Mailing-List: gcc-help@gcc.gnu.org (archive: sourceware.org)
From: Jeffrey Walton
Reply-To: noloader@gmail.com
Date: Mon, 16 Dec 2019 03:45:00 -0000
Subject: Re: Usage of C11 Annex K Bounds-checking interfaces on GCC
To: Liu Hao
Cc: David Brown, Martin Sebor, gcc-info@gcc.gnu.org, gcc@gcc.gnu.org
In-Reply-To: <085aaf83-675c-8376-8d3f-3dd87adb4222@126.com>
References: <74cc34eb-9ddf-ac42-7570-19501d30254c@gmail.com> <7854d62c-45c6-3294-47e4-8a9ef8984c7d@hesbynett.no> <085aaf83-675c-8376-8d3f-3dd87adb4222@126.com>
On Sun, Dec 15, 2019 at 9:43 PM Liu Hao wrote:
>
> On 2019/12/16 4:00, Jeffrey Walton wrote:
> >
> > If RTFM was going to work, then it would have happened in the last 50
> > years or so.
> >
> > If error-free programming was going to happen, then it would have
> > happened in the last 50 years or so.
> >
> > Come back to reality.
> >
>
> What's your point? Don't RTFM then don't code, period.
>
> >
> > Microsoft calls them "safer" functions. They are "safer" than the
> > original C functions they are supplementing. For completeness,
> > Microsoft does not claim they are completely safe.
> >
>
> They are of course not 'safer' for two reasons:
>
> One is that by having an additional parameter you ask for an additional
> size argument, but it is still possible that the user passed a wrong
> size, such as when you want the number of `wchar_t`s but your user
> supplied the number of bytes, which you have no clue about. The best
> advice would be using C++ templates to deduce the size of the output buffer,
> but it doesn't work in C, and even in C++ it works only when the
> argument is an array, string, vector, etc. It doesn't work if the
> argument is a pointer, in which case you still have to pass the size
> yourself.
>
> The other reason is that by requiring more arguments you increase the
> probability of bugs. Let's say there is a 1% chance that you pass a
> wrong argument. Then if there is 1 argument, the probability that you do
> everything right is 99%. If there are 2 arguments, it is 98.01%. If
> there are 10 arguments, it is 97.0299%. If there are 100 arguments, it
> is about 36.6%. It is not something we would like.

Typical of engineers... Now you are arguing for problems that don't
exist. Perhaps you should stick with the problems that do exist.

> > Huh? Are you begging the argument:
> >
> > char* ptr = malloc (50);
> >
> > And then claiming you don't know the size?
>
> Why don't you use Java which keeps track of allocated arrays and
> throws exceptions in case of out-of-bound access?

Yeah, that's the answer. We could write the whole OS in JavaScript.

> > Developer training does not work. If it was going to work, then it
> > would have happened in the last 50 years or so.
> >
> > Microsoft recognized the fact years ago. You have to force developers
> > to use something safer.

[More useless shit snipped].

Jeff
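A constructed C program, added here and not part of this thread, glibc, or Microsoft's CRT, showing the size-unit mistake Liu Hao describes: an Annex K-style copy whose bound is an element count, called once with the element count (as the ELEMS macro yields for a real array, the C stand-in for the template deduction he mentions) and once with sizeof(buf), a byte count. bounded_wcscpy, ELEMS, LOGICAL_ELEMS and the outcome functions are all my own names; bounded_wcscpy only imitates the wcscpy_s contract.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Element count of a real array (meaningless for a pointer: arrays only). */
#define ELEMS(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed wcscpy_s-style copy. destsz counts wchar_t ELEMENTS, not bytes.
   Returns 0 on success; otherwise nonzero with dest set to "", like the _s functions. */
int bounded_wcscpy(wchar_t *dest, size_t destsz, const wchar_t *src)
{
    if (dest == NULL || src == NULL || destsz == 0)
        return 1;
    size_t n = 0;                       /* length scan bounded by destsz */
    while (n < destsz && src[n] != L'\0')
        n++;
    if (n >= destsz) {                  /* no room for the terminator: reject */
        dest[0] = L'\0';
        return 2;
    }
    memcpy(dest, src, (n + 1) * sizeof(wchar_t));
    return 0;
}

#define LOGICAL_ELEMS 16                /* wchar_t buf[16]: what the caller meant to protect */
#define SRC_ELEMS (LOGICAL_ELEMS * sizeof(wchar_t) - 1)  /* too long for buf, under its byte count */
enum { REJECTED = 0, COPIED_IN_BOUNDS = 1, OVERRAN = 2 };

/* Copies a constructed SRC_ELEMS-long string with the bound a caller passed. The
   destination is a larger backing array so an overrun past LOGICAL_ELEMS is observable without UB. */
int outcome_with_bound(size_t destsz_passed)
{
    wchar_t backing[LOGICAL_ELEMS * 8] = {0};
    wchar_t src[SRC_ELEMS + 1];
    for (size_t i = 0; i < SRC_ELEMS; i++)
        src[i] = L'A';
    src[SRC_ELEMS] = L'\0';
    if (bounded_wcscpy(backing, destsz_passed, src) != 0)
        return REJECTED;
    for (size_t i = LOGICAL_ELEMS; i < ELEMS(backing); i++)
        if (backing[i] != L'\0')
            return OVERRAN;             /* the "safer" check was fooled */
    return COPIED_IN_BOUNDS;
}

/* Bound in elements, as ELEMS(buf) gives: the over-long source is rejected. */
int right_unit_outcome(void) { return outcome_with_bound(LOGICAL_ELEMS); }
/* The mistake from the thread: sizeof(buf), a byte count, passed as an element count. */
int byte_unit_outcome(void)  { return outcome_with_bound(LOGICAL_ELEMS * sizeof(wchar_t)); }
```

The second call silently accepts a string four times too long on a 4-byte wchar_t platform, which is why a count-of-elements macro or a compile-time length deduction, rather than the extra parameter alone, is what actually closes the gap.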