

Re:very good!

If memory servers, I took a heap in the city pool, last time I was there. Does that help?

mirror

Secure, Efficient and Easy C programming Secure, Efficient and Easy C programming

NOTE: This is a temporary location for this document, selected with slashdot people specifically in mind.

Copyright (C) 2002 Timo Sirainen <tss@iki.fi>

Index

• Introduction
• Memory Allocations
  • The Old Ways
  • Data Stack
  • Memory Pools
  • Memory Pool API
• String Handling
  • The Old Ways
  • String API
  • String API with Memory Pool API Support
• Buffer Handling
• Real World Usage

Introduction

Everyone knows about buffer overflows nowadays. Everyone knows some ways to prevent them. But most people still do it in a way that requires them to be unnecessarily careful while coding - even a single carelessly written part of code can be a security disaster.

None of these ideas I've written about is new, but most of them are very rarely used with C programs. I think it's mostly because many people don't know about them or just haven't realized how they could be easily used. Sure, there are also people who will never change their way of coding. And there's also the problem that using non-libc functions make the program bigger, which is pretty annoying with otherwise very small programs.

Besides not only making your code more resistant to buffer overflows, I think many of these features will actually make writing C-code a lot easier and more fun.

I'm not a writer and I'm not too good at english, so sorry about all the spelling and grammar errors :) All of this stuff was written at sunday morning, tired after being awake the whole night and not being able to do anything useful..

Memory Allocations The Old Ways:

• Use static buffers - fast, but lack the ability to grow when needed.
• malloc() - slighly slower than static buffers, possible memory fragmentation, and most importantly it requires the memory to be freed, which can be sometimes very annoying. It's easy to forget to free the memory and cause memory leaks. free()ing already freed memory may also be an exploitable a security flaw.
• Garbage collector - this would be the best way to manage memory. For example OCaml's garbage collector is quite smart by treating long-living allocations differently than temporary allocations. However with C it's not really possible - you can't go moving the allocated memory elsewhere unless you write your program in special way. So there's a few simple non-portable garbage collector implementations for C, but they're not much more different from malloc()ing other than that you don't need to free() memory. They're not fool proof either.

Data Stack

What I haven't yet seen used anywhere outside my own software and some programming languages internals (eg. calling Perl code from C), is using data stack for temporary memory allocations. It has the most important advantage of garbage collectors; allocate memory without worrying about freeing it. It also has a few gotchas, but I'd say it's advantages are well worth it.

The way it works is simply letting the programmer define the stack frames. All memory allocated within the frame are freed at once when the frame ends. This works best with programs running in some event loop so you don't have to worry about the stack frames too much. Here's an example program:

/* asprintf()-like functon, but allocates the memory from data stack */ const char *t_printf(const char *fmt, ...) __attribute__((format (printf, 1, 2))); void client_input(struct client *client) { const char *cmd; int i; cmd = read_command(client); if (cmd == NULL) return; if (strcasecmp(cmd, "status") == 0) { time_t now = time(NULL); client_send(client, t_printf("Time: %s", ctime(&now))); client_send(client, t_printf("Clients: %u", clients_count)); for (i = 0; i < 10000; i++) { /* without an extra stack frame here, we'd allocate the t_printf() 10000 times before freeing them all. That's probably not be very good. */ t_push(); client_send(client, t_printf("%d: %u", stuff[i])); t_pop(); } } else { client_send(client, t_printf("Unknown command: %s", cmd)); } } void main_loop(void) { unsigned int i, id; fd_set rfds; if (select(max_fd, &rfds, NULL, NUL, NULL) <= 0) return; for (i = 0; i < clients_count; i++) { if (FD_ISSET(clients[i].fd, &rds)) { id = t_push(); client_input(&clients[i]); if (t_pop() != id) { /* we could simply call the missing t_pop()s, but this usually indicates a problem which we want to know. for example we might have leaked it inside a for loop which caused unnecessarily large memory usage. */ panic("missing t_pop()"); } } } }

Advantages over control stack:

• Functions can return a value allocated from data stack.
• We can portably specify how much data we want to allocate at runtime, and in some cases we can grow it without copying data.

Advantages over malloc():

• FAST, most of the time allocating memory means only updating a couple of pointers and integers. Freeing the memory all at once also is a fast operation.
• No need to free() each allocation. This has a huge impact on code simplicity. For example: fprintf(f, "'%s'\n", escape_string(input)); vs. char *str = escape_string(input); fprintf(f, "'%s'\n", str); free(str);
• No memory leaks.
• No memory fragmentation.

Disadvantages:

• Allocating memory inside loops can accidentally allocate a lot of memory if the loops are long and you forgot to place stack frame there.
• The memory could accidentally be saved somewhere and accessed after the end of stack frame.
• Debugging for buffer overflows can be difficult, since the regular bound checkers don't work. To kludge around this, I've made an compile time option to allocate all memory using malloc(), but this of course hurts the performance and grows memory usage. Of course, by coding good code you should never need this :)

The second disadvantage is the most problematic one. It's actually two problems; first it shouldn't be mixed with permanent data, and second it shouldn't be temporarily stored to location where it could be accessed outside the stack frame.

The first one is easier to handle. The ideal solution would be to have some tags in C language that would give warning if being lost, for example temporary char *str = t_strdup("str"); char *str2 = str; where the str2 assignment would give a compiler warning about the missing temporary tag. But since this isn't possible we can do almost as well using const keyword, which has exactly that behaviour but restricts us from modifying the memory. Luckily that's not usually needed.

The second one is much more difficult, I haven't found any good way to handle it other than by a) don't even try it, b) fill the freed memory when freeing stack frame so the corrupted value is easily noticed at runtime.

And why ever even do that? Because it's simpler in some situations. For example I have this message header parser, which calls a callback function for each header line. Suppose I only want to find the message's Content-Type, so save it with context->content_type = t_strdup(content_type); Then later I just read it without need to worry about freeing it. Now, the only problem with this is that it relies on the parser not to create a stack frame around the callback which would invalidate our saved return value. While writing the callback it's easy to check if it's possible, but what if the parser was later modified without remembering the special needs of the one callback..

Memory Pools

Alloc-only pools can be quite useful for storing larger amount of return values from some function, especially when data stack can't be used (the second problem case above). They still provide relatively easy memory management since you only need to free the pool once.

Alloc-free pools could be useful with some applications to prevent memory fragmentation and memory leaks by grouping related data together into single malloc() block. They could also make the program run faster due to (possibly) better CPU cache utilization. Besides performance reasons, they could also be useful for statistics to find out where exactly the allocated memory goes. They'd however need their own internal malloc() implementation so they're not very simple.

Memory Pool API

When you have a function that could return a large return value, it's not very efficient to first store it into data stack and then copy it somewhere else. The traditional way would be to just give a (void *result, size_t size) as parameters. This again has the problem that we might not know at all what buffer size is large enough.

So, one way to deal with this is to give the function a memory pool object which can be used by the function to allocate the correct amount of data. Besides the dynamically created alloc-only and alloc-free pools there could be global pools as well: data_stack_pool and system_malloc_pool. Here's an example:

extern Pool data_stack_pool, system_malloc_pool; /* generic dynamically growing array */ struct array *array_create(Pool pool, size_t initial_size) { struct array *arr; arr = p_malloc(pool, sizeof(struct array)); arr->pool = pool; arr->size = initial_size; arr->data = p_malloc(pool, arr->size); return arr; } void array_destroy(struct array *arr) { p_free(arr->pool, arr->data); p_free(arr->pool, arr); } void array_grow(struct array *arr, size_t size) { if (size > arr->size) arr->data = p_realloc(arr->pool, arr->data, size); } void func(void) { struct array *arr; t_push(); array_create(data_stack_pool, 1024); /* ... */ array_destroy(arr); /* not really needed, t_pop() frees it anyway */ t_pop(); } String Handling

This is where most of the buffer overflows have happened. Nowadays people are more aware of the problem, but many still they do it in unnecessarily hard way.

The Old Ways:

• strncpy(), strncat(), snprintf() - only snprintf() of these is easy to use safely but it's still somewhat unportable (Windows). strncpy() doesn't necessarily NUL-terminate and many people misunderstand how strncat() works (ie. in very stupid and difficult to use way).
• strlcpy(), strlcat() - much better replacements to above by OpenBSD. Very unportable, but you can easily create your own ones. But these can still be used unsafely if the buffer size parameter is wrong or if the programmer goes playing around with the buffer indirectly, by eg. appending single characters and missing size checks (yes, I've seen this in software that contained "secure" in it's name).
• Dynamically allocating the amount of wanted memory and then using strcpy(), strcat(), sprintf() and direct accessing. This requires you to be very careful with the string size calculations. I don't understand why so many people think that's not a problem, they have this "If you can't calculate the sizes correctly, you're stupid and you shouldn't be coding at all" attitude. Why bother wasting time with that at all when you could be doing more important things?
• Dynamically growing buffers, used by for example GLIB, vsftpd, qmail, djbdns and Postfix. This is definitely the right way; string manipulation is done through API which discourages - or even disallows - direct buffer manipulation.

String API

There's several slight variations how to implement the dynamically growing buffers. Most work by allocating a new string object, using it and then freeing it. qmail and djbdns uses statically created buffers which are reused and never freed - that's pretty dangerous unless you can be sure the buffer isn't in use anymore. It's actually pretty much the same as having static char bigbuf[8192] which is used by several functions.

There's two ways how to manage a buffer - first being the explicit way done by eg. djb:

struct stralloc str = {0}; stralloc_copys(&str, "string"); stralloc_cats(&str, str_variable); stralloc_catulong0(&str, int_variable);

GLIB supports doing this much more easily:

/* portable asprintf() */ char *str = g_strdup_printf("string%s%d", str_variable, int_variable);

Or if you wanted a modifyable buffer:

GString *str = g_string_new(NULL); g_string_append(str, "string"); g_string_append(str, str_variable); g_string_sprintfa(str, "%d", int_variable); /* no g_string_append_int() */

Some people don't seem to like the printf-style or believe it's unsafe. GCC however gives very good warnings about parameters with incorrect type so I don't think there's any need to worry about.

String API with Memory Pool API Support

Nothing fancy here really. Just by being able to specify the used memory pool we can easily allocate strings from data stack. I've made several wrapper functions so that instead of p_strdup_printf(data_stack_pool,...) I can just use t_strdup_printf(). Here's a list of few useful functions:

const char *t_strdup(const char *str); char *t_strdup_noconst(const char *str); const char *t_strdup_empty(const char *str); /* return NULL if str = "" */ const char *t_strdup_until(const char *start, const char *end); /* *end isn't included */ const char *t_strndup(const char *str, size_t max_chars); const char *t_strdup_printf(const char *format, ...); const char *t_strconcat(const char *str1, ...); /* NULL terminated */

t_strdup_noconst is there mostly to avoid casting const away in those few situations where it's needed. Because it returns char * it could be more easily mixed with permanent data so it's usage should be kept minimal.

t_strconcat() is one function that I also copied from GLIB. It's a bit dangerous though, the terminating NULL is too easy to forget. I've been thinking about removing it entirely, but it's much more efficient than t_strdup_printf() so I haven't yet had the heart :)

Buffer Handling

Many people concentrate only on string related buffer overflows. Yes, they've been the most common ones but they're quite known now and there's more to buffer overflows than just them. The most obvious one is just another type of buffer handling. All the other data that couldn't be called strings. Often people just hack away separate memory allocations and/or size checks for them. The problems are exactly the same as with strings.

If we create a buffer API and write to buffers only through it, we would prevent almost all buffer overflows, even integer related ones, simply because the buffer API implementation is the only part of code that directly writes to memory, and that of course should be well audited not to overflow in any situation.

Buffer API would be somewhat similar to string API, ideally the string API should be created using the buffer API, or they could even be the same. My buffer API currently looks like this:

/* Create a static sized buffer. Writes past this size will simply not succeed. */ Buffer *buffer_create_static(Pool pool, size_t size); /* Create a static sized buffer. Writes past this size will kill the program. */ Buffer *buffer_create_static_hard(Pool pool, size_t size); /* Create a modifyable buffer from given data. For example: { char buf[1024]; buf = buffer_create_data(pool, buf, sizeof(buf)); } */ Buffer *buffer_create_data(Pool pool, void *data, size_t size); /* Create a non-modifyable buffer from given data. */ Buffer *buffer_create_const_data(Pool pool, const void *data, size_t size); /* Creates a dynamically growing buffer. Whenever write would exceed the current size it's grown. */ Buffer *buffer_create_dynamic(Pool pool, size_t init_size, size_t max_size);

Then there are several write, append and truncate functions and a few functions to temporarily limit the accessible buffer range. An example:

int fill_buffer(Buffer *buf, struct data *data) { struct bufdata *bufdata; /* these return value checks aren't really needed, since they fail only if the buffer gets full. and since we're using dynamically growing buffer with no limits, malloc() failure will kill the program long before reaching the high limit. */ if (buffer_append(buf, "data\n", 5) != 5) return -1; /* returns a pointer to just appended space */ bufdata = buffer_append_space(buf, sizeof(*bufdata)); if (bufdata == NULL) return -1; bufdata->field1 = htonl(data->field1); bufdata->field2 = htonl(data->field2); return 1; } int write_data(int fd, struct data *data) { Buffer *buf; size_t size; int ret; t_push(); buf = buffer_create_dynamic(data_stack_pool, 256, (size_t)-1); if ((ret = fill_buffer(buf, data)) > 0) { if (write(fd, buffer_get_data(buf, &size), size) != size) ret = -1; } t_pop(); return ret; }

There is of course also the possibility of buffer overflows while reading data. That's a bit more difficult to prevent except by careful coding, but usually it's not such a big deal anyway. It might crash the program, or at worst could expose some private information to attacker. If the later is a real problem, you should use multiple processes and IPC to hide the private data.

Real World Usage

I've written a fully featured IMAP server using pretty much these techniques. The code still needs some cleanups and there's probably a couple of bugs left, but mostly I think it's not too bad :) The library functions in it are MIT licenced, so go ahead and rip them to your own programs. I could try to create some minimal library out of them if there's enough interest.

vsftpd uses it's own string API for pretty much everything. In only few of the files it's even possible to create a buffer overflow with the used coding style.

a little short??

[AmigaAvenger]

I think this might be a little bit too soon to have it posted on slashdot, you only have a few pages covering memory and string handling, and nothing ground breaking at that.

It does look like a good start, add a few more chapters and you will be halfway there...

Re:a little short??

It is a mini-howto, and it covers the most important holes.

Re:a little short??

[cras]

It does look like a good start, add a few more chapters and you will be halfway there...

Sorry, but I think this is about all I have to say. Secure Programming HOWTO should take care of the rest.

Re:a little short??

[crimsun]

I agree that it's a good start. I would also add in links to vsftpd's design & implementation documentation; see here, here, and here. For what it's worth, Maradns's string library is worth examining as well.

Re:a little short??

[inode_buddha]

Decent -- this is the sort of info I can use. I'm trying to teach myself C without having to un-learn bad habits, so it helps to see the kind of things I should look out for. Where do you plan to post it when you consider it done? The LDP? I'll go grab a copy, thanks!

BTW the "s" in Sunday should be capitalized (the part where you mentioned "Sunday morning".

Sorry about that (former English major)

Re:a little short??

[larry+bagina]

It is a mini-howto, and it covers the most important holes.

does it cover this hole?

Re:a little short??

[Unordained]

I'm trying to teach myself C without having to un-learn bad habits, so it helps to see the kind of things I should look out for.

so ... you're my worst nightmare? which bad habits do you have that you want to keep? were they learnt from another (dreaded) language like basic?

as to caps -- how 'bout just junking the whole idea. i've had enough problems at work with users not understanding that if we don't use just one case (uppercase) in the database, they'll go putting random case in there, especially lots of all-uppercase data. which really doesn't fit well on reports. and isn't correct. but they're -sure- we need to let them uppercase/lowercase to their heart's desire. (yes, we wrote algorithms specific to the english language to re-capitalize ... works most of the time, has trouble catching proper nouns and acronyms unless 'dotted') ...

Re:a little short??

[TheAncientHacker]

Impossible. C, itself, is a bad habit.

Re:a little short??

I think it is a little worse. It is misleading. The example of Data Stacks, for example, does not include the code relavent to the example (t_printf).

The author speaks of using a data stack for data manipulation. That idea falls apart when you have dynamically sized data structures. It can be very inefficient to require the maximum size allocation when most items are small. It can be worse when the programmer imposes a maximum artificially when none should exist. This case introduces a buffer overflow which the author is trying to avoid. Additionally, no mention is made about multi-trheaded programming and the corruption that could ensure when using the technique.

Re:a little short??

[PissingInTheWind]

Impossible. C, itself, is a bad habit.

Damn true, using C for other thing than low-level stuff really is a bad habit.

Re:a little short??

[dmelomed]

Also see www.untroubled.org for twoftpd. Another FTP server with similar goals as vsftpd. Haven't had an overflow AFAIK. Also, could you point me to the sqwebmail buffer overflow please. Thanks.

Re:a little short??

[TheAncientHacker]

Yep. It's not a bad, somewhat portable, structured assembler but is just as dangerous as assembler and shouldn't be used where you wouldn't use assembler.

Re:a little short??

Sure, but you should be using assembler everywhere.

Re:a little short??

[TheAncientHacker]

Well, sure, programmers as good as you and I and a tiny number of others are should but do we trust everyone to use assembler for everything?

Re:a little short??

[vsprintf]

Damn true, using C for other thing than low-level stuff really is a bad habit.

Oh, God, another Visual Basic user who writes code with a mouse. Spare me.

Re:a little short??

[PissingInTheWind]

What about: I write Lisp compilers for a living?

Poor soul.

Re:a little short??

[vsprintf]

Lisp! I'm not gonna do all my Lisp jokes about parens here. I've sworn off. Really!

Re:a little short??

[E_elven]

Impossible. C, itself, is a bad habit.

Damn true, using C for other thing than low-level stuff really is a bad habit.

And MUDs :)

Re:a little short??

[dvdeug]

Damn true, using C for other thing than low-level stuff really is a bad habit.

Oh, God, another Visual Basic user who writes code with a mouse. Spare me.

Yes, because it's better to spend weeks and months carefully constructing a GUI by hand then to put it together in a couple days with a mouse. Especially if it's going to be used by three or four people; by God, it's more than worth it to the company for me to spend two or three months on the project (@ $60,000 a year) so those people can get their results back in a couple seconds rather than a couple minutes.

It's also better to spend weeks and months writing an efficent text processing program in C and worrying about buffer overflows and memory leaks, rather then writting it in a couple days in Perl or Snobol. Who cares that the results will inevitably be piped to less and studied for a few minutes; the fact that we shaved off 40% of 2 seconds (and added an obscure error case) is more than worth it!

Actually: Oh, God, another C programmer that will make me suffer through anonymous core dumps because his programming language is so much more macho, and so much more efficent (really wish he understand how to use Big-O notation and switch algorithms, but he spent so much time programming this one and dubugging it that he can't afford to switch. Too bad he doesn't use a language with efficent control structures predebugged and optimized.)

Re:a little short??

[PissingInTheWind]

Did I sense irony? :-)

But my infinite loops runs *so* fast!

And what would I do without my precious core dumps?

I can't trust the computer to manage his memory!

Who cares about algorithms if the language is fast?

I could not live without '\0' delimited strings!

Strong typing sucks. Dynamic typing sucks. I like my types to have no purpose other than sizing the fields in memory.

Error control and safety are for wimps.

Macros should be dumb text substitution tools.

Re:a little short??

[vsprintf]

Too bad he doesn't use a language with efficent control structures predebugged and optimized.

If you're talking about Visual Basic, then that's hilarious, especially since the the buffer exploits are generally MS-specific. Someone mod that up +FUNNY. Get a real machine. Get a real language. Get real. BTW, how are wages these days at MS?

Re:a little short??

[vsprintf]

I can't trust the computer to manage his memory!

Hmm. Not sure about your sexism with regards to computers, but computers don't do memory management. You have to trust the language to do GC if you're so inclined, which is slow and error-prone. Real programmers can manage memory and do it well. Others use sissy languanges like VB. Yeah, it's flamebait, but it's true, so what?

Re:a little short??

[dvdeug]

If you're talking about Visual Basic, then that's hilarious,

What's your obsession with Visual Basic? High level languages go vastly beyond one implemenation from a company that doesn't rate correctness as a very important attribute.

Re:a little short??

[dvdeug]

You have to trust the language to do GC if you're so inclined, which is slow and error-prone.

Error-prone? Any decent GC is not in the least error-prone. True, most of them aren't precise, but the memory leaks that cause problems are the ones that leak and continue to leak, and every decent GC catches those.

Real programmers can manage memory and do it well.

I invite you to run valgrind on some random binaries. I've found that valgrind finds leaks with many programs that in all other ways are good programs. Maybe there are 'real' programmers out there who don't ever make memory leaks in C, but most programs are done by programmers who aren't perfect.

Re:a little short??

[vsprintf]

You didn't read the original posts?

Re:a little short??

hippy! go climb back in your tree.

Re:a little short??

[lazarius]

Damn true, using C for other thing than low-level stuff really is a bad habit
And MUDs :)

I'm actually (re-)implementing a MUD in C++ ... mostly to get rid of junk like if (!str_cmp(...)) ...

... and it may or may not be Open Sourced ... I'm not the owner ... I just code ...

MIKE

Re:a little short??

[axxackall]

C, itself, is a bad habit.

Changing the value of the variable is not less bad habit. It's like goto (changing the address pointer) is bad.

Use Functional Programming instead.

Re:a little short??

[fullpunk]

I think he was saying not learning bad habit from the beginning, so, later, he does not have to un-learn them.

Re:a little short??

Oh, God, another Factory Worker who makes cars with robots. Spare me.

Yes, because it's better to spend weeks and months carefully constructing a Car by hand then to have robots put it together on a production line. Especially if it's going to be used by only three or four hundred people; by God, it's more than worth it to the company for me to spend two or three years on the project (@ $600,000 a year) so those people can drive to another location in a couple of minutes rather than a couple of hours.

It's also better to spend months and years creating a powerful engine and worrying about efficiency and economy, rather then getting a Standard Toyota Engine for the production line. Who cares that the car will be used by some rich brat who will not appreciate the quality; the fact that we shaved off 15 seconds for the quarter mile (and added obscure blinkenlights) is more than worth it!

Actually: Oh, God, another "mechanical engineer" will make me suffer through obscure engine configurations because his Car is so much more macho, and so much more efficent (really wish he understand how to create comfortable rear seats, but he spent so much time on the engine and looks that he can't afford to . Too bad he doesn't use a an efficient production line like we here at Toyota, which has heaps of leg room!)

Dan ...

Re:a little short??

[Bush+Pig]

He _might_ be talking about Ada.

Re:a little short??

[fredrik70]

very true, also, when a program get to a sufficient size. You can run into the uncomfotable position of not *daring* to delete some of your memory allocation since you cannot be sure it's not used elsewhere. shitty design - yes, but I bet you there are many commercial apps out there with this problem.

Re:a little short??

[johnnyb]

Actually, Visual Basic's GUI builder isn't near as nice as Borland's. The choice of language also has nothing to do with whether or not a GUI-builder comes with it. personally, I will use a GUI builder only under the following circumstances:

* I can load the GUI with whatever language it is I'm using on the rest of the project

* The GUI builder DOES NOT WRITE CODE. I will use GLADE only in libglade mode - writing property files is good, writing code is bad.

* The GUI builder actually is faster than writing it by hand

Re:a little short??

Why do the VB apologists always like to use the argument that if you program in C that you have to write everything from scratch? There are nice GUI tools available for C, and lots of language bindings to pick up the other things you might need. And you can run your programs on more platforms than just Windows!

There is nothing worse than the app that was written in VB because it was "quick and easy" (and easier to learn than VC++) that then gets added to and added to until it grows into a god-awful, inefficient code bloat.

If your company takes a longer view, they'll find that it makes far better economical sense to program in a language that will have a future than to go with VB just because the initial learning curve was so short. You'll eventually have to learn a more sophisticated programming language when MS lets VB die on the vine (but VC++ will still be around).

Re:a little short??

[dvdeug]

Why do the VB apologists always like to use the argument that if you program in C that you have to write everything from scratch?

What makes you think I'm a VB apologist?

There are nice GUI tools available for C

That would writing code with a mouse, now wouldn't it? And how many of them honestly integrate with the programming language as smoothly as VB?

And you can run your programs on more platforms than just Windows!

Not likely. Most likely, you plugged Windows GUI code into Windows database code; either way, you're looking at a lot of rewriting. Anyway, for many purposes, who cares? There is a lot of mono-system code out there, including GNOME and KDE, both written in C/C++.

There is nothing worse than the app that was written in VB because it was "quick and easy" (and easier to learn than VC++) that then gets added to and added to until it grows into a god-awful, inefficient code bloat.

No language can prevent you from writing quick and dirty code and it growing into an unholy mess. C's actually good at that; custom memory mangement, poor type checking, random pointers pointing everywhere can all make figuring out what's going on and how to fix it without breaking something else a pain.

You'll eventually have to learn a more sophisticated programming language when MS lets VB die on the vine

Look at how fast ALGOL 60 defeated the primitive FORTRAN. Nope, ALGOL 68 - PL/I? - C? - Ada - C++ - Java? I guess Fortran's still in the running. How about Jovial - it's been twenty years since the DoD replaced Jovial with Ada, and there's still an Air Force office to handle Jovial. Languages don't die until the last programmer and the last program die, and for something like Visual Basic, that's going to be a long time. Microsoft isn't getting rid of Visual Basic until they absolutely have to.

IN THE NATION FORMERLY KNOWN AS THE CCCP

Secure, Efficient and Easy C programs YOU!

Nice little remark, there, michael

"From the oxymorons dept."

Why does Secure, Efficient, and Easy have to be oxymoronic? That they can't exist together? Seems this guy has done just those things...

Seriously, sometimes the snide little remarks from the editors are worse than the trolls and flamebaits.

Re:Nice little remark, there, michael

[jyasskin]

An oxymoron doesn't have to be false. It's just something that sounds contradictory at first, which exactly describes "Secure, Efficient and Easy."

Re:Nice little remark, there, michael

[cubal]

no, no, no, that's a paradox... an oxymoron is two words or ideas juxtaposed that _imply_ contradiction, or that wouldn't normally fit together ("...pretty ugly","Microsoft Works","Military Intelligence")

"Secure, efficient and easy" would at first seem to be impossible, but on closer inspection is not so... that makes it a paradox.

(admittedly, it has oxymoron-like properties, but I think the fact that there are three parts to it rather than two negates that)

Re:Nice little remark, there, michael

[E_elven]

No. Oxymoron is something that contradicts itself ("The empty hallway was bustling with students").

Mirror of HOW-TO in case it gets slashdotted

[CableModemSniper]

1) Use python with C bindings

Re:Mirror of HOW-TO in case it gets slashdotted

[Malc]

Modded insightful! WTF? Perhaps marginally funny, but that isn't a moderation option. What is it with these Python zealots? Do they feel insecure about something? The right tools for the right job, which in many cases means C not Python!

Re:Mirror of HOW-TO in case it gets slashdotted

[CableModemSniper]

I was going for marginally funny. *shrug*

Re:Mirror of HOW-TO in case it gets slashdotted

[Malc]

I wasn't having a go at you, just the moderators. ;)

Re:Mirror of HOW-TO in case it gets slashdotted

No, no it's:

#include <unistd.h>
int main(int argc, char **argv)
{
return system("perl myscript.pl");
}

Re:Mirror of HOW-TO in case it gets slashdotted

Some people couldn't care less about moderation. Most of us are reading at -1. So take that karma and shove it.

Re:Mirror of HOW-TO in case it gets slashdotted

[Mr.+Mikey]

What about doing the same thing with Perl? How does it compare to python when it comes to writing parts of your code in C? Do the advantages of Python outweigh the utility of CPAN?

Voluntary slashdotting

[tuxlove]

It's kind of funny how this guy voluntarily slashdotted himself by submitting an article with a link to his own site, crashing it instantly. :)

Re:Voluntary slashdotting

[rob-fu]

NOTE: This is a temporary location for this document, selected with slashdot people specifically in mind.

I think he already planned for it. Seems to be holding up.

Re:Voluntary slashdotting

[cras]

Well, I didn't link it to original site, but from the look of this so called slashdot effect I think I just as well might have. Come on, I don't see any kind of load at all!

[cras@foo] ~$ ps ax|grep apache|wc -l
60

[cras@foo] ~$ uptime
20:32:54 up 127 days, 10:58, 56 users, load average: 0.23, 0.41, 0.37

Those loads were pretty much the same before slashdotting.

Re:Voluntary slashdotting

I think Slashdotting only really happens to sites with dynamic content or to sites with a topic more people care about. Oh yeah, and also sites that run on a calculator powered by a potato.

Re:Voluntary slashdotting

Blockquoth cras:

20:32:54 up 127 days, 10:58, 56 users, load average: 0.23, 0.41, 0.37

56 users and a load of 0.23? Go trolling elsewhere, asshole!

cras

Re:Voluntary slashdotting

[vsprintf]

The subject will keep most slashbots away. If you had written a howto on securing IE, then you'd get a slashdotting. :)

Re:Voluntary slashdotting

[tuxlove]

Those loads were pretty much the same before slashdotting.

I couldn't even connect 5 minutes after the slashdotting... The system load isn't necessarily related to the bandwidth consumption of your pipe. If the page is static, your pipe is likely to saturate long before the CPU or disk utilization maxes out.

Re:Voluntary slashdotting

I was going to say "Imagine a beowolf cluster of potatoes..."; then I realized it just didn't make any sense.

Unportable?

I found strlcat and strlcpy easily ported - simply toss them in the same .c file and dump it into the makefile!

On a more serious note, why in Bob's name don't these two functions exist, standard, in Linux? IMO, they should be added, and gcc should give deprecation warnings about the use of non-safe buffer handling functions - sprintf, strcat, strcpy, etc. No offense to purists, but screw the standard. I'll sacrifice some portability of software and such for security.

Oh, and on a side note, you may take my malloc() when you pry it from my cold dead fingers. ;) Eh, I suppose we all have a certain way of doing things that we don't wish to part with. (*points at the unsafe buffer people*)

Re:Unportable?

Go back to suckin yo mamas teats and leave programming to the grown-ups.

Re:Unportable?

Un-fucking-belivable. How fuckin' dumb can you (and the assholes who moderated you) get? Let me guess, you have never written any real-world apps.

Re:Unportable?

Let me guess, you have never written any real-world apps.

Why? Because he thinks "sprintf, strcat, strcpy, etc" should be avoided?

Re:Unportable?

[Arandir]

STRLCPY(3) FreeBSD Library Functions Manual STRLCPY(3)

NAME
strlcpy, strlcat - size-bounded string copying and concatenation

LIBRARY
Standard C Library (libc, -lc)

SYNOPSIS
#include <string.h>

size_t
strlcpy(char *dst, const char *src, size_t size);

size_t
strlcat(char *dst, const char *src, size_t size);

Re:Unportable?

Er, it's strncpy() and strncat().

Those have been around for ages and ARE standard on most systems... No porting need... The "l" version is just the same 'ole thing.

Re:Unportable?

[sandman_eh]

linux hasn't got strlcpy. but it has got strncpy,and so have windows and Irix being two other OS's I can check easily.

Unfortunately a quick google for strlcpy() gave me this

Which shows it to better in a number of instances than strncpy() To be portable almost all my apps have this anyway which solves similiar issues to strlcpy.

void my_strncpy(char *s, const char *t, int n){ while((*s++ = *t++) && --n) ; *s = '\0'; }

Re:Unportable?

Wow, if microsoft did that it would be 'evil'. It's ok if linux implements non-standard C.

Re:Unportable?

No no no...
strncpy and strncat do not guarantee to produce a null-terminated string. Instead of overflowing at the strn* call, they return an unterminated string, likely to cause trouble when it next gets used.

The "l" versions guarantee they return null-terminated string.

Re:Unportable?

[thogard]

char buf0[4]="Ok?";
char buf1[4];
char buf2[4]="Hi!";

strncpy(buf1,"Bonk",4);

printf(buf1);

You will usually get either "BonkOk?" or "BonkHi!"

With strlcpy you will get "Bon"

strlcpy will put the null in the last position, strncpy won't if the last spot has a value it in.

That can result in bad code later with:
char other_buf[4];
strcpy(other_buf,buf1); // strcpy is safe because buf is only 4 :-)

Or even:
strncpy(other_buf,buf1,strlen(buf1)); //buf1 is only 4 char

Strncpy isn't much safer than strcpy and gets and scanf are right out for the same reasons.

Re:Unportable?

[e-Motion]

void my_strncpy(char *s, const char *t, int n){ while((*s++ = *t++) && --n) ; *s = '\0'; }

If written

void my_strncpy(char *s, const char *t, int n){ while(n-- && (*s++ = *t++)) ; *s = '\0'; }

Then it will work when n==0, and continue to have the same behavior for all n > 0 as well. I like strlcpy()'s interface better, though, because the "number" parameter is the number of elements in the destination array, whereas my_strncpy takes one less than the number of elements in that array.

Re:Unportable?

Errr... Last time I checked the ANSI standard for C, strncat() guarantees a NUL terminated string. strncpy(), on the other hand, does not. Maybe I'm misunderstanding you, but strcat and strncat have always NUL terminated the string. If a library is not NUL terminating a string from a strcat or strncat call, then they are writing the function incorrectly... so says the ANSI standard.

Maybe I am mistaken as to what you're saying here...

Re:Unportable?

[spitzak]

strncat() does produce a null-terminated string. The problem is that for normal use into a buffer of N characters you have to do strncat(buffer, N-strlen(buffer)-1). People often get this wrong, just passing N or forgetting the -1.

Re:Unportable?

[fredrik70]

do what I do then; always do a:
memset(szbuf, 0, sizeof(szbuf));
before using the string.
then when you use strncpy make sure you always use the length sizeof(szbuf) - 1
guarantees that there always will be a trailing null char in the end

Re:Unportable?

No offense to purists, but screw the standard. I'll sacrifice some portability of software and such for security.

A famous founding father of C reputedly said:

[Those] that can give up portability to obtain a little temporary security deserve neither portable code nor secure code.

Definitely useful

[ttfkam]

in that folks who use C can avoid common pitfalls. But so much of this seems like it has been tackled by C++. Only C++ did it cleaner. C++ is complex though. So this only leaves (horrors) a higher level language that removes all of these implementation details that lead to insecure programs.

Do it in a higher-level language first. Make sure your algorithms are clean and efficient. If and only if you see a performance or resource problem do you rework portions(!!!) in C. As a bonus, the higher level language acts as a code template for faster C development.

Once you are at that point, this Mini-HOWTO will definitely be a great resource to use.

Re:Definitely useful

[oliverthered]

Or, write/find a good C++ framework and don't use C, which kinda makes sense seeing as most C projects are written C++ style

myfunction(mystruct* this,params.....)

Re:Definitely useful

[Kragg]

Wow. This is one of the few genuinely insightful comments I've come across.

Prototyping in a higher-level language (c# is easy, java everyone knows) is a superb idea, provided you
- can release the final product as interpreted, with slow execution speed
- can afford the time to port all to C, in which case DO, this is an excellent way to make a watertight C program
- are happy to learn how to make managed code/vm code call to native and vice-versa (this is far from a trivial problem)

There are apps that fit into all 3 categories, and if your end-result should be a watertight C program, it may even be faster to prototype.

Fight the conventional wisdom! make good code by doing it right, not by being a genius who can hold 4000 variables in his mind over a month-long project (because you aren't one anyway).

Re:Definitely useful

[nzhavok]

I've worked on large projects and this approach has worked just fine. The basic idea is not to write the entire program in the higher level language but rather to use this language as the glue for calls to functions in lower level languages.

As a RL example a project I worked on used TCL as the glue for C TUXEDO services and Oracle. So to adress your points above WRT this project:

1)There were no performance issues in the delivered product, if a part of the code is under performing in the glue language you rewrite it in C and bind to it instead.
2)We did not need to port all the code to C, identify the small portions of code which benefit greatly from a port and port only them. The time saved here is enormous compared to implementing the entire project in C.
3)calling to native code in TCL was trivial, if it's "far from trivial" for you perhaps you chose the wrong language for the glue. A popular language for doing this today is Python, in which it is also straightforward to create bindings for.

Re:Definitely useful

[zome]

-can release the final product as interpreted, with slow execution speed

If you can't, but deadline is near, release the prototype anyway :-)

Re:Definitely useful

[HiThere]

You are just picking the wrong higher level languages. There are much better choices, though which is best depends on your problem.

If you are dealing with highly dynamic data, lots of strings, etc. Start in Python. Then locate bottlenecks and convert those sections to C.

If you are dealing with a large application, that you need to control precisely, start with Ada. You probably won't need C at all, but be prepared for a lot of work. If you need to call libraries written in C, you can do so realtively directly.

If you are dealing with a relatively complex application that needs garbage collection, Eiffel is a good choice. Links to C are easy, once you master them, but links back are... dubious.

If you are dealing with something simple, or if everyone else is using C, then your best choice may be to just use C. (Eiffel can generate C code, but don't expect to be able to read it.)

I don't like C for anything that isn't REALLY simple. But it's a lot better than the language I've ended up using most of the time recently (Visual Basic). (Currently I think I may have managed an escape from MSAccess into Java. [Wouldn't you know it! I need to learn a new language to escape from one of the worst environments on the planet. But Java is the only choice that mgmt. will accept.])

Re:Definitely useful

[Kragg]

I have no experience with Python - I'm withholding judgement till the cheerleaders quiet down a bit and i can find a sensible description of it's strengths and weaknesses (links anyone?).

However, as for GC etc using Eiffel - you say links to C are easy once you master them - same with every other language, including c# and java.

Especially if you're trying to get away from VB, why not use .NET? It may be the beast's but it is still easy and (almost) portable code. And there are a million guides out there on porting VB6 -> VB.NET. Tell mgmt they're wrong.

Re:Definitely useful

[Kragg]

glue != prototype. (in fact, it's E210: invalid type comparison, cannot compare apples and oranges.

Yes, glue languages are designed to interoperate easily, but I defy you to create a full-blown app prototype in TCL.

Go on, let's see it.

Re:Definitely useful

[hobuddy]

ttfkam wrote:
Do it in a higher-level language first. Make sure your algorithms are clean and efficient. If and only if you see a performance or resource problem do you rework portions(!!!) in C. As a bonus, the higher level language acts as a code template for faster C development.

Amen.

Kragg wrote (in his reply to ttfkam):
Prototyping in a higher-level language (c# is easy, java everyone knows) is a superb idea, provided you
- can release the final product as interpreted, with slow execution speed

Most programs spend 90% of their CPU time executing 10% of their code. If that 10% is optimized in a low-level language such as C, a large-scale interpreted program can boast performance that's virtually indistinguishable from an equivalent program written entirely in a low-level langauge. However, there's likely to be a huge difference in programmer productivity.

As a reference, see this Dr. Dobbs article, which states:
""" ... 90 percent of the software's running time occurs in only 10 percent of the code. This is the whole basis for virtual memory: Potentially, a program can run at full speed with only 10 percent of itself--or whatever the working set is--loaded into memory at any given time. Unlike that nasty segment stuff, the programmer does not specify any of this in advance. The operating system "discovers" a program's working set on-the-fly, through page faults.
"""

- can afford the time to port all to C, in which case DO, this is an excellent way to make a watertight C program

Why port 90% of the application's code to a low-level and less productive programming language, when that 90% will inevitably evolve and require maintenance as the program is utilized in unforeseen ways? I've never written a large program that didn't end up having features added incrementally over a long period of time after the initial release.

- are happy to learn how to make managed code/vm code call to native and vice-versa (this is far from a trivial problem)

If it's "far from a trivial problem", you're using the wrong tool.

Take Python, for example: it's simple to interface between Python and C using Python's C API. Recently, a tool named Pyrex has appeared that makes it almost trivial. Pyrex is amazing.

Kragg suggested prototyping in C# or Java, but Python surpasses both of those as a prototyping tool. Python is higher-level than C# or Java (and thus better suited to prototyping and/or malleable fusion with C) because it features:
- dynamic typing ("dynamic", not "weak" like Perl)
- no obession with a particular programming paradigm; use procedural, functional, or OO as appropriate
- high-level data structures built into the language
- more convenient dynamic code loading
- interactive development at a "Python prompt" (the value of this cannot be overestimated)
- no separate compilation step in the edit-test-debug cycle
- more concise syntax
- excellent interface capabilities to C (or C++ via Boost.Python, or Java via Jython)

I suggest that the fusion of a truly high-level (higher than Java-level) language with C is far more broadly applicable than Kragg claims.

Re:Definitely useful

[Dan-DAFC]

- are happy to learn how to make managed code/vm code call to native and vice-versa (this is far from a trivial problem)

Fairly straightforward, spent some time doing just that this week, a couple of little gotchas but fairly painless overall (though personally I'd have rewritten the native part in Java, given the problem at hand).

Re:Definitely useful

[MisterFancypants]

are happy to learn how to make managed code/vm code call to native and vice-versa (this is far from a trivial problem)

I'd have to disagree and say that making managed code interact with native code and vice-versa is VERY easy with .Net, using PInvoke, COM and/or Managed C++ API wrappers. With Java/JNI, things are a little bit less trivial, but still not the major undertaking you imply.

Re:Definitely useful

C++ is complex though.

Yes, it is. So complex in fact that until recently there were no compilers for it.

Fortunately though, there's no law that you have to use the entire language, so it's a non-issue.

Re:Definitely useful

[kfg]

"Fight the conventional wisdom! make good code by doing it right, not by being a genius who can hold 4000 variables in his mind over a month-long project (because you aren't one anyway)."

The hell I'm not! ( Not as good as my father though, who had a true photographic memeory, scan a book and read it back from the "image" in his mind at a later date. Very annoying to mere mortals)

But this is irrellevant ( and how a relevant got into my pajamas I'll never know). The point is that anyone *else* who is ever going to look at your code can't be expected to spend weeks just figuring the bloody mess out. Write tight code and comment well and comment often.

*Assume* that someone else will be responsible for maintaining your work and treat them decently.

KFG

Re:Definitely useful

[nzhavok]

TCL was originally designed to have a minimal syntax which was to be extended with custom bindings for a program. It is by it's nature a "glue" language, and I don't see how means the language can't be used for prototyping. In the way we used it it had bindings only for Oracle exec/selects and TUXEDO RPCs/FML buffers, nothing else. The rest of the app was built entirely in TCL and it works well as, is as fast as, and has much fewer defects than existing similar services written in C despite being developed by a more junior team with no experience in the project area.

Your examples of prototyping languages were c# and java however my idea of prototyping languages are TCL or Python. I worked with java for years and you can develop some stuff quickly, but it's not a protyping language IMO. Python on the other hand seems quite good for prototyping, for instance you can write a threaded/forked/multiplexed chat server in about 10 lines of code, and it is suitable for building full apps without binding C code (although you may want to do this for speed reasons).

I should qualify this by saying I am a C programmer profesionally, and don't have a problem doing it if thats what I'm payed for, I love C and every programmer should know it. If I have a choice I will program in Python because it's easily about 5 times quicker to develop in than C and I don't like to waste my time. I also like Java but don't see much use for it beyond EJB systems. I think the only advantage Java has is that it can be used for clients, servers, servlets, JSPs and EJBs. Management like it because they wrongly think (and the hype promotes the image) of their Java programmers as a pool resource who can be moved between these areas seemlessly.

Re:Definitely useful

I just killed the last Python project here. Can't find coders and things had to be rewritten a few times to keep up with the curren system. Plus we have to restart Zope everytime its admin goes on vacation. I'm used to things running for years without intervention. Its a computer, its suppoed to just work.

Re:Definitely useful

Prototyping in C++ is only valid in cases where C++ is allowed. For embedded systems, the most common language is still C and assembly rather than C++. Also, many embedded systems use static arrays rather than malloc.

FYI, when I refer to embedded systems, I mean 512 Kbytes, NOT 32 Megabytes of memory.

Re:Definitely useful

[The+Madpostal+Worker]

glue != prototype. (in fact, it's E210: invalid type comparison, cannot compare apples and oranges.

I'm tired of this constant discrimination against the citrus fuits. One of these days the people will get up and say "I'm tired of people thinking that oranges aren't good enough for comparison." They'll say "I can compare apples and oranges". They'll run to the windows and say "This orange is much yellower than this apple". People will be running through the streets screaming "This apple is much more smooth than this orange."

And then my group(The People for the Ethical treatment of Cirtrus (PETC)) will be happy.

Re:Definitely useful

[hobuddy]

Don't confuse Zope with Python. That's like condemning C because Windows 3.0 is written in it. Zope is a bloated monstrosity that happens to be written in Python; Python itself is an elegant gem.

Re:Definitely useful

[speedplane]

>This is the whole basis for virtual memory It is a very good use of virtual memory but probably one of its most important is to deny programs access to operating system, device and physical memory. If there was no virtual memory than any program can access all of the RAM and cause some real problems. This is all pointless however because I'm sure you can do this even with virtual memory.

Re:Definitely useful

[Hezaurus]

Kragg wrote: - can release the final product as interpreted, with slow execution speed

Hmmm... goto the http://www.bagley.org/~doug/shootout/bench/heapsor t/ - you'll see that the gcc version is about 8 times faster. Now, get the sources and compile them yourself. Run three to five times to let the system stabilize then write the timings down. This is what you get:

gcc with O6 (heavy optimizations) is almost 20% faster than the equivalent java code! Yet the author of those pages reports that the difference is more like 800%?! BTW: I tried that with three different VM's the best was IBM's 1.4.0, second one JRockit's 1.4 beta and the last Sun's 1.4.1 (each about 5% slower than the previous) the java code was run with '-server' the platform (linux/windows) didn't have any significant effect on the results.

You are free to draw your own conclusions.

Re:Definitely useful

[johnnyb]

I love Python, and have recently started using it a bit. Here are my thoughts:

weaknesses:

*third-party libraries not as mature as, say, Perl's (I LOVE CPAN!)

*regular expressions not a language feature, but a library. Also, regexps differ dramatically from Python version to Python version

*scoping rules a bit awkward at first

strengths:
*Supports objects directly

*late-bound, and therefore do not need to specifically define interface classes (although they are still useful for documentation)

*supports lexical closures (how does anyone in the world code sensibly without them?) - very useful for GUI callbacks. This takes away a huge chunk of work

*Very simple

*XML libraries are very nice indeed

*excellent COM integration on Microsoft platforms (you can manipulate COM objects interactively in a Python session - very useful!)

*on Microsoft platforms, py2exe will build whole application and runtime environment into an executable and a few DLLs.

*Supports the "Generator" concept (new in Python 2.1)

*Supports bound methods (this can be done on any language supporting closures, it's just easier with direct bound-method support)

Basically, Python takes many of the excellent ideas in several languages - Lisp, Smalltalk, and Perl, and combines them into a simple, easy-to-remember language. The only difficulty I've had with python are remember it's scoping rules and dealing with regex compatibility between versions.

Re:Definitely useful

[HiThere]

.NET? I've heard some interesting things about it in the last week. Seems to me that it isn't ready to be serious yet. Irrelevant, however. I switched to Java because that was what mgmt. would accept. They wouldn't accept anything else.

Java seems "not that bad", especially if I compare it to C++. OTOH, it's not any more efficient than Python, but it does have a large library of portable gui classes. That's a definite plus. It means that sometime in the future I might be able to really break free of windows. (Actually, I'm doing the development on Linux, but the target environment currently has to be windows.)

Re:Definitely useful

[suitti]

Most programs spend 90% of their CPU time executing 10% of their code.

I've gotten a chance to rewrite several Perl programs in C, and compared performance. On real CGI programs, the C version has outperformed Perl by a factor of 20 or 30. For longer running programs and CPU benchmarks, I'm seeing factors between 300 and 1,000. Perl is not that good for computational tasks.

One of the apps I rewrote was originally written in Perl to take advantage of Perl's hashes. The C code was 300 times faster.

So, some math. If you rewrite 10% of the app and 90% the time it takes dissappears, you are still left with the 10%. You've gained 10x of perhaps 1000x possible. There may still be 100x to go.

Taking a 1000x hit brings modern CPU performance down to 1980's Vax 11/780 performance. That level of performance was all we had, but it was mostly acceptable. It still is. My strategy has generally been to (re)write those things that need it, rather than just parts of those things. Multiple language maintenance is generally harder than any one single language maintenance.

The above may sound like Perl bashing. But, most of my code these days is written in Perl. It's most often the tool for the job.

data stacks

[larry+bagina]

What I haven't yet seen used anywhere outside my own software and some programming languages internals (eg. calling Perl code from C), is using data stack for temporary memory allocations. It has the most important advantage of garbage collectors; allocate memory without worrying about freeing it. It also has a few gotchas, but I'd say it's advantages are well worth it.

The way it works is simply letting the programmer define the stack frames. All memory allocated within the frame are freed at once when the frame ends. This works best with programs running in some event loop so you don't have to worry about the stack frames too much. Here's an example program:

That sounds a little like the NSAutoReleasePool in Cocoa/OpenStep. Objects use reference counting, when the count reaches 0, they deallocate themselves. When an object is created, it can get added to the most recent pool. When the pool is deleted, it decrements the reference count of all the objects within it, causing deallocation unless it needs to be kept around longer.

Re:data stacks

[Handyman]

I've seen an especially nice version of these dynamic stack frames in Cyclone. For those of you who don't know it, Cyclone is kind of a type-safe, pointer-safe version of C, mixed with some good features found in languages like ML. It takes only simple transformations to compile C code as Cyclone (mostly having to do with minor pointer syntax differences).

Cyclone has region-based memory protection, which means that you can't do stuff like return pointers to local variables etc. because it statically checks the pointer lifetime using region tags that are part of the pointer type. Example: you can have a pointer-to-memory-belonging-to-region-foo, where foo is a function or some other static scope, (written sometype * `foo, although the default region tag is usually correct, then it's just sometype *) which can point to heap memory because that's garbage-collected and guaranteed to live at least as long as function foo's memory, but you can't have a pointer-to-memory-belonging-to-region-Heap pointing to a variable on the local stack: if you have a local variable x and take the address, the type of that is pointer-to-memory-in-region-foo, and that type is not allowed to be cast to pointer-to-memory-in-region-Heap because foo's memory doesn't necessarily live as long as Heap does.

They combined this region-based mechanism with dynamic "stack frames": You can open a dynamic region to open up a new "stack frame" or separate heap of memory bound to a scope in the program, so when an exception is thrown or when you exit the scope the memory is automatically deallocated. The good thing is, you can't go wrong, because the region-based pointer lifetime checking will prohibit you from casting a pointer into that specific region to a pointer into a region with a longer lifetime, so you will never have dangling pointers into such a dynamic region: you will get a compile-time error when you attempt to do this.

Re:data stacks

[Luminous+Coward]

What I haven't yet seen used anywhere outside my own software and some programming languages internals (e.g. calling Perl code from C), is using data stack for temporary memory allocations. It has the most important advantage of garbage collectors: allocate memory without worrying about freeing it. It also has a few gotchas, but I'd say its advantages are well worth it.

Isn't that what alloca(3) was designed for?

Dump Stacks...

when it just won't flush. Just don't get me started about overflow.

--this post has caused an invalid page fault--

Hey Eric Krout

FUCK YOU

My name is Bond, Troll Bond.

Slashdot [slashdot.org]

What do I think?

Dunno, like any other good Slashdotter I reply before reading anything.

It's a Sunday morning; So don't criticize.

[dagg]

I'm not a writer and I'm not too good at english, so sorry about all the spelling and grammar errors :) All of this stuff was written at sunday morning, tired after being awake the whole night and not being able to do anything useful...

I'm going to start putting that at the end of everything I write so that people can't criticize anything I do. As a matter of fact... I think I'll only write on Sunday mornings after not sleeping the night before. It seems like it's always Sunday morning anyways.

--
Your sex on a Sunday Morning

Re:It's a Sunday morning; So don't criticize.

I hope it replaces your bitch-ass signature.

Re:It's a Sunday morning; So don't criticize.

May I suggest the following?

I'm not funny and I'm not insightful, so sorry about all the spamming and karma whores :) All of my posts were written to sell ads, tired after writing fake sigs the whole night and not being able to say anything useful...

cras, why you choose C ?

cras, why did you choose to write the IMAP server in C ? You mentioned OCaml in passing in the article; would that have worked ?

Re:cras, why you choose C ?

The problem with OCaml was performance. C code is faster than its OCaml equivalent by a factor of 4.

cras

Re:cras, why you choose C ?

[cras]

I actually like C. And a lot of people want to use only C code. Writing IMAP server with any other language would quite likely have gotten only a couple of users. But that wasn't really the reason. C is currently pretty much the only language I'm quite good at. My OCaml studies are only beginning.

Re:cras, why you choose C ?

Who are you?

cras

Re:cras, why you choose C ?

That seems reasonable. I'm assuming you are the cras that wrote the article and not the anonymous cras. The comment that "C code is faster than its OCaml equivalent by a factor of 4" (by the anonymous cras) was pretty inane.

Re:cras, why you choose C ?

[dead_penguin]

And a lot of people want to use only C code. Writing IMAP server with any other language would quite likely have gotten only a couple of users.

Sorry, but I don't understand how this can really be true, unless you really meant developers instead of users.

When looking for a piece of software, I'd really only consider questions such as "Does it run on my target platform?", "Does it have the set of features I need?", "Is it stable?", and "How much will it cost me (in time and money)?". Performance is, of course, another issue I'd be interested in (I'd probably group this in with features).

While the choice of language can influence all of these in one way or another, I seriously doubt most users are interested in *how* their criteria are met as long as they are.

Re:cras, why you choose C ?

[ttfkam]

Don't forget "secure." C allows no protection from buffer overflows and other sundry security holes. Is it possible to code safely in C? Sure, but 99% of all existing C coders cannot.

An IMAP server is an example of a widely available network service. Even if the IMAP server is slower because it was written in Python, you have a dramatically lower chance of opening up a remote root exploit.

It all falls on where your priorities lie. I'd say that programmers these days should err on the side of safety for the sake of their users and not on squeezing the last bit of speed out of an implementation detail (choice of language).

It's a start...

[LucidityZero]

I gave it a quick read, and it's a good start. Most important thing is to keep working on it. There are already so many problems with people that never take the time to learn how to code securely, you don't want people stopping by, reading only what you have, and thinking they can now pump out error-proof code. And that is exactly what will happen if you leave just that part up.
Not attacking you, I really do think it's great work so far. Make sure you do the world justice, however, and continue to work on the project.

Maybe being in the business world

[PaddyM]

But I can't follow this HOWTO very well. Does he have a global variable stored in the file with t_push and t_pop so that t_sprintf can use that variable? But if he has a global variable, than all he's really doing is allocating the maximum amount of memory his program will ever need at the beginning, and managing his memory.

Perhaps working until 4 in the morning on C code has drained my ability to understand.

Re:Maybe being in the business world

[cras]

Think about stack and how that works. t_push() and t_pop() basically create and destroy a stack frame, just like your control stack does at the beginning and end of function. So sure it needs to use some global memory for it (not in global variable though), just like control stack does. t_sprintf() simply returns a pointer inside the stack frame.

Re:Maybe being in the business world

>Think about stack and how that works

Exactly. And what do you do in the case of a stack overflow? :) Try "allocating" about 16 megs and tell us what your program does...

Mr. Bond

I expect you to die.

masochist

[mike77]

Feeling a bit of masochist today...

You must be to ask slashdot's opinion of your toils!

Is this news?

[mthed]

Some guy spent a couple of hours writing a first draft of a Howto. Thanks Slashdot, I'm sure glad you didn't let this one slip through the cracks! Besides, who cares about these kludgy ways of handling memory. If you don't wan't to worry about memory allocation use C# or java or something. Otherwise, stop eating quiche and write solid code.

Re:Is this news?

[onemorehour]

No, it's not news, but it seems to have sparked an insightful discussion of different aspects of coding in C.

I think less than half of the value of the average Slashdot article is the content of the article itself...

stack allocation??

[hanwen]

(yawn)

it starts off with denouncing GC as oldfashioned, and then proceeds to tout stack-based allocation, which has been available for ages as the alloca() function (which also has portability problems.)

imho, you should use the Boehm Garbage collector, unless you have code that must be guaranteed to be free of space leaks.

Re:stack allocation??

[cras]

it starts off with denouncing GC as oldfashioned, and then proceeds to tout stack-based allocation, which has been available for ages as the alloca() function (which also has portability problems.)

It does? I wonder what you've been reading then. To me it looks very much like I'm saying that the GC would be the best way to manage memory, except if it wasn't so crappy to use with C. Boehm GC can't do much with C. For example OCaml's GC does a lot better and that's simply not possible to do with C unless you wrote your whole program in very special way.

Re:stack allocation??

[p3d0]

Boehm GC can't do much with C.

What does this mean? Have you used the Boehm GC? You may be interested to look into so-called conservative garbage collection, a technique that works quite well with C.

No offence intended, but you definitely need to have some knowledge of conservative GC before you write a C memory management HOWTO.

Re:stack allocation??

[hanwen]

To me it looks very much like I'm saying that the GC would be the best way to manage memory, except if it wasn't so crappy to use with C. Boehm GC can't do much with C.

BGC recollects non-live objects in memory. It does so very efficiently: it's efficiency is comparable with malloc(). To top that, you can add finalization procedures to objects (more or less analogous to C++ destructors) that are called when an object is cleaned up.

Reclaiming dead objects is what GC is for. If you claim BGC can't do much with C, then you have a different definition of GC than I have. Please be more specific: where is BGC lacking, eg. as opposed to stack based memory allocation?

Re:stack allocation??

[PissingInTheWind]

Boehm GC can't do much with C.

I find it somewhat ironic that you make claims like that, and that you write a memory management HOWTO at the same time.

But eh, keep hacking at that square wheel.

Re:stack allocation??

[cras]

BGC recollects non-live objects in memory. It does so very efficiently: it's efficiency is comparable with malloc().

Exactly. Which is not good enough.

Reclaiming dead objects is what GC is for. If you claim BGC can't do much with C, then you have a different definition of GC than I have. Please be more specific: where is BGC lacking, eg. as opposed to stack based memory allocation?

It leaves the memory scattered all around. Yes, malloc()+free() does exactly the same. Stack based doesn't. Sure, that may not be such a big deal and malloc() implementations have gotten better these days but it still doesn't beat data stack in speed and produces some fragmentation vs none with data stack. Those may not matter to you of course, but it's still a point to data stack.

OCaml's GC can move data around, packing long-living data together to reduce fragmentation. That's how a good GC implementation would work. But that's not happening with C since moving data around has too many side effects to handle.

Re:stack allocation??

[hanwen]

it's efficiency is comparable with malloc().

Exactly. Which is not good enough.

Not good enough? That is a blanket statement. Unless you have specific needs, and have actually measured that heap fragmentation is a significant cost, your home-brew non-thread-safe memory allocation mechanism will cost you more, since it restricts your programming style, and leaves you responsible for maintaining the memory allocation code.

But that's not happening with C since moving data around has too many side effects to handle.

Again, a blanket statement. There actually exists a conservative generational copying GC (Bartlett's mostly copying GC) algorithm that could be used for GC-ing C data. You would have to tell the GC the layout of your data structures. That is quite restrictive, but then again, the stack operations that you introduce are also restrictive, and only work for specific allocation patterns.

Anyway, if you have repeated stack-based allocation patterns that must really be efficient, I would suggest to move the allocation outside the loop, so it only has to be done once.

Re:stack allocation??

[cras]

Well, I'm getting a bit tired of arguing. Even it the speed didn't matter at all, there's still the point that you can't create easily usable GC with C portably. And I don't feel restricted at all with the data stack. Yes, it's a bit more restrictive when comparing to fully automatic GC, but still much less PITA than having to free() the memory which everyone else are doing.

I don't care about speed that much. Portability is one however which I really do care about and I'd hate to depend on requiring an implementation of GC for some specific platform I intend to use.

Telling GC about all your structures sounds much more difficult and error-prone to me than my simple data stack.

Re:stack allocation??

[dvdeug]

you should use the Boehm Garbage collector

I once ran a program over my mp3 collection; it was using 400 MB of memory by the time I killed it. I poked around in the code; turns out there was absolutely no attempt to deallocate the memory. I tried two things - first, plugging in the Boehm-Weiser GC, and then switching malloc to alloc (since it looked like the memory usage was function local.) The latter ran four times faster.

You Forgot:

[asv108]

You forgot to add the obligatory "in XX days" or "XX hours" to your title. So a better title for this story would be:

"Secure, Efficient and Easy C programming in 24hrs"

Re:You Forgot:

[webprogrammer]

Amazing!

Doing so would allow him to achieve the holy-grail of stable-writing: an omega ratio greater than 1!

For those not in the know: the omega ratio is the ratio between the time it takes a reader to read it and the time it took you to write it. Normal values are .01, .001, etc. Assuming it took him 3 hours to write this "first in the morning", anything with 'Secure, Efficient and Easy C programming in {R > 3}' will result in an omega value greater than 1!

Astounding!

2 Out of 3?

[Eros]

Secure, Efficient and Easy C Programming Mini-HOWTO

Was anybody else thinking the next line was going to say . . .

Pick any two.

Re:2 Out of 3?

I certainly was... When I wrote that comment NEARLY AN HOUR BEFORE YOURS!!

strncat/strncpy are *NOT* intuitive

[Alejo]

Did you really read the strncpy and strncat manpages?
To both zero-terminate and check for truncation is arcane, that's why the OpenBSD ppl made strlcat and strlcpy in the first place.
There are already other secure programming faqs, though AFAIR, they suck too. If I were you, I'd put a HUGE disclaimer to take this page as work-in-progress.
(before flaming, write down the correct code to check for truncation for both funcs)

Re:strncat/strncpy are *NOT* intuitive

[cras]

Sorry, your comment makes absolutely no sense. You saying exactly the same as I did.

I read the FAQ, but

[notlameness]

I read the FAQ but can not program any better than before. is something wrong with me or is I just dumn ?

Re:I read the FAQ, but

[napoleonin]

"or is I just dumn"

We've seen your spelling, so I'm gonna go with the second option on this one...

Re:I read the FAQ, but

[notlameness]

As opposed to your delusions of grandeur or status as a long dead French short man.

Re:I read the FAQ, but

Or your own as (apparently) something not of the "lameness" persuasion. "You just dumn. The trusting us."

OMFG.. Imagine?

[Zone-MR]

No "Imagine a beawolf cluster of these C minifaq" obligatory 'jokes' yet?

Im dissapointed...

Re:OMFG.. Imagine?

Imagine a Beowulf cluster of idiots and kiddies. Oh yeah, they call it slashdot.

Devils' Advocate

[windex]

Okay, let's preface. This guy has a good idea in the memory allocation department.

Problem 1:

It's not easy, nor fast to write. Errors are severe if present and undetected. Code required to be reliable might not be a good place to test this allocation method.

Problem 2:

I'm not entirely sure these concepts are very portible outside of GCC. May not be a big deal to most, but uh, multiplatform code is required in some enviroments.

Problem 3:

Any speed increase without massive resource wasting is pure dumb luck during heavy usage, unless used in an application that takes little user input or has limits on the ammount of input.

Just my $0.02.

Re:Devils' Advocate

[cras]

It's not easy, nor fast to write. Errors are severe if present and undetected. Code required to be reliable might not be a good place to test this allocation method.

It probably isn't good idea to replace existing code with any of this. But new code is much easier to write using those ideas. And there's already free MIT licenced and tested implementations which you can download.

I'm not entirely sure these concepts are very portible outside of GCC. May not be a big deal to most, but uh, multiplatform code is required in some enviroments.

All concepts are fully ANSI-C compatible.

Any speed increase without massive resource wasting is pure dumb luck during heavy usage, unless used in an application that takes little user input or has limits on the ammount of input.

I don't really get this. Speed increasing requires massive resource wasting? Isn't that exactly the opposite of what should happen? With large user input you have to store the data somewhere in any case, it doesn't matter where and using what way. My "performance" point was mostly against malloc()+free().

Re:Devils' Advocate

[spitzak]

You may be thinking like I did at first that he was advocating some trick with the stack pointers. That is wrong, he is advocating quite portable code that allocates a *different* "stack" in a block of memory and then uses normal pointers to allocate portions of that. It is not GCC specific.

+1 Insightful

[SweetAndSourJesus]

It's that way everywhere else, too.

I still have yet to write a single useful C program that I couldn't have done in Perl.

Re:+1 Insightful

I guess you have never written a sngle useful program ever then. Perl is for idiots who think regexps can solve all problems. And Larry Wall is a fuckin' idiot.

Re:+1 Insightful

I have yet to write a single useful Perl program I couldn't do in C. I have yet to write a C application I couldn't do in Java. I have yet to write a Perl program I couldn't do in 68K assembler. So what?

Re:+1 Insightful

[Twirlip+of+the+Mists]

Perl is for idiots who think regexps can solve all problems.

s/idiots/wise souls/
s/think/know/

Problem solved.

Re:+1 Insightful

Twirlip, you are a fucking twit. I find your posts nothing but aggravating, misinformed and naive. I would recommend you do us all a favour and jump off a bridge or tall structure.

Re:+1 Insightful

do us all a favour

favour? favour? what are you, the fucking queen or something? god save this, you crusty old bitch.

Re:+1 Insightful

[Twirlip+of+the+Mists]

Since when do personal attacks get moderated "insightful?" Somebody throw this guy a "-1, flamebait" please.

Re:+1 Insightful

Really. Get back to me when you've written a realtime raytracing program in Perl.

Re:+1 Insightful

[Twirlip+of+the+Mists]

Since when do personal attacks get moderated "insightful?" Somebody throw this guy a "-1,
flamebait" please.

(time passes...)

Moderation Totals: Flamebait=1, Insightful=1, Total=2.

Thank you. ;-)

Re:+1 Insightful

[vsprintf]

I still have yet to write a single useful C program that I couldn't have done in Perl.

Well, yeah, you can do the same thing as C code in Perl more slowly and less efficiently. Conversely, Perl is my language of choice for some tasks. The right tool for the right job. You obviously don't do any systems programming.

Re:+1 Insightful

[zm]

Write me a TCP/IP stack in perl, make it run as fast and as reliable as the C based one, and I'll convert to perl.

zm

Re:+1 Insightful

[vsprintf]

LOL. Normally, I wouldn't respond to an AC post, but I thought it was FUNNY, not flamebait. Well, okay, maybe both.

Re:+1 Insightful

And what is the perl interpreter written in again?

well...

These are common tricks

[pclminion]

It's a good start at a HOWTO, but needs some serious fleshing out. These are common tricks that most serious, experienced C programmers have in their bag.

Some of my personal favorites include:

• Exceptions in C. You can get quite natural-looking exception handling in C, with some convoluted macros. I'm sure most hardcore C coders have come up with their own implementations. Many security bugs happen in parts of the code that handle errors, precisely because errors are rare, and those parts of the code don't get tested well. Using a unified, exception-driven approach to error handling can cut down the risks. IF you do it right.
• The alloca() function. This allocates memory directly off the stack, which is freed when the function returns. Very useful for cases where you want a stack buffer but aren't sure how big it needs to be. Like any other stack buffer, you need to take care not to overflow it. There are portability concerns with this function, but it can still be useful.
• Variable-sized block-chained allocators, which pull chunks of memory out of preallocated segments. The segments are chained together in a linked list. Very effective when you need to make a lot of variable-sized allocations, and do it fast, dammit. It also makes freeing the allocated memory blazingly fast, although it's a "free all or none" approach.
• "Hardened" allocators, which allocate blocks in multiples of the page size, and set memory protections in such a way that buffer overruns cause crashes. This is the easiest way to prevent ANY kind of buffer overrun vulnerability, but wastes memory. See Electric Fence.

Look people.. It takes a keen eye and major discipline to write secure C code. It is not impossible. You have to get in the habit of subconsciously checking yourself at EVERY turn. "Am I accessing a stack variable? Am I doing it CORRECTLY?"

DISCIPLINE, DISCPLINE, DISCIPLINE. I fully expect to see the usual barrage of comments to the tune of: "C is outdated, insecure, brittle, yadda yadda..." No. Some PROGRAMMERS are "outdated, insecure, and brittle."

The C language doesn't write bugs. Programmers write bugs. If the programmer can't handle C, then take it away from him. But don't try to take it away from ME.

Re:These are common tricks

[cras]

The alloca() function. This allocates memory directly off the stack, which is freed when the function returns. Very useful for cases where you want a stack buffer but aren't sure how big it needs to be. Like any other stack buffer, you need to take care not to overflow it. There are portability concerns with this function, but it can still be useful.

This is what my "data stack" is trying to fix and do it fully portably. And alloca() still can't be used to allocate return values from it, which I think is the most useful feature gained by using data stack. I don't know about you, but I use a lot of functions that need to return dynamically allocated memory.

Look people.. It takes a keen eye and major discipline to write secure C code. It is not impossible. You have to get in the habit of subconsciously checking yourself at EVERY turn. "Am I accessing a stack variable? Am I doing it CORRECTLY?"

Yeah. That's how most people do that (and most fail). I prefer to use functions that I know are safe to use without excessive thinking.

Re:These are common tricks

[pclminion]

This is what my "data stack" is trying to fix and do it fully portably. And alloca() still can't be used to allocate return values from it, which I think is the most useful feature gained by using data stack. I don't know about you, but I use a lot of functions that need to return dynamically allocated memory.

I'm not seeing the difference between your data stack and a memory pool, except that you can divide it into frames which you can collectively pop off, and free entire contexts at once. But by making the data stack independent of the call stack, you introduce the possibility of the two getting out of sync. A context frame should probably always map to a single function invocation. Or to put it another way, a data frame pushed in a particular function call should always be popped by that same function call. And that kind of defeats the purpose of being able to return stack-allocated data UP the call stack.

In contrast alloca() is a simple manipulation of the hardware stack pointer, which will be automatically undone by the hardware itself at the end of the call frame (on any sane architecture, that is). There's no possiblity for abuse.

Any strlcat(), strlcpy(), etc. don't solve the underlying problem in all string operations, which is making sure you always have enough room. They prevent overflows, but they can still truncate data without you realizing it's happened. Unless you check first. See my other comment.

Re:These are common tricks

[cras]

I'm not seeing the difference between your data stack and a memory pool,

You could think of it that way if you wanted. I actually called them "temporary memory pools" before learning it had an existing name.

A context frame should probably always map to a single function invocation. Or to put it another way, a data frame pushed in a particular function call should always be popped by that same function call. And that kind of defeats the purpose of being able to return stack-allocated data UP the call stack.

Yes, but there's no need to create a new frame for each function call. You may not need to create more than one frame in the entire program if you know you're not allocating too much memory out of it. That's what makes it better than alloca(). You can do for example:

t_push(); ret = alloc_some_data_from_stack(); /* do stuff with ret */ t_pop();

All very simple. Sure there's still possibility breakages but they're not very common, and you know when you're doing it wrong. Simply forgetting a t_pop() call will be noticed at the bottom level t_pop() which would kill the program then - nothing got overflown but it might have allocated memory excessively.

In contrast alloca() is a simple manipulation of the hardware stack pointer, which will be automatically undone by the hardware itself at the end of the call frame (on any sane architecture, that is). There's no possiblity for abuse.

alloca() simply doesn't do what I want. I want to return dynamically allocated memory from functions without worrying about freeing it. Data stack and GC are the only possibilities for that.

Any strlcat(), strlcpy(), etc. don't solve the underlying problem in all string operations, which is making sure you always have enough room.

I'm not propsing strlcpy() either. I only mentioned them as being much better than strncpy/strncat which they definitely are. I've never used them though.

Re:These are common tricks

[hawkestein]

DISCIPLINE, DISCPLINE, DISCIPLINE. I fully expect to see the usual barrage of comments to the tune of: "C is outdated, insecure, brittle, yadda yadda..." No. Some PROGRAMMERS are "outdated, insecure, and brittle."

The moral is to always use the right tool for the right job. You wouldn't use a chainsaw to do heart surgery and you wouldn't fly a 747 to travel 30 miles.

C is really good at certain things, but writing secure code isn't really one of them: meaning that you have to go through some extra effort to ensure your C code is secure. If you can solve your problem in another language with less effort and that language meets all your requirements (speed, memory use, portability, whatever else), then why pick C in that case? Not every application requires maximum speed or easy bit twiddling.

The C language doesn't write bugs. Programmers write bugs. If the programmer can't handle C, then take it away from him. But don't try to take it away from ME.

Nobody's advocating take C away. But you shouldn't be slavishly devoted to it as the One True Language. You should choose the language that will allow you to solve your problem with the minimum amount of effort, taking into account whatever constraints are relevant.

Re:These are common tricks

[Tim+Browse]

Variable-sized block-chained allocators, which pull chunks of memory out of preallocated segments. The segments are chained together in a linked list. Very effective when you need to make a lot of variable-sized allocations, and do it fast, dammit. It also makes freeing the allocated memory blazingly fast, although it's a "free all or none" approach.

Not necessarily - depends how you implement it. For example, the SmartHeap library would use fixed size allocators for common small block sizes that worked in pretty much O(1) time (they just popped an item off the head of a list). This was used as a GP replacement for normal malloc/free libs. When you free a block, it just gets put on the head of the list.

Tim

Re:These are common tricks

[dvdeug]

Programmers write bugs. If the programmer can't handle C, then take it away from him. But don't try to take it away from ME.

And the best and the worst write security bugs in C. How many times has an innocent program, written by very good programmers, had a string buffer overflow? Way too many.

Re:These are common tricks

[loconet]

"The C language doesn't write bugs. Programmers write bugs. If the programmer can't handle C, then take it away from him. But don't try to take it away from ME."

Simply beautiful ..

Bad implementation of a heap...

[lkaos]

See HeapAlloc and friends in Win32 for proper implementation.

At any rate, there are better ways to make sure one never leaks memory problems:

1) always set a freed pointer to 0. Most architectures have a predictable behavior in dereferencing a 0 (throws an exceptions).

2) Limit all malloc/free pairs to the same function. If a function just has to allocate and return some buffer, give it a meaningful name to that effect and all a corresponding free version. Then, you can follow the above rule.

3) assert()s are your friend. Use them religiously. They can always be shut off.

4) Use memory tracking software (purify) before ship.

Yes, it's easier to shoot yourself in the foot with C, but you'll gain a huge performance increase. It's all about using the right tool for the right job.

Re:Bad implementation of a heap...

[muleboy]

Is purify available for Linux?
Use Valgrind

Re:Bad implementation of a heap...

[spectecjr]

Is purify available for Linux?

Probably not, but I'm sure the open source community can come up with their own version given a few years and a copy of the original.

Simon

(Oh, I'm sorry... was that bitter and cynical? My mistake)

Re:Bad implementation of a heap...

oh yea? well your favourite OS sucks.

Re:Bad implementation of a heap...

[LizardKing]

Is purify available for Linux?

Probably not, but I'm sure the open source community can come up with their own version given a few years and a copy of the original.

Check out valgrind. It gives far more useful information than purify and doesn't cost an arm and a leg. It also took far less than a few years to write.

Chris

Re:Bad implementation of a heap...

[lkaos]

http://www.rational.com/products/pqc/pplus_lx.jsp

I would happy

If someone wrote a compiler to compile this shit

/* Shit.c, If this compiles, then thanks for writting a shitty compiler */
#include <stdio.h>
#define shitty code
int(main)
{printf("shitty code")}

visual basic

why not just use visual basic?

say what you want about it, you don't have to use stupid hacks to avoid buffer overflows.

Re:visual basic

Well, VB isn't portable, although those stupid Lunix whiners could always just use it under Wine seeing as the portions of the API used by VB6 are so static.

Re:visual basic

[Goalie_Ca]

because visual basic, is slow, weak, and only for windows. It is easy to code for though.

Re:visual basic

Visual basic is far far better day to day than C and you're far less likely to make a mistake and end up with a bug (unless you do zero testing). It has a reputation for being slow and producing apps that look like crap because it's so easy to use, meaning anyone can (and does) use it. However if you know what you are doing then you can produce some nice stuff with it.

Re:visual basic

Slower program over emulation? Don't see the problem with that?

As a lib and/or in general programming tutorials

[Mas3]

This looks like a good idea for a lib (or more) that covers those issues. It might be already exists, but it's not very well known. (To beginners)

The other problem is that security issues usually aren't mentioned in general programming tutorials (and books).
If beginners would be pointed to techniques like this (with explanations why) lots of typical mistakes would not happens.

--
Stefan

Looking for Developers, new project members, testers or help? Want to provide your abilities ?
DevCounter ( http://devcounter.berlios.de/ )
An open, free & independent developer pool.

Because

He thinks standards should be thrown out.

C++ can do this, and it'll look cleaner

[ademko]

First off, C++ objects can force the use of all data access through assert()-filled methods, then in optimized mode can be inlined and thus reduced to their C equivalents.

Second, destructors in C++ guarantee clean up of objects, regardless of how you leave scope (natural, return, exception, etc).

Finally, you couple destructors and reference counting auto-pointers, and you have yourself a very nice allocation API that's as easy as Java, but without the performance or unnatural destruction logistics.

IN SOVIET RUSSIA

pools take heaps in you.

WARNING: GOATSE LINK!!! DO NOT CLICK!!!

You heard me.

And C said

[racerx509]

Bite me!

Imagine ...

[wadetemp]

... a beowulf cluster of these "why didn't anyone post an imagine-a-beowulf-cluster-of-these post" posts!

Re:Imagine ...

Damnit. It's time for Slashdot to add "imagine a beowulf cluster" to the lameness filter. The "expression" is just old and pathetic now.

Re:Imagine ...

Imagine a petrified Natalie Portman cluster...

aggressive use of glib

[chtephan]

In my last project, I used glib from the ground up. I wrote several thousand lines of code before testing it. I made some very aggressive use of glib and gobject. After the code compiled and did not give any runtime warnings anymore it did not contain a single memory leak (verified using valgrind).

glib containts a lot of useful things: lists, trees, hash tables, memory pools, string handling functions and a lot more, everything thread safe.

gobject contains tools on top of glib like "classes" and "objects". It's not the same as in C++ or java, but also very useful. Runtime classes oder data types, generic object properties, reference counting, signal callback, runtime type checking, etc...

The code ist now full of g_... and it took longer than usual because I had to read the documentation, but I think these libraries are very great, and provide a solution for nearly everything that has to do with abstract data types and dynamic memory allocation.

And it's very lightweight, fast and efficient.

Re:aggressive use of glib

And it's very lightweight, fast and efficient.

But portable??? I'm serious, does it currently run on BSD, OS X, Windows, and Linux? And if so, then how much bloat does it add?

See, that's the problem.

Re:aggressive use of glib

[chtephan]

> But portable??? I'm serious, does it currently run on BSD, OS X, Windows, and Linux? And if so, then how much bloat does it add?

Sure. The libraries are basically standard C. The optional thread library has implementations for pthreads and win32 CriticalSections. And there are even some additional compatibility wrappers to make some things more portable (e.g. listing directories).

They are just utility libraries or foundation libraries to build more functionality on top of it. Especially the gobject library is great as a foundation to do modular programs.

Re:aggressive use of glib

[LizardKing]

I'll second the recommendation to use glib. It is not only a useful, portable library, but a great resource for code snippets when you don't want to force a dependency on the whole thing. In short, it's the really useful bits that a C++ programmer would expect to find in the standard C library, but without C++ obfuscation (operator overloading, generics and multiple inheritance - yuck). The only complaint I've got is that I can't find decent examples of how to create my own gobjects.

Chris

Re:As a lib and/or in general programming tutorial

I remember seeing you in a raging homosexual porn movie! You were taking a seven inches cock down your throat!

NO string copy function is intuitive

[pclminion]

Truncating string copies are always wrong, no matter whether you use them correctly.

What if the result would be bigger than the output buffer? strncat() does the "right" thing, and doesn't overflow the buffer. But your string just got truncated! That's probably bad. So, suppose you check for this problem, by examining the string lengths beforehand. You verify that the result will fit, and not be truncated.

But now that you've gone to that trouble, and you know that the result will fit, why bother with the strncat()? Since you already know there is no overflow, you can go ahead and use the (faster) function strcat().

Now, in order to avoid these problems, you might write your own string concatenation function, that first computes the total size needed for the result, allocates it, and then copies the strings into this new buffer. Now, the issue of buffer ownership comes up, and you introduce a new class of possible bugs: memory leaks.

The fact is, in any non-garbage-collected language like C, string handling is a pain in the ass. The problem runs deep, and can't be solved by any quick hack like strlcat().

Re:NO string copy function is intuitive

[thogard]

trunkcating strings isn't alwasy wrong. When your accpeting input from a user and the valid inputs are always less than X bytes, truncating a larger string isn't a problem and easier than than the memory managment required to protect the grabage.

strncat has a problem that if you give it a string thats too big it doens't trucncate, it can concatinate with the next thing in memory. Remember it won't put the null at the end if the source string exceeds the size of the buffer.

Re:NO string copy function is intuitive

[spitzak]

If 99.999% of the time the string is shorter than the buffer, using strlcat is a huge win in speed.

strlcat returns the length of buffer that is needed. It's design actually agrees with what you are saying, if it overflows the buffer it "wastes time" counting the rest of the characters, rather than just quitting with the buffer truncated. This is because it knows that the proper response is to allocate a new buffer.

strlcat is much faster than calling strlen before every call, which for many programmers is extremely important.

Re:As a lib and/or in general programming tutorial

You watch homosexual porn movies?

Re:As a lib and/or in general programming tutorial

Yes, that was me, but it wasn't a homosexual movie. I'm a girl. And yes, I can take a seven inch cock down my throat. I love giving head. If you can find somebody with a seven inch cock, bring him over and I'll demonstrate for you.

Since every male who posts to slashdot is a stunted teenager with an itty bitty penis who feels funny in his bathing suit area whenever he sneaks a look at the brassiere section of the Montgomery Ward's catalog, I'm not really worried about your showing up at my door any time soon.

Overly simplistic

The gist of this article seems to be just about preventing buffer overruns. Granted, buffer overflows are the source of a great number of security issues, but with the right arsenal of helper functions (see the StrSafe API, these functions are all guaranteed to always null-terminate, from their name you can determine if they take byte counts or character counts, etc.) you can easily prevent 99% of all buffer overruns. The remaining are all the weird edge conditions (I've seen buffer overruns that only came about when there was race condition between two threads, for example.) At this point of time, I complain loudly about any code I review that uses strcpy, sprintf, gets, or any other function that can writes to a memory buffer but doesn't take a bound. If you write code that is susceptible to these easily preventable bugs, you deserve all the wrath you will incur.

What about all the other aspects of writing secure code? They don't even get mentioned. What about canonicalization errors, trusting input that comes from external sources, or failing to a non-secure state? Sticking to just memory, what about double frees, which was the cause of a security hole in a common library about a year ago?

Even within buffer overflows, what if you pass the wrong buffer size to your safe memory handling function? This may seem like an easy enough bug, but when people are quickly writing code, they may use the correct function but pass sizeof(str) when str is a char *, and is four bytes on most systems, or the wcslen of a unicode string, which returns characters, not bytes, to functions that require a byte length.

This may be going a bit off an article which the poster admits was written briefly, but what people have to realize is there is no magic bullet to system security. Using some set of functions instead of another will not prevent all security issues, it will only prevent certain security issues. There will always be some new bug or class of attack you will have to guard against. Pretty soon, you're going to find someone is deleting tables from your database because you have a format string like: "select * from foo where name=%s". You may have guaranteed that the user cannot pass an extremely large string to you that will overflow your buffer, but you've just made easy for them to inject arbitrary SQL into your query. And when you start fixing those problems, you're going to see that attackers are getting around your URL filtering by passing you URL's in alternate formats. There will always be new types of attacks, and new types of coding bugs you have to watch out for.

So what do I suggest?

First, keep up to date on attacks and guard your code against them.

Your applications should be secure by default. Don't allow insecure defaults and don't run with features enabled that don't have to be. Every new feature in your program is an area that can be attacked. There was one site I heard of that had a DB server running with a blank admin password. Users would interact with the DB through a web page. However, attacks just bypassed the web page and connected to the database server directly. If the database didn't open up an internet port by default and didn't allow blank passwords by default, the attackers would have had a harder time.

Presume your security measures will fail, because eventually, they will. Don't presume that the attacker can't get through certain boundaries you've set up. Just because the attackers breached your firewall, that doesn't mean they should be able to access your database.

Run everything with the lowest privilege that is required. The above SQL format string can have statements injected into it to delete records or drop tables. What if the app connected to the database with a read-only account, or with a read-only connection? The statement would just fail.

And always remember, you are never finished, because there is no such thing as a secure system. You can unplug your server, drop it into a concrete bunker and have it guarded by men with guns, and it is still not 100% secure.

Re:Overly simplistic

[cras]

Granted, buffer overflows are the source of a great number of security issues, but with the right arsenal of helper functions (see the StrSafe API..

That sounds like a yet another solution for safe string handling. Like I said, I think they're too highly advertised as being the only way to overflow buffers.

The remaining are all the weird edge conditions (I've seen buffer overruns that only came about when there was race condition between two threads, for example.)

Threads? Yeah .. I wouldn't really even bother thinking about security with threads.

What about all the other aspects of writing secure code? They don't even get mentioned.

There's now a link to Secure Programming HOWTO which talks about most of the other things just fine. Maybe I could write about a few other things that aren't too well discussed in that HOWTO, like integer overflows (although it's next version will contain several of my examples about them).

Presume your security measures will fail, because eventually, they will.

Not necessarily. Or are you talking about complete systems here instead of individual applications? If your application doesn't have external dependencies other than libc and you write it fully up to ANSI-C specs (that's a bit difficult actually) and in general you're careful enough, it's theoretically possible your program is secure now and forever. libc, kernel, user, etc. bugs are different things then, although you could try to prevent some of them as well (don't give dangerously parameters, don't use dangerous functions).

What C can do that Perl can't

[yerricde]

I still have yet to write a single useful C program that I couldn't have done in Perl.

Can you write a video driver with acceptable performance in Perl? Can you write programs that do things other than text manipulation, such as (say) a 3D engine and make them faster in Perl than in C? Remember that in the real world, time is money because a shorter execution time means lower system requirements and thus a larger market for mass-market desktop applications.

Re:What C can do that Perl can't

The claim was not "can", it was "have". Have you written a video driver? Have you written a 3D engine?

Neither have I. Neither have most programmers. If you don't work for a company that makes graphics hardware or operating systems, I suspect you probably never will -- at least, not a "real world" one where performance really matters.

For the majority of programs, there are more appropriate languages. Some programs may require C, but only a small percentage.

why not a new language? i heard that someone

[zymano]

was creating a new c compiler that was built from top to bottom for security. How about creating a new language built just for security? C is very low level and devs have difficulty creating software thats secure.

Re:data stacks (NSAutoReleasePool vs. NSZone)

[Jimithing+DMB]

Well, not quite. An NSAutoReleasePool does not allocate a large region of memory and suballocate objects out of that. What an NSAutoReleasePool does is make it possible to avoid explicitly sending the release message for temporary objects.

For example, from Foo() I allocate an NSObject with [[NSObject alloc] init] and pass that as an argument to Bar() which takes ownership of it. However, I must then ensure that I release the object because Bar() is following good coding practices and retains it, so thus with alloc+retain it's reference count is now 2. So instead what I do is Bar([[[NSObject alloc] init] autorelease]) which allocates NSOjbect (with ref count one) initializes it, marks it for autorelease, and passes sends it to Bar() which retains it (ref count 2) and keeps a pointer to it (presumably it is a method of a class). Coming out of bar the ref count is now 2, and perhaps Foo() proceeds to do some other things. Presumably at some point higher up the call stack (or perhaps at the beginning of Foo()) an NSAutoReleasePool was allocated. At the corresponding exit point (either at the end of Foo() or the end of whatever higher up function) [whateverpool release] will be called. When the pool is released, it will call release on any objects it has been asked to take ownership of. At this point one of two things it true. Either the class that Bar() belongs to has already released the object and thus its reference count went back down to one, and now is going to zero (so bye-bye), or the class that Bar() belongs to has not released the object and doing this release merely brings the refcount back to one such that when the other owner releases the object, its refconut will be zero and it will be freed.

Sorry if that was confusing, but in reality it's really not. It also really helps out when you are coding functions that allocate ObjectA, then allocate ObjectB, then ObjectC, and then find out something is wrong and need to "roll back" to the begining. If you allocate an NSAutoReleasePool at the beginning, and autorelease everything you alloc then if you error out you can free the release pool and everything gets released. If you don't you can simply retain what you need and then free the autorelease pool.

Anyway.. what this guy is REALLY talking about is NSZone. NSZone allocates a chunk of memory which other objects will be allocated from. The caveat being that while the memory will be freed, the objects will not be properly destroyed. Now this guy was talking about holding C strings and the like, so this is not a problem. However, had he been holding some C++ or objective-C objects this would be a problem as none of the destructors/deallocators would ever be called.

I think what it all boils down to is that programmers need to read more code than they write and that we should really be getting Masters of Fine Arts in Programming. I completely agreed with what Dr. Gabriel said. Programming is about as much like building a bridge as writing poetry is. That is to say.. not much.

Going along with that thought, I think it should be pointed out that /EVERYONE/ here who programs in any language (but specifically C programmers, and ESPECIALLY C++ coders) needs to learn Cocoa and Objective-C. I imagine some of the C++ whiny bitches are going to continue to whine about how much easier and better C++ is, but for those of us who actually prefer to wrangle pointers, Objective-C is where it's at. It's like C with JUST enough object orientation, but not overdone in some committee like C++. Also, one should note that I do like C++ quite a bit, but sometimes there's too many provided ways to do things. With Objective-C, the provided ways are almost all good. In addition, like C or C++ you are not limited to doing it that way, it's just that Objective-C only makes it easy to do good things.

Think for example of wxWindows vs. Microsoft MFC. wxWindows is suprisingly similar to Cocoa (although wxWindows does not do ref counting so making sure that one and only one class ever owns an object can be problematic at times). MFC, on the other hand, is rather a bear to work with as Microsoft has written it such that an MFC programmer /can/ do things multiple ways, none of which work very well. Obviously this is a generalization, but I think the average MFC programmer will understand where I'm coming from here. That is, again, except for the whiny C++ and MFC bitches who can't figure pointers out. Go home!

Or Otherwise Known as

How to program in an amazing unthread safe manner!

Re:Or Otherwise Known as

[cras]

How to program in an amazing unthread safe manner!

But then again, threads are useless for most applicatios, especially the ones I've written so far. Besides, it's easy to make it thread safe with per-thread data stacks and adding locks to other stuff.

Obstacks

[p3d0]

The "data stacks" described in the article sound like a slightly less-evolved version of GNU obstacks. The main difference seems to be that the article uses a single global data stack.

I think the HOWTO should have a reference to obstacks, rather than claiming data stacks are a new invention. (Hint: data stacks have been used many, many times in many, many projects. GNU obstacks are the only one for which I can find a URL at the moment.)

Re:Obstacks

[cras]

I think the HOWTO should have a reference to obstacks, rather than claiming data stacks are a new invention.

Quoting the howto:

None of these ideas I've written about is new, but most of them are very rarely used with C programs.

Thanks for the obstacks reference though, I hadn't heard of it before.

Re:Obstacks

[p3d0]

Fair enough. My appologies.

I was referring to your statement regarding "what I haven't yet seen used anywhere outside my own software and some programming languages internals...". I think this is more indicative of your lack of exposure, rather than the novelty of the idea. :-) It probably doesn't belong in the final HOWTO.

C needs to die.

We would have been better off with assembly for the stuff that needs speed and higher languages for anything else. C is an abomination. K&R were smoked up when they came up with C. I guess that's why I can't stand Unix or Unix like operating systems.
Assembly,
Cobol,
Java,
VB,
C#,
Eiff el,
Lisp

Get rid of C, it's insecure and hung on too long.

Re:C needs to die.

Nice troll, or attempt at one.

More Secure, Mostly Efficient and Fairly Easy

[Zenithal]

Use C++, Auto pointers and STL.

Seriously though, why are most developers sticking with C at all? I know there are some portability issues with complicated templates and namespace mangling in C++, but I've never run into any problems from them porting code from Linux->Unix->Win32->Mac. What is the allure to sticking with C over C++?

I suppose most people think of C++ and they immediately think that everything has to be purist OOP development, but if you can forget that C++ is basically exactly what its title says, C plus extra flexability.

Besides, classes are effectively the same thing as having a pointer to a struct and passing it into procedures to do something with. A really common style in C programs. Except the passing around of the structure, and the new and delete's on them are all hidden in de/constructors and the 'this' pointer.

Re:More Secure, Mostly Efficient and Fairly Easy

> Except the passing around of the structure, and the new and delete's on them are all hidden in de/constructors and the 'this' pointer

Ack, its not a good idea to do stuff that can fail (such as allocate memory) in a constructor because there is no way to return a failure.

Re:More Secure, Mostly Efficient and Fairly Easy

If you've been programming C++ for a long time then you become so accustomed to the C++ way of doing things that it might be hard to see why people still prefer C.

First, C is more portable, period. You say you have never run into any problems porting C++ code, but I believe you've just become unaware of the porting problems. I believe you've determined the right compiler version on all platforms, and I think your coding standards have evolved to ignore everything that might be non-portable. To you that might seem reasonable and I'm sure it comes natural to you, but for somebody starting out with C++, it's a lot of hassle.

Second, C has fewer linkage/interoperability issues. It takes rather more work to get bison/flex to work in a C++ environment than in a C environment, for example.

Third, C++ has too many ways of doing things, and is too implicit about them. C++ is not one language; it is really several dozen languages. You have to worry about pointers vs. references, copy constructors, exceptions (in constructors?!), and other funky stuff. Over time you develop coding standards to help you navigate safe passage through the mess, but until that time it's confusing as hell. Granted, every language is confusing when you start to learn it. The problem with C++ is that since everybody has their own style and uses different language features, getting accustomed to a new piece of C++ code means that with C++ you have to keep going through hell again and again.

Finally, C is a little bit faster, and (being more explicit) often easier to optimize.

That is why people might prefer C over C++.

Re:More Secure, Mostly Efficient and Fairly Easy

> Ack, its not a good idea to do stuff that can
> fail (such as allocate memory) in a
> constructor because there is no way to return
> a failure.

Ahhh ... but there is: throw an exception.

reference counting

[ttfkam]

The main problems with it versus broader garbage collection schemes are circular references and overhead.

If two (or more) objects have a reference to one another, the count can never reach zero even if nothing in the main logic points to those objects anymore.

Also, every time an object gains or loses a reference, a check for a count of zero is made. In fuller garbage collection setups, periodic checks are made to all of the objects in a low-priority thread. In some cases, memory usage can be higher, but performance is also higher sometimes and it can handle circular references.

Both are better than repeated use of malloc/free and new/delete though.

--

C also muddies this concept because there are no objects in C.

You just reinvented alloca()

[lamontg]

From the FreeBSD manpage:

ALLOCA(3) FreeBSD Library Functions Manual ALLOCA(3)

NAME
alloca - memory allocator

LIBRARY
Standard C Library (libc, -lc)

SYNOPSIS
#include <stdlib.h>

void *
alloca(size_t size);

DESCRIPTION
The alloca() function allocates size bytes of space in the stack frame of
the caller. This temporary space is automatically freed on return.

RETURN VALUES
The alloca() function returns a pointer to the beginning of the allocated
space. If the allocation failed, a NULL pointer is returned.

SEE ALSO
brk(2), calloc(3), getpagesize(3), malloc(3), realloc(3)

BUGS
The alloca() function is machine dependent; its use is discouraged.

FreeBSD 5.0 June 4, 1993 FreeBSD 5.0

Re:You just reinvented alloca()

[cras]

No I didn't. alloca() belongs to same part as "control stack". OK, let's paste it here again with alloca() added to it - thanks for the update.

Advantages over control stack:

• Functions can return a value allocated from data stack.
• We can portably specify how much data we want to allocate at runtime, and in some cases we can grow it without copying data.
• alloca() function should be mentioned here as a way of nonportably allocating memory from control stack. So it does none of the above.

Re:You just reinvented alloca()

[thogard]

you can do...

char *fn() {
char *ret=alloc(1234);
strcpy(ret,"Junk");
return ret
}

main() {
printf("%s",fn());
}

If you try it, you will find it works quite well
however if you get an interrupt on a system that uses a user process stack, you could get your data overwritten. Some OS's do this to save context swaps on some system calls (maybe solaris on its 'get the time quickly' syscal and just about ever lightweight embedded os)

Re:You just reinvented alloca()

[cras]

That's completely unportable and relies on undefined behaviour and that printf() doesn't use stack at all. I tried it, it didn't work in my Linux/glibc 2.3.1, it didn't print anything.

What's the gain?

[theSilentOne]

You should more clearly mark, what gain can be expected by which measure. Allocating on the stack (with alloca() or something similiar) gains you speed, some convenience, but no security (buffer overflows are more readily exploited to inject harmful code, if the buffer is allocated on the stack).

You failed to describe what's wrong with strncat(), strncpy() etc. IMHO people who can't comprehend the man pages for those functions probably should avoid C altogether, but definitively must be hindered to write security relevant software (as should sleep-deprived coders who try to do it on a Sunday morning ;-} .

Said that, I can only appreciate your attempt to raise this issue (once more, maybe for a new generation of C coder).

Re:What's the gain?

[cras]

You should more clearly mark, what gain can be expected by which measure. Allocating on the stack (with alloca() or something similiar) gains you speed, some convenience, but no security (buffer overflows are more readily exploited to inject harmful code, if the buffer is allocated on the stack).

Well, I'm mostly talking about allocating memory from heap and data stack, which itself is allocated from heap. But in any case, the code should be written so that buffer overflows don't happen anywhere making it irrelevant where the memory is actually stored. That's what I'm aiming for.

You failed to describe what's wrong with strncat(), strncpy() etc. IMHO people who can't comprehend the man pages for those functions probably should avoid C altogether, but definitively must be hindered to write security relevant software (as should sleep-deprived coders who try to do it on a Sunday morning ;-}

Oh. I felt disadvantages of them were self obvious. With strncpy() you must always make sure you add the extra NUL character. strncat() was very likely never even meant to prevent buffer overflows, in which task it's difficult to use properly. Or would you call this easy to use: strncat(buf, "foo", sizeof(buf)-strlen(buf)-1); Hmm. I guess I should add that to the HOWTO :)

Welcome to...

spellcheck.slashdot.org!

Re:As a lib and/or in general programming tutorial

Montgomery Ward has been out of business for about 5 years now. Where have you been?

Not complete?

[mnmn]

Seems a bit on the "strings" side, so I assume the text is not complete.

What I wanted to read on was how to create modular programs with C, as in function pointer arrays and how to generally modularize the application. My attempts at building larger apps have resulted in instability, and I do not want to get into C++. Maybe some details on howto allocate mem less frequently in larger chunks would be also useful.. ..just my rusty 2c.

scanf and friends

[usrerco]

No such document should be without mention of scanf(3) misuse, and gets(3) use at all.

Regarding scanf(3), many people don't realize this is Bad:

• char cmd[80], arg[80];
  scanf("%s %s", cmd, arg); // BAD
  

This is Good:

• char cmd[80], arg[80];
  scanf("%79s %79s", cmd, arg); // GOOD
  

This prevents a buffer overrun if a word contains 80 or more consecutive non-white characters.

Ditto for sscanf(3) and fscanf(3). Never forget the N+1 when declaring the arrays (eg. char s[80] vs %79s) to leave room for the NULL.

Here's a good command to run on all your .c files to find such problems:

• egrep 'scanf(.*%s' *.c

..any lines that match are a potential problem.

And in a document like this, *definitely* point out the whole gets(3) problem; the granddaddy of them all. Never use gets(3), period. Use fgets(3) instead.

The gets(3) interface is inherently insecure; a problem waiting to happen by its mere existence. Any code that uses it is broken.

There are probably some others (someone mentioned strcpy) I'll try to post more if I think of them.

Re:scanf and friends

[dvdeug]

This is Good: [chopping off input at 80 characters]

Silently truncating code at 80 letters is good? It's a quick security hack; it prevents a buffer overflow, at the cost of losing information and seriously annoying users if they had data that was more than 80 letters long.

Re:scanf and friends

[thogard]

That may not be a problem. Assume your getting a string passed in from a URL and we all know that URL strings are a great place for overflows. You have some other system that limits the valid strings to 30 characters so you can use a %31s and if someone is feeding you junk, your going to ignore it anyway later so trunkcating the junk is ok. You have to be careful you don't make assumptions about where your good data and the junk data is. Playing with perl's tainting can help with that concept.

Re:scanf and friends

[usrerco]

Silently truncating code at 80 letters is good? It's a quick security hack; it prevents a buffer overflow, at the cost of losing information and seriously annoying users if they had data that was more than 80 letters long.

Sigh; can't we leave that as an exercise for the reader? ;)

Certainly you can test for truncated conditions if need be; just add a strlen(3) test on 'cmd' and 'arg' after the scanf, eg:

• scanf("%79s %79s", cmd, arg); // GOOD
  if ( strlen(cmd) >= 79 || strlen(arg) >= 79 ) { print error.. }

(I like to use the >= as a subtle reminder that input lines longer than 79 trigger this code, even if the string is never actually longer than 79 chars.)

In general I don't actually use plain old scanf much; I prefer to use a combo of fgets(3) and sscanf(3). This is a great way to implement very useful ascii file parsers without having to write a lot of complicated char-by-char parsing code. An fgets/sscanf technique can keep track of line numbers for error msgs (something scanf alone is not so good at), and can detect string truncation, line length issues, properly handle horizontal and vertical white space, braces '{' and '}'), multi and single line comments, word-by-word parsing vs. entire line parsing, etc. To give an idea:

char s[1024], cmd[80];
while ( fgets ( s, sizeof(s)-1, fp ) )
{

• ++line; // keep track of lines
  
  if ( sscanf(s, "%79s", cmd) == 0 ) continue; // ignore empty lines
  if ( strlen(cmd) >= 79 ) { truncation error }
  if ( cmd[0] == '#' ) continue; // ignore comments
  if ( strcmp(cmd, "quit") == 0 ) exit(0); // parse commands..
  ..parse other commands..
  fprintf(stderr, "%s: Line %d: unknown command '%s'\n%s", filename, line, cmd, s);
  exit(1);
  

}

Secure, Easy, Efficient C? Dont they call that...

[razmaspaz]

Java!!

Re:Secure, Easy, Efficient C? Dont they call that.

[geekinexile]

Java??

Vector class

[Funkitup]

I had a quick peruse at the web site. I must admit the vector class in the C++ STL is well worth learning. It's not as quick as the usual error checking you get with arrays, but it is very secure. And once you know that you can move onto lists and maps.

But hey, it's not C. Ohhhh for a program that is so power hungry I have to write it in pure C. ;o)

Re:Vector class

std::vector's operator[] does no bounds checking. If it's inlined, then it becomes no slower than using a regular array (assuming std::vector is implemented as an array which is usually the case).

Re:Vector class

[Funkitup]

I looked into this and you're right! I always assumed it just did anyway. Or you could turn it on and off with compile options. I believe with some implementations you can do this.

If you use the 'at' function then it bounds checks.

How tedious! I'm just going to have to write my own template library.

Or are there any really good ones out there?

Re:Vector class

[Funkitup]

And there's nothing to stop you editing the vector file (it's called 'vector') and putting a #if statement in for yourself to do some bounds checking on debug compiles.

A bit of a cludge, but you can fix it so if the vector file is updated your code will notice...

in vector put a #define (say MY_VECTOR_BOUNDS_CHECKING 1) at the top.
and put a #if in your source file which will create an error (#error isn't it?) if MY_VECTOR_BOUNDS_CHECKING isn't 1.

Hopefully the next time vector is overwritten, the new compiler release will have optional bounds checking :o)

uh

[TummyX]

strncpy(), strncat(), snprintf() - only snprintf() of these is easy to use safely but it's still somewhat unportable (Windows).


What? You're saying windows doesn't have those functions?! What a load.

Re:uh

[JKR]

He's trying to claim Windows doesn't have snprintf() - he is, of course, talking crap. Since it wasn't an ANSI C function, it's implemented as _snprintf in Windows.

Jon.

A few suggestions

1. learn to write
   
2. learn to write in English
   
3. what do you want to say?
   
4. how do you want to say it?
   
5. who are you targeting?
   
6. see if someone else has already said it all
   
7. find a descriptive topic for the text
8. write a draft, a second draft and maybe a third
   
9. sleep on it
   
10. write a proper version
    
11. make sure you said everything you should say about the topic, in length. if not, change the topic or write more, but don't blabber
12. sleep on it
    
13. proof-read it and allow others to do so too
    
14. listen to comments
    
15. fix incorrect stuff according to comments, or include them and prove them wrong
    

After that you might want to consider publishing something. This kind of 'howto' is of no use to anyone but the writer, as a reminder. No excuses about "this was done in only X hours" or "it's sunday morning and I'm bored". If you need to include those, think think THINK whether you really have anything to say to anyone.

I've seen too many documents and pieces of software that are done with the sole idea of making yourself visible. Sometimes it is fruitful to release unpolished software or documents, but usually it isn't. As you and so many others seem to think, it's always easier to rewrite everything over and over again rather than do it right the first time. I don't think so.

You go on and on about secure software and all you have to say on a topic as broad as this is a couple of lines of stuff every half-decent programmer should know and any decent programmer knows how to avoid. And then you just mention another document that discusses these things in depth. Why write anything then? Just to get your superior memory management (that's been done for decades now) some publicity?

Also your prejudice against all other languages (like C++) is quite hilarious. Of course no-one would use an IMAP server that was done in C++. The first thing people think is the language it was programmed in. Sure. If you'd said only "this is the only language I know" or "it was not written in language X because...", it would be a bit different.

Sorry if this seems too judgemental or personal, but we all see too much of this kind of stuff floating everywhere and not enough of real documents about important topics.

Re:A few suggestions

[cras]

Well, one point was to get more publicity to the superior memory management, which although might have been done for decades, I've never ever seen a single software actually doing it. Publicity can be good for giving more attention to old but less know things. Another point was the buffer API, which is also rarely used.

I'll try to fix the document at least some, but if I had done it like you suggest, I had never got out any kind of version of it. Maybe it'd be better for some people who felt they just wasted their time on this, but there's also those others who actually understood it, even if my explanations weren't that good. I guess that's how I usually try to teach, give people a few ideas and pointers and let them figure out the rest instead of trying to brainwash them with lots of explanations and reasonings why it's so much more better. I know it's not perfect, I know it's not useful for everything, but I do think it would be very useful for a lot of projects.

I haven't said anything about C++. C++ is almost as widely accepted as C and I'm sure people would use IMAP server written with C++. But OCaml? Haskell? Ruby? Much less chance for those. And I said later that it wasn't the real point, just a smaller subpoint while the real one being that I still prefer to use C.

Re:As a lib and/or in general programming tutorial

Montgomery Ward has been out of business for about 5 years now. Where have you been?

So... amidst the accusations of small penises and furtive masturbation, this is what you choose to argue about?

:-)

The key word is "prototyping"

[mindstrm]

Whether the final product can be interpreted or not isn't really releveant, nor is whether you need the vm code to make native calls...

It's prototyping. That means it's not the real thing.

I'll believe this when I see...

[SensitiveMale]

a Secure, Efficient, and Easy to use Windows OS.

Re:I'll believe this when I see...

a Secure, Efficient, and Easy to use Windows OS.

How am I not surprised that this kind of brain farts immediately get a positive score here...

pools

[Richard+W.M.+Jones]

For safe and efficient pools and Perl-like datatypes in C, use c2lib. </ad>

Rich.

Just another C string library

[Nevyn]

Some of the idea's aren't bad (and those have been done before), but mostly it's just another simple dynamic string library in C.

As for efficency...

t_strconcat() is one function that I also copied from GLIB. It's a bit dangerous though, the terminating NULL is too easy to forget. I've been thinking about removing it entirely, but it's much more efficient than t_strdup_printf() so I haven't yet had the heart :)

...this pretty much speaks for itself. Why Is strconcat() so efficient compared to just doing strcat() multiple times? Because you've got a model for representing the data that has ZERO metadata, and a model for storing the data that requires you to reallocate bits of memory all the time.

Assuming you can just disacount all this overhead by using memory pools, is a simplistic outlook (for instance even if you waste gobs of memory so you don't have to call malloc that much you'll still need to do copies all the time)

There are more than a few much better string libraries out there for C. Probably the best for an IMAP server is probably Vstr as that was deigned to work well in an I/O context (For instance it doesn't need strconcat() like calls in the API because doing repeat adds is just as fast).

Postfix source code

[andawyr]

Postfix (IBM Secure Mailer, written by Wietse Venema) is a very good example of how secure, modular, and elegant programming can be acomplished with C.

It's probably some of the best written C code I've every seen.

NO!

[YOU+FAIL+IT!]

This is not a "nice try". It is a FAILURE. There are no shades of gray with first posts, only FIRST and FAILURE, and he has FAILED.

Apache Prtable Runtime

Nothing new here, APR has been doing all this for quite a while now.

OT, but...

[mehfu]

Actually it's a rewrite of the theodice problem (spelling anyone?) or The Problem of Evil, or at least that's my interpretation of it.

Re:OT, but...

[E_elven]

Reference to an examination of the logical fallacies of the thesis of (the) God existing.

Omnipotent
Omniscient
Omnibenevolent

Pick two.

Re:OT, but...

[Nexx]

Doesn't Omnipotent imply Omiscient? Just a thought.

Re:OT, but...

No. For example, Q on Star Trek was omnipotent without being omniscient.

Re:OT, but...

No. For example, Q on Star Trek was omnipotent without being omniscient.

Shocker, an example of poor logic on the part of Star Trek writers... well, there was bound to be one, eh?

Omnipotent == all-powerful, i.e. being able to do anything. If Q had all abilities, he should have had the ability to know anything/everything.

Henry Spencer said it all ...

[Alain+Williams]

about 15 years ago IIRC, see http://herd.plethora.net/~seebs/c/10com.html Still very good advice.

Never forget that C is just a machine independent assembler, you need to have a good understanding of how machines really work to be able to write good C programs.

Also: plan the code and code the plan. C is a language that bites you if you are sploppy.

This is bollocks

[Old+Wolf]

Why is this bollocks?

To summarise the articles: a bunch of small libraries providing object-based memory allocation and string handling.

Kudos to the poster for enabling himself to write code in a way that's good for him. But that doesn't mean it's good for anyone else.

For example, I'm not going to go and learn 20 more function names and have more library dependencies and I wouldn't recommend anyone else does either.

Finally, suppose one wants a better string library or memory library. There are already plenty of good, with-much-work-done-on-them, open source libraries out there. Tried and tested. Not to mention the C++ STL.

Pick one that means many other people will also be able to read your code and be familiar with the libraries you use! There's nothing I'd hate more than working on a project written by someone using these libraries. Not only do I have to analyze the code, I have to analyze these libraries, and also manage to keep them and their quirks in my head while I am reading the program. Yuck.

and my Next book will be

Hacking away using C

Bjarne says "Use C++" :)

[wray]

Of course Bjarne Stroustrup would say this, but he has some nice examples backing his statements up, too. See his FAQ and his paper on "Learning Standard c++ as a New Language".

Stroustrup explains some nice details on especially this issue of memory constructs. He makes a convincing argument for why C++ is easier for C-style programming... Especially for those of you (One I saw below) who "Don't want to get into c++", realize that you can edge into it pretty easily, and accomplish your tasks more easily and quickly -- give it a try!

I send you this post to have your advice

[denshi]

Prototyping in a higher-level language (c# is easy, java everyone knows) is a superb idea, provided you
- can release the final product as interpreted, with slow execution speed
- can afford the time to port all to C, in which case DO, this is an excellent way to make a watertight C program

Sir! I wish to introduce to you to the strange new-fangled notion of compiled high-level languages! Yes, languages with higher-than-C-level abstractions have been sneakily producing native machine code for some time now. Some of the most popular are listed below:

• O'Caml is a marvel of strongly typed object orientation, but you'd hardly know it from using it -- there are almost no C-style type declarations; as a ML child, O'Caml uses type inferencing to prove powerful assertions about program validity and improve programmer convenience. It's compiled! And if you watch the ICFP's, you might note that it consistently beats C compilers for speed of execution. '92, if I recall.
• I never really bought OO, so S/ML is fine by me. Still compiled, since 1984.
• And they both descend from ML, started in 1973.
• Lisp was compiled in 59 or 62 (mccarthy or 1.5, chose your valid date). But then, I suppose it'd have to be compiled, since the notion of interpreted code hadn't been concieved of yet!
• Erlang is the last, best, word in concurrent programming. If you want to write a high throughput, reliable threaded application, you shouldn't even think of the word 'C'. This broke out of its lab in '87, first compiler in '91.
• Scheme is often thought of as a testbed for interpreted language concepts, but even it can be compiled, and with concepts such as continuations that can actually make a C programmer's head explode! Since 1982, commercial grade compilers have been available.
• Even haskell is compiled, but as monadic programming is less than 10 years old, no one knows how to always write really fast code in it yet. Leave your number, we'll call you in 2034, right before you gear up to deal with your year 2038 rollover crisis.

Welcome to the late 1970's! We look forward to your eventual arrival in the 80's and early 90's. Please enjoy your stay!

ps. As modern coding is more about the manipulation of very complex structures, rather than how to say, walk a linked list; a higher level language, with native support for more complex constructs, has the potential for creating much faster applications than something on the level of C. The reason being is that the h/l compiler can reason about, and thus optimize over, larger components than the C compiler.

Re:I send you this post to have your advice

[Kragg]

The reason being is that the h/l compiler can reason about, and thus optimize over, larger components than the C compiler.

Links man, come on! This is Slashdot, you can't just make wild assertions without backing them up with facts. Or at least a random opionion off the web... there must be one out there somewhere.

I'd love to see evidence of a functional (or any other) program that can outperform the naive C equivalent.

As for bypassing the proto- stage and going straight to completed app using ML, if it's such a good idea, why doesn't this happen? Is it just because nobody ever released "MFC4ML"? Or are half the binaries I buy actually compiled Lisp? I doubt it...

Re:I send you this post to have your advice

[Pseudonym]

Links man, come on! This is Slashdot, you can't just make wild assertions without backing them up with facts.

You're new around here, aren't you?

Since you asked, though, the first thing to realise that you may well have written a program in a high-level language which can way outperform the naive C equivalent yourself. Ever used yacc (or bison)? It's a high-level language compiled to C, after all. I defy you to write a naive (the "naive" part is important) LALR(1) parser in C yourself which outperforms those generated by yacc and related tools.

Slightly less facetious examples:

• C++ beats C
• The functional language Sisal beats High Performance Fortran on numerical simulations. (Note: This is an older paper; Sisal has changed a bit since then.)

Still, this is not the real benefit of high-level languages. The point is that in many situations, you gain a lot without paying too much. There's always C and assembly language below a high-level language if you find you really need it. If you don't, or for those part of an application where you don't, you get rapid development, higher robustness and better maintainability, and that's where you win.

Re:I send you this post to have your advice

[Panaflex]

Even Bjorn's paper says..

"Comparisons of languages, libraries, and programming styles are notoriously tricky, so please do not draw sweeping conclusions from these simple tests."...

Pan

Re:I send you this post to have your advice

A friend of mine once pointed out that in the product-driven programming world, there are two data structures that matter: hash tables and linked lists. Everything else is considered "academic". Take it for what it's worth.

Re:I send you this post to have your advice

[axxackall]

Once we list here well designed, easy to use, rapid to program, fast to run, possible to compile FP languages, then don't forget about Oz/Mozart programming language and system.

The preformance of the FPL programmers working with very extremely complex requirements will always outrun the performance of C programmers. And that is more important than the runtime performance (remember Javaistic argumets about cheap and fast hardware resources?). There are many cases when run-time performance of FP programs will be better than C one, as most of low level details are already optimized and hidden in libraries and interpreters, while C programmers are still moving through lots of errors and mistakes in their reinventing the wheel projects.

The only problem is that all stupid managers, after reading commercials, don't want anythng else, but only C, Java and VB. I heard about projects where people use XML syntax for interpreted Lisp or Scheme code because they can tell the boss: "look, boss, it's not Lisp, it's just XML". Managers today just love XML and usually buy the trick. No wonder there is an official project of "flat" and XML notations for Curry, the language with Haskell and Prolog ideas.

Re:I send you this post to have your advice

[Pseudonym]

While that's true, recall what the challenge was:

I'd love to see evidence of a functional (or any other) program that can out perform the naive C equivalent.

This is a C++ program which out-performs the naive C equivalent, at least on one platform. I don't draw any conclusions from this other than that there is evidence.

Intuitively, though, languages which support compile-time specialisation of polymorphic code is always going to beat the naive C equivalent (probably based on callbacks) ll other things being equal. In the case of the comparison between C and C++, they almost certainly are equal, as most C compilers are really C++ compilers run (or compiled) with C++ turned off. Similarly, chances are good that your C library and your C++ library were written by the same people.

Re:I send you this post to have your advice

[jcupitt65]

"as monadic programming is less than 10 years old,"

15 I think :) I had monads in my phd thesis in 1989.

Re:I send you this post to have your advice

[denshi]

The reason being is that the h/l compiler can reason about, and thus optimize over, larger components than the C compiler.

Links man, come on! This is Slashdot, you can't just make wild assertions without backing them up with facts. Or at least a random opionion off the web... there must be one out there somewhere.

How is that a wild assertion? A higher level compiler can make more global optimizations than a lower-level one. Welcome to introductory CS... For example, C has the concept of structs; assembly doesn't; a C compiler can optimize a struct for packing, alignment, access speed, etc; the assembler can't make those kinds of decisions intelligently. This pattern is repeated all over computing...What are some things (affecting execution speed, let's ignore all the other cool things) that a high-level language can reason about that a C-level lang can't? Try memory management, real numbers, exception handling, real types (no casting), tail recursion stack elimination, co-recursion, lambda expressions, a large base of first class types, etc....

I'd love to see evidence of a functional (or any other) program that can outperform the naive C equivalent.

Why is that difficult? Dammit, Jim, almost anything done carefully can outperform the naive C equivalent -- C is only fast and effective when it is done as carefully as assembly usually warrants. C can be faster, if you can hold all the myriad low-level details in your mind and optimize all of it correctly; h/l/ls can reason about much of that themselves, assuring good mean optimization and leaving you to focus on fewer components. In practice, this dichotomy is noticed in that in a large random sample of programs written in a variety of languages, low level langs like C have a very large standard deviation - the lower point of the curve are very, very, fast programs, but the curve is so broad, you'll find C programs way out in O(n^3) land; the h/l/ls are a bit above the bottom, but their s.d. is much smaller - so they are more predictably fast than a product full of reinvented wheels.

As for bypassing the proto- stage and going straight to completed app using ML, if it's such a good idea, why doesn't this happen? Is it just because nobody ever released "MFC4ML"? Or are half the binaries I buy actually compiled Lisp? I doubt it...

It happens, but not that often. There are the issues of available coders ("how do I find people") which is usually a red herring; language bigotry from VCs, middle managers, & press ("you use what??") - example: since the AI Winter of the mid 80's, Lisp has been a dirty word; delivery method (desktop guis have a very strong impetus to write apps in the OS language, aka, C/C++); and a few others. There are successful companies developing software in advanced languages, and they tend to have a few things in common: they work with very small teams, they don't tell anyone what they dev with, and they write server apps or desktop apps for niche markets. Suffice it to say that popularity != quality. And how often, where you work, have you been able to choose tools regardless of the marketing-informed opinions of the suits? Programming is a wierd field where the actual craftsmen are often unable to control the choice of their tools.

Anyway, would the /. kiddies please read a little history of computing? C is not the beginning and end of languages....

Not to belabor the point

[xant]

You can write C code to extend Python. It's a very common technique. The advantage of C, and it is a big advantage, is speed... but most programs don't need that speed advantage everywhere, only in a few intense and heavily-used operations. (Optimize the innermost loop...)

The advantages of Python for almost every other operation are really too numerous to list.

Your point about "right tool for the right job" is well taken. _Good_ Python programmers learn the C extension API, and use it when appropriate. Guido van Rossum, the creator of Python, even states in one of his papers "If you feel the need for speed, go for built-in functions - you can't beat a loop written in C."

Boehm Garbage Collector for C and C++

[alienmole]

Why do you say the Boehm GC can't do much with C? Have you actually tried it? Operation with C is one of its major strengths, and reasons for existence. It automatically collects allocated data that's no longer referenced. For memory management, what more do you need? Sizing buffer allocations is a separate issue, which can be dealt with separately.

The one problem Boehm GC can have is if data on the stack or in the heap happens to look like it contains pointers to allocated data, but doesn't actually, which can lead to space leakage. In practice, in most applications, this isn't a problem. If it is, in many cases, there are ways it can be dealt with.

Efficient how?

The author doesn't address efficiency at all.

Re:Efficient how?

[jeremyp]

He doesn't realy address all security either unless you say security equals avoiding buffer overflows and memory leaks.

misses the pouint

The author misses a crucial point: overflows and underflows are caused by false assumptions about the INTEGRITY OF THE CONTENTS OF THE INPUT to the program, either from files, sockets, arguments, etc.

For example, if a web server sends a false HTTP "Content-length" header, then my browser had better not trust this information. It has nothing todo with miscalculating array sizes. It's not really a bug in the browser either, since the browser code ADHERES TO THE HTTP SPECIFICATION and assumes that the server does, too.

The problem is in the assumption about the integrity of the data passed to the program. Get it?

Those documents are obsoletes

Why use C when you can use Java/C# and other evoluated languages?

I mean, is C more "eleet"? If so, why don't you write ASM then?? Stop wasting your time with all those old shit, go forward!

Re:Secure, Easy, Efficient C? Dont they call that.

Secure, Easy, Efficient C? Dont they call that...

Close but sadly lacking the last adjective

Re:As a lib and/or in general programming tutorial

A girl named Stefan? Watch out fellow ACs, this is one of them evil NAMBLA freaks lurking in a 'chat room' like we keep hearing about...

Exceptions in C?

[Pseudonym]

As a matter of interest, how do you combine cleanup and exceptions in C? I mean if you throw an exception, you want this memory deallocated and this file closed and this lock released and so on.

I can think of a few ways to do it, but none of them are anywhere near "natural-looking".

Do you have any references?

(No, this is not a pro-C++ troll. I'm genuinely curious.)

Re:Exceptions in C?

[pclminion]

You use a hybrid stack. You push two kinds of objects onto this stack: environment frames and cleanup frames. When you use the TRY macro to open a new exception frame, you push an environment frame onto the stack. This frame includes a jmp_buf struct which is filled in by a call to setjmp(). If an exception is thrown, control will transfer back via longjmp(), using this jmp_buf.

Then, as you allocate memory, open files, lock mutexes, or whatever, you register cleanup functions with another macro. This pushes a cleanup frame onto the stack indicating a function to call along with a single argument.

Then, if an exception is thrown, you just pop cleanup frames off the stack and execute them, until you hit an environment frame. At that point you call longjmp() to transfer control to the user-code exception handler, inside the CATCH macro block. That user code can choose to do cleanup or error recovery, or it can THROW again and continue propagating the exception up the stack.

Figuring out how to implement the TRY, CATCH, ENDCATCH, and THROW macros is fun, so I won't give away exactly how to do it. It's simple, and involves a creative use of a do-while statement.

K&R designed for paper, not for monitors

[0x0d0a]

The point of K&R was to jam programs onto paper books. Using K&R is to a computer what QWERTY is. It's utterly stupid to use K&R for actual programs on a computer -- BSD style is clearly the way to go. :-)

Re:K&R designed for paper, not for monitors

[thogard]

why, books and screens have the same problem... limited space. The more readable code I can see on a page, the less likly I am to miss something importaint. Since most bugs are because a coder missed something, it seems to me that the most readable compact style makes sense.

Re:K&R designed for paper, not for monitors

Books use K&R style to limit the size of code because it costs more money to print more pages. It has nothing to do with being able to see more code.

I can fit over 120 lines on my screen. If your routine is bigger than that, then in 99% of the cases you had better rethink your code. In the other 1%, chances are that you're in some big switch statement or cascading if/else. Each of those better be able to fit on a screen.

Bottom line: if understanding your code requires being able to see a lot of it at a time, then your design is shite.

Re:K&R designed for paper, not for monitors

[Hrothgar+The+Great]

But, what if I just like looking at K&R? Are Slashdot people going to keep griping about it? Yeesh - I never even knew that bracketing styles had their own fucking terminology before. I guess I just haven't been around long enough.

I'll just keep doing what I've been doing. It seems readable enough to me.

Re:K&R designed for paper, not for monitors

[pyrrho]

C and C++ are not one of these formatting based languages that associates or differentiates based on indenting, do as thy will and put everything on a single line.

Re:K&R designed for paper, not for monitors

[psamuels]

Yeesh - I never even knew that bracketing styles had their own fucking terminology before.

So what do you type when M-x c-set-style asks you to pick a style? (:

Your choices, btw, are: "bsd", "cc-mode", "ellemtel", "gnu", "java", "k&r", "linux", "python", "stroustrup", "user", and "whitesmith". Many of these are only subtly different from each other - frex, "linux" is basically "k&r" with an 8-space basic offset.

That's why these styles need actual names - you can just blame it all on Emacs. (:

glib rules

[0x0d0a]

If you use glib (that blessed library that makes C programming pleasant instead of miserable, not to be confused with glibc), you get a couple of extremely handy functions:

g_strconcat() (mallocs a new string that's just large enough, concatenates all passed in strings to it)

g_strdup_printf() (mallocs a new string that holds the result of a sprintf()).

Most people's exposure to glib is usually through gtk+, which uses it heavily.

Uh, huh

[0x0d0a]

Wee bit of a functional bias, eh?

You're right that C limits large-scale optimization too much, though...

use C++, but use it almost like C

[g4dget]

Secure, efficient, and easy C programming is no problem--if you use C++ but program it in a C style.

Many C++ programs and class libraries suffer from Smalltalk-envy. They want to be completely general frameworks, solving any possible future problem you might ever encounter. You find madness, bloat, and slipped deadlines if you go down that path.

But if you stick to the standard C library (which is part of C++) and approach C++ like you would C, you can write programs that work with C-like efficiency yet are considerably easier to make safe and secure.

For example, instead of the bloated and hard to debug STL, just define a 15 line template array class that does array bounds checking and deallocates its pointer when it's done.

Re:use C++, but use it almost like C

[HuguesT]

You are missing the point of the STL. Well implemented it is incredibly efficient, versatile *and* standard. The STL is the very best part of C++.

You will be forced to re-implement your 15-line class in every new project that you deal with because it won't do something that you hadn't foreseen before. You will introduce bugs.

How many times have you re-implemented the classic linked list? a stack?

At some point having written some software you will notice that it would run better with a list rather than an array: your project description has changed and now you need to be able to insert elements in the middle of your data.

With your 15 line array implementation you are completely screwed. With an STL vector you just change to list and you recompile. Problem solved.

If this has never happened to you you are not working in the real IT world of constantly changing requirements.

Jeez, just learn C++ already

[Moses+Lawn]

OK, so that subject's a little inflammatory. But my god, I don't see why anybody is still writing new code in C in this day and age. C++ has been a fast, stable, standardized language for what - 10 years now? All the problems with buffer overflows that require hokey, kludgey workarounds in C are cleanly solved with any well-written string library (like, say, the one in the STL). Memory pools can be nicely wrapped with a class that pushes in the ctor and pops in the dtor, so you don't have to remember to call them in the right order everywhere (just declare an object at the top on the block).

The arguments I've seen against C++ seem to fall into the following categories:

* It adds bloat and it's slow
No, not since optimizing compilers were perfected in the 90s. You can add a lot of overhead to your app by abusing the STL, but for non-trivial applications, you'll never notice it. GCC (at least for the pre-3.0 series) has a really unoptimized template implementation, where "Hello, world" using cout would make a multi-megabyte executable (and be forever compiling it), but more modern compilers, like VC++ and Intel's compiler, do a lot better. Either way, for a real-world app, any size increase will be unnoticable. As for speed, with an optimizing compiler and judicious use of inlining, a C++ program will run just as fast as one written in C.

These complaints may have been true in the days of the Cfront preprocessor, but not today. I don't know about you, but I no longer write code for a 386 with 4 meg of memory.

* I don't like/need/want to learn OOP
You don't need OOP to use C++, but it helps. A class is just a struct where everything's private by default. If you know C, it takes about a day to learn the basics of constructors and destructors, references, and exceptions. Templates and STL will take a bit longer. One great about C++ is that you can just use small bits here and there if you don't want a full-blown OO program.

* It's not as good as Perl/Python/Ocaml/Eiffel/Java/whatever
That's not the point. It's not supposed to be. It's supposed to be as good or better than C. If you want a standalone-executable without linking in a complete interpreter and you don't need a lot of string parsing or regexps, you were using C anyway.

* It won't let me write libraries that work with other languages
Just declare all of your external APIs using 'extern C' and make sure they only use C types in their signatures. Done.

The main reason not to use C++ in new development seems to be "I don't want to learn it" or "I don't know anything about it". If you use either one, I don't ever want to work with you.

Re:Jeez, just learn C++ already

* It's not as good as Perl/Python/Ocaml/Eiffel/Java/whatever
That's not the point. It's not supposed to be. It's supposed to be as good or better than C. If you want a standalone-executable without linking in a complete interpreter and you don't need a lot of string parsing or regexps, you were using C anyway.

Why? I know Eiffel, Java, Ada, Common Lisp, and Scheme can produce compiled binaries without linking in anything that could be considered a complete interpreter. I know I moved from C++ to Ada because C++ didn't seem to fix any of the problems with C.

Re:Jeez, just learn C++ already

[Moses+Lawn]

I know Eiffel, Java, Ada, Common Lisp, and Scheme can produce compiled binaries without linking in anything that could be considered a complete interpreter.

If that's the case, then I apologize for misspeaking. I've only encountered these as interpreted languages (Except for Ada, which is another thing altogether. I didn't know anyone used it any more outside of the DOD.) I know Java can be compiled, but that's not really what people usually do.

btw, what's it like to use Ada on a daily basis? My only experience was in school, where it impressed me as the most anal-retentive language in existence. It made Pascal look like pre-ANSI C. I know it was designed to be bulletproof and usable for huge projects by huge teams. I also was under the impression that it was pretty much dropped, quietly, after a few years. What's the story?

Re:Jeez, just learn C++ already

[hankaholic]

Please ignore the junk at the beginning of this post. Shitdot won't just let me post because the characters/line ratio is "too low". If we need stupid filters like this, does that mean that moderation can't handle filtering out garbage?

Slashdot tells me this post has too few characters per line. It also complains a lot about a lameness filter. Isn't this all what moderation was supposed to be for? Talk about a productivity hit. Because of stupid useless restrictions which SHOULD be unnecessary because of the "wonderful" moderation system, I'm forced to add this crap so I can fucking post. AAAAAAAAAAAAAAARRRRRRRRRRGGGHHHHH! THIS IS ABSOLUTELY RETARDED! Slashdot tells me this post has too few characters per line. It also complains a lot about a lameness filter. Isn't this all what moderation was supposed to be for? Talk about a productivity hit. Because of stupid useless restrictions which SHOULD be unnecessary because of the "wonderful" moderation system, I'm forced to add this crap so I can fucking post. AAAAAAAAAAAAAAARRRRRRRRRRGGGHHHHH! THIS IS ABSOLUTELY RETARDED! Slashdot tells me this post has too few characters per line. It also complains a lot about a lameness filter. Isn't this all what moderation was supposed to be for? Talk about a productivity hit. Because of stupid useless restrictions which SHOULD be unnecessary because of the "wonderful" moderation system, I'm forced to add this crap so I can fucking post. AAAAAAAAAAAAAAARRRRRRRRRRGGGHHHHH! THIS IS ABSOLUTELY RETARDED! Slashdot tells me this post has too few characters per line. It also complains a lot about a lameness filter. Isn't this all what moderation was supposed to be for? Talk about a productivity hit. Because of stupid useless restrictions which SHOULD be unnecessary because of the "wonderful" moderation system, I'm forced to add this crap so I can fucking post. AAAAAAAAAAAAAAARRRRRRRRRRGGGHHHHH! THIS IS ABSOLUTELY RETARDED! Slashdot tells me this post has too few characters per line. It also complains a lot about a lameness filter. Isn't this all what moderation was supposed to be for? Talk about a productivity hit. Because of stupid useless restrictions which SHOULD be unnecessary because of the "wonderful" moderation system, I'm forced to add this crap so I can fucking post. AAAAAAAAAAAAAAARRRRRRRRRRGGGHHHHH! THIS IS ABSOLUTELY RETARDED! Slashdot tells me this post has too few characters per line. It also complains a lot about a lameness filter. Isn't this all what moderation was supposed to be for? Talk about a productivity hit. Because of stupid useless restrictions which SHOULD be unnecessary because of the "wonderful" moderation system, I'm forced to add this crap so I can fucking post. AAAAAAAAAAAAAAARRRRRRRRRRGGGHHHHH! THIS IS ABSOLUTELY RETARDED!

Every time I decide that a particular problem I'm facing might be solved by a spiffy C++ feature, I'm disappointed by something not working as I'd expect.

For example, in C:

file.h:

#ifndef __FILE_H
#define __FILE_H

void func();

#endif /* FILE_H */

file.c:

#include <stdio.h>
#include "file.h"

void func()
{
printf("I love C!\n");
}

main.c:

#include "file.h"

int main()
{
func();

return 0;
}

This presents no problems, and compiles as expected (assuming no typos, of course).

With templates, in C++:

chet@bunny:~/src/template_fuck$ cat templ_fuck.h
#ifndef __TEMPL_FUCK_H
#define __TEMPL_FUCK_H

#include <iostream>

template <class T>
T func(T param);

#endif /* TEMPL_FUCK_H */
chet@bunny:~/src/template_fuck$ cat templ_fuck.cc
#include "templ_fuck.h"

template<class T>
T func(T param)
{
cout << param << endl;
return param;
}
chet@bunny:~/src/template_fuck$ cat main.cc
#include "templ_fuck.h"

int main()
{
func(10);

return 0;
}
chet@bunny:~/src/template_fuck$ cat Makefile
CC=gcc-3.0

all: crap

crap: main.o templ_fuck.o
g++ -o crap main.o templ_fuck.o
chet@bunny:~/src/template_fuck$ make
g++ -c -o main.o main.cc
g++ -c -o templ_fuck.o templ_fuck.cc
g++ -o crap main.o templ_fuck.o
main.o(.text+0xc): In function `main':
: undefined reference to `int func<int>(int)'
collect2: ld returned 1 exit status
make: *** [crap] Error 1
chet@bunny:~/src/template_fuck$

Why doesn't this work? Because your "perfected" optimizing compiler can't handle link template code. Instead of putting the declaration in a header file, and the definition in a source file, many C++ compilers (VC++ included, as I understand it) force you to put the code itself in your header file.

I know admittedly little about the subject, but it is my understanding that this is NOT required according to the language definition, but is simply a language feature not properly implemented by compilers.

I keep trying to like C++, I really do, but sadly things like this keep cropping up. Now, instead of just learning to use a language feature and gaining productivity in the deal, I'm forced to determine whether the bug is my fault, or a language problem.

Sure, now that I know that templates are crippled, I can use them. However, it makes me wonder what the point of separate compilation units is. Why don't we just put all of the code in headers, and include them all from one main source file?

I learned Java. Then Sun immediately deprecated AWT and pushed Swing upon everyone. I gave up, because within weeks of learning Java, what I'd learned was already outdated. (A case of bad timing, sure, but discouraging nonetheless.)

I try using a commonly cited feature of C++, and find that the compiler can't properly handle it, even a few years later (where "properly" is definited by both working as one would expect, and working as the language definition describes).

C may be dirty, and C may be stupid, but C has been constant.

Re:Jeez, just learn C++ already

[Tiny+Elvis]

You may be ready for Common Lisp now.

Re:Jeez, just learn C++ already

[Moses+Lawn]

I doubt anyone will ever see this, but...

[Grumpy comments about templates needing to be in headers files and not source files to link successfully, and about Sun dicking with the Java spec in parent post]

Hey, I know what you're going through, and I agree, it sucks. I got bit by the templates-must-be-in-header-files thing the exact same way when I first started using them. Yeah, it sucks, and you're right, the spec doesn't require it. But that's the state of the technology right now. When I use templates, I just suck it up and put them in headers.

I'm sorry for your bad timing with Java, but unless all you ever do is GUI code, there's still a whole useful language to use. Besides, even if AWT *is* deprecated, it's not going to go away anytime soon - it's *deprecated*, not *removed*. You can still use it to your heart's content, and learn Swing over time.

The point is, you can't give up on a technology just because you had a bad experience with it. I'm sorry C++ is hard to learn, and I'm sorry Sun has chaotic roadmaps, but shit, man - you can't stop learning. Remember how hellish pointers and addresses were to learn in C? If you take that attitude, you'll be using BASIC the rest of your life.

Go ahead, try C++ again. Forget about templates until you actually need them. I think you'll find it to be a lot more productive, and pretty soon you'll wonder how you could ever go back to using C for everything.

Oh, and I got hosed by the "characters per line" nonsense just the other day. I completely agree, it's bullshit. Instead of telling me that it's currently 38.2, try telling me how many it should be. Or, perhaps, just let the moderators do their job.

Re:Jeez, just learn C++ already

Thanks for the response. It is an unexpected treat to see a coherent post in response to my drivel ;)

Remember how hellish pointers and addresses were to learn in C? If you take that attitude, you'll be using BASIC the rest of your life.

No way, man! I went from GW-BASIC to assembly. The fact that C _had_ pointers which weren't brain-dead was what initially turned me on to it.

Go ahead, try C++ again. Forget about templates until you actually need them. I think you'll find it to be a lot more productive, and pretty soon you'll wonder how you could ever go back to using C for everything.

Well, I've not written off C++. I don't like OOP for OOP's sake, but occasionally overloaded functions and their logical extensions (template classes) are useful. That's what turned me off -- the most attractive language feature (to me) was poorly supported by the compiler which I use.

Other than templates and function (and operator) overloading, I'm not sold on many of the C++ features I've seen. As you replied to my post in an abnormally coherent manner, I'd definitely appreciate further input on what features _you_ personally find useful on a regular basis.

Regarding AWT/Swing, I agree completely, but what pissed me off was that I just wanted to write a stupid applet, and I had a slight feel for AWT. It's dumb to write off a language after one bad experience, and I still do love some of what Java does (mmm... cross-platform bytecode...), but little annoyances are what can make a good language seem painful.

Again, thanks for the response.

Re:Jeez, just learn C++ already

[Moses+Lawn]

Thanks for the response. It is an unexpected treat to see a coherent post in response to my drivel ;)

Well thank you... I appreciate that someone reads these and thinks they're useful.

Other than templates and function (and operator) overloading, I'm not sold on many of the C++ features I've seen. As you replied to my post in an abnormally coherent manner, I'd definitely appreciate further input on what features _you_ personally find useful on a regular basis.

Okay, here goes. In no particular order:
* Function overloading: I can have 3 different versions of a function that take 3 different sets of arguments without having to write

foo1(int);
foo2(char *, int);
foo3();

* Default arguments: Got a function that takes 3 arguments, two of which are usually empty? Just do (in the prototype only!)

foo(int p1, int p2 = 0, int p3 = 0);

* Constructors and destructors: If you have a struct that needs to be initialized before you use it, or needs to clean up stuff before it goes away, these are for you. Constructors are just like any other function, so you can have as many of 'em as you want:

class yada
{
yada(); // default
yada(int i); // initialize with i
yada(blarf * b); // use a struct to init

// and so on...
};

One cool thing is to write a class that does nothing but grab a resource (critical section, open a file, etc.) in the ctor and release it in the dtor. Then just declare one at the top of the block that uses said resource, and hey presto - you never need to remember to grab/free again:

int foo()
{
cLockResource lr; // ctor locks whatever

// code to use whatever

} // on block exit, whatever is released by dtor

The really handy thing is that no matter how you exit the block, even via an exception, the freeing happens. Very handy.
* Comments // like this
* Being able to declare variables anywhere, not just at the top of a block. Declare them where you use them, not 50 lines before.
* Conversion operators: Use an object as if it was another type altogether. This is debatably useful if you have accessor functions, but it comes in handy:

class blah
{
int m_i;
// ....
operator int () { return m_i; } // pardon my syntax...
};

// elsewhere...
blah b;

// assume void func(int i);

func(b); // instead of func(b.get_i()) or func(b.m_i)

Again, not always necessary, but it keeps the caller from having to know any more about 'blah' than they have to. Besides, it just looks cleaner.

I know I've overlooked a lot. Try picking up one of Bruce Myers' books (Effective C++, More Effective C++) - he explains it all much better than I can. Beware, though. C++ is a really complicated language, and there are a lot of subtle things that can bite you in the ass. Don't try doing everything at once. Just explore a feature at a time. Consider the assbiting a learning experience. The Annotated C++ reference is a good book to look at. I think Stroustrup has one out.

Oh - and you can do amazing tricks with templates - a few years back, C/C++ Users Journal had a set of templates that converted strings of 1s and 0s ("110010") into integers *at compile time* - no more than 25 lines of code. Way way cool.

Anyway, I hope this was useful. Keep with it - you'll be glad you did.

Re:Jeez, just learn C++ already

I'm not the one you replied to, but I'd just like to thank you for your informative post.

-- An AC.

Re:+1 Insightful, PERL can do more!

When I was a production coder for a decade writing internal apps, I could always find things that I could do in PERL that were almost impossible in C.

My personal favorite was a typical "data pump" app that did some frontend work for a larger (15 GB+) data stream in order to massage it inline as it went from tape to an Oracle load (we didn't want to stage it on disk first).

The PERL apps could *ALWAYS* soak a CPU on our Sun box while transforming the data.

Try as I might, I could never get a C replacement program to do the same. At best, the C code posted percent utilizations in the low double digits.

Pity, I like C, but if we keep using it, we will never be able to force management to buy another twin-CPU module. PERL rocks!

How about some implementations?

The howto would be much more helpful to people reading if you had implentations illustrating the concepts instead of just showing code using the APIs

it should have a section comparing C to C++

[small_dick]

...and while doing so explain how to hide data, make friendly header files, properly expose data, in C.

Big deal

This is useless. Show us a way to 1) fix the bazillions of lines of crappy C code out there doing buffer overruns by the thousands as I type this, and 2) force programmers to write good code, and then you'll have something.

I don't mean to sound pissy about this, but I've been a professional programmer since 1979, and I've seen more sins committed with C than any other programming tool. I've written a few hundred thousand lines of C myself, and avoided the infamous memory and string problems, as have a lot of coders. But as long as people insist on using tools like C that require that level of diligence to create robust code, software will continue to suck.

Is it just me or does slashdot suck more and more?

[sgml4kids]

1. There are more ways to exploit C code than looking for buffer overflows. race conditions are a more prevalent and portably exploitable vulnerability of a large body of C code (eg. config file integrity). Following the author's guidelines barely improves the security of any program. If you want to make your code secure, spend a month reading the 1000s of articles online (or at the ACM or IEEE or CERT/CC) about how software is compromised. This is so much crap.

2. This is so not news for so many reasons. Slashdot is becoming so out of touch (yes, isn't it cool knowing some freak shoved a Pentium giga-twat up his ass and replaced his eyeballs with WiFi LCD projectors?) I sometimes get nauseated reading these stupid "news" items.

Slashdot: News for the Herd. Stuff that goes "Baaaaaa"

The practicality of this approach

is questionable. This is yet another example of something with more geek value than actual utility. Just because you like to use and old obsolete tools doesn't mean it's the most productive. It's the year 2002. This has been said before. Get Java, even C#. Of course the C fanatics will spew about the "Performance penalities" of Java. Get over it. Have you seen the latest benchmarks? JVM's have made a lot of progress. If you don't value your time, then by all means, stick with C. Heck, if you're really crazy about performance, use assembly! Otherwise, don't waste your time and use a modern language.

problem with standard C

[NynexNinja]

One serious problem I see with all modern C implementations and C in general is the lack of a robust next generation standard C library. The big reason languages like Perl and PHP became popular in the first place was their ease of implementation of common routine tasks. Things like regular expression pattern matching (a good extended regex split(), a good extended regex replace, things that dont exist anywhere in C), good hashing, etc. Things that perl excels at but C just lacks. No one cared enough to update the core standard reference. In my opinion its long due for an update. I love C because its compiled and you dont have to pass around the source code for everything you write, super fast and very portable. I just wish it had a good standard C library. The standard C reference library was written like 30 years ago and has not been updated since. Its just a damn shame that everyone out there is forced to re-invent the wheel with C every time they want to do the most simplest of tasks, because C doesnt have any good standard C library.

ISO C solves some of these probs

[Codijack]

Some of the memory allocation problems mentioned in the FAQ can be solved using standard ISO C features: variable size arrays and mixed code/declarations. The problem with this is that:

1. Very few C programmers have started looking at what's new in ISO C.
2. Compilers are only starting to implement the new features.

While compiler support is not complete, compilers (including GCC and ICC) provide a powerful subset of ISO C already.

Basically, now you can do things like:
size = compute_size();
char buffer[size];
use_buffer(buffer, sizeof buffer);

You can even do this in a loop, having the stack space reused (reallocated from the stack) in each iteration.

ISO C even allows passing these beasts as arguments to functions (with the sizeof operator working in the function):
void some_function(char buffer[*])
{ use_buffer(buffer, sizeof buffer); }
(Unfortunately, GCC does not support this yet.)

I recommend taking a look at ISO C!

regards, CJ

ALL UPPERCASE C LANGUAGE

[hayriye]

have you every tried to convert a C source code to all-caps? It is more secure this way and suitable for business programming.

On static strallocs in qmail and djbdns

qmail and djbdns uses statically created buffers which are reused and never freed - that's pretty dangerous unless you can be sure the buffer isn't in use anymore.

How is this a problem in single-threaded code?

It's actually pretty much the same as having static char bigbuf[8192] which is used by several functions.

Except, of course, that strallocs automatically grow, which is the whole point.

dillo file://usr/doc/glibc-doc ?

[Chexsum]

Its nice to see Im not the only person who has read glibc-doc. I was very interested in obstacks when I read about them last month but havent used them yet and this HOWTO is a nice read also.

I think glibc-doc needs more humour so more people read it. :P

My micro-howto

[Hard_Code]

Secure, Efficient and Easy C Programming

* Not possible. Stop using C for the love of god.

---

But seriously, am I the only one that thinks that circumventing C's lack of sophisticated memory management by using a hack involving surreptitiously using stack frame memory is BAD BAD BAD? Certainly not secure or easy?

How about the next howto:

"Shooting yourself in the foot, securely, efficiently and easily!"

Re:My micro-howto

[Codijack]

I don't think you can go completely without using a low level language like C. Most high level language runtime systems are written in... C, guess why!

The real answer is: ``Stop using C as a high level programming language.'' C is basically a partially platform independent macro assembler language. People should keep this in mind.

CJ

Exceptions in C - check out SIOD

[alispguru]

Exceptions in C. You can get quite natural-looking exception handling in C, with some convoluted macros. I'm sure most hardcore C coders have come up with their own implementations.

The best exceptions-in-C implementation I've ever used is buried in SIOD by George Carrette. Despite using setjmp/longjmp, it's portable as all hell.

Hey Spambots!

kamy@mbnet.fi
anttika@mail.suomi.net

Re: 90%/10%

" ... 90 percent of the software's running time occurs in only 10 percent of the code."

Everybody says this, but who has the data to back it up? What 10% are you talking about, the system code for fgets(), or your rendering algorithm?

Or is this another one of those fallacies that authors copy from each other's books (to paraphrase Wolfgang Langwieshe)?

Greenspun's tenth rule of programming

[jonis]

And yet agean we can witness this wonderful rule at work...

there already is one

[WhiteDragon]

it's called Net::TCP

*duck*