There's no point improving the implementation of a bad idea

Raymond Chen

IsBadXxxPtr is a bad idea and you shouldn’t call it. In the comments, many people proposed changes to the function to improve the implementation. But what’s the point? IsBadXxxPtr is just a bad idea. There’s no point improving the implementation of a bad idea.

On the other hand, some people suggested making it clear that IsBadXxxPtr is a bad idea by making it worse. While this is tempting in a “I’m forcing you to do the right thing” sense, it carries with it serious compatibility problems.

There’s a lot of code that uses IsBadXxxPtr even though it’s a bad idea, and making IsBadXxxPtr worse would risk breaking those programs that managed to get away with it up until now. The danger of this is that people would upgrade to the next version of Windows and their program would stop working. Who do you think the blame will be placed on?

Sure, you might tell these people, “That’s because it’s a bug in your program. Go contact the vendor for an update.” Of course, that’s assuming you can prove that the reason why the program stopped working was this IsBadXxxPtr stuff. How can you tell that that was the problem? Maybe it was caused by some other problem, possibly even a bug in Windows itself. Or is your answer just going to be “Any program that crashes must be crashing due to misuse of IsBadXxxPtr?”

And, as I’ve noted before, contacting the vendor may not be enough. Most large corporations have programs that run their day-to-day operations. Some of them may have been written by a consultant ten years ago. Even if they have the source code, they may not have the expertise, resources, or simply inclination go to in and fix it. This happens more often than you think. To these customers, the behavior change is simply a regression.

Even if you have the source code and expertise, fixing the problem may not be as simple as it looks. You may have designed your program poorly and relied on IsBadXxxPtr to cover for your failings. For example, you may have decided that “The lParam to this message is a pointer to a CUSTOMER structure, or it could just be the customer ID number. I’ll use IsBadReadPtr, and if the pointer is bad, then the value must be the customer ID number.” Or you may have changed the definition of a function parameter and now need to detect whether your caller is calling the “old function” or the “new one”. Or it could simply be that once you remove the call to IsBadXxxPtr, your program crashes constantly because the IsBadXxxPtr was covering up for a huge number of other programming errors (such as uninitialized variables).

“But what if I’m just using it for debugging purposes?” For debugging purposes, allow me to propose the following drop-in replacement functions:

inline BOOL IsBadReadPtr2(CONST VOID *p, UINT_PTR cb)
  memcmp(p, p, cb);
  return FALSE;
inline BOOL IsBadWritePtr2(LPVOID p, UINT_PTR cb)
  memmove(p, p, cb);
  return FALSE;

It’s very simple: To see if a pointer is bad for reading, just read it (and similarly writing). If the pointer is bad, the read (or write) will raise an exception, and then you can investigate the bad pointer at the point it is found. We read from the memory by comparing it to itself and write to the memory by copying it to itself. These have no effect but they do force the memory to be read or written. Of course, this trick assumes that the compiler didn’t optimize out the otherwise pointless “compare memory to itself” and “copy memory to itself” operations. (Note also that the replacement IsBadWritePtr2 is not thread-safe, since another thread might be modifying the memory while we’re copying it. But then again, the original IsBadWritePtr wasn’t thread-safe either, so there’s no loss of amenity there.)

(As an aside: I’ve seen people try to write replacements for IsBadXxxPtr and end up introducing a bug along the way. There are many corner cases in this seemingly-simple family of functions.)


Discussion is closed.

Feedback usabilla icon