https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110848
--- Comment #24 from Jonathan Wakely <redi at gcc dot gnu.org> ---
(In reply to Martin Uecker from comment #22)
> There may be many good reasons to prefer std::vector over VLAs in C++ but
> security and safety is not one of them. There are plenty of CVEs caused by
> std::vector out-of-bounds accesses.

There are plenty of CVEs caused by those for arrays too, static and variable length ones. The point is that vector carries its length with it properly, in a way that actually works with the type system (e.g. works with std::span and std::end etc.) A VLA has a length that the compiler knows in a limited scope, but you can't pass that to a function without passing the length explicitly as a separate argument. The length information is easily lost.

> The question is whether in GNU mode one
> should warn about a GNU extension. People who want to avoid VLAs for reasons
> of standard compliance would also not use a GNU mode.

Yes, I know, and the lack of integration with the type system should show they are simply inappropriate for general purpose use in idiomatic C++ code.
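
The following is an added example, not code from the comment above or from GCC. It contrasts a bounds check that depends on a caller-supplied length (what any array, VLA included, turns into at a function boundary) with one that uses the length `std::vector` carries; the names `read_at`, `sum_all`, `Outcome` and `demo` and all data are hypothetical.

```cpp
#include <cstddef>
#include <iterator>
#include <numeric>
#include <vector>

// What an array (VLA or not) becomes at a function boundary: a pointer plus
// whatever length the caller claims. The check is only as good as that claim.
bool read_at(const int* data, std::size_t claimed_len, std::size_t idx, int& out) {
    if (idx >= claimed_len) return false;
    out = data[idx];
    return true;
}

// The vector carries its own length, so the callee checks the real extent.
bool read_at(const std::vector<int>& v, std::size_t idx, int& out) {
    if (idx >= v.size()) return false;
    out = v[idx];
    return true;
}

// Generic code that gets the extent from the type: works for std::vector and
// fixed-size arrays. Per the comment above, a VLA does not work with std::end.
template <typename Range>
long sum_all(const Range& r) {
    return std::accumulate(std::begin(r), std::end(r), 0L);
}

struct Outcome { bool ptr_accepts; bool vec_accepts; long vec_sum; long arr_sum; };

Outcome demo() {
    // Constructed data: the buffer is logically 4 ints; the trailing 99s stand
    // in for adjacent memory so the bad read stays defined in this demo.
    int backing[8] = {1, 2, 3, 4, 99, 99, 99, 99};
    const std::size_t logical_len = 4;
    const std::size_t stale_len = 8;  // hypothetical caller bug: wrong length
    std::vector<int> v(backing, backing + logical_len);
    int out = 0;
    Outcome o;
    o.ptr_accepts = read_at(backing, stale_len, 6, out);  // passes the check
    o.vec_accepts = read_at(v, 6, out);                   // rejected
    o.vec_sum = sum_all(v);
    o.arr_sum = sum_all(backing);
    return o;
}

int main() { Outcome o = demo(); return (o.ptr_accepts && !o.vec_accepts) ? 0 : 1; }
```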