C considered dangerous (opens in new tab)

(lwn.net)

45 pointsjohnramsden7y ago62 comments

62 comments

rwmj7y ago

> He asked: why is there no argument to memcpy() to specify the maximum destination length?

I'm confused by this. The third argument provides the destination length, so what good would a "maximum destination length" do? I guess he must mean that because the length is often computed, you'd need a fourth argument to ensure the length isn't greater than some sane upper bound. But you can easily fix that using an if statement around the memcpy.

vardump7y ago

Perhaps because the memory buffers might be of different size.

Maybe memcpy_oobp (out of bounds protection) signature could be:

  memcpy_oobp(void* dst, size_t dst_size, void* src, size_t src_size);

Then again, I guess you could just as well do:

  memcpy(dst, src, min(dst_size, src_size));

But having to explicitly specify both destination and source sizes might have prevented a lot of buffer overwrite bugs.

sebcat7y ago

> But having to explicitly specify both destination and source sizes might prevented a lot of buffer overwrite bugs.

A good way to prevent this is to have a buffer abstraction, where the size is a property of the type, e.g.,

    typedef struct {
      size_t bytes_used;
      size_t capacity;
      void *data;
    } buf_t;

    int buf_init(buf_t *buf);
    void buf_cleanup(buf_t *buf);
    void buf_copy(buf_t *dst, buf_t *src);
    /* ... */

Of course, it doesn't prevent people from using memcpy directly.

rwmj7y ago

I guess so. One of the LWN comments mentions a Microsoft function memcpy_s defined as:

    memcpy_s (void *dest, size_t destSize, const void *src, size_t count);

which is effectively equivalent to your memcpy_oobp function.

However the Microsoft function also returns an error code which must be checked (because count might be larger than destSize), thus providing another way for the programmer to screw up. I'm not sure if this is better or worse than just copying the min() as in your second example. It probably depends on the situation.

1 more reply

rurban7y ago

Just use memcpy_s. This has the destbuf size argument. It's even in C11, but you need the safeclib or MSVC, as no libc cares about the safety annex.

deng7y ago

Thankfully, compiler warnings and static analyzers have become much better in recent years. For instance, gcc can now warn about a missing 'break;' mentioned in the article (you need to add a special comment like '/* fall through */' if it's intentional). Also, clang-tidy is getting better with each release. I highly recommend using it, although the initial configuration will take some time, depending on the code base.

xroche7y ago

Alas! strlcpy and strlcat are still not present in the glibc, despite numerous attempts, mainly for religious reasons (ie. "BSD sucks").

And yes, having something like "if (strlcat(buffer, src, sizeof(buffer) >= sizeof(buffer)) { abort(); } " is much better than buffer overrun. But security does not always seem to be a real concern, compared to politics.

yason7y ago

C is dangerous partly because assembly language is dangerous. We will always need some layer on top of assembly that is mostly unchecked and reflects back to how cpu instructions work. This is probably something we must live with until we have processors with the notion of type checking.

C is dangerous partly because of swaths of undefined behaviour and loose typing. Eliminating much of undefined behaviour either by defining the behaviour or forcing the compiler to refuse compile undefined behaviour could be of some help. There are still classes of undefined behaviour that cannot be worked around but narrowing that down to a minimal set would make it easier to deal with it. Strong typing would help build programs that won't compile unless they are correct at least in terms of types of values.

C is dangerous partly because of the stupid standard library which isn't necessarily a core language problem as other libraries can be used. The standard library should be replaced with any of the sane libraries that different projects have written for themselves to avoid using libc. It's perfectly possible not to have memcpy() or strcpy() like minefields or strtok() or strtol() which introduce the nice invisible access to internal static storage, fixed by a re-entrant variant like strtok_r(), or require you to do multiple checks to determine how the function actually failed. The problem here is that if there are X standards, adding one to replace them all will make it X+1 standards.

Yet, good programmers already avoid 99% of the problems by manually policing themselves. For them, C is simple, productive, and manageable in a lot more cases and domains than it is for the less experienced programmers.

pjmlp7y ago

Ironically other systems programming languages developed outside AT&T walls since 1961 did not suffer from the majority of C's pain points regarding memory corruption.

I really wish Bell Labs had been allowed to sell UNIX.

IshKebab7y ago

Terrible title. It's not remotely news that C is dangerous. This talk seems to be about ways of mitigating the dangers. Why not call it "Mitigating the dangers of C" or something else that is less of a tired cliche?

pjmlp7y ago

Because "Making C Less Dangerous" is the actual title of the talk, and "Towards less dangerous C" is part of the agenda?

fithisux7y ago

The title is completely misleading.

vardump7y ago

I write a ton of C and I completely agree with the title. With 20+ years of experience.

Kernel drivers and embedded system bare metal firmware.

The problem with C is that in any bigger project something always slips through even the best programmers, reviewers, static analysis and unit tests. And that something can lead to disastrous crashes and security vulnerabilities.

FraKtus7y ago

Don't you think that with the tools we have now it's easier to control the quality of code produced (Clang memory sanitizers and so on)? I feel more at ease to ship C code today after instrumenting it than a few years ago...

2 more replies

raxxorrax7y ago

For embedded systems I mostly go with "dynamic memory allocation of any kind is evil" and that solves a lot of issues already.

You can still overwrite memory but it suddenly became much less likely.

2 more replies

AlotOfReading7y ago

This is my view as well, from the same industry. However, the quality of the tools available in C to deal with its issues far exceed those in any other language. I would love to drop C from all my systems, but the alternatives simply aren't there.

1 more reply

abainbridge7y ago

> The problem with C is that in any bigger project something always slips through even the best programmers, reviewers, static analysis and unit tests.

That's also true of all the other languages.

yaris7y ago

Well, I can say the same about Python, Erlang, Lua, in addition to C and C++. I believe C is not worse than these languages, only that C requires different (sometimes very different) skills and discipline.

2 more replies

jojoo7y ago

It's probably a reference to https://en.m.wikipedia.org/wiki/Considered_harmful

aogl7y ago

I agree, it's very click-baity. C is actually great and is only really dangerous because it gives the programmer so much control.

simias7y ago

I'm a C coder first and foremost and I strongly disagree with this mentality (even though I know it's extremely pervasive in our circles). "Footguns don't make bugs, coders do" is technically true but if we could keep the footguns at a minimum and only get them out of the locker when truly necessary instead of having them spread all over the place all the time I'm sure it wouldn't hurt.

C is a very useful language and one you basically have to know if you're interested in low level software but it's very, very far from flawless.

If you look at many high profile software vulnerabilities of late (heartbleed, goto fail, etc...) many can be traced to the lack of safety and/or bad ergonomics of the C language.

We need to grow up as an industry and accept that using a seatbelt doesn't mean that you're a bad driver. Shit happens.

pietroglyph7y ago

> C is actually great and is only really dangerous because it gives the programmer so much control.

This doesn't actually refute the assertion that C is dangerous :)

Control and increased safety are not mutually exclusive. I'll take safe-by-default, unsafe-when-asked any day. It's not 1972 anymore.

buboard7y ago

"Programmers using C are considered dangerous"

willtim7y ago

C actually gives one rather limited control over modern hardware with it's memory hierarchies and superscaler CPUs. Programming language research has also moved on a lot since the 70's, which is why we should be considering less dangerous languages (e.g. better type systems and less undefined behaviour). Languages like ATS and Rust also support explicit memory management, whilst being a whole lot safer.

3 more replies

xvilka7y ago

Hopefully Zig [1] language will become a better alternative to C in upcoming years. Not talking about higher level code where Rust or Go can be a better choice.

[1] https://ziglang.org/

pjmlp7y ago

No language can become an alternative to C in the context of UNIX like OS because no one is going to re-write them from scratch, given their symbiotic nature.

Even if the complete userspace of Aix, HP-UX, *BSD, GNU/Linux, OS X, iOS, Solaris,.... gets re-writen in something else, there will always be the kernel written in C.

Hence why improving C's lack of safety is so important to get a proper IT stack.

abainbridge7y ago

The problem with Zig is that they changed almost everything. I think there's a high risk they introduced new design problems that we won't know about fully until Zig has been used in anger for 10 years.

I've always felt that C is near the sweet spot. I'd rather see a minimal change to C that broke backwards compatibility (because it has to) and fixed the top ten simple problems.

amelius7y ago

Why don't they use valgrind?

deng7y ago

The kernel has CONFIG_HAVE_DEBUG_KMEMLEAK.

j / k navigate · click thread line to collapse

62 comments

rwmj7y ago

> He asked: why is there no argument to memcpy() to specify the maximum destination length?

vardump7y ago

Perhaps because the memory buffers might be of different size.

Maybe memcpy_oobp (out of bounds protection) signature could be:

  memcpy_oobp(void* dst, size_t dst_size, void* src, size_t src_size);

Then again, I guess you could just as well do:

  memcpy(dst, src, min(dst_size, src_size));

But having to explicitly specify both destination and source sizes might have prevented a lot of buffer overwrite bugs.

sebcat7y ago

> But having to explicitly specify both destination and source sizes might prevented a lot of buffer overwrite bugs.

A good way to prevent this is to have a buffer abstraction, where the size is a property of the type, e.g.,

    typedef struct {
      size_t bytes_used;
      size_t capacity;
      void *data;
    } buf_t;

    int buf_init(buf_t *buf);
    void buf_cleanup(buf_t *buf);
    void buf_copy(buf_t *dst, buf_t *src);
    /* ... */

Of course, it doesn't prevent people from using memcpy directly.

rwmj7y ago

I guess so. One of the LWN comments mentions a Microsoft function memcpy_s defined as:

    memcpy_s (void *dest, size_t destSize, const void *src, size_t count);

which is effectively equivalent to your memcpy_oobp function.

1 more reply

rurban7y ago

Just use memcpy_s. This has the destbuf size argument. It's even in C11, but you need the safeclib or MSVC, as no libc cares about the safety annex.

deng7y ago

xroche7y ago

Alas! strlcpy and strlcat are still not present in the glibc, despite numerous attempts, mainly for religious reasons (ie. "BSD sucks").

yason7y ago

pjmlp7y ago

Ironically other systems programming languages developed outside AT&T walls since 1961 did not suffer from the majority of C's pain points regarding memory corruption.

I really wish Bell Labs had been allowed to sell UNIX.

IshKebab7y ago

pjmlp7y ago

Because "Making C Less Dangerous" is the actual title of the talk, and "Towards less dangerous C" is part of the agenda?

fithisux7y ago

The title is completely misleading.

vardump7y ago

I write a ton of C and I completely agree with the title. With 20+ years of experience.

Kernel drivers and embedded system bare metal firmware.

FraKtus7y ago

2 more replies

raxxorrax7y ago

For embedded systems I mostly go with "dynamic memory allocation of any kind is evil" and that solves a lot of issues already.

You can still overwrite memory but it suddenly became much less likely.

2 more replies

AlotOfReading7y ago

1 more reply

abainbridge7y ago

> The problem with C is that in any bigger project something always slips through even the best programmers, reviewers, static analysis and unit tests.

That's also true of all the other languages.

yaris7y ago

2 more replies

jojoo7y ago

It's probably a reference to https://en.m.wikipedia.org/wiki/Considered_harmful

aogl7y ago

I agree, it's very click-baity. C is actually great and is only really dangerous because it gives the programmer so much control.

simias7y ago

C is a very useful language and one you basically have to know if you're interested in low level software but it's very, very far from flawless.

If you look at many high profile software vulnerabilities of late (heartbleed, goto fail, etc...) many can be traced to the lack of safety and/or bad ergonomics of the C language.

We need to grow up as an industry and accept that using a seatbelt doesn't mean that you're a bad driver. Shit happens.

pietroglyph7y ago

> C is actually great and is only really dangerous because it gives the programmer so much control.

This doesn't actually refute the assertion that C is dangerous :)

Control and increased safety are not mutually exclusive. I'll take safe-by-default, unsafe-when-asked any day. It's not 1972 anymore.

buboard7y ago

"Programmers using C are considered dangerous"

willtim7y ago

3 more replies

xvilka7y ago

Hopefully Zig [1] language will become a better alternative to C in upcoming years. Not talking about higher level code where Rust or Go can be a better choice.

[1] https://ziglang.org/

pjmlp7y ago

No language can become an alternative to C in the context of UNIX like OS because no one is going to re-write them from scratch, given their symbiotic nature.

Even if the complete userspace of Aix, HP-UX, *BSD, GNU/Linux, OS X, iOS, Solaris,.... gets re-writen in something else, there will always be the kernel written in C.

Hence why improving C's lack of safety is so important to get a proper IT stack.

abainbridge7y ago

I've always felt that C is near the sweet spot. I'd rather see a minimal change to C that broke backwards compatibility (because it has to) and fixed the top ten simple problems.

amelius7y ago

Why don't they use valgrind?

deng7y ago

The kernel has CONFIG_HAVE_DEBUG_KMEMLEAK.

j / k navigate · click thread line to collapse