On 2/14/06, Julian Foad <julianfoad@btopenworld.com> wrote:
> > That obviously means we can't use assert to check function arguments,
>
> Not true. If one accepts that "assert" is allowed at all, it's perfectly valid
> to check arguments of private functions because we know all the callers and
> what they can do. As for public APIs, that's partly what the debate is about,> and the answer is far from obvious.
That's not exactly true either. We've had (for as long as I can
remember) a policy that we don't explicitly check for valid arguments
to ANY API calls, if a caller passes us bogus data (i.e. a NULL
pointer to a function defined to not take NULL pointers, etc) we
crash, with the end result being that these sort of problems are
usually found quickly and fixed. There's no real difference between
enforcing such things via an assert and enforcing them via the fact
that we dereference a NULL pointer a few lines later.
Note that this policy isn't just ours, it's also used in other
prominent C programs like the Apache HTTP Server, libraries like APR,
etc.
The fact that in this particular case there was a bug that allowed
such a situation to be triggered by a client, and that bug didn't get
fixed instantly is unfortunate, but it doesn't make the general policy
wrong.
-garrett
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Feb 14 19:15:25 2006