[C-safe-secure-studygroup] Annex K - was RE: C-safe-secure-studygroup Digest, Vol 26, Issue 6

Andrew Banks andrew at andrewbanks.com
Tue Jan 22 07:26:29 GMT 2019

Hi all

> On 1/16/19 11:46 AM, Robert Seacord wrote:
> > I'm working on a paper on bounds-checked interfaces that I'm going to
> > solicit reviewers for soon.

I think I've previously expressed to you verbally my position:

I think Annex K was a good idea, but badly implemented - IMHO it would have been better to have introduced the size parameter (size>0) as an optional 2nd parameter to the existing functions (no parameter, no checking)
... in time, deprecate no second parameter
... in time, mandate the second parameter

I appreciate that C does not (yet) support optional parameters, but that is not insurmountable with a bit of will.

> > Meanwhile, I've heard Clive defend the following principle:
> >
> > This is a widely-held expert view that changes to “working code” only
> > increase the opportunities to inject new defects.  This view has even
> > been expressed by the safety-critical community.

Ah yes... the old "it's been working for years" when it couldn't possibly!

Software must be the only engineering discipline where we have such a low opinion of our team, that preventative maintenance is deemed riskier than waiting for a failure to actually happen :(
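As an added illustration of the proposal above (this is example code written for this page, not code from the list, from Annex K, or from Andrew Banks): one way to get the "no parameter, no checking" behaviour in standard C today is a variadic macro that counts its arguments and dispatches to either the classic unchecked copy or a bounded one. The names STRCPY_OPT, copy_unchecked and copy_checked are hypothetical, and the argument order (destination, optional size, source) is assumed to follow Annex K's strcpy_s rather than being prescribed by the message.

```c
/* Example only: an "optional size parameter" for a strcpy-like call,
 * implemented with a C99 argument-counting macro. Hypothetical names. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unchecked path: exactly the classic strcpy contract (no bound, no check). */
static char *copy_unchecked(char *dst, const char *src)
{
    return strcpy(dst, src);
}

/* Checked path: copies src (with its terminator) into dst only if it fits in
 * dst_size bytes. On failure dst is made an empty string (when writable) and
 * an errno-style code is returned; on success 0 is returned. */
static int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t i;
    if (dst == NULL || dst_size == 0)
        return EINVAL;              /* nothing safe to write into */
    if (src == NULL) {
        dst[0] = '\0';
        return EINVAL;
    }
    /* Look for the terminator, reading no more than dst_size bytes of src. */
    for (i = 0; i < dst_size; i++)
        if (src[i] == '\0')
            break;
    if (i == dst_size) {            /* src + NUL does not fit: refuse, do not truncate */
        dst[0] = '\0';
        return ERANGE;
    }
    memcpy(dst, src, i + 1);        /* i chars plus the terminator */
    return 0;
}

/* Count up to 3 macro arguments, then paste the count onto a dispatcher name.
 * STRCPY_OPT(dst, src)           -> copy_unchecked(dst, src)
 * STRCPY_OPT(dst, dst_size, src) -> copy_checked(dst, dst_size, src) */
#define ARG_COUNT_(_1, _2, _3, N, ...) N
#define ARG_COUNT(...) ARG_COUNT_(__VA_ARGS__, 3, 2, 1, 0)
#define CAT_(a, b) a##b
#define CAT(a, b) CAT_(a, b)
#define STRCPY_OPT_2(dst, src) copy_unchecked(dst, src)
#define STRCPY_OPT_3(dst, dst_size, src) copy_checked(dst, dst_size, src)
#define STRCPY_OPT(...) CAT(STRCPY_OPT_, ARG_COUNT(__VA_ARGS__))(__VA_ARGS__)

/* Demonstration helpers; each returns 1 when the path behaved as intended. */
static int demo_checked_fits(void)
{
    char buf[4];                    /* "abc" + NUL is exactly 4 bytes */
    int rc = STRCPY_OPT(buf, sizeof buf, "abc");
    return rc == 0 && strcmp(buf, "abc") == 0;
}

static int demo_checked_rejects_overflow(void)
{
    char buf[4];                    /* "abcd" + NUL would need 5 bytes */
    int rc = STRCPY_OPT(buf, sizeof buf, "abcd");
    return rc == ERANGE && buf[0] == '\0';
}

static int demo_unchecked_path(void)
{
    char buf[8];
    char *p = STRCPY_OPT(buf, "hello");   /* two arguments: plain strcpy semantics */
    return p == buf && strcmp(buf, "hello") == 0;
}

int main(void)
{
    printf("checked, fits:      %s\n", demo_checked_fits() ? "ok" : "FAIL");
    printf("checked, too long:  %s\n", demo_checked_rejects_overflow() ? "ok" : "FAIL");
    printf("unchecked path:     %s\n", demo_unchecked_path() ? "ok" : "FAIL");
    return 0;
}
```

The two-argument form is deliberately identical to strcpy so existing call sites compile unchanged; the migration the message describes (first deprecate, then mandate the size) would then be a matter of removing STRCPY_OPT_2. Note that the checked path refuses rather than truncates an oversized source, so callers must look at the return value; a silently truncated string is a different class of bug, not a fix.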
