Bugtraq mailing list archives
Don't change C conventions; fix programmers instead
From: jsl2 () JEDITECH COM
Date: Tue, 25 Jul 2000 11:31:52 -0700
... My two cents regarding the discussion of changing the C varargs/stdarg calling convention: it's a waste of time - we should be teaching proper programming techniques instead.

1. There are other languages that provide strict type checking: C++, Java, etc. With the use of C++ iostream, one doesn't need varargs for printf() and friends. "Ease of use" of iostream, etc. is not for debate here - point is there are alternatives.

2. How long do we think the varargs supplement will take to ratify? For the compiler vendors to implement? And more important, to IMPLEMENT CORRECTLY? Do we want to take a chance this may introduce compiler bugs that could result in security problems?

3. The effort to "fix" varargs will solve ONE class of problems for ONE language. It doesn't fix buffer overflows; it doesn't fix numeric over/underflows; it doesn't remove dangerous chars from URLs (well, in some circumstances maybe it can).

IMHO the effort should be focused on teaching people how to write defensive programs; how to validate user input; and why the details matter. These topics are just as important as data structures. Needless to say, the proper techniques (and a dose of paranoia) will carry across languages.

Don't waste time inventing crutches - time to flog the luser programmers. :=)

Regards,
-James