On Thu, May 9, 2013 at 2:13 PM, Ronan Keryell <span dir="ltr"><<a href="mailto:Ronan.Keryell@silkan.com" target="_blank">Ronan.Keryell@silkan.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
>>>>> On Thu, 9 May 2013 12:11:39 -0700, Richard Smith <<a href="mailto:richard@metafoo.co.uk">richard@metafoo.co.uk</a>> said:<br>
<br>
Richard> Hi! C++1y adds support for arrays of runtime bound (ARBs)<br>
Richard> to the C++ language. These are basically a restricted form<br>
Richard> of VLA,<br>
<br>
Very restricted... (Well I am biased, as a great fan of C99 VLA :-),<br>
mainly for automatic parallelization & vectorization issues)<br>
<br>
Richard> * Add a -farb-stack-limit=N command-line option to control<br>
Richard> the maximum stack memory which can be used by an ARB. If<br>
Richard> the ARB doesn't fit in this limit, we use heap allocation<br>
Richard> instead. By default, there is no limit. * Add a<br>
Richard> -farb-heap-limit=N command-line option to control the<br>
Richard> maximum heap memory which can be used by an ARB. If the ARB<br>
Richard> doesn't fit in this limit, we call<br>
Richard> __cxa_throw_bad_array_length. By default, the limit is 0<br>
Richard> (never use heap allocation). * If the bound is erroneous<br>
Richard> (too small, multiplication overflows, beyond our limit), we<br>
Richard> call __cxa_throw_bad_array_length. To support old C++ ABI<br>
Richard> libraries, we emit a weak form of this in every TU which<br>
Richard> invokes it, and the weak form calls __builtin_trap().<br>
<br>
Richard> Does this seem reasonable?<br>
<br>
Yes.<br>
<br>
Richard> Would we want any part of this checking (for instance, the<br>
Richard> overflow check + trap) in C, or in C++-before-C++14? Maybe<br>
Richard> the flags should be -fvla-foo instead of -farb-foo?<br>
<br>
I am curious about what is expected in the case of C checking.<br>
In this case do we test for overflows also in the case of<br>
multiple-dimension VLA too?<br></blockquote><div><br></div><div>Yes, that seems best.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
How to deal with C function definitions such as:<br>
void foo(int n, int m, float array[n][m]) {<br>
<br>
}<br>
<br>
where do you put the test for n and m?<br></blockquote><div><br></div><div>I don't think a test is necessary here, because this declaration doesn't allocate storage. Instead, any relevant test should have been performed when the argument passed as 'array' was created. I definitely see value in verifying that the 'array' argument can be used to access at least n * m floats, but I think that belongs in a separate check (maybe ASan could be taught to verify this).</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
It looks to me that if you want to be ABI-compatible, you have to<br>
synthesize a function wrapper and put the tests in it before calling the<br>
real renamed function or something like that...<br>
<br>
But even if it is difficult, I think your proposition of providing such<br>
verification for C compilation in Clang is a good idea as it can improve<br>
the code safety for C99.<br>
<br>
Thank you,<br>
<span class="HOEnZb"><font color="#888888">--<br>
Ronan KERYELL |\/ Phone: <a href="tel:%2B1%20650%20386%206482" value="+16503866482">+1 650 386 6482</a><br>
SILKAN Wild Systems |/)<br>
4962 El Camino Real #201 K <a href="mailto:Ronan.Keryell@silkan.com">Ronan.Keryell@silkan.com</a><br>
Los Altos, CA 94022 |\ skype:keryell<br>
USA | \ <a href="http://silkan.com" target="_blank">http://silkan.com</a><br>
</font></span></blockquote></div><br>
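The bound checks discussed in the thread, written out as an added example (not Clang's code and not from either author): the byte size of a multi-dimensional VLA/ARB is computed with every multiplication overflow-checked, negative bounds are rejected, and the result is placed under the proposed stack-limit / heap-limit policy. It generalizes the two-dimensional case to any number of dimensions, assumes the Clang/GCC builtin `__builtin_mul_overflow`, and treats a stack limit of `SIZE_MAX` as "no limit".

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Where an array of runtime bound ends up, following the policy in the thread. */
enum arb_placement { ARB_STACK, ARB_HEAP, ARB_BAD_LENGTH };

/* Byte size of T array[b0][b1]...[b(ndims-1)] with elem_size bytes per T.
 * Every multiplication is overflow-checked (__builtin_mul_overflow is a
 * Clang/GCC builtin) and negative bounds are rejected before conversion to
 * size_t, where -1 would otherwise read as an enormous dimension. */
static bool arb_byte_size(const long *bounds, int ndims, size_t elem_size,
                          size_t *out) {
    size_t bytes = elem_size;
    for (int i = 0; i < ndims; i++) {
        if (bounds[i] < 0) return false;
        if (__builtin_mul_overflow(bytes, (size_t)bounds[i], &bytes)) return false;
    }
    *out = bytes;
    return true;
}

/* stack_limit: largest ARB placed on the stack (SIZE_MAX = no limit, the
 * proposed default). heap_limit: largest ARB placed on the heap when it does
 * not fit the stack limit (0 = never use the heap, the proposed default).
 * Anything else is the erroneous-bound case that would reach
 * __cxa_throw_bad_array_length. */
static enum arb_placement arb_place(const long *bounds, int ndims, size_t elem_size,
                                    size_t stack_limit, size_t heap_limit) {
    size_t bytes;
    if (!arb_byte_size(bounds, ndims, elem_size, &bytes)) return ARB_BAD_LENGTH;
    if (bytes <= stack_limit) return ARB_STACK;
    if (heap_limit != 0 && bytes <= heap_limit) return ARB_HEAP;
    return ARB_BAD_LENGTH;
}

int main(void) {
    /* Constructed sample bounds for float array[n][m]. */
    long small[2] = {3, 4}, big[2] = {1024, 1024}, huge[2] = {LONG_MAX, LONG_MAX};
    static const char *names[] = {"stack", "heap", "bad_array_length"};
    printf("3x4   -> %s\n", names[arb_place(small, 2, sizeof(float), SIZE_MAX, 0)]);
    printf("1Kx1K -> %s\n", names[arb_place(big, 2, sizeof(float), 4096, 1u << 30)]);
    printf("huge  -> %s\n", names[arb_place(huge, 2, sizeof(float), SIZE_MAX, 0)]);
    return 0;
}
```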