Why didn’t gcc (or glibc) implement _s functions?

by

The _s functions are optional (Annex K of the C11 standard). They’re widely regarded as ‘not very beneficial’.

In the answers to my question Do you use the TR-24731 “safe” functions?, you can find information about where there are problems with the standard specification — such as crucial differences between the standard and Microsoft’s implementation. TR 24731-1 was a technical report from the C standard committee. The report was incorporated almost verbatim — with an extra, previously omitted, function, memset_s() — in the C11 standard as (optional but ‘normative’) Annex K. There’s also TR 24731-2 for a different set of functions — without the _s suffix. It ran into resistance for a different set of reasons.

Also, there is a proposal before the C Standard Committee that the functions defined in Annex K should be removed from the next revision of the standard:

That paper is a straightforward and compelling read of the reasons why the TR-24731 (*_s()) functions have not been widely implemented.

Key reasons include:

  • The problem is only spotted once, then fixed, and then the *_s() function is unnecessary.
  • This makes it very hard to test the *_s() functions, or the code which uses them.
  • It isn’t easy to integrate the new functions into old code (which is where there’d be most benefit).
  • The functions inherently slow down software with extensive but redundant checking.

See the paper for more details. The paper ends with the section:

Suggested Technical Corrigendum

Despite more than a decade since the original proposal and nearly ten years since the ratification of ISO/IEC TR 24731-1:2007, and almost five years since the introduction of the Bounds checking interfaces into the C standard, no viable conforming implementations has emerged. The APIs continue to be controversial and requests for implementation continue to be rejected by implementers.

The design of the Bounds checking interfaces, though well-intentioned, suffers from far too many problems to correct. Using the APIs has been seen to lead to worse quality, less secure software than relying on established approaches or modern technologies. More effective and less intrusive approaches have become commonplace and are often preferred by users and security experts alike.

Therefore, we propose that Annex K be either removed from the next revision of the C standard, or deprecated and then removed.

Annex K was not removed from C17. Two new papers from the standards committee (ISO JTC1/SC22/WG14) discuss Annex K (and are in favour of retaining the functions):

More Related Contents:

  1. Do you use the TR 24731 ‘safe’ functions? [closed]
  2. Reading a character with scanf_s
  3. error C4996: ‘scanf’: This function or variable may be unsafe in c programming
  4. What is the default C -std standard version for the current GCC (especially on Ubuntu)?
  5. C11 in GCC?
  6. Why does GCC use multiplication by a strange number in implementing integer division?
  7. When are anonymous structs and unions useful in C11?
  8. Disable all optimization options in GCC
  9. C++11 aggregate initialization for classes with non-static member initializers
  10. constexpr and initialization of a static const void pointer with reinterpret cast, which compiler is right?
  11. What is the meaning of “__attribute__((packed, aligned(4))) “
  12. Embedding binary blobs using gcc mingw
  13. Why does GCC pad functions with NOPs?
  14. Can I use C++11 with Xcode?
  15. Tell gcc to specifically unroll a loop
  16. When is it necessary to use the flag -stdlib=libstdc++?
  17. Buffer overflow works in gdb but not without it
  18. How to check if a given file descriptor stored in a variable is still valid?
  19. C preprocessor: expand macro in a #warning
  20. multi-word addition using the carry flag
  21. Operator precedence table for the C programming language
  22. Inline assembly that clobbers the red zone
  23. Does any C library implement C11 threads for GNU/Linux?
  24. Is int main() { } (without “void”) valid and portable in ISO C?
  25. Process Linkage Table and Global Offset Table
  26. gcc can compile a variadic template while clang cannot
  27. Using a Single system() Call to Execute Multiple Commands in C
  28. Why both clang and gcc only give a warning when there is a space after backslash if C standard says that whitespace is forbidden?
  29. How to print value of global variable and local variable having same name?
  30. log(10.0) can compile but log(0.0) cannot with undefined reference?

Leave a Comment