On Wed, 3 Sep 2014, Florian Weimer wrote:

> On 09/02/2014 11:22 PM, James Nelson wrote:
>
> > This is error-prone because even though a size parameter is given, the code
> > in the function has no requirement to enforce it. With a bounded array
> > type, the prototype looks like this:
> >
> > buf *foo(char buf[sz], size_t sz);
>
> GCC already has a syntax extension to support this:
> <https://gcc.gnu.org/onlinedocs/gcc/Variable-Length.html>
But the size declared in a parameter declaration has no semantic significance; there is no requirement that the pointer passed does point to an array of that size. If you declare the size as [static sz] then that means it points to an array of at least that size, but it could be larger. Thus, any option for any sort of bounds checks based on parameter array sizes (constant or non-constant) would be an option that explicitly produces errors for valid C code.

(You could always have a function attribute to enable checking based on parameter array sizes - such an attribute would declare that the function should never access the parameter array outside the bounds given by the size, even if the array passed by the caller is larger, and maybe also that the caller must not pass an array smaller than the size given.)

-- 
Joseph S. Myers
jos...@codesourcery.com
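The following C example is added here to illustrate the point of the thread; it is not code from the mailing list or from GCC. It shows three things: that a size written in a parameter declaration is lost inside the function (sizeof on the parameter yields the pointer size), that `[static sz]` only makes the declared size a lower bound on the argument (so a 32-byte array passed to a `[static 8]` parameter is valid C, which is why a checker keyed to that size would reject correct code), and, by hand, the discipline the hypothetical attribute would encode: the callee clamps every access to the size the caller passed. Note that the size parameter is placed before the array it sizes, because standard C requires the size identifier to be declared before it is used in the array type; the function names and the sample data are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* VLA-style parameter (the size must be declared before the array it sizes).
 * sizeof on the parameter shows it has already decayed to a plain pointer:
 * the declared size carries no information into the function body, so
 * nothing stops the body from indexing past sz. */
size_t declared_size_is_lost(size_t sz, const char buf[sz])
{
    (void)sz;
    return sizeof buf;   /* sizeof(const char *), never sz */
}

/* [static sz] is only a promise that the argument has AT LEAST sz elements;
 * a larger array is valid, which is why a diagnostic keyed to the declared
 * size would flag correct C. The body must still limit itself to sz. */
size_t count_nonzero(size_t sz, const char buf[static sz])
{
    size_t n = 0;
    for (size_t i = 0; i < sz; i++)
        if (buf[i] != '\0')
            n++;
    return n;
}

/* The discipline the thread's hypothetical attribute would encode, done by
 * hand: every access is clamped to the sizes the caller passed, for both
 * source and destination. Returns the number of bytes copied. */
size_t bounded_copy(size_t dst_sz, char dst[static dst_sz],
                    size_t src_sz, const char src[static src_sz])
{
    size_t n = src_sz < dst_sz ? src_sz : dst_sz;
    memcpy(dst, src, n);
    return n;
}

/* Constructed sample input (not from the thread): 32 bytes, first 8 nonzero. */
static const char SAMPLE[32] = "ABCDEFGH";

/* Valid call: the array is 32 bytes, the function is told 8 and stays within 8. */
size_t demo_count(void)
{
    return count_nonzero(8, SAMPLE);   /* 8 */
}

/* Copy the 32-byte sample into a 16-byte destination: only 16 bytes move. */
size_t demo_copy(void)
{
    char dst[16];
    return bounded_copy(sizeof dst, dst, sizeof SAMPLE, SAMPLE);   /* 16 */
}

int main(void)
{
    /* Exercise each function; the return values are the demonstration. */
    int ok = declared_size_is_lost(sizeof SAMPLE, SAMPLE) == sizeof(const char *)
          && demo_count() == 8
          && demo_copy() == 16;
    return ok ? 0 : 1;
}
```

Compilers may warn that `sizeof buf` in `declared_size_is_lost` returns the size of a pointer; that warning is exactly the point being made.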