On 2014-06-04, 09:46, coderman wrote:
there is a significant difference between engineering for safety, conservatively, and sloppy, error-prone techniques indicating haste and carelessness.
pointer arithmetic in C may be unavoidable, yet using it consistently, with thoughtfulness and robustness, is always a great idea.
Absolutely. My gripe was with the "automatic fail" of the OP. It's perfectly fine to say "this code doesn't look as if it was engineered for safety and you should consider rewriting it", and you can say "I can't audit this code, it's too complex for me", but you can't, IMHO, say "I fail this code's audit because it has a number of code smells" unless absence of code smells was a design requirement or there is evidence that these code smells are associated with security problems.

Fun,
Stephan

--