This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: Bounded array type?
- From: Florian Weimer <fweimer at redhat dot com>
- To: "Joseph S. Myers" <joseph at codesourcery dot com>
- Cc: James Nelson <retrobanana dot jn at gmail dot com>, gcc at gcc dot gnu dot org
- Date: Wed, 03 Sep 2014 18:08:33 +0200
- Subject: Re: Bounded array type?
- References: <CAGrc-OBDFPeTK1T0VRrO2TWKmSthhTywf6+78aR4L-_+ybu4uA at mail dot gmail dot com> <5406C8A4 dot 9060902 at redhat dot com> <Pine dot LNX dot 4 dot 64 dot 1409031517420 dot 11036 at digraph dot polyomino dot org dot uk>
On 09/03/2014 05:20 PM, Joseph S. Myers wrote:
> On Wed, 3 Sep 2014, Florian Weimer wrote:
>> On 09/02/2014 11:22 PM, James Nelson wrote:
>>> This is error-prone because even though a size parameter is given, the code
>>> in the function has no requirement to enforce it. With a bounded array
>>> type, the prototype looks like this:
>>> buf *foo(char buf[sz], size_t sz);
>> GCC already has a syntax extension to support this:
>> <https://gcc.gnu.org/onlinedocs/gcc/Variable-Length.html>
> But the size declared in a parameter declaration has no semantic
> significance; there is no requirement that the pointer passed does point
> to an array of that size.
I believe this was different with the bounded pointer extension. But I
might misremember how things worked. I've never used it (I think), I
only recall reading some documentation which has now vanished.
> If you declare the size as [static sz] then
> that means it points to an array of at least that size, but it could be
> larger.
GCC does not seem to enforce that. This compiles without errors:
int foo(char [static 5]);
int
bar(char *p)
{
    return foo(p);
}
This could be
--
Florian Weimer / Red Hat Product Security
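An added example, not code from the thread, contrasting a callee that trusts the `[static 5]` declaration with one that enforces the size requirement itself; the function names and the `NEEDED` constant are made up for illustration.

```c
#include <stddef.h>

#define NEEDED 5

/* Trusts the [static NEEDED] promise: reads buf[0..NEEDED-1] unconditionally.
 * The compiler does not verify that the caller's array is that large, and
 * passing a null pointer to such a parameter is undefined behaviour as well,
 * so any shortfall is discovered at run time (or not at all). */
int sum_static(const char buf[static NEEDED])
{
    int s = 0;
    for (size_t i = 0; i < NEEDED; i++)
        s += buf[i];
    return s;
}

/* Same computation, but the callee checks the size it was actually given
 * and returns -1 instead of reading past the end of a shorter array. */
int sum_checked(const char *buf, size_t sz)
{
    if (buf == NULL || sz < NEEDED)
        return -1;
    int s = 0;
    for (size_t i = 0; i < NEEDED; i++)
        s += buf[i];
    return s;
}

/* The situation from the thread: a plain pointer carrying no size
 * information is forwarded to the [static NEEDED] parameter. This
 * compiles without error; nothing checks that p really has NEEDED bytes. */
int call_via_pointer(const char *p)
{
    return sum_static(p);
}
```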