User: Password:
|
|
Subscribe / Log in / New account

Waiting for perfect appliation code == stupid plan

Waiting for perfect appliation code == stupid plan

Posted Jun 4, 2010 13:24 UTC (Fri) by jschrod (subscriber, #1646)
In reply to: Waiting for perfect appliation code == stupid plan by wahern
Parent article: Symbolic links in "sticky" directories

Most developers I know don't program signal handling, threads, socket-polling, don't use shared memory, and don't create pre-emptive multitasking applications. (Some of these operations may be done in libraries or frameworks that they are using, but this is safely hidden from them.) But many of them create files in /tmp et.al.

Sorry, but I don't consider it "as pragmatic as the next guy" to argue against stopping the most common class of problems by pointing out that there are multiple similar problem classes that actually happens much less often. (Empirical data: symlink attack is the most common atomicity problem in CVE database.)


(Log in to post comments)

Waiting for perfect appliation code == stupid plan

Posted Jun 8, 2010 20:42 UTC (Tue) by nix (subscriber, #2304) [Link]

Quite so. Most of the developers I mentioned above spend much of their time talking to databases. They're used to races (the system is highly concurrent, with the concurrency isolated in separate processes communicating via the database), but they're largely protected from TOCTTOU by the database's transactionality. So they never learnt about it.

I find it hard to believe that this is uncommon.

Waiting for perfect appliation code == stupid plan

Posted Jun 8, 2010 23:46 UTC (Tue) by jschrod (subscriber, #1646) [Link]

Exactly. It's not that there are no atomicity problems in their development work, but the developers are not affected as it is handled by middleware or frameworks.

The only place where I see that they meet concurrency and all its associated problems are Java web applications with session state. And then they mark all methods of the respective session bean classes as "synchronized", without ever analyzing if it's needed or if it's sufficient. Well, most of them wouldn't know how to analyze it in the first place; cargo cult programming at its best.

And that's not limited to specific customers; I make the same observation in finance (not the equity departments, though), automotive, and telco companies.

Waiting for perfect appliation code == stupid plan

Posted Jun 9, 2010 12:07 UTC (Wed) by nix (subscriber, #2304) [Link]

Exactly. Concurrency is hard enough that most people can't handle it. This is surely not news.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds