Re: [SystemSafety] OpenSSL Bug

From: Steve Tockey < >
Date: Wed, 16 Apr 2014 10:17:41 +0000

I'm not arguing for or against C, but I have seen coding standards that prohibit:

if ((a = check()) == SUCCESS) { ... }

They require instead:

if ( SUCCESS == (a = check()) ) { ... }

Simply moving the constant to the left side makes it an ill-formed expression if the "==" is accidentally switched for "=":

if ( SUCCESS = (a = check()) ) { ... }

-----Original Message-----
From: David MENTRE <dmentre_at_xxxxxx Date: Wednesday, April 16, 2014 3:10 AM
To: "systemsafety_at_xxxxxx <systemsafety_at_xxxxxx Subject: Re: [SystemSafety] OpenSSL Bug


Le 14/04/2014 23:59, Derek M Jones a écrit :
>> Suppose technical methods T are known to avoid, definitively, mistakes
>> of type X,
> more empirical evidence,

No. As Peter said, the method T *definitely* avoids the mistake, by construction.

To take just one example, consider the "=" vs. "==" issue in C's if construct (e.g. "if ((a = check()) == SUCCESS) { ... }").

In C++, Ada and other languages, "if" construct only takes a Boolean as first test parameter (contrary to C that takes arbitrary expression), so an error like "if ((a = check()) = SUCCESS) { ... }" is systematically caught by the compiler with a type error if type of "a" is not boolean. In C, you could use a home defined bool type and have a static checker checks that the use of this bool type is properly made according to some typing rules.

>> and T are practical.
> and yet more empirical evidence,

No. In my previous example, the proposed approach is demonstratively practical because you can write *exactly* the same expressions as before (e.g. "if ((a = check()) == SUCCESS) { ... }"). The additional typing adds no additional burden on the programmer.

Sincerely yours,

The System Safety Mailing List

The System Safety Mailing List
systemsafety_at_xxxxxx Received on Wed Apr 16 2014 - 12:17:56 CEST

This archive was generated by hypermail 2.3.0 : Tue Jun 04 2019 - 21:17:06 CEST