https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110848

--- Comment #16 from Martin Uecker <muecker at gwdg dot de> ---

I do not think -Wall should warn about GNU extensions when used with
-std=gnu++XX in C++ and I think it is annoying that clang does it now. It only
drives people to use alloca or other alternatives with worse safety properties. 

And I think the security concerns for VLAs are largely based on a logical
fallacy: Because they appear in CVEs is no reason to believe they caused it: It
is like saying that people with ICDs have cardiac arrests more often because of
the ICDs. Any kind of dynamically sized buffer will appear in CVEs because
buffers are used to process data from the network. If you discourage the one
with the best potential for bounds checking, people will turn to worse options.
This will not improve safety.

But stack clash protection should become the default.
