This is the mail archive of the
mailing list for the GCC project.
Request for comments on language extension: Safe arrays and pointers for C.
- From: John Nagle <nagle at animats dot com>
- To: gcc at gcc dot gnu dot org
- Cc: John Nagle <nagle at animats dot com>
- Date: Fri, 31 Aug 2012 14:55:32 -0700
- Subject: Request for comments on language extension: Safe arrays and pointers for C.
We have proposed an extension to C (primarily) and C++ (possibly)
to address buffer overflow prevention. Buffer overflows are still
a huge practical problem in C, and much important code is still
written in C. This is a new approach that may actually work.
"Safe arrays amd pointers for C, round 2", is here:
This has been discussed on Lambda the Ultimate and comp.std.c,
and the flaws found in those discussions have been dealt with.
So far, no one has found a killer reason why this can't work.
The proposal is to combine the concepts of C variable length
array formal parameters and C++ references. This allows
passing arrays as arrays, rather than pointers.
For "strict mode" translation units, arrays must be passed in
this way. For compatibility with old code, strict mode
code can call non-strict mode code, and vice versa.
When strict mode code calls strict mode code, there is
checking to insure that sizes match. This approach
doesn't require array descriptors or "fat pointers".
Example: Standard UNIX/Linux/Posix read, new strict form:
int read(size_t n; int fd, void_space(&buf)[n], size_t n);
The array parameter as a sized reference, an array of size n.
"void_space" is a new type, like "void *" for type matching
purposes, but like "char" for space allocation.
The initial "size_t n;" is an existing GCC extension, a forward
parameter declaration, needed because the array parameter
precedes the size parameter.
In non-strict code, this can be called with the good old form:
int stat = read(somefd, inbuf, 512);
The size is not checked in non-strict code. In strict code,
the compiler would generate a size check, based on the
prototype, that the size of the actual parameter matched the
size of the variable length formal parameter.
In strict code, arrays generally have to be passed around as references,
to keep the associated size information. There's also a way to
do this for structs. So this goes beyond C variable length arrays.
Again, there are no array descriptors; declarations tell the
language where to find the size of an array. So code is
compatible at the object level.
There's more, but that's the main idea. Programs would
be migrated to strict mode from the bottom up. First
standard libraries, then security-critical libraries,
then security-critical applications.
What I'd like for now is an an estimate of how hard this would
be to implement in GCC. Most of the necessary features, or
something close to them, are already implemented in GCC.
Implementors, please comment. Thanks.