https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110848
--- Comment #8 from Aaron Ballman <aaron at aaronballman dot com> ---

(In reply to Richard Biener from comment #7)
> I think -std=c++XY should diagnose (at least with a warning) the use of GNU
> extensions. Let me alter the summary and confirm.

Thanks! I still think this should be diagnosed in all language modes due to the ease of accidental usage along with the feature's security concerns, but at least getting it diagnosed by default in C++ language modes is a step in the right direction.

Some more evidence of the security concerns (VLAs in general, not specific to C++):

https://nvd.nist.gov/vuln/detail/CVE-2015-5147
https://nvd.nist.gov/vuln/detail/CVE-2020-11203
https://nvd.nist.gov/vuln/detail/CVE-2021-3527

That said, it sounds like GCC maintainers feel (at least somewhat) strongly that this extension should not be diagnosed by default in GNU mode. I think Clang can follow suit so that there are fewer problems for folks porting between the two compilers. But we've recently started being more aggressive about diagnosing things that have security implications in C and C++ because of warnings to not use these languages due to poor security practices and lack of coverage with tooling:

https://advocacy.consumerreports.org/wp-content/uploads/2023/01/Memory-Safety-Convening-Report-1-1.pdf
https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMORY_SAFETY.PDF

I think VLA usage in C++ meets the bar as something to be more aggressive with warning users about. It's not that the extension is broken, it's that it's very often a surprise you're using the extension in the first place. It's unfortunate to have to opt out of diagnostics about an extension you're intentionally using; IMO, it's more unfortunate to have a CVE for your product due to accidentally using an extension you weren't aware of.
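As an added illustration of the "surprise" usage the comment describes (example code, not from the bug report or either compiler), the first function below looks like it uses a fixed-size buffer, but its bound is a `const` runtime value rather than a `constexpr`, so in GNU mode it silently becomes a VLA sized by the message the sender controls; the second function keeps a true constant bound and validates the untrusted length before any copy. The wire format (one length byte followed by that many header bytes) and both function names are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>

// Constructed format: msg[0] is the header length, followed by that many header bytes.
constexpr std::size_t kMaxHeader = 16;

// Accidental VLA: 'n' is const but not a constant expression, so 'hdr' is a GNU
// variable-length array whose stack size is chosen by the input. A length byte of 255
// reserves 255 bytes the author never intended; a wider length field could exhaust the
// stack. Both GCC and Clang report this with -Wvla (or -pedantic), not by default here.
std::size_t header_checksum_vla(const std::uint8_t* msg, std::size_t msg_len) {
    const std::size_t n = msg[0];
    std::uint8_t hdr[n];                      // allocated before the length is validated
    if (n + 1 > msg_len) return 0;
    std::memcpy(hdr, msg + 1, n);
    std::size_t sum = 0;
    for (std::size_t i = 0; i < n; ++i) sum += hdr[i];
    return sum;
}

// Hardened form: the buffer has a constexpr bound (a standard C++ array), and the
// untrusted length is checked against that bound and the message size before the copy.
std::optional<std::size_t> header_checksum_fixed(const std::uint8_t* msg, std::size_t msg_len) {
    if (msg_len == 0) return std::nullopt;
    const std::size_t n = msg[0];
    if (n > kMaxHeader || n + 1 > msg_len) return std::nullopt;  // oversized or truncated
    std::uint8_t hdr[kMaxHeader];             // size fixed at compile time, never by input
    std::memcpy(hdr, msg + 1, n);
    std::size_t sum = 0;
    for (std::size_t i = 0; i < n; ++i) sum += hdr[i];
    return sum;
}
```

Compiling the first function with `g++ -Wvla` or `clang++ -Wvla` produces the diagnostic the comment argues should be on by default in C++ modes.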
