←back to thread

Giving C a superpower: custom header file (safe_c.h)

(hwisnu.bearblog.dev)
271 points mithcs | 6 comments | 17 Nov 25 10:40 UTC | HN request time: 0s | source | bottom
Show context
rurban ◴[17 Nov 25 12:46 UTC] No.45953101[source]
Just don't mix that up with the real safec.h header from safeclib:

https://github.com/rurban/safeclib/tree/master/include

replies(1): >>45953192 #
debugnik ◴[17 Nov 25 13:00 UTC] No.45953192[source]
How can anyone be this interested in maintaining an annex k implementation when it's widely regarded as a design failure, specially the global constraint handler. There's a reason why most C toolchains don't support it.

https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1967.htm

replies(2): >>45953362 #>>45953655 #
1. rurban ◴[17 Nov 25 14:06 UTC] No.45953655[source]
It's only regarded as design failure by the linux folks. Maybe because it came from Microsoft, NIH syndrome.

A global constraint handler is still by far better than dynamic env handlers, and most of the existing libc/POSIX design failures.

You can disable this global constraint handler btw.

replies(2): >>45953782 #>>45959125 #
2. 1718627440 ◴[17 Nov 25 14:21 UTC] No.45953782[source]
> Maybe because it came from Microsoft, NIH syndrome.

No it is because you still need to get the size calculation correct, so it doesn't actually have any benefit over the strn... family other than being different.

Also a memcpy that can fail at runtime, seems to be only complicating things. If anything it should fail at compile time.

replies(1): >>45963009 #
3. loeg ◴[17 Nov 25 22:27 UTC] No.45959125[source]
Microsoft doesn't implement Annex K, either. They ship an non-conforming implementation. Literally no one cares about the "standardized" Annex K version.
4. rurban ◴[18 Nov 25 09:15 UTC] No.45963009[source]
If the optimizer cannot see the sizes, it has to defer the error to run-time. If it sees it (as with _FORTIFY_SOURCE=3) it fails at compile0-time already. The difference to _FORTIFY_SOURCE is that it guarantees to fail, whereas with _FORTIFY_SOURCE you never know.
replies(1): >>45963390 #
5. 1718627440 ◴[18 Nov 25 10:24 UTC] No.45963390{3}[source]
In C I am responsible to tell the compiler where my arrays end. How is it supposed to know how many arrays there are in an allocation? Why should the compiler trust one expression about the size, but not the other? If I would want to limit memcpy by the size of the destination, I could write memcpy(dest, src, MAX(dest_size, ...)) instead, but I don't want that most of the time.
replies(1): >>45964821 #
6. rurban ◴[18 Nov 25 12:35 UTC] No.45964821{4}[source]
The compiler knows about the sizes by either statically allocated sizes (_FORTIFY_SOURCE=2, __builtin_object_size) or malloc'ed sizes (_FORTIFY_SOURCE=3, __builtin_dynamic_object_size). See e.g. https://developers.redhat.com/articles/2022/09/17/gccs-new-f...

Since the user is mostly wrong with memory bounds, the compiler checks it also. And with clang even allows user-defined warnings.

We all known that C programmers know it better, and hate bounds-checks, that's why there are so many out-of-bounds errors still.