[cfe-dev] [RFC] Approach for C++1y N3639 (runtime-sized arrays with automatic storage duration)

Richard Smith richard at metafoo.co.uk
Thu May 9 14:48:11 PDT 2013

On Thu, May 9, 2013 at 2:13 PM, Ronan Keryell <Ronan.Keryell at silkan.com>wrote:

> >>>>> On Thu, 9 May 2013 12:11:39 -0700, Richard Smith <
> richard at metafoo.co.uk> said:
>     Richard> Hi!  C++1y adds support for arrays of runtime bound (ARBs)
>     Richard> to the C++ language.  These are basically a restricted form
>     Richard> of VLA,
> Very restricted... (Well I am biased, as a great fan of C99 VLA :-),
> mainly for automatic parallelization & vectorization issues)
>     Richard> * Add a -farb-stack-limit=N command-line option to control
>     Richard> the maximum stack memory which can be used by an ARB. If
>     Richard> the ARB doesn't fit in this limit, we use heap allocation
>     Richard> instead. By default, there is no limit.  * Add a
>     Richard> -farb-heap-limit=N command-line option to control the
>     Richard> maximum heap memory which can be used by an ARB. If the ARB
>     Richard> doesn't fit in this limit, we call
>     Richard> __cxa_throw_bad_array_length. By default, the limit is 0
>     Richard> (never use heap allocation).  * If the bound is erroneous
>     Richard> (too small, multiplication overflows, beyond our limit), we
>     Richard> call __cxa_throw_bad_array_length. To support old C++ ABI
>     Richard> libraries, we emit a weak form of this in every TU which
>     Richard> invokes it, and the weak form calls __builtin_trap().
>     Richard> Does this seem reasonable?
> Yes.
>     Richard>  Would we want any part of this checking (for instance, the
>     Richard> overflow check + trap) in C, or in C++-before-C++14? Maybe
>     Richard> the flags should be -fvla-foo instead of -farb-foo?
> I am curious about what is expected in the case of C checking.
> In this case do we test for overflows also in the case of
> multiple-dimension VLA too?

Yes, that seems best.

> How to deal with C function definitions such as:
> void foo(int n, int m, float array[n][m]) {
> }
> where do you put the test for n and m?

I don't think a test is necessary here, because this declaration doesn't
allocate storage. Instead, any relevant test should have been performed
when the argument passed as 'array' was created. I definitely see value in
verifying that the 'array' argument can be used to access at least n * m
floats, but I think that belongs in a separate check (maybe ASan could be
taught to verify this).

> It looks to me that if you want to be ABI-compatible, you have to
> synthesize a function wrapper and put the tests in it before calling the
> real renamed function or something like that...
> But even if it is difficult, I think your proposition of providing such
> verification for C compilation in Clang is a good idea as it can improve
> the code safety for C99.
> Thank you,
> --
>   Ronan KERYELL                            |\/  Phone:  +1 650 386 6482
>   SILKAN Wild Systems                      |/)
>   4962 El Camino Real #201                 K    Ronan.Keryell at silkan.com
>   Los Altos, CA 94022                      |\   skype:keryell
>   USA                                      | \  http://silkan.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20130509/e3c90919/attachment.html>

More information about the cfe-dev mailing list