From: "joseph at codesourcery dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c/68065] Size calculations for VLAs can overflow
Date: Tue, 27 Oct 2015 17:09:00 -0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: c
X-Bugzilla-Version: 5.2.0
X-Bugzilla-Severity: normal
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-SW-Source: 2015-10/txt/msg02266.txt.bz2

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68065

--- Comment #8 from joseph at codesourcery dot com ---
I think it's undefined at the point where a type exceeds the limit on the size of an object (half the address space minus one byte), whether or not sizeof is used or any object with that type is constructed - that is, as soon as the language semantics involve evaluation of the array sizes for the VLA type in question.

(If the sizes are neither evaluated nor required, e.g. sizeof (int (*)[size]), or when replaced by [*] at function prototype scope, I don't consider that undefined; if required but not evaluated, as in certain obscure cases of conditional expressions, that's a different case of undefined behavior.)
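Editor's worked example, added here and not part of the bug report, the comment above, or GCC's own code: a C check that rejects a VLA size before the declaration that would evaluate it, using the object-size limit the comment describes (half the address space minus one byte, assumed here to be PTRDIFF_MAX), beside a sizeof of a pointer-to-VLA type, the case the comment singles out as not needing the size at all. The function names, OBJECT_SIZE_MAX and the sample array are the editor's own; the input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit on the size of any object: PTRDIFF_MAX, i.e. half the
 * address space minus one byte (the limit the comment refers to). */
#define OBJECT_SIZE_MAX ((size_t)PTRDIFF_MAX)

/* Return 1 if n elements of elem_size bytes form a representable object
 * size: the product must neither wrap around size_t nor exceed
 * OBJECT_SIZE_MAX. Dividing instead of multiplying avoids computing the
 * very product that could overflow. */
int vla_size_ok(size_t n, size_t elem_size)
{
    if (n == 0 || elem_size == 0)
        return 1;
    return n <= OBJECT_SIZE_MAX / elem_size;
}

/* Constructed sample input for the example. */
static const int sample[4] = { 1, 2, 3, 4 };

/* Copy n ints through a VLA and sum them. The VLA declaration is the
 * point where n is evaluated and n * sizeof(int) is computed, so the
 * check has to come before it. Returns -1 when the size is refused.
 * Passing the check only means the size is representable: a VLA sized
 * from untrusted input still needs an application-specific bound so it
 * cannot exhaust the stack. */
long checked_vla_sum(const int *src, size_t n)
{
    if (n == 0)
        return 0;                     /* a zero-length VLA is itself undefined */
    if (!vla_size_ok(n, sizeof(int)))
        return -1;                    /* would exceed the object-size limit */
    int buf[n];                       /* size expression evaluated here */
    memcpy(buf, src, n * sizeof(int));
    long sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += buf[i];
    return sum;
}

/* Convenience wrapper over the constructed sample. */
long sample_sum(void)
{
    return checked_vla_sum(sample, 4);
}

/* sizeof of a pointer-to-VLA type: the array size is not required to
 * form the result (it is always the size of a pointer), which is the
 * case the comment says is not undefined even for an absurd n. */
size_t ptr_to_vla_size(size_t n)
{
    return sizeof (int (*)[n]);
}

int main(void)
{
    printf("sum of sample: %ld\n", sample_sum());
    printf("SIZE_MAX ints refused: %d\n", checked_vla_sum(NULL, SIZE_MAX) == -1);
    printf("sizeof (int (*)[SIZE_MAX]) == sizeof (int *): %d\n",
           ptr_to_vla_size(SIZE_MAX) == sizeof (int *));
    return 0;
}
```

The boundary worth remembering is PTRDIFF_MAX / sizeof(element): one element more and the byte count is no longer a valid object size, even though n itself still fits in size_t.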