Hacker Timesnew | past | comments | ask | show | jobs | submitlogin

I'm sorry, but I don't think you've quite gotten the reasons why it was lambasted:

> Not only does it not check, the design of the function means that there is no possible way for it to check safely. s and t are both pointers to characters? How long are the strings they might represent supposed to be?

strlen

> This leads into the second problem and one that is more subjective: this code is incredibly dense and relies on enough quirks of C that it's almost never going to be clear to a beginner reader what they are supposed to take away from it.

Most "nice" C functions are much terser than this.



strlen is not safe and the design of this function does not permit it to ever be safe. That is my point.

Most "nice" C functions are also not used as teaching examples. There's a difference in how one writes C code for production use and instructive use.


I take it you come from a higher level language, where null termination would seem risky. In C, however, strlen is considered safe (as opposed to say strcpy, strcat, etc. which do have "safe" replacements). As for terse examples being given to beginners, here's the example The C Programming Language gives for strcpy:

    void strcpy(char *s, char *t) {
    	while ((*s++ = *t++) != '\0') ;
    }


C11 introduced strnlen_s, a "safe" replacement to strlen.


strnlen_s is in Annex K, which is an optional part of the standard. Incidentally, no libc in widespread usage has implemented it.


True. The non standard strnlen is however more widespread. Microsoft implements strnlen_s in terms of strnlen like so.

    _String == 0 ? 0 : strnlen(_String, _MaxCount)


What’s safer about it? Doesn’t `strlen' just scan until the null character, then go

    nullCharPtr - str
? Is there something unsafe with that?


strnlen_s takes a parameter for the maximum number of characters to scan. This way, it won’t overflow the buffer you provide it if there’s no trailing null byte.


What if there is no null?


Then you probably shouldn't feed it to the str* functions at all. Use the mem* functions instead.


That's the same as saying you should never use the str* functions. Nothing in C guarantees a string must have a null byte. As you're well aware, C-strings aren't a separate type that's distinct from char arrays.

Sure you can say that good programmers will always ensure a C-string is a C-string but there's decades of programming history that shows that's not true in practice.


Then use a language other than C that doesn't shoehorn string handling into char , as I've mentioned in other comments. If you're have a char with no terminating null byte and you hand it to a function with "str" and its name, you're going to have a bad time.


If there isn't a NUL, then you're asking for a property relevantly distict from length of a datum relevantly distinct from a C-string. Use `strchr(s,0x00)` or `memchr(s,0x00,zs)`.


You haven’t read K&R C I’m going to guess. Terseness is a traditional component of C and UNIX (cf creat). I don’t care to debate the merits but that is a fact. Most C books in the 80s were written in this style. Furthermore in the days or micros code was generally terse for many and varied reasons. There were people typing code on membrane keyboards.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: