From mboxrd@z Thu Jan 1 00:00:00 1970
From: "redi at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c++/110848] Consider enabling -Wvla by default in non-GNU C++ modes
Date: Mon, 23 Oct 2023 10:46:10 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: c++
X-Bugzilla-Version: 13.0
X-Bugzilla-Keywords: diagnostic
X-Bugzilla-Severity: enhancement
X-Bugzilla-Who: redi at gcc dot gnu.org
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
Content-Type: text/plain; charset="UTF-8"
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
List-Id: 

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110848

--- Comment #23 from Jonathan Wakely ---
(In reply to Martin Uecker from comment #20)
> And what alternative do you think is fundamentally safer than VLAs?
>
> VLAs know their bound. Thus, they integrate with _FORTIFY_SOURCE, and UBSan
> bounds checking. Also UBSan address checking at run-time. At compile-time
> there is -Ws

They don't integrate with idiomatic C++ such as ranges algorithms, and std::end.
More generally, they simply don't integrate with the C++ type system, so are unusable with most generic code using templates. Not only does std::is_array not recognise them as arrays, but even attempting to ask the question with std::is_array is ill-formed. Variably modified types are not part of the C++ type system, so can't be template arguments.

int n = 2;
int a[n]{};
static_assert(not std::is_array_v<decltype(a)>); // error

Clang doesn't even allow the {} initializer in the code above, so they're not portable either, even among compilers that support -std=gnu++17 modes.

> std::vector has some protection, e.g. ASAN finds the out of bounds
> access (at a high run-time cost) and one could activate the GLIBC assertions
> somehow:
>
> https://godbolt.org/z/8zanMG5x4

This will abort with the recommended hardening flags, specifically -D_GLIBCXX_ASSERTIONS (which is nothing to do with Glibc, and is suitable for production use, unlike ASan). Those assertions will be enabled by the proposed -fhardening flag.

>
> But I would not call it safer and overhead is much worse.
>
> Fundamentally, VLAs are the dynamic buffer which can be protected most
> easily and should be *preferred*.

Maybe for C, but not for C++. I know you are a big fan of VLAs, but please don't try to push them into a language where they do not fit, and are not needed.
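As an added example (not code from the bug report, from GCC or from either commenter), here is the C++ shape the comment argues for: a generic algorithm over std::begin/std::end that accepts std::array, std::vector and fixed-size C arrays (a VLA's variably modified type cannot be a template argument, so it cannot be passed at all), plus a std::vector read whose bound check is portable rather than dependent on -D_GLIBCXX_ASSERTIONS. All function names are assumptions; it assumes a C++14 or later compiler.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <iterator>
#include <stdexcept>
#include <type_traits>
#include <vector>

// Generic helper: works for any range whose type can be a template
// argument (std::array, std::vector, fixed-size C arrays). A VLA such as
// `int a[n]` cannot be passed here at all: its variably modified type is
// not part of the C++ type system, so it cannot be deduced as `Range`.
template <class Range>
std::size_t count_positive(const Range& r) {
    return static_cast<std::size_t>(
        std::count_if(std::begin(r), std::end(r), [](int x) { return x > 0; }));
}

// Bounds-aware read of a dynamically sized buffer. std::vector carries its
// bound, so at() rejects an out-of-range index by throwing on every build;
// operator[] gets the same check (as an abort rather than an exception) only
// when compiled with -D_GLIBCXX_ASSERTIONS, the libstdc++ hardening macro
// named in the comment above.
bool read_at(const std::vector<int>& buf, std::size_t index, int& out) {
    try {
        out = buf.at(index);
        return true;
    } catch (const std::out_of_range&) {
        return false;  // index >= buf.size(): caller decides how to recover
    }
}

// Fixed-size arrays are real array types, so the trait can answer; the same
// question cannot even be asked of a VLA.
static_assert(std::is_array<int[4]>::value, "int[4] is an array type");
static_assert(!std::is_array<std::array<int, 4>>::value,
              "std::array is a class type, not an array type");

// Constructed sample input: a buffer sized at run time, the situation in
// which a VLA would otherwise be reached for. Holds -1, 0, 1, ..., n-2.
std::vector<int> make_buffer(std::size_t n) {
    std::vector<int> v(n);  // zero-initialised, bound stored with the data
    for (std::size_t i = 0; i < n; ++i) v[i] = static_cast<int>(i) - 1;
    return v;
}
```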