From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 26CD43858C39; Mon, 31 Jul 2023 12:40:52 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 26CD43858C39 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1690807252; bh=YMOgZf2AEDW8d7dzmKO3v32QyI7sc0yrx8EHZq8gzhk=; h=From:To:Subject:Date:In-Reply-To:References:From; b=tzo4HtorC8p/oYwUw2I9AW3j2Wlm8UyC2MScnvG2+b3+p+WO/sQjHf19uInuvHue/ XBWLQ1qWGA5LPP7U/IHOdN1G/DPV7h1wOmrcS+UYX9Ja9kMvUffEgW/XXjdmc03zSb xJCWn+AjOIy0N5/o2JZs6D1QYXzfTiY2hYs+lT2E= From: "aaron at aaronballman dot com" To: gcc-bugs@gcc.gnu.org Subject: [Bug c++/110848] Consider enabling -Wvla by default in non-GNU C++ modes Date: Mon, 31 Jul 2023 12:40:50 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: c++ X-Bugzilla-Version: 13.0 X-Bugzilla-Keywords: diagnostic X-Bugzilla-Severity: enhancement X-Bugzilla-Who: aaron at aaronballman dot com X-Bugzilla-Status: NEW X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D110848 --- Comment #8 from Aaron Ballman --- (In reply to Richard Biener from comment #7) > I think -std=3Dc++XY should diagnose (at least with a warning) the use of= GNU > extensions. Let me alter the summary and confirm. Thanks! I still think this should be diagnosed in all language modes due to= the ease of accidental usage along with the feature's security concerns, but at least getting it diagnosed by default in C++ language modes is a step in the right direction. Some more evidence of the security concerns (VLAs in gener= al, not specific to C++): https://nvd.nist.gov/vuln/detail/CVE-2015-5147 https://nvd.nist.gov/vuln/detail/CVE-2020-11203 https://nvd.nist.gov/vuln/detail/CVE-2021-3527 That said, it sounds like GCC maintainers feel (at least somewhat) strongly that this extension should not be diagnosed by default in GNU mode. I think Clang can follow suit so that there's less problems for folks porting betwe= en the two compilers. But we've recently started being more aggressive about diagnosing things that have security implications in C and C++ because of warnings to not use these languages due to poor security practices and lack= of coverage with tooling: https://advocacy.consumerreports.org/wp-content/uploads/2023/01/Memory-Safe= ty-Convening-Report-1-1.pdf https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMOR= Y_SAFETY.PDF I think VLA usage in C++ meets the bar as something to be more aggressive w= ith warning users about. It's not that the extension is broken, it's that it's = very often a surprise you're using the extension in the first place. It's unfortunate to have to opt out of diagnostics about an extension you're intentionally using; IMO, it's more unfortunate to have a CVE for your prod= uct due to accidentally using an extension you weren't aware of.=