<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Prefer a warning for when VLAs declared on stack"
href="https://bugs.llvm.org/show_bug.cgi?id=48460">48460</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Prefer a warning for when VLAs declared on stack
</td>
</tr>
<tr>
<th>Product</th>
<td>clang
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Macintosh
</td>
</tr>
<tr>
<th>OS</th>
<td>MacOS X
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>C18
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedclangbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>svoboda@cert.org
</td>
</tr>
<tr>
<th>CC</th>
<td>blitzrakete@gmail.com, dgregor@apple.com, erik.pilkington@gmail.com, llvm-bugs@lists.llvm.org, richard-llvm@metafoo.co.uk
</td>
</tr></table>
<p>
<div>
<pre>The Clang docs (<a href="https://clang.llvm.org/docs/DiagnosticsReference.html#wvla">https://clang.llvm.org/docs/DiagnosticsReference.html#wvla</a>)
define the "-Wvla" flag to do the following:

    Also controls -Wvla-extension.
    warning: variable length array used
    Warn if a variable-length array is used in the code. -Wno-vla prevents the
    -Wpedantic warning of the variable-length array.

The -Wvla flag causes both GCC 10 and Clang 12 to holler about this declaration
having a VLA:

    void func1(int n, int array[n]);

This happens even if func1 is called with a regular array or an int pointer.
Whether you consider 'array' to be a VLA or not depends on how you interpret
ISO C17 6.7.6.3p4. A colleague called the declaration of array a "heisen-VLA"
on the grounds that array may be cast to a VLA before being immediately cast to
an int pointer.

Clang 12 also hollers about this line, but GCC 10 doesn't:

    void func2(int array[*]);

ISO C17 6.7.6.3p4 is pretty clear that an array declared this way is indeed a
VLA.

But both code examples use VLAs only as an actual parameter argument type. The
main hazard of VLAs is being declared as a stack variable with an unsecured
dimension, where they could potentially exhaust your stack.

Most experts on VLAs would suggest that casting something to a VLA is not a
problem per se, and the real danger of VLAs is declaring a VLA on the stack
(because of the potential for stack exhaustion). However, neither GCC nor
Clang seems to have a warning to detect VLA stack declarations. This would be a
useful feature, either as a replacement for -Wvla's current behavior or as a
new warning flag.

    void func1(int n, int array[n]) { /* ok, no warning */
        int array2[n];                /* bad, VLA on stack, warn! */
        int (*array3)[n];             /* ok, no VLA on stack, so no warning */
    }

Finally, declaring a function argument type as a VLA with an explicit
(non-compile-time) array bound can improve software security, as a VLA bound
conveys useful semantic information to programmers. Also, a VLA bound can be
checked by the compiler or a static-analysis tool. At CERT, we call such an
array a "conformant array". For more background, see CERT guideline:

    API05-C. Use conformant array parameters
    <a href="https://wiki.sei.cmu.edu/confluence/x/n9UxBQ">https://wiki.sei.cmu.edu/confluence/x/n9UxBQ</a>

I have also submitted a similar bug report to GCC, it is here:
<a href="https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98217">https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98217</a></pre>
</div>
</p>
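The three declaration shapes from the report side by side, as an added example that is not part of the bug report or of Clang: a conformant array parameter (func1 shape), a VLA on the stack (array2 shape), and a pointer to a VLA over a bounded heap copy (array3 shape). Only the stack VLA reserves run-time stack space, which is the distinction the requested warning would draw; the function names, the MAX_ELEMS cap and the input data are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ELEMS 4096   /* constructed cap on the element count */

/* Conformant array parameter (func1 shape): `n` documents the bound, but `array`
 * adjusts to `const int *`, so no run-time stack storage is reserved. */
long sum_conformant(size_t n, const int array[n])
{
    long total = 0;
    for (size_t i = 0; i < n; i++)
        total += array[i];
    return total;
}

/* Stack VLA (array2 shape): n * sizeof(int) bytes are reserved on the stack at
 * run time; with an unchecked `n` this is the stack-exhaustion hazard. */
long sum_copy_stack_vla(size_t n, const int src[n])
{
    int copy[n];                          /* VLA on stack: the case to flag */
    memcpy(copy, src, n * sizeof *copy);
    return sum_conformant(n, copy);
}

/* Pointer to VLA (array3 shape) over a bounded heap copy: the bound stays in
 * the type, but nothing variable-sized lands on the stack. *ok = 0 on reject. */
long sum_copy_bounded(size_t n, const int src[n], int *ok)
{
    *ok = 0;
    if (n > MAX_ELEMS)
        return 0;                         /* refuse unsecured dimensions */
    int (*copy)[n] = malloc(sizeof *copy); /* sizeof evaluated at run time */
    if (copy == NULL)
        return 0;
    memcpy(*copy, src, sizeof *copy);
    long total = sum_conformant(n, *copy);
    free(copy);
    *ok = 1;
    return total;
}

int main(void)
{
    static const int data[5] = {1, 2, 3, 4, 5};  /* constructed input */
    int ok;
    printf("%ld %ld %ld\n", sum_conformant(5, data),
           sum_copy_stack_vla(5, data), sum_copy_bounded(5, data, &ok));
    return 0;
}
```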
</body>
</html>