[Swan] strncpy doesn't do what many people think that it does

D. Hugh Redelmeier hugh at mimosa.com
Fri Feb 15 07:30:33 EET 2013


| From: Wes Hardaker <opensource at hardakers.net>

| > 	assert(n != 0);		/* won't hold a string! */
| 
| Asserts are pure evil in production servers.  They cause important
| software to go down and are an easy spot for denial of service attacks.
| The better thing to do is return an error code, let the above code catch
| and handle it and keep running.

I understand your point.

BTW, I wrote "assert", which is generic, not "passert" which is what
would be used in Pluto.  That was a too-subtle hint that this was
schematic.

Furthermore, I also said silent truncation is almost never what is
wanted.

However: the number of unchecked failure returns in C code is really
really high and a scandal.  It is time to realize that humans can't
get this checking right -- we need help.  I don't have a simple 
suggestion to fix this.

The right way to call this code is to check/prove length>0 as a
precondition, not check for failure after the fact.  The assert is a
safety mechanism.

Shame on me for not documenting the precondition.  It's tricky.
	src != NULL
	&& src points at a string
	&& dest != NULL
	&& dest points at writeable memory of size >= len
	&& len > 0
I'm not sure that I got them all.  I'm not documenting the postcondition.

Notice that most hardware would do:
	assert(src != NULL);
	assert(dst != NULL);
	and more
So just because I don't write assert doesn't mean your goal is
reached.

(C really needs a pointer type that isn't allowed to contain NULL.  That 
would help compilers and programmers help each other.  I had a last-minute 
hack for C99 but it wasn't accepted.)


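An added illustration, not code from the thread or from Pluto: a bounded copy that documents the precondition list above, checks it with assert as the safety net, always NUL-terminates, and reports truncation to the caller instead of dropping it silently. The names bounded_strcpy and strncpy_terminated are my own choices; the second exists only to show the strncpy behaviour the subject line refers to.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

typedef enum { COPY_OK = 0, COPY_TRUNCATED = 1 } copy_result;

/*
 * Preconditions (the caller must establish them; the asserts only catch
 * a caller that did not):
 *   src != NULL && src points at a NUL-terminated string
 *   dst != NULL && dst points at writeable memory of size >= dst_size
 *   dst_size > 0   (a zero-size buffer cannot hold even the terminator)
 * Postcondition: dst is a NUL-terminated string, and the return value
 * says whether every byte of src fitted.
 */
copy_result bounded_strcpy(char *dst, size_t dst_size, const char *src)
{
	assert(src != NULL);
	assert(dst != NULL);
	assert(dst_size > 0);	/* won't hold a string otherwise */

	size_t i = 0;
	/* leave room for the terminator: copy at most dst_size - 1 bytes */
	for (; i + 1 < dst_size && src[i] != '\0'; i++)
		dst[i] = src[i];
	dst[i] = '\0';
	/* truncated iff we stopped before reaching the end of src */
	return src[i] == '\0' ? COPY_OK : COPY_TRUNCATED;
}

/*
 * For contrast: plain strncpy() writes no terminator at all when src
 * has dst_size or more characters. Returns 1 if dst ended up terminated.
 */
int strncpy_terminated(char *dst, size_t dst_size, const char *src)
{
	strncpy(dst, src, dst_size);
	return dst[dst_size - 1] == '\0';
}
```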