James's Weblog

Everyone knows that the gets function in the C standard library is dangerous to use because it offers no protection against buffer overflows.

What should people use instead?

The typical answer is to use fgets. Unfortunately, although safe, fgets in non-trivial cases is much harder to use properly:

• How do you determine what a good maximum buffer size is? The reason why using gets is dangerous in the first place is because you don’t know how big the input can be.

• Unlike gets, fgets includes the trailing newline character, but only if the entire line fits within the buffer. This can be remedied easily by replacing the newline character with NUL, but it’s a nuisance.

• If the input line exceeded the buffer size, fgets leaves the excess in the input stream. Now your input stream is a bad state, and you either need to discard the excess (and possibly throw away the incomplete line you just read), or you need to grow your buffer and try again.

  Discarding the excess usually involves calling fscanf, and I don’t know anyone who uses fscanf without disdain, because fscanf is hard to use properly too. Furthermore, discarding the line by itself won’t necessarily make you any better off, because you’ve accepted incomplete input and still have to walk the road to recovery.

  Growing the buffer is also a hassle. You either need to grow the buffer exponentially as you fill the buffer to capacity, or you need to read ahead, find out how many more bytes you need, grow the buffer, backtrack, and read the excess bytes again. (The latter isn’t even possible with stdin.) And, of course, this means you also need to handle allocation failure.

In all, this means to use fgets properly, you need to make several more library calls than you want. For example, here’s an implementation that discards line excess:

/** Returns the number of characters read or (size_t) -1 if the
  * line exceeded the buffer size.
  */
size_t fgetline(char* line, size_t max, FILE* fp)
{
    if (fgets(line, max, fp) == NULL)
    {
        return 0;
    }
    else
    {
        /* Remove a trailing '\n' if necessary. */
        size_t length = strlen(line);
        if (line[length - 1] == '\n')
        {
            line[--length] = '\0';
            return length;
        }
        else
        {
            /* Swallow any unread characters in the line. */
            fscanf(fp, "%*[^\n]");
            fgetc(fp); /* Swallow the trailing '\n'. */
            return -1;
        }
    }
}

Ugh!

I personally prefer using C.B. Falconer’s public-domain ggets/fggets functions, which have gets-like semantics and dynamically allocate buffers large enough to accomodate the entire line.

Additional reading: Getting Interactive Input in C

I got my performance evaluation a few weeks ago.

VMware’s employee rating system has the following choices:

• Exceptional
• Outstanding
• Great
• Needs Improvement
• Unsatisfactory

Supposedly I’m doing “great”, but I’m not sure if that means I’m actually doing great or if that means I don’t need improvement. The lack of a “mediocre”/“adequate”/“satisfactory” rating throws things off.

One of my coworkers had a birthday last week, and to honor the occasion, the rest of us decided to surprise her by vandalizing her office with chinsy birthday decorations. I unexpectedly was given the task of writing “Happy Birthday” in big block letters across her whiteboard. Naturally my lettering came out awful, and what’s more, I didn’t even use a good style. (For some reason it didn’t occur to me to use the lopsided, cartoony letters that seem to permeate everything I do. Instead I used a quick, harried, angular, and totally unreadable, undisciplined mess that I rightfully abandoned many years ago.)

Anyhow, at this point I realized just how out of practice I am (which is all the worse since I was never very good to begin with). I hadn’t done anything remotely creative or artistic in months. (The last time was when I made the ambigrams.)

So last weekend I started getting back into the groove of fiddling with Photoshop, and now I’m once again my wanna-be artsy mood. I wonder how long it’ll last (and more importantly, if I’ll get anything accomplished).

Bleah. I guess I’m feeling narcissistic. Variations of my ambigram:

• Pretension

On a related note, other ambigram sites I’ve come across:

• Ambigram.Matic (it does an amazing job with “NOON”!)
• Inversions by Scott Kim
• Ambigrams by Kevin Pease

What’s wrong with this C++ code?

#include <iostream>
#include <string>


class Foo
{
public:
    Foo()
    {
    }


    operator bool()
    {
        return true;
    }


    std::string operator[](const std::string& s)
    {
        return s;
    }
};


int main(void)
{
    Foo foo;
    std::cout << foo["hello world!"] << std::endl;
    return 0;
}

Answer:

(more…)

… but can you blame it?

Apparently some software developers think it’s a good anti-piracy measure to sabotage a user’s computer. There’s one scheme that makes pirated games buggier, and there are some programs that delete your data if pirated.

That’s just retarded.

• You can’t lose something you never had. Anti-piracy advocates always love to claim that the software industry loses billions of dollars each year to piracy. Did developers actually lose money? Did nasty pirates break into their bank accounts and withdraw all their cash? The only thing that companies can claim to lose are potential sales. Do they really believe that every pirate would have purchased their software if it were uncrackable?

  (Or maybe what the advocates really mean is that the software industry wastes oodles of money each year developing new and ultimately futile anti-piracy schemes. That I’d believe.)

• Who says there’s no such thing as bad publicity? If you want your software to act buggy if it thinks it’s pirated, go ahead, but don’t expect word-of-mouth reviews to be positive. If anything, the presence of bugs, intentional or not, will make people less likely to give you money. Will people be able to distinguish real bugs from the deliberate copy-prevention bugs? Will people think your game is fun if its physics are amiss and their bullets keep missing?

  And if you destroy people’s data, forget it. You’ve just guaranteed that you never, ever will see a dime from them or from anyone within complaining distance. Congratulations, you’ve alienated potential customers.

• Free advertising is better than bad publicity. To some degree, piracy can help software companies. Piracy can help build name recognition. It can lead to de facto standards. Would Microsoft Windows and Microsoft Office be as widespread if users didn’t copy them from their workplaces? Piracy levels the cost of Windows down to $0, and at that price, it’s hard for Windows not to outcompete Linux. Microsoft doesn’t gain money directly from this, but it does gain market- and mind-share. As other examples, look at Adobe Photoshop, 3DS Max, and Maya.

  Even if you could make your software uncrackable, are your competitors’ products uncrackable too? Do you really want to drive your users—paying or not—to them?

  Software developers should be happy that people are using their products at all.

In the end, I think the best defense is a strong offense. The best anti-piracy measure is to make a good product that’s worth buying. People take pride in doing things that are worthwhile. (And for goodness’ sake, make sure your product is easy to buy!)

When I left Sony, one of the little things that pleased me was that I no longer had to deal with Microsoft Outlook and a finicky Microsoft Exchange server.

Well, it turns out VMware also uses Outlook and Exchange, and I am reminded how much I hate them.

• Inflexible rules. The rules don’t allow boolean expressions, and what constructs they do allow are crippled. Want to match email that contains both “foo” and “bar” in the subject line? Forget it.

• Rules aren’t filters. Outlook’s rules don’t act as filters. In a sane system, each rule is applied in order to each received email message; if a message can be matched to multiple rules, the first rule gets precedence. Not so in Outlook. Outlook displays an error message informing the user of the rule conflict, and then silently disables the conflicting rule. A single message triggering a rule conflict warrants turning off the rule completely? How helpful.

  I’ve been told that I’m supposed to add a “Stop processing more rules” command to each of my Outlook rules to avoid this stupidity, but apparently Outlook 2000 has a bug where “Stop processing more rules” really means “stop processing rules for email, period.”

• User-friendly search gone awry. Microsoft tried to make Outlook’s Find function user-friendly by making it task-centered, but they made it too task-centered. They focused only on some common tasks and made the less common (but not rare!) tasks hard. The Find dialog box offers the ability to search for email from specific time periods, such as this week, last week, the past 7 days, this month, last month. Some of the “user-friendly” options require a bit of cognitive thought (does “this week” start on Monday or Sunday? does “last month” mean the past 30 days or since the first day of the previous month?), and if you want to search any other time periods (the past two weeks, the past two months, the month of March, from the last week of January through the first week of February, …), forget it, you have to use Outlook’s bewildering Advanced Find dialog. To specify a date range, you must use the freeform text field that provides no clues how the input should look. (Outlook actually is surprisingly intelligent about parsing the input into this field, but it’s still intimidating and error-prone. How can you really tell that Outlook parsed the input correctly?)

• Network and fault intolerant. Outlook is so poorly designed that if the Exchange server goes down (which seems to happen fairly frequently), its entire UI is unusable. You can’t even access mail stored on your local disk. Outlook eventually will figure out that the Exchange server isn’t responding—if you’re willing to wait 10 minutes. Even better, when the Exchange server comes online again, as far as I can tell, you can’t tell Outlook to reconnect; you must quit Outlook and restart it.

• No source for you! Outlook inexplicably makes it really hard to view the message headers to Internet email.

These are all issues I’ve had with Outlook 2000. In Microsoft’s defense, maybe they’ve fixed some or all of them in later versions. On the other hand, it’s sad that they were issues in the first place, because Microsoft’s free, light-weight (and independently-developed) email client—Outlook Express—has had friendlier search and filtering capabilities for years before!

All too often I see web sites open new browser windows using HTML and JavaScript code such as:

<a href="#" onClick="window.open('foo.html');"> <!-- BAD! -->

or:

<a href="javascript:window.open('foo.html');"> <!-- BAD! -->

This is one of my biggest peeves. Here’s why:

• For the first case, when users click on the link, a new window will appear, but the original window will scroll to the top of the page, causing the users to lose their place. In many cases this defeats the point of opening a new window at all.
• The first case prevents the browser from marking visited links properly. This compounds the problems of my first point.
• Both cases make the link completely useless in browsers that don’t have JavaScript enabled.
• Both cases prevent users from right-clicking on the link and explicitly requesting a new window. Instead of a new window going to the desired page, they’ll get a new window with the original page (in the first case) or with a blank page (in the second case).

Better:

<a href="foo.html" onClick="window.open('foo.html');return false;">

This solves all of the problems above. The “return false” is important! When the onClick event handler returns false, a browser does not follow the href link.

Better yet:

Re-evaluate why you want to open links in new windows at all. Most browsers have an “Open in New Window” command; if users want new windows, let them ask for it.

Sometimes if I don’t care about a C function’s return value, I explicitly discard it with a (void) cast:

(void) foo();

Why bother? After all, isn’t the return value implicitly discarded simply by not assigning it to anything?

A (void) cast is a comment to the reader stating, “Yes, the author is aware that this function returns something, has considered the consequences of ignoring possible error values, and just doesn’t care.”

Without the cast, the code says, “Did the author intentionally ignore the return value of this function call? Is there some failure case the author forgot to handle? Can something go wrong here?”

Furthermore, if something does go wrong, the (void) cast marks a possible failure point.