Hi Joseph, Martin,
On Wed, Jan 21, 2026 at 06:23:30PM +0000, Joseph Myers wrote:
> On Wed, 21 Jan 2026, Alejandro Colomar wrote:
>
> > Hi Joseph,
> >
> > On Wed, Jan 21, 2026 at 05:25:55PM +0000, Joseph Myers wrote:
> > > > > > +A caller must provide a pointer to at least @code{n} elements,
> > > > > > +and the function must not access more than @code{n} elements.
> > > > >
> > > > > That's misleading. "must provide" suggests UB for violation, which is not
> > > > > the case; this is just about warnings.
> > > >
> > > > I am indeed suggesting a constraint violation and subsequent UB if the
> > > > diagnostic is ignored.
> > >
> > > We certainly shouldn't introduce UB for such code that is entirely valid
> > > in ISO C.
> >
> > How about promoting it to a default error first? That would be
> > a constraint violation. I'll also start writing a proposal for C2y.
>
> Didn't Martin already have a proposal in that area (N2906, albeit not
> dealing with VLAs;
I didn't remember. Yes, now that you remind me, I remember Martin had
several related proposals.
> see my comments on it in [SC22WG14.21542], Thu, 3 Feb
> 2022 23:01:35 +0000)?
Would you mind sharing a link? I never remember how I can access old
messages on the mailing list.
> Duplicative proposals rather than working together
> on an improved and updated version aren't helpful.
Martin, what is the state of your papers about this?
> > My bad. How about this:
> >
> > void k (int n, int (*p)[n]; int n, int (*p)[n+1]) {}
> >
> > Currently, we say that the types must match, which makes it UB. But if
> > we change to using compatibility rules, that would still be UB because
> > these are evaluated, so n3685::6.7.7.3p6 would apply.
>
> That would indeed be UB based on compatibility. Whether such UB is needed
> for an array parameter where the given length is only visible to _Countof
> (if that _Countof feature is added) is less clear.
We already have UB for [static n], so it would be reasonable to make [n]
consistent with it.
void l (int n, int a[static n]; int n, int a[static n+1]) {}
After all, I expect diagnostics to have few false negatives, so UB would
be hard to trigger. Function prototypes are relatively simple.
And let's not forget that if one has violated n3685::6.7.7.3p6,
something really bad is going on in the program, and early errors (or
even UB) might prevent continuing a program that is in a bad state, so
this might increase safety, even if it is counter-intuitive. By having
UB, we would be allowed to trap and terminate early.
Cheers,
Alex
>
> --
> Joseph S. Myers
> [email protected]
>
--
<https://www.alejandro-colomar.es>
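As an added example (not code from this thread), here is what the `[static n]` contract discussed above means in current ISO C next to a plain `[n]` parameter, together with a caller-side check that enforces the contract at runtime instead of relying on a diagnostic catching the violation. The names `sum_static`, `sum_plain` and `sum_checked` and the test data are my own.

```c
#include <stdbool.h>
#include <stddef.h>

/* [static n]: the caller must pass a non-null pointer to at least n
   elements.  Violating that is UB today; compilers may diagnose the
   obvious cases (null, or a visibly too-small array), but not all. */
int sum_static(size_t n, const int a[static n])
{
    int s = 0;
    for (size_t i = 0; i < n; i++)
        s += a[i];
    return s;
}

/* Plain [n]: the same body, but today the n in the declarator carries
   no requirement on the caller; it only documents the intended size. */
int sum_plain(size_t n, const int a[n])
{
    int s = 0;
    for (size_t i = 0; i < n; i++)
        s += a[i];
    return s;
}

/* Defensive wrapper: the caller states how many elements it actually
   owns (capacity), and the [static n] contract is checked before the
   call, so the UB path is never reached.  Returns false on violation. */
bool sum_checked(const int *a, size_t capacity, size_t n, int *out)
{
    if (a == NULL || n > capacity)
        return false;
    *out = sum_static(n, a);
    return true;
}
```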