On Fri, Mar 07, 2025 at 01:38:32PM -0800, Kees Cook wrote:
> I'm all for better diagnostics, but since C doesn't have a way to specify
> scope for a named variable, I don't see how such a diagnostic would
> be actionable.
>
> int nr;
> struct foo {
> 	int nr;
> 	u8 array[] __counted_by(nr);
> };
If __attribute__((counted_by (nr))) is meant to change meaning from this->nr to ::nr (expressed in C++ syntax), given that there are (or are going to be) released compilers with the former meaning, I think the attribute either should have a different name or some other way to distinguish it from the old syntax.

E.g. one possibility is to distinguish the two by the number of arguments of the attribute; at that point __self wouldn't have to be a keyword, but just some identifier the user chooses. One could then use
__attribute__((counted_by (self, self.nr)))
(but could call it any other way, ideally something that doesn't conflict with global or local variables or the field names). This would be similar to e.g. OpenMP iterators,
#pragma omp task depend (iterator (i=1:7:2), depobj: *(depobja + i))
also declares that identifier i will be special in the following expression and will iterate like
for (int i = 0; i < 7; i += 2).

Or counted_by (identifier) could always mean the old syntax, and if the argument is not an identifier, it would be the new syntax, so the way to represent a global or local variable in the new syntax would be
__attribute__((counted_by (var + 0))).

	Jakub