|
Munkeymon posted:Because the charity that maintains it is called Legion of the Bouncy Castle, obviously: In May I start at a firm called literally 1337, but they're chill.
|
# ? Apr 14, 2014 06:32 |
|
|
More fun code from the project I work on: we have some tests around our image processing (not the actual processing, just that things get called and files created). Well, the person who wrote the test decided to stub a couple of methods on all instances of the String class, which ended up causing ~250 MB of the string "Image" repeating for each test in the context (which was about 5). Needless to say, this caused issues with Jenkins crashing and forced us to delay a couple of deploys because our build system kept crashing.
|
# ? Apr 14, 2014 17:49 |
|
zokie posted:In May I start at a firm called literally 1337, but they're chill. Ask them what happened to the previous 1,336 firms.
|
# ? Apr 14, 2014 19:53 |
|
Alien Arcana posted:Ask them what happened to the previous 1,336 firms. They have not failed. They've just found 1,336 ways that don't work.
|
# ? Apr 14, 2014 19:56 |
|
We call it Continuous Business Model Deployment.
|
# ? Apr 14, 2014 22:26 |
|
code:
Look carefully at the ampersand on the last line.
|
# ? Apr 15, 2014 01:18 |
|
I found a bug in GNU bash, so I went to go check out the source code. Huh...
|
# ? Apr 15, 2014 04:34 |
|
Suspicious Dish posted:I found a bug in GNU bash, so I went to go check out the source code. Huh... Take a look at http://git.savannah.gnu.org/cgit/bash.git/commit/?id=ac50fbac377e32b98d2de396f016ea81e8ee9961 to understand the horror.
|
# ? Apr 15, 2014 08:55 |
|
pseudorandom name posted:Take a look at http://git.savannah.gnu.org/cgit/bash.git/commit/?id=ac50fbac377e32b98d2de396f016ea81e8ee9961 to understand the horror. I'm not sure I get it? Is it a huge monolithic commit that's not a merge?
|
# ? Apr 15, 2014 09:11 |
|
hackbunny posted:I'm not sure I get it? Is it a huge monolithic commit that's not a merge? No, it's the 45 undocumented commits over a two-year period followed by a single commit containing the changelog.
|
# ? Apr 15, 2014 09:41 |
|
AlsoD posted:
This one is nasty, but entire article deserves a read. It surely would give you warnings though, no?
|
# ? Apr 15, 2014 11:50 |
|
pseudorandom name posted:No, it's the 45 undocumented commits over a two-year period followed by a single commit containing the changelog. code:
|
# ? Apr 15, 2014 13:16 |
|
Otto Skorzeny posted:Also the fact that the repository makes frankly bizarre assumptions as to where the source lives That is generated code.
|
# ? Apr 15, 2014 13:19 |
|
Athas posted:That is generated code. Yacc dumps absolute paths in the comments of its generated code?
|
# ? Apr 15, 2014 13:26 |
Otto Skorzeny posted:Yacc dumps absolute paths in the comments of its generated code? You're not supposed to distribute Yacc-generated code anyway; it's just an intermediate compilation step.
|
|
# ? Apr 15, 2014 13:52 |
|
Otto Skorzeny posted:Yacc dumps absolute paths in the comments of its generated code? Yep, just like cpp. Edit: I've made so many of the errors in that UE4 analysis, and so many of them have made it into production... Subjunctive fucked around with this message at 15:05 on Apr 15, 2014 |
# ? Apr 15, 2014 14:39 |
|
$CLIENT's database devs: "We want our own dev server so the eventual end users who are not programmers or designers can play around with and bikeshed our case management system." $CLIENT: "Sure. Eventually. Whatever." $CLIENT's database devs: "Oh, can we use the sandbox environment currently in use by the $CONTRACTOR to develop our system? We never got that server." $CLIENT: "Sure, whatever." US: "Would you like us to twiddle our thumbs but keep billing you almost six figures a month?" I should add that about half a year ago someone fat-fingered, spilled beer, or quit in an actionable manner; they managed to delete all of our development VMs and a lot of other VMs, and most of the backups, and I think even our TFS server. Our local copies saved a lot of asses. Nevertheless, their tables are so normalized it's a bit of a breeze to work with them. They just kind of suck at the whole backups and best practices thing.
|
# ? Apr 15, 2014 15:13 |
|
Something I found in our codebase today, slightly paraphrased: code:
|
# ? Apr 15, 2014 17:31 |
|
Apart from the use of globals, what's really wrong with that code?
|
# ? Apr 15, 2014 18:32 |
|
Dessert Rose posted:Apart from the use of globals, what's really wrong with that code? Look at the function signature of fprintf(3), then look at how he's calling it, then look at what he's doing with snprintf and the fixed buffer. e: I can't use spoiler tags properly code:
code:
code:
Blotto Skorzany fucked around with this message at 18:41 on Apr 15, 2014 |
# ? Apr 15, 2014 18:38 |
|
Dessert Rose posted:Apart from the use of globals, what's really wrong with that code?
Not using sizeof for the buffer
No guarantee that the message will fit in the buffer
Not using fprintf
|
# ? Apr 15, 2014 18:38 |
|
logStuff("%s");
|
# ? Apr 15, 2014 18:40 |
|
Somehow I missed that nagging voice in the back of my head: "doesn't fprintf do the same thing as all the other printfs...?"
tractor fanatic posted:logStuff("%s"); This is the best part, because I bet the original author was like, "I know, I'll be extra secure with snprintf!"
|
# ? Apr 15, 2014 18:43 |
|
Volmarias posted:Not using sizeof for the buffer Plus, unlike POSIX platforms, snprintf on Windows doesn't guarantee null-termination, so fprintf may not stop at the end of the buffer if the message is too long.
|
# ? Apr 15, 2014 18:44 |
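The logStuff discussion above (message formatted into a fixed buffer, then handed to fprintf as the format string) and the Windows null-termination caveat in the reply both come down to the same two rules: the message is data, never the format, and the buffer is bounded and terminated explicitly. The following is a constructed example written for this thread, not the codebase being discussed; logStuff, log_message, the 64-byte buffer and the sample messages are all assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed example; not the code from the thread. Models a logStuff()
 * that formats into a fixed buffer and then writes the line to a sink. */

#define LOG_BUF_SIZE 64   /* deliberately small so truncation is easy to hit */

struct log_result {
    char line[LOG_BUF_SIZE];
    int truncated;        /* 1 if the message did not fit in line[] */
};

/* Format into the fixed buffer. The size comes from sizeof, and the
 * terminator is written explicitly because MSVC's _snprintf does not
 * NUL-terminate on overflow (the caveat raised above); on POSIX this is
 * redundant but harmless. The return value of vsnprintf tells us whether
 * the message was cut off. */
static void format_log(struct log_result *r, const char *fmt, va_list ap)
{
    int n = vsnprintf(r->line, sizeof r->line, fmt, ap);
    r->line[sizeof r->line - 1] = '\0';
    r->truncated = (n < 0 || (size_t)n >= sizeof r->line);
}

/* The pattern the thread complains about, shown only as a comment:
 *     snprintf(buf, 1024, msg);   // message used as the format string
 *     fprintf(logfile, buf);      // ...and interpreted a second time here
 * A message containing a conversion specifier (the "%s" in logStuff("%s"))
 * is then parsed as a format instead of being printed. */

/* Hardened: fmt is a programmer-controlled literal, applied exactly once
 * with its arguments, and the finished line reaches the sink as a "%s"
 * argument, never as the format. */
static struct log_result log_stuff(FILE *sink, const char *fmt, ...)
{
    struct log_result r;
    va_list ap;
    va_start(ap, fmt);
    format_log(&r, fmt, ap);
    va_end(ap);
    if (sink != NULL)
        fprintf(sink, "%s\n", r.line);   /* never fprintf(sink, r.line) */
    return r;
}

/* Convenience wrapper for the common case of "just log this string". */
static struct log_result log_message(FILE *sink, const char *msg)
{
    return log_stuff(sink, "%s", msg);
}

int main(void)
{
    /* Constructed input: a message that happens to contain specifiers. */
    struct log_result r = log_message(stderr, "user said: %s%s%n");
    fprintf(stderr, "truncated=%d\n", r.truncated);
    return 0;
}
```

Calling log_message with a string full of "%s" now produces that string verbatim, and an oversized message is cut at 63 characters with truncated set, so the caller can decide whether a silently shortened log line is acceptable. The output sink is a FILE* so the same code can be pointed at a real log file; passing NULL skips the write, which is what the tests use.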
|
eithedog posted:It surely would give you warnings though, no? One of the tools the article author used did: quote: PVS-Studio's diagnostic message: V564 The '&' operator is applied to bool type value. You've probably forgotten to include parentheses or intended to use the '&&' operator. particlemodules_location.cpp 2120
|
# ? Apr 15, 2014 19:30 |
|
necrotic posted:One of the tools the article author used did: Yes, but that's the app they're advertising on the cited site. I wondered if VS wouldn't pick up on it (I truly don't know; I've only had experience with gcc, and am pretty sure such casts are picked up).
|
# ? Apr 15, 2014 21:46 |
|
eithedog posted:Yes, but that's the app they're advertising on the cited site. I wondered if VS wouldn't pick up on it (I truly don't know; I've only had experience with gcc, and am pretty sure such casts are picked up). Oh wow, didn't even notice that.
|
# ? Apr 15, 2014 22:42 |
|
The details of this story have been changed to protect the guilty. At work, one of the things I work on is a system for managing server configuration. People write configuration files for various subsystems, and these files are processed and combined into a master configuration image which is periodically deployed to the servers. I am currently working on a major overhaul to the format of the configuration image and the way it's generated. This has turned up (and provided me with an excuse to destroy forever) a lot of terrible legacy stuff that was officially deprecated years ago but never actually retired. For testing, we have an end-to-end test that builds a config image from a test configuration, brings up a representative set of servers reading from that configuration, and makes requests to them and verifies the results. This test configuration shares the same default settings as the real configuration. However, some of these default settings actually interfere with the tests, so for the test, a small subset of them need to be overridden and then selectively changed during test execution. Now, this is pretty easy, since the configuration language supports conditional settings, so you can just do something like this: code:
A co-worker and I spend some time digging and, finally, the horrible truth dawns. The configuration language did not always support such conditional settings. In those days, the overrides were applied by a shell script. When the end to end test was starting up, but before actually starting any of the servers, it would not directly generate the configuration image from the input files. Instead, it would generate a (text-based) intermediate representation, then run this script to effectively do a find-and-replace on it, replacing the default settings with the test-specific overrides. Then it would convert the IR into the actual config image and start the servers. For some reason, when conditional settings were implemented, not all of the overrides were moved out of the script, and a few stayed there, buried in the bowels of the test harness, until the day that I tried to change the configuration format -- causing it not to fail, but instead start silently passing through the configuration unaltered.
|
# ? Apr 16, 2014 01:26 |
|
code:
|
# ? Apr 16, 2014 03:32 |
|
Perl code:
Not pictured: capturing STDOUT in a variable, then using regex matches to parse out the information that was queried from the database.
|
# ? Apr 16, 2014 04:23 |
|
Suspicious Dish posted:I found a bug in GNU bash, so I went to go check out the source code. Huh... e: If you were a real hacker you would have spent all of 30 minutes rigging up emacs to import the patches and tarballs into quilt Gazpacho fucked around with this message at 06:56 on Apr 16, 2014 |
# ? Apr 16, 2014 06:49 |
|
No, I didn't. I have a lingering feeling they wouldn't accept my patch anyway, so I'm not going to bother.
|
# ? Apr 16, 2014 06:55 |
|
Crossquotin'
flyboi posted:has this been posted yet quote: Do not feed RSA private key information to the random subsystem as entropy.
|
# ? Apr 17, 2014 21:27 |
|
C code:
|
# ? Apr 17, 2014 21:42 |
|
x
revmoo fucked around with this message at 17:49 on May 21, 2014 |
# ? Apr 18, 2014 18:46 |
|
revmoo posted:The system is currently down for hardware maintenance and should return online at <b><? echo strftime('%D %H:00',time() + (3600*2)); ?> EST/EDT</b>. <br />Please call us if you need assistance. I'm the disingenuous estimated time for the system to become available.
|
# ? Apr 18, 2014 19:13 |
|
revmoo posted:The system is currently down for hardware maintenance and should return online at <b><? echo strftime('%D %H:00',time() + (3600*2)); ?> EST/EDT</b>. <br />Please call us if you need assistance. I guess they were looking to statically generate it to show during the outage? That libssl evisceration is nonstop gold.
|
# ? Apr 18, 2014 20:59 |
|
Apparently /dev/urandom has a spinlock that kills performance when read by multiple threads simultaneously. But this is by design, according to the author: Theodore Ts'o posted:Doctor, doctor it hurts when I do this. Well, then don't do that! (hint: you can get security AND speed simultaneously)
|
# ? Apr 19, 2014 07:22 |
|
Scaevolus posted:Apparently /dev/urandom has a spinlock that kills performance when read by multiple threads simultaneously. Not entirely convinced by that article, mainly the part where the author uses Python to measure lock contention in an external process.
|
# ? Apr 19, 2014 11:34 |
|
|
Scaevolus posted:(hint: you can get security AND speed simultaneously) Is this why people implement their own memory allocator because they think the platform one isn't fast enough? That said, there isn't a reason not to have per-cpu urandom state if someone wants to put in the work to implement it.
|
# ? Apr 19, 2014 12:48 |