Bounds checked string library

A function like strcpy takes now, two unbounded pointers.

Unbounded pointers, i.e. pointers where there is no
range information, have catastrophic failure modes
specially when *writing* to main memory.
Jacob
in this and your other post, I personally feel you're solving problems that
don't exist. A good compiler will have its own way to check them during
debugging, and careful programming will avoid them in production.

Plus frankly, I don't see this as a problem anyway. I'm passing an array
to a function and doing something with it - in your model I need to know
how big it is when I write the fn, which is a serious problem. Imagine I'm
reading in data from a file, and mallocing the memory for it, I don't know
at compile time how much memory ie how large an array I need.

I understand what you're trying to do but I do genuinely think that its a
problem thats already solvable by adequate quality programming.
A better string library would accept *bounded* pointers.
We would have then:
char *strcpyN(char *destination, size_t bound1,
char *src,size_t bound2);
strncpy does most of this already. The bit it doesn't do, checking the size
of the destination, is trivial to check yourself before calling it.
Their use could be made more generalized when the
functions in the C library would leave the obsession
with unbounded pointers and accept this type too.

On Sat, 14 Feb 2004 22:48:48 +0100, in comp.lang.c , "jacob navia"
<ja***@jacob.re mcomp.fr> wrote:

A function like strcpy takes now, two unbounded pointers.

Unbounded pointers, i.e. pointers where there is no
range information, have catastrophic failure modes
specially when *writing* to main memory.
Jacob
in this and your other post, I personally feel you're solving problems

that don't exist. A good compiler will have its own way to check them during
debugging, and careful programming will avoid them in production.

No. There is no way to write the strcpy function without
provoking a catastrophic failure with unbounded pointers.

Plus frankly, I don't see this as a problem anyway. I'm passing an array
to a function and doing something with it - in your model I need to know
how big it is when I write the fn, which is a serious problem.
This is precisely my point. This *is* a serious problem. You
*must* check the bounds of the array when writing to it.

Most C programmers do not do it because is incredible
tedious:

if (strlen(src) < sizeof(dst))
strcpy(src,dst) ;

You see a lot of code like that?

Imagine I'm
reading in data from a file, and mallocing the memory for it, I don't know
at compile time how much memory ie how large an array I need.

fread accepts bounded pointers, since the input buffer is bounded
by the size to read in!!!
I understand what you're trying to do but I do genuinely think that its a
problem thats already solvable by adequate quality programming.

Yes, but it is VERY TEDIOUS so most people (me included)
do not do it!!!

This is precisely the problem. The interface of those function
is plain wrong.

A better string library would accept *bounded* pointers.
We would have then:
char *strcpyN(char *destination, size_t bound1,
char *src,size_t bound2);

strncpy does most of this already. The bit it doesn't do, checking the

size of the destination, is trivial to check yourself before calling it.

Their use could be made more generalized when the
functions in the C library would leave the obsession
with unbounded pointers and accept this type too.

better to create a new type, say "string", which contains the size info
within the type. What does that remind me of... :-)

"Mark McIntyre" <ma**********@s pamcop.net> a écrit dans le message de
news:rj******* *************** **********@4ax. com...

On Sat, 14 Feb 2004 22:48:48 +0100, in comp.lang.c , "jacob navia"
<ja***@jacob.re mcomp.fr> wrote:

>A function like strcpy takes now, two unbounded pointers.
>
>Unbounded pointers, i.e. pointers where there is no
>range information, have catastrophic failure modes
>specially when *writing* to main memory.
Jacob
in this and your other post, I personally feel you're solving problems

that

don't exist. A good compiler will have its own way to check them during
debugging, and careful programming will avoid them in production.

No. There is no way to write the strcpy function without
provoking a catastrophic failure with unbounded pointers.

Thats not what I said. The compiler writer can implement bounds checking in
debug mode without changing the syntax of strcpy. And you, the user of
strcpy, can avoid buffer overflows by writing careful code.

Plus frankly, I don't see this as a problem anyway. I'm passing an array
to a function and doing something with it - in your model I need to know
how big it is when I write the fn, which is a serious problem.

This is precisely my point. This *is* a serious problem. You
*must* check the bounds of the array when writing to it.

Rubbish. When you read 4 bytes from a file into a 12-byte array, do you
need to check that the destination is big enough first? When you copy those
4 bytes into a 128 byte array, do you need to check again?

When you need to check you should check. Wen you don't you don't.
Most C programmers do not do it because is incredible
tedious:
if you do it like this, its tedious. However if your code requires such
checking, then you /should/ put it in.
if (strlen(src) < sizeof(dst))
strcpy(src,dst) ;
This is not how to do it though.
You see a lot of code like that?

Imagine I'm
reading in data from a file, and mallocing the memory for it, I don't know
at compile time how much memory ie how large an array I need.

fread accepts bounded pointers, since the input buffer is bounded
by the size to read in!!!

I understand what you're trying to do but I do genuinely think that its a
problem thats already solvable by adequate quality programming.

Yes, but it is VERY TEDIOUS so most people (me included)
do not do it!!!

>A better string library would accept *bounded* pointers.

strncpy does most of this already. The bit it doesn't do, checking the

size

of the destination, is trivial to check yourself before calling it.

At EACH CALL ???

>Their use could be made more generalized when the
>functions in the C library would leave the obsession
>with unbounded pointers and accept this type too.

better to create a new type, say "string", which contains the size info
within the type. What does that remind me of... :-)

Yes. The other solution is to overload the [] operator
and use bounded strings. This is much easier but
probably would provoke such an outcry that a smaller
but still useful solution is better.

"Mark McIntyre" <ma**********@s pamcop.net> a écrit dans le message de
news:rj******** *************** *********@4ax.c om...

On Sat, 14 Feb 2004 22:48:48 +0100, in comp.lang.c , "jacob navia"
<ja***@jacob. remcomp.fr> wrote:

A function like strcpy takes now, two unbounded pointers.

Unbounded pointers, i.e. pointers where there is no
range information, have catastrophic failure modes
specially when *writing* to main memory.
Jacob
in this and your other post, I personally feel you're solving problems

that

don't exist. A good compiler will have its own way to check them during
debugging, and careful programming will avoid them in production.

No. There is no way to write the strcpy function without
provoking a catastrophic failure with unbounded pointers.

Plus frankly, I don't see this as a problem anyway. I'm passing an array
to a function and doing something with it - in your model I need to know
how big it is when I write the fn, which is a serious problem.

This is precisely my point. This *is* a serious problem. You
*must* check the bounds of the array when writing to it.

Most C programmers do not do it because is incredible
tedious:

if (strlen(src) < sizeof(dst))
strcpy(src,dst) ;

You see a lot of code like that?

No, I don't, and that's because where I work we
consider the use of strcpy() to be bad practice
and use strncpy() instead. Unadorned strcat(),
strcpy(), gets(), sprintf(), etc. don't pass code inspections.
They are treated as historical curiosities
which should not, in general, be used in production
code. And yes, checking the size of the destination
is standard coding practice in our shop.

Imagine I'm
reading in data from a file, and mallocing the memory for it, I don't know
at compile time how much memory ie how large an array I need.


fread accepts bounded pointers, since the input buffer is bounded
by the size to read in!!!

I understand what you're trying to do but I do genuinely think that itsa
problem thats already solvable by adequate quality programming.

Yes, but it is VERY TEDIOUS so most people (me included)
do not do it!!!

This is precisely the problem. The interface of those function
is plain wrong.

strcat(), et. al., were the first of the "strxxx" functions
to be issued and put into the library. After the problems
were identified, the "strnxxx" functions were issued.
(This was before ANY standard, I believe.) I would have loved
to see the former retired from the libraries, but that did
not happen, probably because too much existing code would break.
Yes, the functions have an interface which is dangerous when
used without discipline, but that, IMO, is not a reason
to change (or augment) the language specification.

Patient: "Doctor, it hurts when I do this."
Doctor: "Then don't do it."

A better string library would accept *bounded* pointers.
We would have then:
char *strcpyN(char *destination, size_t bound1,
char *src,size_t bound2);
strncpy does most of this already. The bit it doesn't do, checking the

size

of the destination, is trivial to check yourself before calling it.

At EACH CALL ???

This is of course possible but it is BAD DESIGN!

Why is it bad design? Please explain.

You are doing what a machine could do much faster.
What's the use of computers if we are going to waste
time and effort doing their job?

Their use could be made more generalized when the
functions in the C library would leave the obsession
with unbounded pointers and accept this type too.

As far as I know, there is nothing in the standard
which specifies the contents of a pointer. (Please
correct me if I am wrong.) Thus an *implementation *
may choose to somehow store the limits (bounds) of the valid area
for that pointer to operate on as part of the pointer
representation and doing something implementation
dependent when the pointer is out of bounds.
This would, of course, break code which relies
on pointer arithmetic, but that is bad practice
anyway. I know of no implementation which has
chosen to do so.

The implementation may also choose to implement
the standard libaries in a way in which the size
of the array_of_whatev er is stored in the size_t
bytes just before the array and perform bounds
checking that way. (Much like some malloc implementations
keep track of the size of an allocated area.)
Again, I know of no *C* implementation
which has chosen to do so. (Although some Fortran
string-handling packages do exactly that.)

Thus there appear, at least on the face of it,
a couple of possible ways to do this without changing
the language definition.

better to create a new type, say "string", which contains the size info
within the type. What does that remind me of... :-)

Yes. The other solution is to overload the [] operator
and use bounded strings. This is much easier but
probably would provoke such an outcry that a smaller
but still useful solution is better.

jacob

if (strlen(src) < sizeof(dst))
strcpy(src,dst) ;

You see a lot of code like that?

No, I don't, and that's because where I work we
consider the use of strcpy() to be bad practice
and use strncpy() instead.

The problem is that src will be longer than dst for a reason. Maybe someone
has an unusually long address, for example. Simply putting in a check
removes the undefined behaviour, but substitutes wrong behaviour, which is
no benefit at all. So you need either to exit the program with an error
message or code some sort of intelligent address truncator.As far as I know, there is nothing in the standard
which specifies the contents of a pointer. (Please
correct me if I am wrong.) Thus an *implementation *
may choose to somehow store the limits (bounds) of the valid area
for that pointer to operate on as part of the pointer
representati on and doing something implementation
dependent when the pointer is out of bounds.
This would, of course, break code which relies
on pointer arithmetic, but that is bad practice
anyway. I know of no implementation which has
chosen to do so.

A function like strcpy takes now, two unbounded pointers.
No, it takes two pointers. They are bounded by common sense programming
safeguards (such as Everything Must Be Somewhere).
Unbounded pointers, i.e. pointers where there is no
range information, have catastrophic failure modes
specially when *writing* to main memory.
Not if you don't let them fail.
A better string library would accept *bounded* pointers.
A /different/ string library would accept bounded pointers.
We would have then:
char *strcpyN(char *destination, size_t bound1,
char *src,size_t bound2);

Bounded pointers are used in C in many interfaces.
This is absolutely nothing new.
Indeed. Lots of people have written string libraries. (Me too!)
Their use could be made more generalized when the
functions in the C library would leave the obsession
with unbounded pointers and accept this type too.
That would be a mistake. C is fast right now, because it assumes the
programmer knows what he's doing. When bounds-checking makes sense, the C
programmer puts it in (and, if he doesn't, on his own head be it). If it
doesn't make sense, why bother? You'll just slow everything down.
Of course, clever compilers could pass automatically
size information to the called function, but that would
be just an improvement. What is needed is a standard
that would allow generalized use of this type of
pointers in applications that need them.

Because in many applications security is more
important than sparing a few cycles.
If you want C++'s std::string, you know where to find it. And if you don't,
well, here is C - it's lean and it's mean and it's very, very keen, so
please don't slow it down for the rest of us just because some people don't
know when to bounds-check and when not to.
Of course there exist many string libraries that do
this, but each has its own syntax. Much better
would be if standard C would encourage the use
of bounded pointers with a string library
that uses them.

Most C programmers do not do it because is incredible
tedious:

if (strlen(src) < sizeof(dst))
strcpy(src,dst) ;

You see a lot of code like that?

In 'comp.lang.c', "jacob navia" <ja***@jacob.re mcomp.fr> wrote:

Most C programmers do not do it because is incredible
tedious:

if (strlen(src) < sizeof(dst))
strcpy(src,dst) ;

You see a lot of code like that?
I have this in my personal standard C library in my "STR" module :

<snip>
On my "str.h", I could add if I dared:

#undef strcpy()
#undef strcpy
#define strcpy(a, b) assert (0)