> On Jul 26, 2025, at 12:43, Yeoul Na <yeoul...@apple.com> wrote:
>
>
>
>> On Jul 24, 2025, at 3:52 PM, Kees Cook <k...@kernel.org> wrote:
>>
>> On Thu, Jul 24, 2025 at 04:26:12PM +0000, Aaron Ballman wrote:
>>> Ah, apologies, I wasn't clear. My thinking is: we're (Clang folks)
>>> going to want it to work in C++ mode because of shared headers. If it
>>> works in C++ mode, then we have to figure out what it means with all
>>> the various C++ features that are possible, not just the use cases
>>
>> I am most familiar with C, so I may be missing something here, but if
>> -fbounds-safety is intended to be C only, then why not just make it
>> unrecognized in C++?
>
> The bounds safety annotations must also be parsable in C++. While C++ can get
> bounds checking by using std::span instead of raw pointers, switching to
> std::span breaks ABI. Therefore, in many situations, C++ code must continue
> to use raw pointers—for example, when interoperating with C code by sharing
> headers with C. In such cases, bounds annotations can help close safety gaps
> in raw pointers.

The -fbounds-safety feature was initially proposed as a C extension, so it’s natural to make it compatible with the C language, not C++. If C++ also needs such a feature, then an extension to C++ is needed too.
If a consistent syntax for this feature can satisfy both C and C++, that will be ideal. However, if providing such consistent syntax requires major changes to the C language (a new name lookup scope, and late parsing), it might be a good idea to provide different syntax for C and C++.

Qing

>
> Yeoul
>
>
>> Shared headers don't seem like much of a challenge;
>> e.g. Linux uses macros specifically to avoid mixing illegal syntax into
>> places where it isn't supported. For example, why can't Clang have:
>>
>> #if defined(__cplusplus)
>> # define __counted_by(ARGS...)
>> #else
>> # define __counted_by(ARGS...) __attribute__((counted_by(ARGS)))
>> #endif
>>
>> And then use __counted_by() in all the shared headers? C++ uses will
>> ignore it, and C uses will apply the attributes.
>>
>> It seems weird to me that Clang needs to solve how -fbounds-safety works
>> with C++ if it's not for _use_ in C++. I feel like I'm missing something
>> about features that can't be macro-ified or some ABI issue, but I keep
>> coming up empty.
>>
>> --
>> Kees Cook
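
The macro guard suggested in the quoted message, written out as an added example (not code from this thread, Clang or Linux). SHARED_COUNTED_BY, SHARED_ANNOTATION_ACTIVE, struct packet, packet_new and packet_get are hypothetical names, and the macro takes a single argument. Because the annotation expands to nothing in a C++ translation unit, the accessor keeps an explicit bounds check.

```c
/* Added example; every name defined in this file is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Shared-header part: only C translation units see the attribute. */
#if !defined(__cplusplus) && defined(__has_attribute)
# if __has_attribute(counted_by)
#  define SHARED_COUNTED_BY(m) __attribute__((counted_by(m)))
#  define SHARED_ANNOTATION_ACTIVE 1
# endif
#endif
#ifndef SHARED_COUNTED_BY
# define SHARED_COUNTED_BY(m) /* C++ or older compiler: expands to nothing */
# define SHARED_ANNOTATION_ACTIVE 0
#endif

struct packet {
    size_t len;                                  /* declared before it is named */
    unsigned char data[] SHARED_COUNTED_BY(len); /* element count lives in len */
};

/* Allocate a zeroed packet; len is set before data is ever touched. */
struct packet *packet_new(size_t len) {
    if (len > SIZE_MAX - sizeof(struct packet)) return NULL; /* size overflow */
    struct packet *p = calloc(1, sizeof *p + len);
    if (p) p->len = len;
    return p;
}

/* Explicit check: the only protection where the macro expanded to nothing. */
int packet_get(const struct packet *p, size_t idx, unsigned char *out) {
    if (!p || !out || idx >= p->len) return -1;
    *out = p->data[idx];
    return 0;
}

int main(void) {
    struct packet *p = packet_new(4);
    unsigned char b = 0;
    if (!p) return 1;
    p->data[3] = 0x7f;
    printf("annotation active: %d\n", SHARED_ANNOTATION_ACTIVE);
    printf("in range: %d, out of range: %d\n",
           packet_get(p, 3, &b), packet_get(p, 4, &b));
    free(p);
    return 0;
}
```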