From: "muecker at gwdg dot de" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c/108896] provide "element_count" attribute to give more context to __builtin_dynamic_object_size() and -fsanitize=bounds
Date: Thu, 02 Mar 2023 18:17:02 +0000
Message-ID: <bug-108896-4-zbguB4Gx6w@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-108896-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896

--- Comment #9 from Martin Uecker <muecker at gwdg dot de> ---
On Thursday, 02.03.2023 at 17:34 +0000, qinzhao at gcc dot
gnu.org wrote:
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
> 
> --- Comment #8 from qinzhao at gcc dot gnu.org ---
> (In reply to Martin Uecker from comment #7)
> > An attribute is certainly simpler and should be easy to add.
> yes.
> > 
> > I proposed similar extension for C23 and there was some interest,
> > but I did not have time to follow up.
> > 
> > https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2660.pdf
> very interesting proposal!
> are there any discussions on this proposal? if so, can you point me to them?

One has to check the minutes from the WG14 meetings. You
will find those at the website. But I forgot at which
meeting it was discussed. Although completeness
and quality of the minutes vary, so I am not sure how
interesting this is.

https://www.open-std.org/jtc1/sc22/wg14/www/wg14_document_log

There were three follow-up proposals which I advanced for 
C23, but I changed jobs and most of them got delayed too
much for C23.

But we made variably modified types mandatory in C23 to
help with bounds checking and this already works quite
nicely with GCC / Clang:

https://godbolt.org/z/ddfsdWPMj

> > 
> > 
> > Sizeof is not a constant expression in ISO C for a VLA and it is not a
> > constant expression if the struct contains a VLA  (GNU extension).  So this
> > is already the case and nothing would need to change. It would also potentially  
> > avoid mistakes when computing the size of such a struct.
> agreed.
> However, my understanding is: VLA is only valid inside a function scope. GCC
> uses a special SAVE_EXPR to record its size expression, which is evaluated during
> runtime only once. 

Yes, this is correct.

> when this variable length concept is extended to global scope, not sure how to
> implement the size expression? need some study here.

Here, we want to use a member of the struct as a size 
expression. This could work equally at function and file scope.
But the semantics need to be worked out.  I started to work
on a patch for GCC a couple of weeks ago using PLACEHOLDER_EXPR,
but did not get very far.

The idea is to evaluate the size expression whenever the member
with the size is accessed. If the size is not set before, this
would be undefined behavior.

Other languages such as Ada support this, so in principle this
should be a piece of cake.

> 
> >  But the
> > rules for initialization are not so clear.
> shall we make this clear?

We should...

> > 
> > I do not think it is a good idea to differentiate between file scope structs
> > and others. This would be confusing.
> Yes. agreed.
> 
> this proposal basically is to extend the VLA concept from function scope to
> global scope. is my understanding correct?

I would say the idea is to allow size expressions to refer
to a member of a struct instead of only automatic variables.

> 
> > 
> > Considering that the GNU extension is rarely used, one could consider
> > redefining the meaning of
> > 
> > int n = 1;
> > struct {
> >   int n;
> >   char buf[n];
> > };
> > 
> > so that the 'n' refers to the member. Or we add a new syntax similar to
> > designators (which intuitively makes sense to me).
> designator might be better IMO.
> 
> a question here is:
> 
> for the following nested structure: 
> 
> struct object {
>         ...
>         char items;
>         ...
>         struct inner {
>                 ...
>                 int flex[];
>         };
> } *ptr;
> 
> what kind of syntax is good to represent the upper bound of "flex" in the inner
> struct with "items" in the outer structure? any suggestion?

I would disallow it. At least at first. It also raises some
questions: For example, one could form a pointer to the inner
struct, and then it is not clear how 'items' could be accessed
anymore.



Martin
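
Added example, not part of the message above and not GCC or WG14 code: it does by hand what the thread wants the compiler to derive, taking the bound of a flexible array member from a count member by forming a pointer to a variably modified type. The `struct object` layout and the function names `object_new`, `object_bound` and `object_store` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed layout: a count member followed by a flexible array member. */
struct object {
    size_t items;          /* number of elements allocated in flex[] */
    int flex[];
};

static struct object *object_new(size_t items)
{
    struct object *o;
    if (items > (SIZE_MAX - sizeof *o) / sizeof o->flex[0])
        return NULL;       /* allocation size would overflow */
    o = calloc(1, sizeof *o + items * sizeof o->flex[0]);
    if (o)
        o->items = items;
    return o;
}

/* Element count as carried by a variably modified type built from
 * o->items: sizeof *view is evaluated at run time. */
static size_t object_bound(struct object *o)
{
    if (o->items == 0)     /* a VLA type of length 0 is undefined in ISO C */
        return 0;
    int (*view)[o->items] = (int (*)[o->items])o->flex;
    return sizeof *view / sizeof (*view)[0];
}

/* Checked store: returns 0 on success, -1 if idx is outside flex[]. */
static int object_store(struct object *o, size_t idx, int value)
{
    if (idx >= object_bound(o))
        return -1;
    int (*view)[o->items] = (int (*)[o->items])o->flex;
    (*view)[idx] = value;  /* indexes an array type whose bound is o->items */
    return 0;
}

int main(void)
{
    struct object *o = object_new(4);
    if (!o)
        return 1;
    int ok = object_store(o, 3, 7) == 0 && object_store(o, 4, 9) == -1;
    free(o);
    return ok ? 0 : 1;
}
```

The bound is only as trustworthy as `items`: if the count is changed after allocation, the type built from it no longer matches the storage.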
