Should internet support software be written in Ada?

Should internet support software be written in Ada?

[Bennett, Chip (KTR) ~U]

I just read an interesting article in Federal Computer Week.  The article,
titled "Energy group uncovers hole in Web software" is rather old (Feb 20),
so if this ground has already been covered, I apologize for rehashing it.

The article points out that the NCSA's httpd version 1.3 has a flaw where a
hacker might be able to overflow internal buffers and gain root access.

Point 1:  Didn't we already go through this several years back with a UNIX
mail server that had a similar problem?  Any history buffs remember that
one?

Point 2:  I going to make a huge leap here and assume that httpd is written
in C.  I'd bet that if the software had been written in a constraint
checking language like Ada, the problem would not have occurred.  Comments?

Chip Bennett

Re: Should internet support software be written in Ada?

[Vladimir Vukicevic]

In article <2F5B780E@SMTPGATE2.STRATCOM.AF.MIL> "Bennett, Chip (KTR)
~U" <BennettC@J64.STRATCOM.AF.MIL> writes:
> I just read an interesting article in Federal Computer Week.  The
> article, titled "Energy group uncovers hole in Web software" is
> rather old (Feb 20), so if this ground has already been covered, I
> apologize for rehashing it.
>
> The article points out that the NCSA's httpd version 1.3 has a flaw
> where a hacker might be able to overflow internal buffers and gain
> root access.
>
> Point 1: Didn't we already go through this several years back with
> a UNIX mail server that had a similar problem?  Any history buffs
> remember that one?

I believe nearly every widely-used unix tool has had this problem. I
know that finger had it, sendmail had it, and I'm sure many, many more
had (or still have?) this same problem.

> Point 2: I going to make a huge leap here and assume that httpd is
> written in C.  I'd bet that if the software had been written in a
> constraint checking language like Ada, the problem would not have
> occurred.  Comments?

Yes and no. It depends on where the overrun occurs. If it overruns
while, say, reading from a socket (via a syscall), then it could not
be prevented by using Ada or any other language because all the
procedure which actually stuffs bytes into the buffer has is a
System.Address (in Ada terms). If, however, the overrun occurs in user
code, i.e. copying from one string to another (maybe they're actually
reading in 256 bytes at a time, and then just appending them to
another buffer until there's no more data), then Ada would have
probably raised Constraint_Error on this operation.

There is no reason why unix/internet tools shouldn't be written in
Ada. Perhaps the most persuasive argument against doing so is that,
sadly, the majority of unix systems do not have an Ada compiler, while
they probably have a C compiler. Hopefully GNAT will change this; I've
already convinced a few people who, according to them, have no
intention of ever writing in Ada to install gnat on their systems just
in case something "truly cool" is released in Ada95. I think they're
still waiting to use the compiler.

	- Vladimir

Re: Should internet support software be written in Ada?

[Bill Brooks]

In article <2F5B780E@SMTPGATE2.STRATCOM.AF.MIL>,
Bennett, Chip (KTR) ~U <BennettC@J64.STRATCOM.AF.MIL> wrote:
>  [...stuff deleted..]
>
>Point 2:  I going to make a huge leap here and assume that httpd is written
>in C.  [...stuff deleted..]
> Comments?
>
>Chip Bennett

Yep. Here's a representative sample of the code that comes with NCSA's
httpd (everything including the formatting is from the original):
----------------------- start paste --------------------------
     */
    if (strchr(mapname,'/')) {
      strcpy(conf,getenv("PATH_TRANSLATED"));
      goto openconf;
    }
    
    if ((fp = fopen(CONF_FILE, "r")) == NULL)
        servererr(strcat("Couldn't open configuration file:", CONF_FILE));

    while(!(getline(input,MAXLINE,fp))) {
        char confname[MAXLINE];
        if((input[0] == '#') || (!input[0]))
            continue;
        for(i=0;isname(input[i]) && (input[i] != ':');i++)
            confname[i] = input[i];
        confname[i] = '\0';
        if(!strcmp(confname,mapname))
            goto found;
     }
-----------------------  end paste  ---------------------------
In the rich tradition of discussing good software engineering practices in
c.l.a(regardless of language) I'll ask: is this good coding style?
Keep in mind that this code was written under the auspices of one of
the top 5 schools in CS in the United States.



-- 
"Bright young men of disheveled appearance, often with sunken glowing
eyes...their fingers, already poised to strike, at the buttons and
keys on which their attention seems to be riveted as a gambler's on
the rolling dice."  -Joseph Weizenbaum on "compulsive programmers"

Re: Should internet support software be written in Ada?

[Anthony Shipman]

In <3kaksj$iur@isnews.calpoly.edu> wbrooks@hertz.elee.calpoly.edu (Bill Brooks) writes:

>In the rich tradition of discussing good software engineering practices in
>c.l.a(regardless of language) I'll ask: is this good coding style?
>Keep in mind that this code was written under the auspices of one of
>the top 5 schools in CS in the United States.

I've noticed that academics seem to write terrible code (from a software
engineering point of view), compared with professionals who do it for a
living.

-- 
Anthony Shipman                 "You've got to be taught before it's too late,
TUSC Computer Systems Pty Ltd    Before you are six or seven or eight,
                                 To hate all the people your relatives hate,
E-mail:  als@tusc.com.au         You've got to be carefully taught."  R&H

Re: Should internet support software be written in Ada?

[David Weller]

In article <3kaksj$iur@isnews.calpoly.edu>,
Bill Brooks <wbrooks@hertz.elee.calpoly.edu> wrote:
>     */
>    if (strchr(mapname,'/')) {
>      strcpy(conf,getenv("PATH_TRANSLATED"));
>      goto openconf;
>    }
>    
>    if ((fp = fopen(CONF_FILE, "r")) == NULL)
>        servererr(strcat("Couldn't open configuration file:", CONF_FILE));
>
>    while(!(getline(input,MAXLINE,fp))) {
>        char confname[MAXLINE];
>        if((input[0] == '#') || (!input[0]))
>            continue;
>        for(i=0;isname(input[i]) && (input[i] != ':');i++)
>            confname[i] = input[i];
>        confname[i] = '\0';
>        if(!strcmp(confname,mapname))
>            goto found;
>     }
>-----------------------  end paste  ---------------------------
>In the rich tradition of discussing good software engineering practices in
>c.l.a(regardless of language) I'll ask: is this good coding style?
>Keep in mind that this code was written under the auspices of one of
>the top 5 schools in CS in the United States.
>

At the risk of exposing myself as some sort of heretic, the above
code example looks perfectly "normal" to me.  That's one of the nasty
little problems about C, it makes "dense" code "normal".  Some may
claim that the above style isn't "industrial quality" C code, but
that's not been my observation -- I've seen MUCH worse.

-- 
      Frustrated with C, C++, Pascal, Fortran?  Ada95 _might_ be for you!
	  For all sorts of interesting Ada95 tidbits, run the command:
"finger dweller@starbase.neosoft.com | more" (or e-mail with "finger" as subj.)
		if u cn rd ths, u r gd enuf to chg to Ada   :-)

Re: Should internet support software be written in Ada?

[Theodore Dennison]

David Weller <dweller@Starbase.NeoSoft.COM>
> In article <3kaksj$iur@isnews.calpoly.edu>,
> Bill Brooks <wbrooks@hertz.elee.calpoly.edu> wrote:
> >    while(!(getline(input,MAXLINE,fp))) {
> >        char confname[MAXLINE];
> >        if((input[0] == '#') || (!input[0]))
> >            continue;
> >        for(i=0;isname(input[i]) && (input[i] != ':');i++)
> >            confname[i] = input[i];
> >        confname[i] = '\0';
> >        if(!strcmp(confname,mapname))
> >            goto found;
> >     }
> >In the rich tradition of discussing good software engineering practices in
> >c.l.a(regardless of language) I'll ask: is this good coding style?
> >Keep in mind that this code was written under the auspices of one of
> >the top 5 schools in CS in the United States.
> At the risk of exposing myself as some sort of heretic, the above
> code example looks perfectly "normal" to me.  That's one of the nasty
> little problems about C, it makes "dense" code "normal".  Some may


I think the problem he has with this (at least the problem I have with it)
is not that it dense, or even that it is C. It think the problem is the 
"goto" statements. (At least, that's my problem with it).

Now, I too have seen some bad C code in my time. But this is the first I have
EVER seen anyone actually use a "goto". In a language with a good selection of
looping constructs like C, there is NO excuse for this. (Well, perhaps 
stupidity...)

There, That ought to get the flames going!




T.E.D.

Re: Should internet support software be written in Ada?

[Fred J. McCall]

In article <3ks2o3$bab@theopolis.orl.mmc.com> Theodore Dennison <dennison@escmail.orl.mmc.com> writes:

>I think the problem he has with this (at least the problem I have with it)
>is not that it dense, or even that it is C. It think the problem is the 
>"goto" statements. (At least, that's my problem with it).

I'd suggest you don't know enough about the code in question to make that kind 
of judgement.

>Now, I too have seen some bad C code in my time. But this is the first I have
>EVER seen anyone actually use a "goto". In a language with a good selection of
>looping constructs like C, there is NO excuse for this. (Well, perhaps 
>stupidity...)

T'would seem that this commodity is actually on your part.  Depending on the 
application and the structure of the problem, there are times when 'goto' is 
the appropriate solution.  This sort of 'structured programming' bigotry is 
merely silly and is the sort of thing that leads to code obfuscated by 
numerous loops, tests, and unnecessary control variables.

>There, That ought to get the flames going!

Hope you're happy now.  Don't bother to reply.  The very comment convinces me 
you don't know enough to have a valid opinion.

Re: Should internet support software be written in Ada?

[Robb Nebbe]

In article <3ks2o3$bab@theopolis.orl.mmc.com> Theodore Dennison <dennison@escmail.orl.mmc.com> writes:
...
>Now, I too have seen some bad C code in my time. But this is the first I have
>EVER seen anyone actually use a "goto". In a language with a good selection of
>looping constructs like C, there is NO excuse for this. (Well, perhaps 
>stupidity...)

As a control structure a goto provides something that the "structured"
control structures do not provide: a permanent transfer of control.
Loops, and subprogram calls represent a temporary transfer of control.

Now a permanent transfer of control is almost never what you want. The
only use I have found is in implementing state machines but even then
a goto is not always the best solution. If you need access to state
information then you should probably not use gotos.

Fred McCall is probably correct in pointing out that we don't really
have enough information in the code fragment to judge is the use of
gotos was appropriate or not. However, I'm more than a little
suspicious when I see code like that.

Robb Nebbe

Re: Should internet support software be written in Ada?

[Theodore Dennison]

Fred J. McCall <fjm@ti.com> writes
> In article <3ks2o3$bab@theopolis.orl.mmc.com> Theodore Dennison <dennison@escmail.orl.mmc.com> writes:
> >Now, I too have seen some bad C code in my time. But this is the first I have
> >EVER seen anyone actually use a "goto". In a language with a good selection of
> >looping constructs like C, there is NO excuse for this. (Well, perhaps
> >stupidity...)
> 
> T'would seem that this commodity is actually on your part.  Depending on the
> application and the structure of the problem, there are times when 'goto' is
> the appropriate solution.  This sort of 'structured programming' bigotry is
> merely silly and is the sort of thing that leads to code obfuscated by
> numerous loops, tests, and unnecessary control variables.

"Structured Programming Bigotry"? Are you being serious?

Well, in case you are, I'm now curious. At what times is a "goto" an 
appropriate solution? The best excuse I ever heard was for simulating exception
handling in a language that didn't support it. 

I'm sorry if I'm taking sarcasm seriously, but I didn't see any smileys.

> 
> >There, That ought to get the flames going!
> 
> Hope you're happy now.  Don't bother to reply.  The very comment convinces me
> you don't know enough to have a valid opinion.

Oooh! Looks like I was right.

T.E.D.

Re: Should internet support software be written in Ada?

[Robert Dewar]

Hello, looks like a goto debate is about to start. It always surprises me
how many people react so defensively at the idea of a goto. Most peculiar.
Of course gotos are very rarely used.
Of course they are sometimes useful and appropriate.

In my experience it is a total waste of time to try to convnice people
of this if they are dead set against gotos, it's like trying to argue
religeon. For me, if someone doesn't see that gotos are sometimes useful,
fine, they are entitled to their [peculiar] opinion, and why should I
bother to try to persaude them otherwise.

No smileys here, none needed really, well maybe one for this last
sentence itself :-)

If you want to save yourself the troubvle of reading a long thread on this,
you could look at the long thread that just completed in comp.lang.cobol
on this very topic (of course on that newsgroup there are also people
who are convinced that mainframes will be around for ever :-)

Re: Should internet support software be written in Ada?

[Fred J. McCall]

In article <3l6hra$h05@theopolis.orl.mmc.com> Theodore Dennison <dennison@escmail.orl.mmc.com> writes:

>Fred J. McCall <fjm@ti.com> writes
>> In article <3ks2o3$bab@theopolis.orl.mmc.com> Theodore Dennison <dennison@escmail.orl.mmc.com> writes:
>> >Now, I too have seen some bad C code in my time. But this is the first I have
>> >EVER seen anyone actually use a "goto". In a language with a good selection of
>> >looping constructs like C, there is NO excuse for this. (Well, perhaps
>> >stupidity...)
>> 
>> T'would seem that this commodity is actually on your part.  Depending on the
>> application and the structure of the problem, there are times when 'goto' is
>> the appropriate solution.  This sort of 'structured programming' bigotry is
>> merely silly and is the sort of thing that leads to code obfuscated by
>> numerous loops, tests, and unnecessary control variables.

>"Structured Programming Bigotry"? Are you being serious?

Yes.  

>Well, in case you are, I'm now curious. At what times is a "goto" an 
>appropriate solution? The best excuse I ever heard was for simulating exception
>handling in a language that didn't support it. 

Any time the code is 'cleaner' with it than without it.  This is often the 
case for things like state machines and dispatchers.  By all means, though, if 
you don't have the judgement to be able to tell, you probably should never use 
it.

>I'm sorry if I'm taking sarcasm seriously, but I didn't see any smileys.

There weren't any.  Any time you think you can unequivocably say that 
'construct X is bad and should never be used', you are almost certainly wrong. 
 This is *EXACTLY* the sort of thinking all too many 'structured programming 
bigots' inflict on the people around them.

>> 
>> >There, That ought to get the flames going!
>> 
>> Hope you're happy now.  Don't bother to reply.  The very comment convinces me
>> you don't know enough to have a valid opinion.

>Oooh! Looks like I was right.

Wrong twice.  One more strike and you're out.

Re: Should internet support software be written in Ada?

[Theodore Dennison]

Fred J. McCall <fjm@ti.com> writes
> >Well, in case you are, I'm now curious. At what times is a "goto" an
> >appropriate solution? The best excuse I ever heard was for simulating
> Any time the code is 'cleaner' with it than without it.  This is often the
> case for things like state machines and dispatchers.  By all means, though, if
> you don't have the judgement to be able to tell, you probably should never use
> it.
> 

Could you be more specific than "state machines"? Any algorithm can be
expressed
as a state machine (I believe there is actually a theorem to this effect, but
it's been a while since college).

I have written a dispatcher before. It seemed clean enough as a loop enclosing
a case statement. I don't think goto's would have made it clearer.

T.E.D. (structured programming bigot)

Re: Should internet support software be written in Ada?

[Robert I. Eachus]

In article <3lbp1k$jij@theopolis.orl.mmc.com> Theodore Dennison <dennison@escmail.orl.mmc.com> writes:

  > Could you be more specific than "state machines"? Any algorithm
  > can be expressed as a state machine (I believe there is actually a
  > theorem to this effect, but it's been a while since college).

  > I have written a dispatcher before. It seemed clean enough as a
  > loop enclosing a case statement. I don't think goto's would have
  > made it clearer.

    A simple state machine can be expressed as a case statement in a
loop.  A more complex state machine will often have several selection
criteria, or may have states for which the "normal" method of choosing
the next state do not apply.  (The canonical example of these is error
recovery.)

    In such a state machine you can keep adding flags and tests to
keep the original structure intact, but a much better approach is to
say goto when you know where to go next.  It is much easier to
understand, and, surprise, surprise, it is a lot easier to maintain.

    Let me give you a simple example.  A parser generator generated
tables which were headers followed by lists of triples: (symbol,
action, next state).  Since many lists only differed from the a
similar state because they had one or two added triples, we put in an
optimization where some table headers indicated that if you didn't
find a match in this table you should go to some other table and try
there.  (There are the magic words again.)

    Now I could have written the parser with a loop of the form:

    while In_Continue_Table loop
      --search table...
    end loop;

    But that code would be totally misleading.  What I wrote was:


    <<Try_Again>>
       case Table.Kind is
         ...
         when Continue_Table =>
           if S /= Table.Entries(1)
           then
             Table := Table.Continuation;
             goto Try_Again;
           else
             -- process a match.
           end if;
    
    This makes it much clearer that you go back to the "top" of the
case statement only in specific failure cases.

    Another example in the same parser involved "panic mode" recovery.
If a neat clean correction can be found that allows the compiler to
continue can be found, make it and go on.  If not, you want to go back
to a consistant state and proceed from there.  Again if hand-waving
description uses go to, the proper implementation probably uses gotos.
In this case the reason for using goto was that the proper
continuation point depended on the type of error detected.  I could
have written this in Ada with several exceptions, several block
statements, several loops, etc.  Or I could, and did just use gotos
with appropriate labels so that the code was understandable.

    Now in both these cases, my description admitted that either one
could have been implemented without gotos.  As it happened, since both
of these were in the same code, and the artificially created nested
scopes would not have matched, one or the other had to be done with
gotos.  (Or you could use a number of artificial state variables,
etc., etc., like you learned in classes on computability theory.  But
not in anything I'm going to maintain!)

--

					Robert I. Eachus

with Standard_Disclaimer;
use  Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...

Re: Should internet support software be written in Ada?

[Theodore Dennison]

eachus@spectre.mitre.org (Robert I. Eachus) wrote:
>    A simple state machine can be expressed as a case statement in a
>loop.  A more complex state machine will often have several selection
>criteria, or may have states for which the "normal" method of choosing
>the next state do not apply.  (The canonical example of these is error
>recovery.)
>
>    In such a state machine you can keep adding flags and tests to
>keep the original structure intact, but a much better approach is to
>say goto when you know where to go next.  It is much easier to
>understand, and, surprise, surprise, it is a lot easier to maintain.
>

Thank you for your explanation, and your example. 

In the dispatcher I wrote, I did have a similar problem. I ended up 
handling it by performing all the error checking BEFORE the dispatching
algorithm got called. I also set up all of the dispatching conditions 
beforehand in boolean expressions (with judicious use of short-circuts and 
boolean parsing functions). I have to admit that the code for those parts
did get kinda ugly. But it made the dispatcher itself relatively simple. 
It also had the drawback that some parsing might be done more than once.
I can see where this would be unacceptable for compiler writers who are
worried about benchmark performance.

I guess I can see where you guys are comming from now. However, I think
your cure may be worse than the disease.

T.E.D. 
p.s. Ignore me, I`m a "structured programming bigot"

Re: Should internet support software be written in Ada?

[Wes Groleau]

>Hello, looks like a goto debate is about to start. It always surprises me
>.......

Hey, well Dijkstra said 'goto' is bad, so we sheep had better get in line!

There are always those that jump on every new bandwagon with no comprehnsion
of the tune the band is playing.

What's the difference between the 'goto FOUND_CONFIG' in the example
that started this and " exit FIND_CONFIG" inin Ada?

compare also "raise EXCEP" and " goto <<EXCEP_HANDLER>>"

pardon my syntax, I'm ...

Re: Should internet support software be written in Ada?

[Keith Thompson]

Bill Brooks <wbrooks@hertz.elee.calpoly.edu> wrote:
>     */
>    if (strchr(mapname,'/')) {
>      strcpy(conf,getenv("PATH_TRANSLATED"));
>      goto openconf;
>    }
>    
>    if ((fp = fopen(CONF_FILE, "r")) == NULL)
>        servererr(strcat("Couldn't open configuration file:", CONF_FILE));
>
>    while(!(getline(input,MAXLINE,fp))) {
>        char confname[MAXLINE];
>        if((input[0] == '#') || (!input[0]))
>            continue;
>        for(i=0;isname(input[i]) && (input[i] != ':');i++)
>            confname[i] = input[i];
>        confname[i] = '\0';
>        if(!strcmp(confname,mapname))
>            goto found;
>     }
> -----------------------  end paste  ---------------------------
> In the rich tradition of discussing good software engineering practices in
> c.l.a(regardless of language) I'll ask: is this good coding style?
> Keep in mind that this code was written under the auspices of one of
> the top 5 schools in CS in the United States.

Whether it's good style or not, it's incorrect.  The strcat() function
modifies its first parameter (more precisely, its first parameter is a
pointer and it modifies what it points to).  In the statement

>        servererr(strcat("Couldn't open configuration file:", CONF_FILE));

the first parameter is a string literal.  Result: the statement writes
the value of CONF_FILE immediately after wherever the compiler decided
to store the value for the string literal.

As it happens, this is unlikely to cause the program to fail visibly
(the line is executed only when the configuration file can't be opened,
and the program probably terminates immediately afterward).

Perhaps someone who knows where this code came from (I've lost the
original article) should notify the authors.

-- 
Keith Thompson (The_Other_Keith)  kst@thomsoft.com (kst@alsys.com still works)
TeleSoft^H^H^H^H^H^H^H^H Alsys^H^H^H^H^H Thomson Software Products
10251 Vista Sorrento Parkway, Suite 300, San Diego, CA, USA, 92121-2718
That's Keith Thompson *with* a 'p', Thomson Software Products *without* a 'p'.