On Thu, Sep 12, 2013 at 03:52:18PM +0000, Joseph S. Myers wrote:
> On Thu, 12 Sep 2013, Marek Polacek wrote:
>
> > This patch adds the instrumentation of VLA bounds. Basically, it just
> > checks that the size of a VLA is positive. I.e., We also issue an error
> > if the size of the VLA is 0. It catches e.g.
>
> This is not an objection to this patch, but there are a few other bits of
> VLA bound instrumentation that could be done as well. If the size has a
> wide-enough type to be bigger than the target's SIZE_MAX, and is indeed
> bigger than SIZE_MAX, that could be detected at runtime as well. Or if
> the multiplication of array size and element size exceeds SIZE_MAX (this
> covers both elements of constant size, and elements that are themselves
> VLAs, but the former can be handled more efficiently by comparing against
> an appropriate constant rather than needing a runtime test for whether a
> multiplication in size_t overflows).
>
> (Actually, I believe sizes (in bytes) greater than target PTRDIFF_MAX, not
> just SIZE_MAX, should be caught, because pointer subtraction cannot work
> reliably with larger objects. So it's not just when the size or
> multiplication overflow size_t, but when they overflow ptrdiff_t.)
Yup, this all sounds good. I'll look at this tomorrow. I think I'd
prefer doing this as a follow-up, after the C/C++ FE parts are
reviewed; doing SIZE_MAX/PTRDIFF_MAX checking then should require
changes only in c-ubsan.c.
Marek
