ISO/ IEC JTC1/SC22/WG14 N1113

Document: N1113					Date: 2005/03/21

MAIN COMMENTS

1 Change title to
    "Specification for additional C library functions with additional
     parameter checking and/or re-entrancy".
  Make consequential changes; in particular, change
__STDC_[WANT_]SECURE_LIB__
  to __STDC_[WANT_]CHECKING_LIB__ and change _s suffixes to _c or _r as
  appropriate.

  RATIONALE: these functions don't provide additional security, since they
  can still be misused (e.g. set all bounds parameters to RSIZE_MAX). They
  do, however, provide parameter checking and re-entrancy.

2 Change the term "diagnosed undefined behaviour" to "diagnosed erroneous
  behaviour" or some other term not using the conformance terms "undefined"
  or "unspecified".

  RATIONALE: the term "undefined" has a well-known meaning which includes
  *no* requirement to diagnose it. A different term would be less confusing.

3 Prefix to 5.1.1 para 3:
    "For those names which are reserved by ISO/IEC 9899:2004,"

  RATIONALE: footnote 7 is not normative, and this change makes it clear
  that this requirement does not allow an implementation to intrude into
  the user's name space.

4 Delete clause 5.2. More generally, replace the use of the errno_t and
  rsize_t typedefs with some other notational mechanism.

  RATIONALE: typedefs should not be used for pedagogical purposes, but
  only where the type that meets the requirements varies between
  implementations. Slightly reducing the amount of text in the TR does
  not justify polluting the namespace.

5 In 5.5.2.1 para 2, delete the second "compar == NULL".

  RATIONALE: clearly an error.

6 Delete clause 5.5.3.

  RATIONALE: the Standard already has better functions in the form of
  mbrtowc and wcrtomb. If these latter have a problem, fix it rather than
  creating alternatives.

7 The strcpy_s, strncpy_s, strcat_s, strncat_s, wcscpy_s, wcsncpy_s,
  wcscat_s, and wcsncat_s functions should all explicitly guarantee that
  s1 is left null-terminated after the call, provided of course that
  (s1 != NULL && s1max > 0 && s1max < RSIZE_MAX).

  RATIONALE: lack of null termination is a major cause of problems.
  Better to require it than to rely on other bits of code spotting it.

8 The strtok_s function needs an s1max parameter with appropriate tests
  on s1 and s2. I am agnostic as to whether an s2max is needed.

  RATIONALE: any string which gets altered should be bounds-checked.

9 Delete 5.6.4.1 para 5, second sentence.

  RATIONALE: "..." is a cultural-specific convention, and it is not even
  clear that three dot characters is the right approach. In particular,
  some people would say that "[...]" is better while others might point to
  the specific ellipsis character in various character sets.

  Any such patching should be left to the application, based on the return
  code.

10 In 5.7.1, change "rages" to "ranges".

   RATIONALE: obvious.

11 In 5.7.2.1 para 2, change "0" to "-999".

   RATIONALE: the behaviour of asctime is defined for these years, so there
   is no justification for the restriction.

12 Checking versions of the strftime and wcsftime functions should be
   provided.

   RATIONALE: although these functions already provide a "maxsize"
   parameter, there are many other checks which can and should be made -
   for example, the RSIZE_MAX test or that the year number is sensible.

13 If item 4 is not accepted, change "size_t" to "rsize_t" in 5.8.1.1 para
3.

   RATIONALE: obvious.

Changing these would be sufficient to alter my vote to YES WITH COMMENTS.

OTHER COMMENTS

1 5.1.1 should use the same terminology concerning reserved names as 7.1 of
  the main Standard does. For example, it is not clear whether "are
  defined" means macro versions of function names *must* be defined.

  RATIONALE: clarity of the text.

2 In 5.4.4.1, the newline should not count towards the maximum number of
  characters read.

  RATIONALE: the size parameter is supposed to indicate how much space is
  available. Compare %s and friends in scanf, which don't count the
  skipped leading spaces.

3 In 5.6.4.2 and 5.8.2.3.1, RSIZE_MAX + 1 would seem a better return value
  than 0 for the null pointer and not-null-terminated cases.

  RATIONALE: making the value be RSIZE_MAX + 1 will trigger appropriate
  alerts in the other functions in this library, while zero will just
  silently truncate strings. If RSIZE_MAX == SIZE_MAX, this will still fall
  back to zero.

4 In 5.7.2.1, change the description to simply require the output to be
  the same as that of asctime.

  RATIONALE: avoids the risk of inconsistency creeping in.

5 In many places the character "s" is spuriously italicised