July 19th, 2007

You don’t optimize for the case where somebody is mis-using your system

Commenter Rune Moberg asks why it takes the window manager so long to clean up 20,000 leaked objects.

Well, because you’re not supposed to leak 20,000 objects. Why optimize something that people aren’t supposed to be doing? That would just encourage them!

Actually, this scenario is doubly “don’t do that”. Creating 10,000 was already excessive; 20,000 is downright profligate. And in order to create 20,000 leaked objects in the first place, you have to override the default limit of 10,000. Surely this should be a clue that you’re taking the system beyond its design parameters: After all, you had to go in and change a system design parameter to get this far!

The window manager does clean them up eventually. Nothing goes wrong, but the experience is frustrating. Hopefully that’ll be a big clue that you’re doing something wrong.

Nitpicker’s corner

Of course, you have to apply the principle of “don’t optimize for abuse” with your brain still engaged. If the abuse can lead to a denial of service attack, then you have a security issue. (That’s not the case here, however. In order to leak 20,000 windows, an attacker has to be able to create 20,000 windows directly, rather than going through an intermediary such as a scripting engine, since the scripting engine will destroy the window rather than leak it. If an attacker can create windows directly, then why bother creating 20,000? Create one and use it to annoy the user.)

Topics
Other

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

0 comments

Discussion are closed.