Re: Why does rewind() ignore errors?



Dr A. N. Walker wrote:
> In article <1149221290.216651.303370@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
> <kuyper@xxxxxxxxxx> wrote:
> [...]
> > If you know with a certainty that your input doesn't contain any
> > over-length lines, it's safe, but such certainty usually reflects
> > self-delusion, not reality.

> Whoa! In your reality, perhaps; but not so in mine; and
> I'd guess that my reality matches that of at least a significant
> proportion, and perhaps a large majority, of C code being written
> [not *used*, but *written*]. ...

I don't know where your reality is; mine includes computers connected
to the internet that cannot, despite the best available security
systems, be kept perfectly clean at all times from unwanted intrusions.
However, while malicious intruders who deliberately misuse a program
are a problem, a far more serious threat (assuming the system has
decent security software that is being used properly) is the ordinary
users who through either stupidity or carelessness or badly written
documentation invoke a program in the wrong context.

> > In reality, a program that fails
> > catastrophically when handed input that doesn't match its input
> > specifications is usually defective; [...]

> ... Ditto. ...

> > There is one exception: some software is deliberately designed to
> > damage the system it is run on [...]

> ... No, there are *lots* of exceptions. Most of my
> programs have no security, safety or commercial implications,
> likewise those of my colleagues or students.

The consequence of buffer overruns isn't just a possible security
violation. It's undefined behaviour. To me, undefined behavior is
serious - as far as the C standard is concerned, there are no limits to
the damage that can occur when the behavior is undefined. Reality is a
little kinder than that, but not a lot. Basically, anything your C
program could have done deliberately by means of code with defined
behavior is something that could occur when the behavior is undefined,
and in most contexts that includes at least one behavior that I REALLY
don't want to have happen; usually, it includes a very large number of
possibilities that I never want to have happen. There are relatively few
contexts, for instance, in which it would be acceptable for a program
to malfunction by deleting or overwriting every file that you have
permission to write to.

> If input validation *is* required, what happened to the
> notion of a validation *phase*? In Unix-like systems, this is

In my code, I use the standard that the fact that a given piece of code
has defined behavior must be verifiable simply by looking at other code
in the same translation unit; I insert validation code wherever needed
to make that possible. For calls to a function defined in another TU,
this requirement only applies to the arguments and return value of that
function; that the other function works properly is something to be
determined by looking at the TU that it's defined in. Despite the fact
that I break my code into fairly short files (typically no more than a
few hundred lines), I've not found this a burdensome requirement.

> Again, if there are security/safety/commercial implications, then
> the rest of the pipeline should be somewhat paranoid, but in most
> research/academic/domestic applications?

Most research/academic/domestic applications that I'm aware of are run
in contexts where plausible forms of "undefined behavior" include at
least one completely unacceptable behavior, and usually a LOT more than
one.
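The disagreement above turns on a concrete coding question: what a line reader does when an input line is longer than its buffer. The following is an added example, not code from either poster, showing one way to meet the standard described in the reply (every call's defined behaviour checkable within the translation unit): a bounded reader that distinguishes a line that fit, a line that was too long (whose tail is discarded rather than silently treated as the next line), an unterminated final line, and an I/O error. The `read_line`/`scan_lines`/`scan_sample` names and the sample text are constructed for this example; it uses `fseek()` rather than `rewind()` so the repositioning failure the thread title asks about can be checked.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of one bounded line read (constructed for this example). */
enum line_status { LINE_OK, LINE_EOF, LINE_TOO_LONG, LINE_IO_ERROR };

/*
 * Read one line from fp into buf (capacity `size`), dropping the trailing
 * newline. fgets() never writes past size-1 characters plus the NUL, so the
 * buffer cannot overrun; the work left to us is telling a line that fit
 * from one that was cut short, and making sure an over-length line's tail
 * does not get mistaken for the next line on the following call.
 */
enum line_status read_line(FILE *fp, char *buf, size_t size)
{
    if (size < 2)
        return LINE_TOO_LONG;            /* nothing useful fits; caller bug */
    if (fgets(buf, (int)size, fp) == NULL)
        return ferror(fp) ? LINE_IO_ERROR : LINE_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }

    /* No newline in the buffer: peek one character to find out why. */
    int c = getc(fp);
    if (c == '\n')
        return LINE_OK;                  /* content filled the buffer exactly */
    if (c == EOF)
        return ferror(fp) ? LINE_IO_ERROR : LINE_OK; /* final unterminated line */

    /* Over-length line: discard the remainder up to the newline. */
    while (c != '\n' && c != EOF)
        c = getc(fp);
    return (c == EOF && ferror(fp)) ? LINE_IO_ERROR : LINE_TOO_LONG;
}

struct line_stats { int ok; int too_long; int io_errors; };

/* Scan fp with a buffer of `cap` bytes (at most 64) and tally the outcomes. */
struct line_stats scan_lines(FILE *fp, size_t cap)
{
    char buf[64];
    struct line_stats st = {0, 0, 0};
    if (cap > sizeof buf)
        cap = sizeof buf;
    for (;;) {
        enum line_status s = read_line(fp, buf, cap);
        if (s == LINE_EOF)
            break;
        if (s == LINE_OK)
            st.ok++;
        else if (s == LINE_TOO_LONG)
            st.too_long++;
        else {
            st.io_errors++;              /* stop: the stream is unreliable now */
            break;
        }
    }
    return st;
}

/* Write a constructed sample to a temporary file and scan it with a 16-byte
 * buffer. Returns {-1,-1,-1} if the temporary file cannot be set up. */
struct line_stats scan_sample(void)
{
    static const char sample[] =
        "short line\n"
        "this line is far longer than sixteen bytes and must not overrun\n"
        "exactly15chars!\n"             /* 15 chars + newline: fills the buffer exactly */
        "no newline";                    /* final line without a terminator */
    struct line_stats st = {-1, -1, -1};
    FILE *fp = tmpfile();
    if (fp == NULL)
        return st;
    fputs(sample, fp);
    /* fseek() reports failure; rewind() would silently discard it. */
    if (fseek(fp, 0L, SEEK_SET) != 0) {
        fclose(fp);
        return st;
    }
    st = scan_lines(fp, 16);
    fclose(fp);
    return st;
}

int main(void)
{
    struct line_stats st = scan_sample();
    printf("ok=%d too_long=%d io_errors=%d\n", st.ok, st.too_long, st.io_errors);
    return st.io_errors == 0 ? 0 : 1;
}
```

With the 16-byte buffer the sample yields three complete lines and one over-length line; the over-length line's tail is consumed, so the count is not inflated by fragments, and the unterminated last line is still accepted as a line.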
