bug-gnulib

Re: split stdio-safer into fopen-safer, tmpfile-safer


From: Eric Blake
Subject: Re: split stdio-safer into fopen-safer, tmpfile-safer
Date: Tue, 25 Jul 2006 18:56:53 -0600
User-agent: Thunderbird 1.5.0.4 (Windows/20060516)

According to Ben Pfaff on 7/25/2006 11:21 AM:
> Paul Eggert <address@hidden> writes:
> 
>> With Bison I wanted fopen_safer but not tmpfile_safer (I think tmpfile
>> is not that safe due to signals and whatnot), so I split the fopen-safer
>> module into two, as follows:
> 
> Can you expand on why tmpfile is not so safe?

I'd still like to hear Paul's reasons.  But one of mine is that tmpfile is
allowed to leave a permanent file behind if the call to tmpfile() is
interrupted, or if the process _exit()s.  Yet there is no way to know what
that file is.  At least with mkstemp, you choose the file prefix.  Even
though there is a race between the time that you mkstemp() and unlink(),
such that the same problem exists of leaving a permanent file behind if
interrupted at the wrong time, at least you can document to the user where
to look for bogus files.  Another reason is that POSIX allows
implementations to limit you to TMP_MAX tmpfiles, which may be smaller
than the number of open fd's allowed.  (Hmm - sounds like an aardvark is
in order, since POSIX still calls out TMP_MAX in the normative text to
tmpnam, but deleted it from limits.h).

--
Life is short - so eat dessert first!

Eric Blake             address@hidden
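
The mkstemp()-then-unlink() approach the message compares against tmpfile(), as an added example that is not part of the original message or of gnulib. The helper name `tmpfile_with_prefix`, the `/tmp` directory, the `example-` prefix and the signal blocking around the race window are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not gnulib API): an unnamed temporary stream whose
   short-lived name starts with a prefix the caller chose and can document. */
FILE *tmpfile_with_prefix(const char *dir, const char *prefix)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/%sXXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= sizeof path)
        return NULL;

    /* Assumption beyond the message: block catchable signals so a handler
       that exits cannot run between mkstemp() and unlink().  SIGKILL or a
       crash can still strand the file, but under the known prefix.
       (Use pthread_sigmask() instead in a multithreaded program.) */
    sigset_t all, old;
    sigfillset(&all);
    if (sigprocmask(SIG_BLOCK, &all, &old) != 0)
        return NULL;

    int fd = mkstemp(path);   /* exclusive create of a unique name */
    int unlinked = (fd >= 0 && unlink(path) == 0);

    sigprocmask(SIG_SETMASK, &old, NULL);

    if (fd < 0)
        return NULL;
    FILE *fp = unlinked ? fdopen(fd, "w+") : NULL;
    if (fp == NULL)
        close(fd);            /* on unlink failure the file keeps its prefix */
    return fp;
}

int main(void)
{
    /* Constructed sample values: directory and prefix are placeholders. */
    FILE *fp = tmpfile_with_prefix("/tmp", "example-");
    if (fp == NULL)
        return EXIT_FAILURE;
    fputs("scratch data\n", fp);
    return fclose(fp) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Any file stranded by an interruption matches `<dir>/<prefix>??????`, which is the path pattern to give users for cleanup.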