kern/78256: strstr could be more robust

Dan Allen danallen46 at airwired.net
Mon Jul 4 07:10:05 GMT 2005 

The following reply was made to PR kern/78256; it has been noted by GNATS.

From: Dan Allen <danallen46 at airwired.net>
To: Bruce Evans <bde at zeta.org.au>
Cc: Gleb Smirnoff <glebius at FreeBSD.org>, freebsd-bugs at FreeBSD.org
Subject: Re: kern/78256: strstr could be more robust
Date: Sun, 3 Jul 2005 12:50:38 -0600

 On Mar 9, 2005, at 2:18 PM, Bruce Evans wrote:
 
 > On Wed, 9 Mar 2005, Dan Allen wrote:
 >
 >> On Mar 9, 2005, at 7:18 AM, Gleb Smirnoff wrote:
 >>
 >>> Not a bug, sorry. See also bin/52691.
 >> Why are you so reluctant to add one test to improve robustness?   
 >> Since it is not specified one way or the other in the standard, it  
 >> will not break compatibility with the standard.  So it is not a  
 >> bug technically - you still could with a single line of C code  
 >> improve the robustness of the system.  Not doing so seems  
 >> shortsighted.
 >>
 >
 > Adding the test would unimprove robustness (except on systems that  
 > don't
 > trap on null pointers -- then a test, followed by a call to abort() or
 > signal(), would be needed to give the same behaviour as a null pointer
 > trap).  Aborting a program immediately when undefined behaviour in it
 > is detected improves robustness by limiting the undefined behaviour to
 > just halting the program and possibly generating a core dump, and by
 > making the bug obvious and easy to debug so that it gets fixed.
 
 My use of strstr() is quite a bit different than if I had an off-by- 
 one error, or if I overflowed a buffer, or some other definitely bad  
 practice.  My use of strstr() is perfectly legitimate, but it falls  
 into the area of an undefined case in the C standard.  Searching for  
 something in nothing should return nothing, not crash, i.e., strstr 
 (NULL,"a string") should return NULL.  Plauger agrees with me and he  
 is the best expert on the C standard.
 
 <SOAPBOX>
 I guess my belief is this: it is never proper to crash.  It is better  
 for a function to return some error code that at least informs the  
 caller that an illegal argument was given than it is to just  
 immediately die.  You believe it is better to just crash the system  
 immediately rather than return an error code.
 
 So why do even support errno then?  It is a method of returning error  
 codes.   By your reasoning programmers should find their errors by  
 letting improper function calls cause a segment violation or bus  
 fault... a very poor method indeed.
 </SOAPBOX>
 
 Thanks for listening.  I still like FreeBSD but am somewhat dismayed  
 at this philosophy...
 
 Dan

More information about the freebsd-bugs mailing list