0000182: Unsafe use of LINE_MAX in fgets() example

Notes
(0000302) wpollock (reporter) 2009-11-12 20:22	It may be safe to assume fgets expects a stream of text as if it were reading a text file, but it is not safe to assume fgets won't be reading from stdin, i.e., a pipe or the keyboard. The wording should reflect that. Although fgets is defined strictly as working with bytes, someday that may change. As a result I think the example better not assume that one char equals one byte. I would thus change: line = malloc(line_max + 1); to: line = malloc(sizeof(char)*(line_max + 1));

(0000303) nsitbon (reporter) 2009-11-12 20:31	sizeof(char) == 1, can't change, or would break all existing application. The WG14 will never change this statement of the Standard. best practice is char * line = malloc((line_max + 1) * sizeof(line)); so one could easily change type of line: wchar_t line = malloc((line_max + 1) * sizeof(*line));

(0000304) geoffclare (manager) 2009-11-13 10:07	> it is not safe to assume fgets won't be reading from stdin, i.e., a > pipe or the keyboard. The wording should reflect that. The wording does already reflect that. You seem to be misreading "file" as "regular file". In the standard a "file" is "an object that can be written to, or read from, or both" (see XBD7 3.164).

(0000307) Konrad_Schwarz (reporter) 2009-11-16 10:14	The example above deals with the POSIX-specified requirement that text files could have infinite line length (i.e., sysconf (_SC_LINE_MAX) returns a negative number). It does so by imposing an arbitrary, hard coded limit on the maximum line length it is willing to process, and deals with lines larger than that by commenting that longer lines are either treated as an error or as a continuation line. When processing lines of unbounded length, fgetc() should be used in preference to fgets(): faced with the requirement to deal with lines piecemeal, an application draws no benefit from the buffer which is the hallmark of fgets() -- inappropriate to an example demonstrating fgets(). Thus, too long lines should be treated as errors in the example: the final, non-NULL character in the buffer must be a newline, and the code could/should show this. Faced with the choice between an application "guessing" and hard coding a limit, and using a system-supplied value, I think the better solution is the latter. Thus, I would use the macro (LINE_MAX) defined in <limits.h> as the fallback value. In fact, a conforming application may rely on LINE_MAX exclusively, omitting the query to sysconf() all together. For simplicity, such an approach should be considered -- it happens to be the original example (except that an extra position needs to be reserved for the trailing NULL). If using _SC_LINE_MAX is wished, I would use the following example: The following example uses fgets() to read lines of input. It assumes that the file it is reading is a text file. On a system that does not bound line lengths, it can process only lines that are no longer than LINE_MAX. (Note that the standard utilities have no line length limit if sysconf(_SC_LINE_MAX) returns -1 without setting errno. This example assumes that sysconf(_SC_LINE_MAX) will not fail.) #include <limits.h> #include <stdio.h> #include <unistd.h> #include <string.h> char *line; int line_max; line_max = sysconf(_SC_LINE_MAX); if (0 > line_max) line_max = LINE_MAX; // add room for the nul byte added by fgets(). ++line_max; line = malloc(line_max); if (line == NULL) { // out of space ... return error; } while (fgets(line, line_max, fp) != NULL) { // Verify that a full line has been read... if ('\n' != line [strlen (line) - 1]) { ... return error; } // Process line... ... } free(line); ...

(0000321) Don Cragun (manager) 2009-12-03 18:53	There was a lengthy discussion about how limits are handled in the standard in the email discussion of this defect report on the austin-group-l alias. Despite the desires of some, the decision made during today's conference call is that the current text in the standard accurately describes the intent of the balloting group when the standard was written and as it has been revised over the years since then. The full discussion of this issue can be found in the mail archives and in the some of the comments in a related bug (see bugID:177) concerning an example in strtok(). The email sequence numbers in the archives are: 12789, 13018-10320, 13023, 13025, 13026, 13028, 13031-13033, 13036, 13047, 13048, 13052, 13065, 13083-13092, 13100, 13116, 13117, and 13121-13124.

(0000323) SHwareSystems (reporter) 2009-12-05 21:05	While I'm sorry I wasn't able to make the teleconference, and have no basic objection to the example change, after further thought on the matter the change to <limits.h> I feel must be considered illegal. There is NO PRIOR OR CURRENT ART, as the standard REQUIRES, of any actual implementation that does not have implicit, due to hardware constraints, or arbitrarily set explicit limits. As even Mr. Cragun admitted in the mailing list discussion this is a 'holy grail' of operating system design, not something he's aware of having been implemented either, the use of a symbolic 'indefinite' to represent 'shall have no limit' is not permitted. While many functions in C are specified in terms of an indefinite ideal, and I certainly understanf the desire to have the standard match such ideals as near as practical, the underlying implementations of those functions ALL deal with specific limits in one form or another, whether heuristically or analytically derived from hardware constraints, and it is the purpose of sysconf() and the <limits.h> and other headers to expose those values so applications don't need to duplicate the logic to discover them on their own. It is the text of sysconf() that must be changed so the blanket allowance of 'indefinite' be excised. Desires for future hardware or not as the original intent, it shouldn't legally have been there to begin with. If a valid reason for 'indefinite' is established as mandated by the hardware hosting an implemenation that always needs to be accounted for by any application, for a specific _SC_* index value, the text describing that index can indicate this and the Rationale should explain in detail the circumstances which lead to it being mandated. No current or past hardware I'm aware of has this requirement; I include the caveat only on grounds that future computers based on theoretical technologies like quantum effect transistors and hyperspatial holographic memory systems could need them.

Issue History
Date Modified	Username	Field	Change
2009-11-12 19:23	Don Cragun	New Issue
2009-11-12 19:23	Don Cragun	Status	New => Under Review
2009-11-12 19:23	Don Cragun	Assigned To	=> ajosey
2009-11-12 19:23	Don Cragun	Name	=> Don Cragun
2009-11-12 19:23	Don Cragun	Organization	=> Self
2009-11-12 19:23	Don Cragun	User Reference	=> fgets() LINE_MAX
2009-11-12 19:23	Don Cragun	Section	=> fgets() EXAMPLES
2009-11-12 19:23	Don Cragun	Page Number	=> 852
2009-11-12 19:23	Don Cragun	Line Number	=> 28298-28308
2009-11-12 19:23	Don Cragun	Interp Status	=> ---
2009-11-12 20:22	wpollock	Note Added: 0000302
2009-11-12 20:31	nsitbon	Note Added: 0000303
2009-11-13 10:07	geoffclare	Note Added: 0000304
2009-11-16 10:14	Konrad_Schwarz	Note Added: 0000307
2009-12-03 16:25	Don Cragun	Resolution	Open => Accepted
2009-12-03 16:25	Don Cragun	Desired Action Updated
2009-12-03 16:26	Don Cragun	Status	Under Review => Resolved
2009-12-03 18:53	Don Cragun	Note Added: 0000321
2009-12-05 21:05	SHwareSystems	Note Added: 0000323

Relationships

Aardvark Mark III