[Exceptional C++ Style] Re: Unit tests and assertions

Balog Pal pasa at lib.hu
Mon Jan 10 18:13:26 EST 2005


>>Failed preconditions are not "functional" but they can be "operational". 
>>For example, it would be a bad move to not test preconditions only to find 
>>that failed preconditions somehow opened a security hole....
>
> This is one of those questions that has come up before on accu-general. 
> There is not necessarily a single fixed answer ....

Bad move or not, the root problem (well, one of them) is what Kevlin wrote 
in a recent post: preconditions are different with respect to testability, and quite a 
lot of them are impossible or infeasible to test.  [Leaving only extremely boring 
ones ;-]

> and -- inevitably enough -- it is somewhat context dependent. One of the 
> factors that need to be taken into account is what is the worst-case 
> scenario if a failed precondition is not arrested. Your example of a 
> security hole is such an example, e.g. buffer overruns.

Okay, we expect a 0-terminated string as input.  How can the program tell 
that the address passed is associated with one?

Sure, we have good guidelines (like Howard/LeBlanc, Writing Secure Code) on 
what to do or avoid, but from a function's perspective we still face 
situations we can't really handle.

> Denial of service is a particularly common and simple one to effect when 
> undefined behaviour is actually realised to the advantage of an attacker.

Are DoS attacks really interesting?  Tiny, very simple and perfectly legal 
pieces of code can bring almost any system to its knees if they just 
manage to execute.

Also, if you try very hard, you'll soon face Gödel's theorem. :)

> I often talk about boundaries of trust when considering whether an 
> interface should guarantee a minimum quality of failure. This notion of 
> trust combined with satisfaction of some other constraints (performance, 
> acceptable worst-case scenario, etc) is probably the start of an answer.

But we also shall not forget what we build on -- what the Trusted 
Computing Base is -- and better rely on that, while also quitting the fight for 
stuff it doesn't help us with.

Then thinking boundaries will be fruitful.
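The point about the 0-terminated string above can be made concrete. The following is an added example, not code from the original post or its author: the only part of the "points to a NUL-terminated string" precondition that a function can check from the inside is `s != nullptr`; whether a terminator exists before the end of the allocation is not observable, and scanning for one is exactly the over-read the precondition was meant to prevent. What a caller can do is change the interface so the bound is passed explicitly, which turns an unverifiable precondition into a bounded scan. The function names, the `'A'..'Z'` counting task and the sample buffers are assumptions made for the illustration.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string_view>

// Unverifiable precondition: 's' must point to a NUL-terminated string.
// The null check is the only part of that precondition a unit test can
// exercise; passing a buffer without a terminator is undefined behaviour
// and cannot be "tested for" from inside the function.
std::size_t count_upper_unbounded(const char* s) {
    if (s == nullptr) {
        throw std::invalid_argument("count_upper_unbounded: null pointer");
    }
    std::size_t n = 0;
    for (; *s != '\0'; ++s) {            // reads until it finds a 0, wherever that is
        if (*s >= 'A' && *s <= 'Z') ++n;
    }
    return n;
}

// Same operation with the bound carried in the interface. The precondition
// becomes "the pointer/length pair describes readable memory", which is
// still the caller's promise, but the function never reads past 'len'.
std::size_t count_upper_bounded(std::string_view s) {
    std::size_t n = 0;
    for (char c : s) {
        if (c >= 'A' && c <= 'Z') ++n;
    }
    return n;
}

// Adapter for a buffer of known capacity that may or may not hold a
// terminator (e.g. a fixed-size field read from the network). The scan for
// '\0' is capped at 'cap', so a missing terminator is handled rather than
// turned into an over-read.
std::size_t count_upper_in_buffer(const char* buf, std::size_t cap) {
    if (buf == nullptr && cap != 0) {
        throw std::invalid_argument("count_upper_in_buffer: null buffer with non-zero capacity");
    }
    std::size_t len = 0;
    while (len < cap && buf[len] != '\0') ++len;
    return count_upper_bounded(std::string_view(buf, len));
}

// Constructed sample inputs for the example (assumed, not from the post).
// 'with_nul' satisfies the unbounded function's precondition; 'no_nul'
// does not, and must only ever be handed to the bounded variants.
static const char with_nul[] = "Hello World";          // 2 upper-case letters
static const char no_nul[4] = {'A', 'B', 'c', 'D'};    // 3 upper-case letters, no terminator

int main() {
    std::size_t a = count_upper_unbounded(with_nul);             // 2
    std::size_t b = count_upper_in_buffer(no_nul, sizeof no_nul); // 3, never leaves the array
    // count_upper_unbounded(no_nul) would be undefined behaviour: nothing
    // inside the function can detect that the terminator is missing.
    return (a == 2 && b == 3) ? 0 : 1;
}
```

The null check is the "extremely boring" testable precondition; the interesting one, termination within the allocation, only becomes checkable once the interface carries the length. That is the trust-boundary question in miniature: either the caller is trusted to supply the terminator, or the boundary is moved so that the caller supplies a length and the function stays within it.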
