Safe C library


Question


We have discussed often the proposition from Microsoft
for a safer C library.

A rationale document is published here by one of the members of
the design team at microsoft:
http://msdn.microsoft.com/msdnmag/is...C/default.aspx

jacob

Answers

jacob navia wrote:

We have discussed often the proposition from Microsoft
for a safer C library.

A rationale document is published here by one of the members of
the design team at microsoft:
http://msdn.microsoft.com/msdnmag/is...C/default.aspx

jacob




"My team owns the Visual C++ Libraries, which includes some of the newest code
in the developer division (such as ATL Server) as well as some of the oldest
code in the product (such as the CRT). When we looked at the code, we saw
some large differences in coding standards as common practice has improved in
the last 20 years. One thing that stood out was that some of the older code
was written at a time when every extra byte of code was precious, and thus
lacked full validation of all parameters.

The newer code is littered with assertions and checks, and we've found that
these really help debugging. Increasingly, we've focused on making sure that
the retail code is just as robust as our debug code in the face of unexpected
conditions. These checks aren't just for debugging any more; they also make
the library code safer. A key part of the Safe Libraries initiative has been
to add validation code to most of the library functions that has impact on
both debug and retail code. For example, if you pass the libraries invalid
flags, they will now assert and tell you about your bug."

Otherwise known as:

The new libraries will be slower.


jacob navia <ja***@jacob.remcomp.fr> writes:

We have discussed often the proposition from Microsoft
for a safer C library.

A rationale document is published here by one of the members of
the design team at microsoft:
http://msdn.microsoft.com/msdnmag/is...C/default.aspx




This is one of the most preposterous documents I've seen[1]. It would
make an interesting tutorial if it was as an essay from an
undergraduate, but as a serious proposal from a major software
company? Might it actually get in?

They start from the point of view that it is safer to pass the
destination size around than to subtract and use the "strn*"
functions. It may be one operation shorter (in some cases), but
safer? And so much safer that a whole new set of functions should be
added to standard C?

It references code fragments to show how much better this stuff is.
For example:

// Original
wchar_t dest[20];
wcscpy(dest, src); // compiler warning
wcscat(dest, L"..."); // compiler warning

can be improved with their shiny new _s functions. Duh! They could
show how some correct code can be made a little shorter, but it seems
disingenuous to start with such incorrect nonsense and "improve" it.

But the oddest part of all is that none of the things suggested (in
the part I read, at least) is at all hard to do in standard C.
I.e. any programmer who prefers that style will already have these
functions in a library. For example, strnlen_s is a one-liner: testing
that it is not passed NULL and then calling memchr. And, of course, if
you don't like that style it is perfectly possible to write safe code
without these extras.

I may have missed the real "meat" of the proposal, so I should say
that it is only the cited rationale that is daft. But if there is
meat to this, they miss a trick by not making it clear up front.

[1] It includes C++ stuff that I did not look into and, yes, it is
probably troll-bait, but it is Sunday and I don't have to walk the dog
for a bit.

--
Ben.
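The two points in Ben's post, written out as an added example in standard C (this code is not from the thread, from the MSDN article, or from Microsoft's library; the names bounded_wcslen, bounded_wcscpy, bounded_wcscat, build_label and label_equals are this example's own). It shows a strnlen_s-style bounded length built from a NULL check plus memchr, and a copy/concatenate pair that takes the destination size explicitly and rejects parameters it cannot honour, applied to the wcscpy/wcscat fragment quoted above. Truncation and bad parameters are reported through the return value rather than silently overrunning dest, which is the behaviour the quoted rationale argues retail code should have.

```c
/* Added example, not code from the thread or from Microsoft's proposal.
   Bounded wide-string helpers in standard C, with the destination size
   passed explicitly, in the spirit of strnlen_s / wcscpy_s. */
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* strnlen_s-style length: NULL yields 0; otherwise the index of the
   first L'\0' within maxlen elements, or maxlen if there is none.
   Built exactly as described above: a NULL test, then memchr. */
size_t bounded_wcslen(const wchar_t *s, size_t maxlen)
{
    if (s == NULL)
        return 0;
    const wchar_t *nul = wmemchr(s, L'\0', maxlen);
    return nul ? (size_t)(nul - s) : maxlen;
}

/* Copy src into dest[destsize]. Returns 0 on success, -1 if a parameter
   is invalid or src does not fit. dest is always NUL-terminated when
   destsize > 0; on failure it is left holding an empty string. */
int bounded_wcscpy(wchar_t *dest, size_t destsize, const wchar_t *src)
{
    if (dest == NULL || destsize == 0)
        return -1;
    if (src == NULL) {
        dest[0] = L'\0';
        return -1;
    }
    /* Never read more than destsize elements of src, even if it is
       not terminated within that range. */
    size_t n = bounded_wcslen(src, destsize);
    if (n >= destsize) {            /* no room for the terminator */
        dest[0] = L'\0';
        return -1;
    }
    wmemcpy(dest, src, n);
    dest[n] = L'\0';
    return 0;
}

/* Append src to the string already in dest[destsize], same contract.
   On failure the original contents of dest are preserved (only the
   tail at dest+used is cleared), so a caller can still inspect them. */
int bounded_wcscat(wchar_t *dest, size_t destsize, const wchar_t *src)
{
    if (dest == NULL || destsize == 0)
        return -1;
    size_t used = bounded_wcslen(dest, destsize);
    if (used >= destsize) {         /* dest is not a terminated string */
        dest[0] = L'\0';
        return -1;
    }
    return bounded_wcscpy(dest + used, destsize - used, src);
}

/* The quoted fragment (copy src, then append L"..."), rewritten with
   the destination size carried alongside the buffer.
   Returns 0 if both steps fit, -1 if either was rejected. */
int build_label(wchar_t *dest, size_t destsize, const wchar_t *src)
{
    if (bounded_wcscpy(dest, destsize, src) != 0)
        return -1;
    return bounded_wcscat(dest, destsize, L"...");
}

/* Helper for checking results: build into a 20-element buffer like the
   quoted fragment and report 1 if the result equals expected, else 0. */
int label_equals(const wchar_t *src, const wchar_t *expected)
{
    wchar_t dest[20];
    if (build_label(dest, sizeof dest / sizeof dest[0], src) != 0)
        return 0;
    return wcscmp(dest, expected) == 0;
}

int main(void)
{
    wchar_t dest[20];
    /* Constructed inputs: the first fits, the second is deliberately
       too long for a 20-element buffer and is rejected instead of
       overflowing it. */
    int ok  = build_label(dest, sizeof dest / sizeof dest[0], L"hello");
    int bad = build_label(dest, sizeof dest / sizeof dest[0],
                          L"this string is longer than twenty");
    printf("%d %d\n", ok, bad);
    return 0;
}
```

The size is computed once from the array and passed down, so the helpers never need to guess how large dest is; a caller that passes the wrong size is the remaining risk, which is the same risk the _s functions carry.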


Ben Bacarisse wrote:

This is one the most preposterous documents I''ve seen[1]. It would
make an interesting tutorial if it was as an essay from and
undergraduate, but as a serious proposal from a major software
company? Might it actually get in?




Microsoft.

