DEF CON (wasL A license plate of NULL)

classic Classic list List threaded Threaded
18 messages Options
Reply | Threaded
Open this post in threaded view
|

DEF CON (wasL A license plate of NULL)

Keith Medcalf

On Monday, 12 August, 2019 11:09, Simon Slavin <[hidden email]> wrote:

>Some interesting things are emerging from this year's DEF CON.  This
>one is related to an issue we've often discussed here.  I hope you'll
>indulge this slightly off-charter post.
>
>https://www.iheart.com/content/2019-08-12-clever-vanity-license-plate-backfires-on-man-winds-up-with-tons-of-tickets/>

Perhaps more apropos is the following story from the Register, also originating at DEF CON:

https://www.theregister.co.uk/2019/08/10/memory_corruption_sqlite/

Although I would point out that the root problem is that the attacker already has access to the file in order to change it, and therefore already has presence on the machine.  This is really no different that saying that "if an attacker has access the filesystem to replace the login program, that the login program can be compromised".  In other words, much ado about nothing.  Solve the root issue (the inappropriate granting of access by some other method) and the issue is resolved.

This (seems to me) falls into the class of "if you have SYSTEM (root, for the *nix crowd) authority" you can "exploit vulnerability X" to obtain SYSTEM authority.  Why on earth would you bother?  Sure, you can exploit the vulnerability but it gains you nothing that you do not already have.  Perhaps I am just lazy but I see no point in engaging in extra work for no advantage (then again, maybe that is just the Control Systems background rearing its head).

As a side note, if one ALREADY HAS access to a machine hosting a database, and ALREADY HAS access to be able to make arbitrary changes to the database file, then the same exploit can be carried out on just about ANY system running just about ANY database imaginable .. it is trivial to create a view which replaces a table and have that view "do things" that are other than what was intended by the original designer, and have the fact that the table was replaced by a view remain "hidden" from routine uses.  And in any case, why bother with all the rigamarole.  You can already copy the contents of the database or make changes directly, so why go to such great lengths to be able to achieve indirectly that which you can already do directly?  (Not to mention that there are already capabilities to monitor for this sort of thing via the authorizer).

Granted, it is not usual to "ship around" SQLServer or DB2 databases or have those host "application file formats" quite like it is with SQLite3 databases, but then, files (no matter the type) originating from untrustworthy third-parties should be, well, untrusted.  The same applies to files which have been accessed (and perhaps modified) by untrustworthy parties.  The root problem is the prior untrustworthy access -- fix that and the problem goes away.

Conversely there is a great trend these days to "execute" data -- thankfully something which SQLite3 does not do.  An application might, but that is an application problem and not a data problem.

The only interesting thing is CVE-2015-7036, but I don't know if that was so much an SQLite3 issue, as it was an issue in the use of the tokenizer by Apple.  In either case, Apple fixed their bugs and SQLite3 was hardened against some inappropriate (unintended by the application developer) uses of the fts3_tokenizer() function.

https://www.sqlite.org/releaselog/3_28_0.html
Item 10

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.




_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: DEF CON (wasL A license plate of NULL)

Donald Shepherd
The difference, in Apple's case _very_ specifically, is that they sign the
majority (all the rest?  Unsure) of their files so that this style of
exploit fails.  Basically SQLite is being used to bypass an existing
Apple-specific security control.  Outside of the iOS world the
applicability is a lot lower (if any) as you detail.

Regards,
Donald Shepherd.

On Tue, 13 Aug 2019 at 06:14, Keith Medcalf <[hidden email]> wrote:

>
> On Monday, 12 August, 2019 11:09, Simon Slavin <[hidden email]>
> wrote:
>
> >Some interesting things are emerging from this year's DEF CON.  This
> >one is related to an issue we've often discussed here.  I hope you'll
> >indulge this slightly off-charter post.
> >
> >
> https://www.iheart.com/content/2019-08-12-clever-vanity-license-plate-backfires-on-man-winds-up-with-tons-of-tickets/
> >
>
> Perhaps more apropos is the following story from the Register, also
> originating at DEF CON:
>
> https://www.theregister.co.uk/2019/08/10/memory_corruption_sqlite/
>
> Although I would point out that the root problem is that the attacker
> already has access to the file in order to change it, and therefore already
> has presence on the machine.  This is really no different that saying that
> "if an attacker has access the filesystem to replace the login program,
> that the login program can be compromised".  In other words, much ado about
> nothing.  Solve the root issue (the inappropriate granting of access by
> some other method) and the issue is resolved.
>
> This (seems to me) falls into the class of "if you have SYSTEM (root, for
> the *nix crowd) authority" you can "exploit vulnerability X" to obtain
> SYSTEM authority.  Why on earth would you bother?  Sure, you can exploit
> the vulnerability but it gains you nothing that you do not already have.
> Perhaps I am just lazy but I see no point in engaging in extra work for no
> advantage (then again, maybe that is just the Control Systems background
> rearing its head).
>
> As a side note, if one ALREADY HAS access to a machine hosting a database,
> and ALREADY HAS access to be able to make arbitrary changes to the database
> file, then the same exploit can be carried out on just about ANY system
> running just about ANY database imaginable .. it is trivial to create a
> view which replaces a table and have that view "do things" that are other
> than what was intended by the original designer, and have the fact that the
> table was replaced by a view remain "hidden" from routine uses.  And in any
> case, why bother with all the rigamarole.  You can already copy the
> contents of the database or make changes directly, so why go to such great
> lengths to be able to achieve indirectly that which you can already do
> directly?  (Not to mention that there are already capabilities to monitor
> for this sort of thing via the authorizer).
>
> Granted, it is not usual to "ship around" SQLServer or DB2 databases or
> have those host "application file formats" quite like it is with SQLite3
> databases, but then, files (no matter the type) originating from
> untrustworthy third-parties should be, well, untrusted.  The same applies
> to files which have been accessed (and perhaps modified) by untrustworthy
> parties.  The root problem is the prior untrustworthy access -- fix that
> and the problem goes away.
>
> Conversely there is a great trend these days to "execute" data --
> thankfully something which SQLite3 does not do.  An application might, but
> that is an application problem and not a data problem.
>
> The only interesting thing is CVE-2015-7036, but I don't know if that was
> so much an SQLite3 issue, as it was an issue in the use of the tokenizer by
> Apple.  In either case, Apple fixed their bugs and SQLite3 was hardened
> against some inappropriate (unintended by the application developer) uses
> of the fts3_tokenizer() function.
>
> https://www.sqlite.org/releaselog/3_28_0.html
> Item 10
>
> --
> The fact that there's a Highway to Hell but only a Stairway to Heaven says
> a lot about anticipated traffic volume.
>
>
>
>
> _______________________________________________
> sqlite-users mailing list
> [hidden email]
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: DEF CON (wasL A license plate of NULL)

Scott Perry
In reply to this post by Keith Medcalf
On Aug 12, 2019, at 1:14 PM, Keith Medcalf <[hidden email]> wrote:
> The only interesting thing is CVE-2015-7036, but I don't know if that was so much an SQLite3 issue, as it was an issue in the use of the tokenizer by Apple.  In either case, Apple fixed their bugs and SQLite3 was hardened against some inappropriate (unintended by the application developer) uses of the fts3_tokenizer() function.

Generally speaking, the issue was the availability of a built-in function accessible from the query language that took a function pointer as a parameter.

Specifically, the vector was that an attacker with the ability to execute arbitrary SQL could cause execution to jump to the address of their choosing via the second parameter to fts3_tokenizer. Using established ROP techniques this could be used to gain control of the process.

The attack is even more interesting when combined with Check Point Research's recent publication (search for "SELECT code_execution FROM * USING SQLite;"), which explains how to gain control of a process from a database file by replacing all of its tables with views containing malicious queries.

Scott
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: DEF CON (wasL A license plate of NULL)

James K. Lowden
In reply to this post by Keith Medcalf
On Mon, 12 Aug 2019 14:14:08 -0600
"Keith Medcalf" <[hidden email]> wrote:

> Perhaps I am just lazy but I see no point in engaging in extra work
> for no advantage

bool
is_true (bool tf) {
        if (tf == true) {
                return true;
        }
        return false;
}

--jkl
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Programming methodology (was DEF CON (wasL A license plate of NULL))

Jose Isaias Cabrera-4

James K. Lowden, on Tuesday, August 13, 2019 12:31 PM, wrote...

>
> On Mon, 12 Aug 2019 14:14:08 -0600
> "Keith Medcalf", on
>
> > Perhaps I am just lazy but I see no point in engaging in extra work
> > for no advantage
>
> bool
> is_true (bool tf) {
>         if (tf == true) {
>                 return true;
>         }
>         return false;
> }

Completely, completely off the subject, but since I see this code here, and I have always wanted to ask this...

When I started programming, back in 1982, my teachers taught me to match my end bracket to the same column where the beginning bracket was.  And they explained the whole theory behind it, which I think it's true, to today.  For example the above code, I would have written it this way:'

bool is_true (bool tf)
{
    if (tf == true)
    {
        return true;
    }
    return false;
}

Where, the brackets, begins/ends, would match the same column.  When did this ideology change?  I see all of you smart programmers using this non-column matching behavior, and I ask myself why?  Thoughts?  Or not. :-)  Thanks.

josé
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Programming methodology (was DEF CON (wasL A license plate of NULL))

Warren Young
On Aug 13, 2019, at 1:16 PM, Jose Isaias Cabrera <[hidden email]> wrote:
>
> I see all of you smart programmers using this non-column matching behavior, and I ask myself why?  Thoughts?  Or not. :-)

It started in the days of real terminals, where the extra line was one of the 24-ish you got on a glass tty or it cost you a whole line on real paper on a traditional tty.

Today, you’re probably running your text editor windows 60-80 lines high, so the extra line might not seem like much of cost, proportionately speaking.  But, the more code you see on screen, the more context you have in front of you, so the less paging around through the file you have to do to maintain your mental model of what the program is doing.  Out of sight, out of mind.

As for alignment, every programmer’s text editor worth the name going back at least to vi (1980!) has some way of matching braces, no matter what column they’re in.  Now that all programmer’s text editors worth the name have copied Emacs’ flash-matching feature, you no longer even have to hit a command key to do the match.  There is no longer any reason to be unsure whether your braces are properly matched.

Aligned braces are not only unnecessary in any curly-brace language I’m aware of, they carry cost you might not be willing to pay.

Beyond that, you get into matters of style, rather than matters of pragmatic truth, which is not only off topic, it’s usually unproductive to argue over.  Pick one style per project and stick to it.
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Programming methodology (was DEF CON (wasL A license plate of NULL))

Keith Medcalf
In reply to this post by Jose Isaias Cabrera-4

On Tuesday, 13 August, 2019 13:17, Jose Isaias Cabrera <[hidden email]> wrote:

>James K. Lowden, on Tuesday, August 13, 2019 12:31 PM, wrote...

>> On Mon, 12 Aug 2019 14:14:08 -0600 "Keith Medcalf", on

>>> Perhaps I am just lazy but I see no point in engaging in extra
>>> work for no advantage

>> bool
>> is_true (bool tf) {
>>         if (tf == true) {
>>                 return true;
>>         }
>>         return false;
>> }

>Completely, completely off the subject, but since I see this code
>here, and I have always wanted to ask this...

>When I started programming, back in 1982, my teachers taught me to
>match my end bracket to the same column where the beginning bracket
>was.  And they explained the whole theory behind it, which I think
>it's true, to today.  For example the above code, I would have
>written it this way:'

>bool is_true (bool tf)
>{
>    if (tf == true)
>    {
>        return true;
>    }
>    return false;
>}

>Where, the brackets, begins/ends, would match the same column.  When
>did this ideology change?  I see all of you smart programmers using
>this non-column matching behavior, and I ask myself why?  Thoughts?
>Or not. :-)  Thanks.

It is a matter of taste I suppose, since there are numerous bits of software which can prettify various languages to a number of different formats.  The primary reason I have heard putting the opening brace on the same line is that it takes less space on the screen, and after all we can only afford 5 line monitors, am-I-right?

Personally I like the format where the braces line up with the start of the statement that they belong to and appear on a line by themselves, and the contained block is indented.  Then again I can afford an absolutely humongous monitor that can display about 50 lines per page.

Some people are severely allergic to white-space and so eliminate every non-required space/tab character all line-feeds/carriage-returns that are not within a quoted string and write their software as one big never-ending single line of code 40 miles long.

There are also some wierd formats that some seem to like as well where they half-indent the braces and other such malarky.

It is all a matter of taste and what you can see easily.  I also tend to use blocks around code that technically does not need them (as in the above example) because it makes it easier to see what is going on -- the visual appearance matches the parse tree generated by the compiler as it were.  Only the folks that do not use blocks obviously are struck by decades old code editing errors that they did not intend (and we have had a few of those in the last couple of years where the "visual depiction" did not match the "computer generated parse tree" ...

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.




_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Programming methodology (was DEF CON (wasL A license plate of NULL))

Don V Nielsen
If I were to have coded that junk (and I do see it too many times to
count), I would have coded it even junkier, as in

bool is_true (bool tf)
{
    if (tf == true) return true; else return false;
}

If it's single statement following an if and that statement isn't beyond 80
characters, I will code it as a single line

bool is_true (bool tf)
{
    if (tf == true) { return true;}
    return false;
}

I would normally comment the method with something like

// SWEET MOTHER OF MOSES, WHO CODED THIS????
// But since it is existing code, I have chosen not to touch it and kick
the can down the road.
// I don't want to be responsible for retesting the 97 million functions
that actually employ
// this piece of




On Tue, Aug 13, 2019 at 2:52 PM Keith Medcalf <[hidden email]> wrote:

>
> On Tuesday, 13 August, 2019 13:17, Jose Isaias Cabrera <[hidden email]>
> wrote:
>
> >James K. Lowden, on Tuesday, August 13, 2019 12:31 PM, wrote...
>
> >> On Mon, 12 Aug 2019 14:14:08 -0600 "Keith Medcalf", on
>
> >>> Perhaps I am just lazy but I see no point in engaging in extra
> >>> work for no advantage
>
> >> bool
> >> is_true (bool tf) {
> >>         if (tf == true) {
> >>                 return true;
> >>         }
> >>         return false;
> >> }
>
> >Completely, completely off the subject, but since I see this code
> >here, and I have always wanted to ask this...
>
> >When I started programming, back in 1982, my teachers taught me to
> >match my end bracket to the same column where the beginning bracket
> >was.  And they explained the whole theory behind it, which I think
> >it's true, to today.  For example the above code, I would have
> >written it this way:'
>
> >bool is_true (bool tf)
> >{
> >    if (tf == true)
> >    {
> >        return true;
> >    }
> >    return false;
> >}
>
> >Where, the brackets, begins/ends, would match the same column.  When
> >did this ideology change?  I see all of you smart programmers using
> >this non-column matching behavior, and I ask myself why?  Thoughts?
> >Or not. :-)  Thanks.
>
> It is a matter of taste I suppose, since there are numerous bits of
> software which can prettify various languages to a number of different
> formats.  The primary reason I have heard putting the opening brace on the
> same line is that it takes less space on the screen, and after all we can
> only afford 5 line monitors, am-I-right?
>
> Personally I like the format where the braces line up with the start of
> the statement that they belong to and appear on a line by themselves, and
> the contained block is indented.  Then again I can afford an absolutely
> humongous monitor that can display about 50 lines per page.
>
> Some people are severely allergic to white-space and so eliminate every
> non-required space/tab character all line-feeds/carriage-returns that are
> not within a quoted string and write their software as one big never-ending
> single line of code 40 miles long.
>
> There are also some wierd formats that some seem to like as well where
> they half-indent the braces and other such malarky.
>
> It is all a matter of taste and what you can see easily.  I also tend to
> use blocks around code that technically does not need them (as in the above
> example) because it makes it easier to see what is going on -- the visual
> appearance matches the parse tree generated by the compiler as it were.
> Only the folks that do not use blocks obviously are struck by decades old
> code editing errors that they did not intend (and we have had a few of
> those in the last couple of years where the "visual depiction" did not
> match the "computer generated parse tree" ...
>
> --
> The fact that there's a Highway to Hell but only a Stairway to Heaven says
> a lot about anticipated traffic volume.
>
>
>
>
> _______________________________________________
> sqlite-users mailing list
> [hidden email]
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Programming methodology (was DEF CON (wasL A license plate of NULL))

Simon Slavin-3
On 13 Aug 2019, at 9:42pm, Don V Nielsen <[hidden email]> wrote:

> bool is_true (bool tf)
> {
>    if (tf == true) return true; else return false;
> }

Do you get paid by the line of code ?
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Programming methodology (was DEF CON (wasL A license plate of NULL))

Richard Hipp-3
In reply to this post by Jose Isaias Cabrera-4
On 8/13/19, Jose Isaias Cabrera <[hidden email]> wrote:
>
> I see all of you smart programmers using this
> non-column matching behavior, and I ask myself why?

Because that's the way Dennis Richie did it.  :-)
--
D. Richard Hipp
[hidden email]
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Programming methodology (was DEF CON (wasL A license plate of NULL))

Jose Isaias Cabrera-4
Richard Hipp, on Tuesday, August 13, 2019 04:47 PM, wrote...
>
> On 8/13/19, Jose Isaias Cabrera, on
> >
> > I see all of you smart programmers using this
> > non-column matching behavior, and I ask myself why?
>
> Because that's the way Dennis Richie did it.  :-)

Somewhere in my basement exists a book called, "The C Programming Language."
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Programming methodology (was DEF CON (wasL A license plate of NULL))

Warren Young
On Aug 13, 2019, at 3:11 PM, Jose Isaias Cabrera <[hidden email]> wrote:
>
> Somewhere in my basement exists a book called, "The C Programming Language.”

It’s worth a re-read, even if you no longer use C.  You will certainly find insights that affect however you *do* program these days.

The last time I dipped into my first-edition copy, I discovered that K&R C didn’t even have malloc()!  That was considered outside the language, something to be left to the host OS’s API.  Instead, the book has two code examples showing how to implement something malloc-like atop the old Unix brk(2) syscall.  

There is no malloc() in V6 UNIX’s libc, either.  That didn’t appear until V7 UNIX, which was released about a year after the first edition of K&R was published.  That code is a lot like the second implementation of alloc() in K&R, within its Appendix A.

The earlier implementation of alloc() in the book was trivial: inefficient, but easy to understand.
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: [EXTERNAL] Re: DEF CON (wasL A license plate of NULL)

Hick Gunter
In reply to this post by James K. Lowden
But surely any compiler worth ist salt would optimize away all of that code and just use the result of the expression given as argument in the call ;)

-----Ursprüngliche Nachricht-----
Von: sqlite-users [mailto:[hidden email]] Im Auftrag von James K. Lowden
Gesendet: Dienstag, 13. August 2019 18:31
An: [hidden email]
Betreff: [EXTERNAL] Re: [sqlite] DEF CON (wasL A license plate of NULL)

On Mon, 12 Aug 2019 14:14:08 -0600
"Keith Medcalf" <[hidden email]> wrote:

> Perhaps I am just lazy but I see no point in engaging in extra work
> for no advantage

bool
is_true (bool tf) {
        if (tf == true) {
                return true;
        }
        return false;
}

--jkl
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


___________________________________________
 Gunter Hick | Software Engineer | Scientific Games International GmbH | Klitschgasse 2-4, A-1130 Vienna | FN 157284 a, HG Wien, DVR: 0430013 | (O) +43 1 80100 - 0

May be privileged. May be confidential. Please delete if not the addressee.
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: [EXTERNAL] Re: Programming methodology (was DEF CON (wasL A license plate of NULL))

Hick Gunter
In reply to this post by Don V Nielsen
How about

#define is_true(tf) ((uintptr_t)0 != (uintptr_t)(tf))

-----Ursprüngliche Nachricht-----
Von: sqlite-users [mailto:[hidden email]] Im Auftrag von Don V Nielsen
Gesendet: Dienstag, 13. August 2019 22:42
An: SQLite mailing list <[hidden email]>
Betreff: [EXTERNAL] Re: [sqlite] Programming methodology (was DEF CON (wasL A license plate of NULL))

If I were to have coded that junk (and I do see it too many times to count), I would have coded it even junkier, as in

bool is_true (bool tf)
{
    if (tf == true) return true; else return false; }

If it's single statement following an if and that statement isn't beyond 80 characters, I will code it as a single line

bool is_true (bool tf)
{
    if (tf == true) { return true;}
    return false;
}

I would normally comment the method with something like

// SWEET MOTHER OF MOSES, WHO CODED THIS????
// But since it is existing code, I have chosen not to touch it and kick the can down the road.
// I don't want to be responsible for retesting the 97 million functions that actually employ // this piece of




On Tue, Aug 13, 2019 at 2:52 PM Keith Medcalf <[hidden email]> wrote:

>
> On Tuesday, 13 August, 2019 13:17, Jose Isaias Cabrera
> <[hidden email]>
> wrote:
>
> >James K. Lowden, on Tuesday, August 13, 2019 12:31 PM, wrote...
>
> >> On Mon, 12 Aug 2019 14:14:08 -0600 "Keith Medcalf", on
>
> >>> Perhaps I am just lazy but I see no point in engaging in extra
> >>> work for no advantage
>
> >> bool
> >> is_true (bool tf) {
> >>         if (tf == true) {
> >>                 return true;
> >>         }
> >>         return false;
> >> }
>
> >Completely, completely off the subject, but since I see this code
> >here, and I have always wanted to ask this...
>
> >When I started programming, back in 1982, my teachers taught me to
> >match my end bracket to the same column where the beginning bracket
> >was.  And they explained the whole theory behind it, which I think
> >it's true, to today.  For example the above code, I would have
> >written it this way:'
>
> >bool is_true (bool tf)
> >{
> >    if (tf == true)
> >    {
> >        return true;
> >    }
> >    return false;
> >}
>
> >Where, the brackets, begins/ends, would match the same column.  When
> >did this ideology change?  I see all of you smart programmers using
> >this non-column matching behavior, and I ask myself why?  Thoughts?
> >Or not. :-)  Thanks.
>
> It is a matter of taste I suppose, since there are numerous bits of
> software which can prettify various languages to a number of different
> formats.  The primary reason I have heard putting the opening brace on
> the same line is that it takes less space on the screen, and after all
> we can only afford 5 line monitors, am-I-right?
>
> Personally I like the format where the braces line up with the start
> of the statement that they belong to and appear on a line by
> themselves, and the contained block is indented.  Then again I can
> afford an absolutely humongous monitor that can display about 50 lines per page.
>
> Some people are severely allergic to white-space and so eliminate
> every non-required space/tab character all line-feeds/carriage-returns
> that are not within a quoted string and write their software as one
> big never-ending single line of code 40 miles long.
>
> There are also some wierd formats that some seem to like as well where
> they half-indent the braces and other such malarky.
>
> It is all a matter of taste and what you can see easily.  I also tend
> to use blocks around code that technically does not need them (as in
> the above
> example) because it makes it easier to see what is going on -- the
> visual appearance matches the parse tree generated by the compiler as it were.
> Only the folks that do not use blocks obviously are struck by decades
> old code editing errors that they did not intend (and we have had a
> few of those in the last couple of years where the "visual depiction"
> did not match the "computer generated parse tree" ...
>
> --
> The fact that there's a Highway to Hell but only a Stairway to Heaven
> says a lot about anticipated traffic volume.
>
>
>
>
> _______________________________________________
> sqlite-users mailing list
> [hidden email]
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


___________________________________________
 Gunter Hick | Software Engineer | Scientific Games International GmbH | Klitschgasse 2-4, A-1130 Vienna | FN 157284 a, HG Wien, DVR: 0430013 | (O) +43 1 80100 - 0

May be privileged. May be confidential. Please delete if not the addressee.
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Programming methodology (was DEF CON (wasL A license plate of NULL))

Richard Damon
In reply to this post by Richard Hipp-3
On 8/13/19 4:47 PM, Richard Hipp wrote:
> On 8/13/19, Jose Isaias Cabrera <[hidden email]> wrote:
>> I see all of you smart programmers using this
>> non-column matching behavior, and I ask myself why?
> Because that's the way Dennis Richie did it.  :-)

There are many ways to format code, and many programmers have a strong
preference to the way THEY want it. In many ways this choice is a bit
like religion, sometimes hard to really explain why, but often the
believer has some ideas about it, and the choice is often firmly held
and hard to change.

I personally like the K&R style, as it is compact and dense, so you can
see more code. Some people dislike it for much the same reason.

While the braces don't align, the closing brace does align with the
beginning of the statement it is closing, and there is nothing else in
that column between so scanning up to find it isn't that hard (and then
to the end of the line to see the opening brace).

If the distance is long, I will add a comment after the closing brace
describing the start statement to make it easier to match.

Yes, this format makes it harder to see mismatched braces, but by
compiling often you get a syntax error with miss-matched braces, and
letting your editor find matching braces it tends to be fairly quick to
locate it. The key is to compile (or have the editor syntax check) often
enough that you can't make two opposing errors like this that hide each
other.

--
Richard Damon

_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: [EXTERNAL] Re: DEF CON (wasL A license plate of NULL)

Warren Young
In reply to this post by Hick Gunter
On Aug 14, 2019, at 12:27 AM, Hick Gunter <[hidden email]> wrote:
>
> But surely any compiler worth ist salt would optimize away all of that code and just use the result of the expression given as argument in the call ;)

You joke, but the answer is “Maybe.”

   See https://godbolt.org/z/K9g-ai

In English, that assembly says “return the passed value.”

Take out the -O3 on that page and observe the change.

But now change the compiler to see whether your favorite compiler can do this optimization.  The latest version of Visual C++ won’t optimize this away, as the latest GCC will:

    https://godbolt.org/z/tnr9cT

There’s probably an optimization setting that will do this, but the point is, you can’t always count on the optimizer to do what you think it should.  Thus Compiler Explorer.
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Programming methodology (was DEF CON (wasL A license plate of NULL))

James K. Lowden
In reply to this post by Richard Hipp-3
On Tue, 13 Aug 2019 16:47:43 -0400
Richard Hipp <[hidden email]> wrote:

> On 8/13/19, Jose Isaias Cabrera <[hidden email]> wrote:
> >
> > I see all of you smart programmers using this
> > non-column matching behavior, and I ask myself why?
>
> Because that's the way Dennis Richie did it.  :-)

That's right.  Like many of a certain age, I learned C from K&R, and
adopted Ritchie's style.  

I'm reminded of Bjarne Stroustrup's complaint about the C++
standardization process.  He would ask those assembled to offer
suggestions for how C++ could be made easier to use and more
approachable for the novice.  That question was always met with
silence.  If you want a lively discussion, he said, ask where the curly
braces belong.  

--jkl

_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Reply | Threaded
Open this post in threaded view
|

Re: Programming methodology (was DEF CON (wasL A license plate of NULL))

Tim Streater-3
On 15 Aug 2019, at 18:13, James K. Lowden <[hidden email]> wrote:

> On Tue, 13 Aug 2019 16:47:43 -0400
> Richard Hipp <[hidden email]> wrote:
>
>> On 8/13/19, Jose Isaias Cabrera <[hidden email]> wrote:
>> >
>> > I see all of you smart programmers using this
>> > non-column matching behavior, and I ask myself why?
>>
>> Because that's the way Dennis Richie did it.  :-)
>
> That's right.  Like many of a certain age, I learned C from K&R, and
> adopted Ritchie's style.  

In terms of learning C, me too. However I looked at the various styles and adopted Whitesmiths; the braces align and I'm not wasting time looking for the matching one.


--
Cheers  --  Tim
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users