[langsec-discuss] a question on code volume

Jon Callas jon at callas.org
Mon Dec 29 15:17:45 UTC 2014

On Dec 28, 2014, at 5:59 AM, dan at geer.org wrote:

> Is anyone here in a position to tell me what percentage
> of various/aggregate code bases are in exception handling
> blocks?  There is this old rule that 40% of total code
> should be in exception handling; I wonder if any static
> analysis work is routinely measuring this or if there is
> a langsec theoretical argument w.r.t. that rule of thumb.

I confess I have a raised eyebrow at that 40% number. My quick thought runs in this vein:

Suppose all code is in an if-then-else. In this case, 50% is in an else clause. Bear with me, as there's no difference between a then and an else, because "if x" and "if !x" differ only in point of view. So -- why would 40% be exception processing? While we're at it, what's an "exception" as opposed to a mere other clause? Yeah, yeah, I know it when I see it, too, but how would you define it formally?

We also know that 80% of all statistics are made up on the spot just to prove the author's point. How do we know this isn't one of that 80%?
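The thread asks whether static analysis routinely measures the share of code in exception-handling blocks, and Jon's reply points out that the answer depends entirely on how "exception handling" is defined. Below is an added illustration of that point (not code from the thread or from either poster): a small Python `ast` walker that counts every statement in a module and records how many are nested inside `except`/`finally` bodies and how many sit in the `else` branch of an `if`. The sample source it analyses is constructed here for the demonstration, and the choice to treat `except` and `finally` bodies (and nothing else) as "exception handling" is an assumption made explicit precisely because the definition is the contested part.

```python
"""Measure what fraction of a Python module's statements live inside
exception handlers, as one concrete operationalisation of the
"40% of code is exception handling" rule of thumb.

Assumption (ours, not the thread's): an "exception-handling block" is the
body of an except clause or a finally clause.  Statements in the else branch
of an if are counted separately to show how much the number depends on
which alternative clauses one decides to call "exceptional".
"""
import ast
from dataclasses import dataclass


@dataclass
class ExceptionStats:
    """Statement counts for one module."""
    total: int = 0          # every ast.stmt node, at any nesting depth
    in_handlers: int = 0    # statements nested inside an except/finally body
    in_if_else: int = 0     # statements nested inside the else branch of an if

    def handler_fraction(self) -> float:
        return self.in_handlers / self.total if self.total else 0.0

    def else_fraction(self) -> float:
        return self.in_if_else / self.total if self.total else 0.0


def _walk(stmts, stats, in_handler, in_else):
    """Count the statements in `stmts`, then recurse into their nested blocks,
    carrying the 'inside a handler' / 'inside an else' labels downward."""
    for node in stmts:
        stats.total += 1
        stats.in_handlers += int(in_handler)
        stats.in_if_else += int(in_else)

        # Ordinary nested blocks: function/class bodies, loop bodies,
        # if/then, with, and the try body itself.
        for attr in ("body", "orelse", "finalbody"):
            block = getattr(node, attr, None)
            if not isinstance(block, list):
                continue
            handler_here = in_handler or attr == "finalbody"
            # Only the else of an *if* counts as an else branch here; the
            # orelse of for/while/try has different semantics.  Note that an
            # elif is parsed as an If node inside orelse, so its body is
            # "in else" too: the then/else labelling is a point of view.
            else_here = in_else or (attr == "orelse" and isinstance(node, ast.If))
            _walk(block, stats, handler_here, else_here)

        # except clauses are not statements themselves, but their bodies are.
        for handler_node in getattr(node, "handlers", []):
            _walk(handler_node.body, stats, True, in_else)

        # match/case arms (Python 3.10+) are plain alternative clauses.
        for case in getattr(node, "cases", []):
            _walk(case.body, stats, in_handler, in_else)
    return stats


def measure(source: str) -> ExceptionStats:
    """Parse `source` and return statement counts for it."""
    tree = ast.parse(source)
    return _walk(tree.body, ExceptionStats(), False, False)


# Constructed sample module; it is parsed, never executed, so log()/audit()
# need not exist.
SAMPLE = '''
import json

def load_config(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}
    except json.JSONDecodeError as exc:
        log(exc)
        raise
    finally:
        audit("config read attempted")

def check(x):
    if x:
        return "then"
    else:
        return "else"
'''

if __name__ == "__main__":
    stats = measure(SAMPLE)
    print(f"{stats.total} statements, "
          f"{stats.handler_fraction():.0%} in except/finally, "
          f"{stats.else_fraction():.0%} in if-else branches")
```

On the sample above the walker reports 13 statements, 4 of them (about 31%) inside `except`/`finally` bodies and 1 in an `else` branch. Swap the assumption (count `finally` as cleanup rather than handling, or treat `else` branches as the "exceptional" path, as the reply suggests one could) and the percentage moves, which is the measurement problem the thread is circling.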
