Document: N1113 Date: 2005/03/21
1 Change title to
"Specification for additional C library functions with additional
parameter checking and/or re-entrancy".
Make consequential changes; in particular, change
to __STDC_[WANT_]CHECKING_LIB__ and change _s suffixes to _c or _r as
RATIONALE: these functions don't provide additional security, since they
can still be misused (e.g. set all bounds parameters to RSIZE_MAX). They
do, however, provide parameter checking and re-entrancy.
2 Change the term "diagnosed undefined behaviour" to "diagnosed erroneous
behaviour" or some other term not using the conformance terms "undefined"
RATIONALE: the term "undefined" has a well-known meaning which includes
*no* requirement to diagnose it. A different term would be less confusing.
3 Prefix to 5.1.1 para 3:
"For those names which are reserved by ISO/IEC 9899:2004,"
RATIONALE: footnote 7 is not normative, and this change makes it clear
that this requirement does not allow an implementation to intrude into
the user's name space.
4 Delete clause 5.2. More generally, replace the use of the errno_t and
rsize_t typedefs with some other notational mechanism.
RATIONALE: typedefs should not be used for pedagogical purposes, but
only where the type that meets the requirements varies between
implementations. Slightly reducing the amount of text in the TR does
not justify polluting the namespace.
5 In [clause number garbled] para 2, delete the second "compar == NULL".
RATIONALE: clearly an error.
6 Delete clause 5.5.3.
RATIONALE: the Standard already has better functions in the form of
mbrtowc and wcrtomb. If these latter have a problem, fix it rather than
7 The strcpy_s, strncpy_s, strcat_s, strncat_s, wcscpy_s, wcsncpy_s,
wcscat_s, and wcsncat_s functions should all explicitly guarantee that
s1 is left null-terminated after the call, provided of course that
(s1 != NULL && s1max > 0 && s1max < RSIZE_MAX).
RATIONALE: lack of null termination is a major cause of problems.
Better to require it than to rely on other bits of code spotting it.
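Added example, not part of the original comment and not the TR's text or any library's implementation: a model of the null-termination guarantee asked for in item 7, written in C. The name checked_strcpy, the result codes, the demo functions and the RSIZE_MAX value are assumed for illustration; the guarantee it enforces is the one stated above (s1 is terminated on every failure path once the s1/s1max checks pass).

```c
/* Added example for this page: a model of the null-termination guarantee in
 * item 7. checked_strcpy, the CS_* codes and the RSIZE_MAX value are assumed;
 * this is not the TR's text nor any library's code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef size_t rsize_t;                /* as spelled in the TR draft */
#define RSIZE_MAX (SIZE_MAX >> 1)      /* assumed; the TR leaves it to the implementation */

enum { CS_OK = 0, CS_NULL_ARG, CS_BAD_SIZE, CS_TOO_LONG, CS_OVERLAP };

/* Copy s2 into s1[0..s1max-1]. On any failure after the s1/s1max checks pass,
 * s1[0] is set to '\0', so s1 is null-terminated whenever
 * (s1 != NULL && s1max > 0 && s1max <= RSIZE_MAX), which covers the
 * condition given in item 7. */
static int checked_strcpy(char *s1, rsize_t s1max, const char *s2)
{
    if (s1 == NULL) return CS_NULL_ARG;            /* cannot touch s1 at all */
    if (s1max == 0 || s1max > RSIZE_MAX) return CS_BAD_SIZE;

    if (s2 == NULL) { s1[0] = '\0'; return CS_NULL_ARG; }

    /* Bounded scan: never read more than s1max bytes of s2. */
    size_t n = 0;
    while (n < s1max && s2[n] != '\0') n++;
    if (n == s1max) { s1[0] = '\0'; return CS_TOO_LONG; }

    /* Overlap of s1[0..n] and s2[0..n] is a constraint violation too. */
    uintptr_t a = (uintptr_t)s1, b = (uintptr_t)s2;
    if (a <= b + n && b <= a + n) { s1[0] = '\0'; return CS_OVERLAP; }

    memcpy(s1, s2, n + 1);                         /* includes the terminator */
    return CS_OK;
}

/* Returns 1 if a normal copy succeeds and round-trips. */
static int demo_success(void)
{
    char buf[8];
    return checked_strcpy(buf, sizeof buf, "hello") == CS_OK && strcmp(buf, "hello") == 0;
}

/* Returns 1 if every failure path left buf terminated (buf[0] == '\0'),
 * starting each time from a constructed buffer with no terminator at all. */
static int demo_failures_terminate(void)
{
    char buf[8];
    memset(buf, 'x', sizeof buf);
    if (checked_strcpy(buf, sizeof buf, "far too long for buf") != CS_TOO_LONG || buf[0] != '\0') return 0;
    memset(buf, 'x', sizeof buf);
    if (checked_strcpy(buf, sizeof buf, NULL) != CS_NULL_ARG || buf[0] != '\0') return 0;
    memcpy(buf, "abcdef", 7);                      /* overlapping source inside buf */
    if (checked_strcpy(buf, sizeof buf, buf + 2) != CS_OVERLAP || buf[0] != '\0') return 0;
    return 1;
}

int main(void)
{
    printf("success: %d, failures terminate: %d\n", demo_success(), demo_failures_terminate());
    return 0;
}
```

The ordering of the checks is the whole point: s1 and s1max are validated first, and only then does every later failure write the terminator, so a caller that ignores the return value still cannot pass an unterminated s1 on to strlen or printf.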
8 The strtok_s function needs an s1max parameter with appropriate tests
on s1 and s2. I am agnostic as to whether an s2max is needed.
RATIONALE: any string which gets altered should be bounds-checked.
9 Delete [clause number garbled] para 5, second sentence.
RATIONALE: "..." is a culture-specific convention, and it is not even
clear that three dot characters is the right approach. In particular,
some people would say that "[...]" is better while others might point to
the specific ellipsis character in various character sets.
Any such patching should be left to the application, based on the return
10 In 5.7.1, change "rages" to "ranges".
11 In [clause number garbled] para 2, change "0" to "-999".
RATIONALE: the behaviour of asctime is defined for these years, so there
is no justification for the restriction.
12 Checking versions of the strftime and wcsftime functions should be
RATIONALE: although these functions already provide a "maxsize"
parameter, there are many other checks which can and should be made -
for example, the RSIZE_MAX test or that the year number is sensible.
13 If item 4 is not accepted, change "size_t" to "rsize_t" in [clause number garbled] para
Changing these would be sufficient to alter my vote to YES WITH COMMENTS.
1 5.1.1 should use the same terminology concerning reserved names as 7.1 of
the main Standard does. For example, it is not clear whether "are
defined" means macro versions of function names *must* be defined.
RATIONALE: clarity of the text.
2 In [clause number garbled], the newline should not count towards the maximum number of
RATIONALE: the size parameter is supposed to indicate how much space is
available. Compare %s and friends in scanf, which don't count the
skipped leading spaces.
3 In [clause number garbled] and [clause number garbled], RSIZE_MAX + 1 would seem a better return value
than 0 for the null pointer and not-null-terminated cases.
RATIONALE: making the value be RSIZE_MAX + 1 will trigger appropriate
alerts in the other functions in this library, while zero will just
silently truncate strings. If RSIZE_MAX == SIZE_MAX, this will still fall
back to zero.
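Added example, not part of the original comment and not the TR's text or any library's code: two C models of a bounded length function that differ only in what they return for a null pointer or an unterminated input (0 as drafted, or RSIZE_MAX + 1 as proposed in item 3), fed into a downstream consumer in the style of the TR's strncpy_s. The names scan, len_returning_zero, len_returning_sentinel, take_prefix and demo_alert_raised are assumed, and RSIZE_MAX is passed as a parameter so that the RSIZE_MAX == SIZE_MAX wrap-around mentioned above can be shown as well.

```c
/* Added example for this page: two models of a bounded length function and a
 * strncpy_s-style consumer. All names and the RSIZE_MAX values are assumed;
 * this is not the TR's text nor any library's code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef size_t rsize_t;

/* Bounded scan shared by both variants: returns maxsize if no NUL is found. */
static size_t scan(const char *s, size_t maxsize)
{
    size_t n = 0;
    while (n < maxsize && s[n] != '\0') n++;
    return n;
}

/* Variant as drafted: 0 for a null pointer or unterminated input. */
static rsize_t len_returning_zero(const char *s, rsize_t maxsize, rsize_t rsize_max)
{
    (void)rsize_max;                               /* not needed by this variant */
    if (s == NULL) return 0;
    size_t n = scan(s, maxsize);
    return n == maxsize ? 0 : n;
}

/* Variant proposed in item 3: RSIZE_MAX + 1 for those cases. */
static rsize_t len_returning_sentinel(const char *s, rsize_t maxsize, rsize_t rsize_max)
{
    if (s == NULL) return rsize_max + 1;
    size_t n = scan(s, maxsize);
    return n == maxsize ? rsize_max + 1 : n;
}

/* Consumer in the style of strncpy_s: n > RSIZE_MAX is a runtime-constraint
 * violation (returns -1, dst emptied); otherwise copy at most n chars and
 * terminate, refusing to truncate. Returns 0 on success. */
static int take_prefix(char *dst, rsize_t dmax, const char *src, rsize_t n, rsize_t rsize_max)
{
    if (dst == NULL || dmax == 0 || dmax > rsize_max) return -1;
    if (n > rsize_max || src == NULL) { dst[0] = '\0'; return -1; }
    size_t m = scan(src, n);                       /* chars to copy: at most n */
    if (m >= dmax) { dst[0] = '\0'; return -1; }   /* would not fit with terminator */
    memcpy(dst, src, m);
    dst[m] = '\0';
    return 0;
}

/* Scenario: a constructed 4-byte buffer with no terminator, measured with lenfn
 * and then handed to take_prefix. Returns 1 if the consumer raised an alert,
 * 0 if the copy went through silently (producing an empty string). */
static int demo_alert_raised(rsize_t (*lenfn)(const char *, rsize_t, rsize_t), rsize_t rsize_max)
{
    char unterminated[4] = { 'a', 'b', 'c', 'd' };
    char dst[8];
    rsize_t n = lenfn(unterminated, sizeof unterminated, rsize_max);
    return take_prefix(dst, sizeof dst, unterminated, n, rsize_max) != 0;
}

int main(void)
{
    printf("zero variant, RSIZE_MAX = SIZE_MAX/2: alert = %d\n",
           demo_alert_raised(len_returning_zero, SIZE_MAX / 2));
    printf("sentinel variant, RSIZE_MAX = SIZE_MAX/2: alert = %d\n",
           demo_alert_raised(len_returning_sentinel, SIZE_MAX / 2));
    printf("sentinel variant, RSIZE_MAX = SIZE_MAX: alert = %d\n",
           demo_alert_raised(len_returning_sentinel, SIZE_MAX));
    return 0;
}
```

With the zero-returning variant the unterminated buffer is silently turned into an empty string; with the sentinel the consumer's existing n > RSIZE_MAX check fires instead. When RSIZE_MAX == SIZE_MAX the sentinel wraps to 0 and the two variants behave identically, which is the fallback noted in the rationale.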
4 In [clause number garbled], change the description to simply require the output to be
the same as that of asctime.
RATIONALE: avoids the risk of inconsistency creeping in.
5 In many places the character "s" is spuriously italicised