On teaching C
May 19, 2016  

John Regehr has a post on Teaching C:

My main idea is that we need to teach C in a way that helps students understand why a very large fraction of critical software infrastructure, including almost all operating systems and embedded systems, is written in C, while also acknowledging the disastrously central role that it has played in our ongoing computer security nightmare.

I don’t find much to disagree with in his post, except, of course, that my takeaway is that we must RUN, not walk away from C as rapidly as possible. And here is why:

The second big thing each student should learn is: How can I avoid being burned by C’s numerous and severe shortcomings? This is a development environment where only the paranoid can survive; we want to emphasize a modern C programming style and heavy reliance on the (thankfully excellent) collection of tools that is available for helping us develop good C.

Static analysis is the first line of defense; the students need to use a good selection of -W flags and then get used to making things compile without warnings. A stronger tool such as the Clang static analyzer should also be used. On the dynamic side, all code handed in by students must be clean as far as ASan, UBSan, and MSan are concerned. tis-interpreter holds code to an even higher standard; I haven’t had students use this tool yet but I think it’s a great thing to try. Since dynamic testing is limited by the quality of the test cases, the students need to get used to using the output of a code coverage tool to find gaps in test coverage. Lots of coverage tools for C are available but I usually just use gcov since it is ubiquitous and hassle-free.

Regehr, who knows C very well, says that C programmers must use a collection of static and dynamic analysis tools on their programs to “avoid being burned.” This begs the question: Is this how C programmers are programming on a day-to-day basis, or are they ignoring these tools? And is this how new C programmers are being taught?

I believe that the answer to both of these questions is, by and large, NO. Yes, there are programmers who use these tools on every commit (Microsoft). Yes, there are teachers who teach these techniques (Regehr). But most programmers do not use these tools as a matter of course and most programmers are not taught to use them as a matter of course.

If these tools were used as a matter of course, you would not need to “use a good selection of -W flags,” because those flags would be the default. If these tools were used as a matter of course, you would not need to “get used to making things compile without warnings,” because they wouldn’t be warnings, they would be errors that stopped compilation and you would already be used to them. The reason that these flags are not defaults and these warnings are not errors is that practicing C programmers want to disregard these warnings and routinely do disregard these warnings.

And turning on compiler warning flags is the least disruptive suggestion that Regehr makes. Most of the other suggestions require installing separate tools, each with its own learning curve, and each adding to compile time.

As far as teaching goes, one only has to look at books and online materials to see that these tools and techniques are rarely taught. Certainly the most popular book, Kernighan and Ritchie, does not teach them. It was written before they existed and has not been updated.

C/C++ in the modern CS curriculum

You might be surprised but I’m not saying that C/C++ should have no place in the modern computer science curriculum. (You might also be surprised to learn that Bjarne Stroustrup was my department head for years and didn’t fire me :-).

Any computer security course should teach C, since it is so central to “our ongoing computer security nightmare.” Security students should know how to trigger buffer overflows, memory corruption, etc. in C programs.

A compiler course is a great place to teach C. You’ll need to understand machine code for compilers and C serves as a nice high-level machine code. It is also an interesting language to compile from, and an interesting language to instrument and analyze.

Systems programmers should be required to take a compiler course and a security course. I don’t think that there is any way a systems major should be allowed to avoid those two courses. Any university permitting that should lose their accreditation.