Ranum on the root of the problem
Marcus Ranum writes a good article for ACM Queue, in which he points out that better tools to improve languages can help. I take issue with his claim that better languages can’t help. Java, because of its string representation, is harder to mess up with than C. Its not perfect, and no useful language can solve the entire problem.
Richard at Taosecurity propagates the myth of -Wall
. Things are about to get (deeply) technical, follow the jump if you know what -Wall
means.
In a nutshell, the person who named -Wall
needs gob-smacking. It does not run all tests. Hello? All is not everything?
For example, if we take this code:
#includeint main() { int x; unsigned int y; x=0; y=1; if (y < x) { printf("first if"); } if ( y < 0) { printf ("second if"); } if ( 0 > y ) { printf ("third if"); } return 0; }
and save it as sc.c.
Do you see the problem? Comparing signed and unsigned ints? -Wall
doesn’t. But if we add a -W, (which as I understand it, stands for “We really mean it!”), we get some warnings!
$ gcc -Wall sc.c $ gcc -W -Wall sc.c sc.c: In function `main': sc.c:8: warning: comparison between signed and unsigned sc.c:10: warning: comparison of unsigned expression < 0 is always false sc.c:12: warning: comparison of unsigned expression < 0 is always false $
Pretty cool? In a lot of ways, the tools are out there. We just need better ways of ensuring they're used. More reflections on this topic will be a feature here.
So this inspired me to reread the man page for gcc for the first time in like 10 years. I discovered a whole slew of things not included in -Wall including -Wformat-nonliteral and -Wformat-security, which seem like important features
…switch-default, cast-align, strict-prototypes….