C++Talk.NET C++ language newsgroups
John Nagle (Guest)
Posted: Wed Nov 08, 2006 11:29 pm Post subject: C99 Variable length arrays, and generalization thereof
ISO/IEC 9899 (the C99 standard) has "variable length arrays" for
on-stack allocation:

    size_t sum(int sz)
    {
        float arr[sz];      // VLA, dynamically allocated
        while (sz-- > 0)
            arr[sz] = sz;
        return sizeof(arr); // Evaluated at runtime
    }

C++ should, for compatibility, have this as well, and I believe
this is in the current draft.
For C++, I'd suggest going slightly further. I'd suggest allowing
variable length arrays as function parameters:

    float sum(size_t n, char tab[n]);

This is useful for subscript checking, of course. But
that's not all.
We could go one step further, by defining ".begin()", ".end()",
and ".size()" for any built-in array for which "sizeof" is
meaningful. We could also provide "T::iterator"
for arrays of built-in types. This allows using C++ style
iteration on built-in arrays, and allows some useful generic
templates on built-in arrays. That may or may not be
worth the trouble. Comments?
Incidentally, it's time to add "lengthof()" to the language,
to obtain the length of an array, if it's not there already.
It's already in Microsoft's Visual C++ ".NET" and in the GCC
library, so it's a de-facto standard. With variable
length arrays, it's more useful; it's what you use
to get array bounds. The usual idiom will be

    for (int i = 0; i < lengthof(tab); i++)
    { ... }

which is easy to understand and easy to get right.
One last thing. If we allow

    float sum(size_t n, char tab[n]);

we should also allow

    float sum(char tab[n], size_t n);

even though the use of n precedes its declaration. This is
for backwards compatibility. Many library functions take
an array and a size, but the array first. We could now
declare the standard function "write" as

    int write(int fd, char buf[n], size_t n);

which captures the size information.
One small step towards eliminating buffer overflows.
Comments?
John Nagle
Animats
---
[ comp.std.c++ is moderated. To submit articles, try just posting with ]
[ your news-reader. If that fails, use mailto:std-c++@ncar.ucar.edu ]
[ --- Please see the FAQ before posting. --- ]
[ FAQ: http://www.comeaucomputing.com/csc/faq.html ]
Guest
Posted: Wed Nov 08, 2006 11:29 pm Post subject: Re: C99 Variable length arrays, and generalization thereof
John Nagle wrote:
> ISO/IEC 9899 (the C99 standard) has "variable length arrays" for
> on-stack allocation:
>
>     size_t sum(int sz)
>     {
>         float arr[sz];      // VLA, dynamically allocated
>         while (sz-- > 0)
>             arr[sz] = sz;
>         return sizeof(arr); // Evaluated at runtime
>     }
>
> C++ should, for compatibility, have this as well, and I believe
> this is in the current draft.
> For C++, I'd suggest going slightly further. I'd suggest allowing
> variable length arrays as function parameters:
>
>     float sum(size_t n, char tab[n]);

C99 supports this feature, so I think if C++ is going to borrow the
other uses of VLAs from C99, it should borrow this one, too.
Andrei Polushin (Guest)
Posted: Wed Nov 08, 2006 11:29 pm Post subject: Re: C99 Variable length arrays, and generalization thereof
John Nagle wrote:
> We could go one step further, by defining ".begin()", ".end()",
> and ".size()" for any built-in array for which "sizeof" is
> meaningful. We could also provide "T::iterator"
> for arrays of built-in types. This allows using C++ style
> iteration on built-in arrays, and allows some useful generic
> templates on built-in arrays. That may or may not be
> worth the trouble. Comments?

We may get it with the concepts proposal:

    auto concept Measurable<class T> {
        size_t T::size(T) const;
    };
    concept_map Measurable<char[32]> {
        size_t T::size(T) const { return 32; }
    };

"auto concept" is applied automatically, and suitable for use in
generic code.
--
Andrei Polushin
Alberto Ganesh Barbati (Guest)
Posted: Thu Nov 09, 2006 12:06 am Post subject: Re: C99 Variable length arrays, and generalization thereof
John Nagle wrote:
> ISO/IEC 9899 (the C99 standard) has "variable length arrays" for
> on-stack allocation:
>
>     size_t sum(int sz)
>     {
>         float arr[sz];      // VLA, dynamically allocated
>         while (sz-- > 0)
>             arr[sz] = sz;
>         return sizeof(arr); // Evaluated at runtime
>     }
>
> C++ should, for compatibility, have this as well, and I believe
> this is in the current draft.

There's no such thing in the current draft. I have read the minutes of
the Portland meeting and I could not find any hint that this feature is
even being considered. In fact, I disagree that C++ should support such
a feature. Compatibility with C is a very weak argument in this particular
case, IMHO, because the C type system is completely different from C++.
> For C++, I'd suggest going slightly further. I'd suggest allowing
> variable length arrays as function parameters:
>
>     float sum(size_t n, char tab[n]);
>
> This is useful for subscript checking, of course. But
> that's not all.

Is that really different from:

    float sum(size_t n, char tab[]);

? I don't think so.
> One small step towards eliminating buffer overflows.

I don't see how it could really help.
I'm not in the committee, but after reading the minutes it seems that
they already have a lot of (much) more important work to do.
Ganesh
Robert Mabee (Guest)
Posted: Thu Nov 09, 2006 4:37 am Post subject: Re: C99 Variable length arrays, and generalization thereof
John Nagle wrote:
> We could now
> declare the standard function "write" as
>
>     int write(int fd, char buf[n], size_t n);
>
> which captures the size information.
> One small step towards eliminating buffer overflows.

At the expense of the cases where either pointer or length is computed
for a partial bufferload, or maybe with new rules for promoting char[m]
to char[n] iff n <= m, and char[m]+i to char[n] iff i+n <= m.
The C interface is unchangeable, and I think you can already do what
you want for C++ with a templated wrapper.
Guest
Posted: Thu Nov 09, 2006 5:27 am Post subject: Re: C99 Variable length arrays, and generalization thereof
Alberto Ganesh Barbati wrote:
> John Nagle wrote:
> ...
> For C++, I'd suggest going slightly further. I'd suggest allowing
> variable length arrays as function parameters:
>
>     float sum(size_t n, char tab[n]);
>
> This is useful for subscript checking, of course. But
> that's not all.
>
> Is that really different from:
>
>     float sum(size_t n, char tab[]);
>
> ? I don't think so.

In C99, they're identical; that's not really a VLA argument. This is:

    void matrix_add(int l, int m, int n, double left[l][m],
                    double right[m][n], double product[l][n]);

which is equivalent to:

    void matrix_add(int l, int m, int n, double left[][m],
                    double right[][n], double product[][n]);
Guest
Posted: Thu Nov 09, 2006 5:16 pm Post subject: Re: C99 Variable length arrays, and generalization thereof
kuyper (AT) wizard (DOT) net wrote:
> Alberto Ganesh Barbati wrote:
> John Nagle wrote:
> ...
> For C++, I'd suggest going slightly further. I'd suggest allowing
> variable length arrays as function parameters:
>
>     float sum(size_t n, char tab[n]);
>
> This is useful for subscript checking, of course. But
> that's not all.
>
> Is that really different from:
>
>     float sum(size_t n, char tab[]);
>
> ? I don't think so.
>
> In C99, they're identical; that's not really a VLA argument. This is:
>
>     void matrix_add(int l, int m, int n, double left[l][m],
>                     double right[m][n], double product[l][n]);
>
> which is equivalent to:
>
>     void matrix_add(int l, int m, int n, double left[][m],
>                     double right[][n], double product[][n]);

That should, of course, have been matrix_mul(), not matrix_add(), though
that's not directly relevant to what I was saying.
John Nagle (Guest)
Posted: Fri Nov 10, 2006 10:10 am Post subject: Re: C99 Variable length arrays, and generalization thereof
kuyper (AT) wizard (DOT) net wrote:
> kuyper (AT) wizard (DOT) net wrote:
> Alberto Ganesh Barbati wrote:
> John Nagle wrote:
> ...
> For C++, I'd suggest going slightly further. I'd suggest allowing
> variable length arrays as function parameters:
>
>     float sum(size_t n, char tab[n]);
>
> This is useful for subscript checking, of course. But
> that's not all.
>
> Is that really different from:
>
>     float sum(size_t n, char tab[]);
>
> ? I don't think so.
>
> In C99, they're identical; that's not really a VLA argument.

In C99, "sizeof" works on variable-length arrays, and it's
not a compile-time constant result. Does that work for
the parameter case?
What I'm working towards, of course, is a way to express
array sizes such that subscript checking implementations
are possible. There are still too many buffer overflows
in the world.
Incidentally, did "lengthof" ever go into the standard?
It's an extension in both Microsoft and GCC implementations,
so it's a de-facto standard. Why not put it in for real?
John Nagle
Animats
Joe Van Dyk (Guest)
Posted: Fri Nov 10, 2006 10:10 am Post subject: Re: C99 Variable length arrays, and generalization thereof
On Wed, 08 Nov 2006 22:37:34 -0600, Robert Mabee wrote:
> John Nagle wrote:
> We could now
> declare the standard function "write" as
>
>     int write(int fd, char buf[n], size_t n);
>
> which captures the size information.
> One small step towards eliminating buffer overflows.
>
> At the expense of the cases where either pointer or length is computed
> for a partial bufferload, or maybe with new rules for promoting char[m]
> to char[n] iff n <= m, and char[m]+i to char[n] iff i+n <= m.

I'm confused by what you mean by the above sentence. Could you please
clarify it? Or give an example?
Thanks,
Joe
Guest
Posted: Fri Nov 10, 2006 5:15 pm Post subject: Re: C99 Variable length arrays, and generalization thereof
John Nagle wrote:
> kuyper (AT) wizard (DOT) net wrote:
> kuyper (AT) wizard (DOT) net wrote:
> Alberto Ganesh Barbati wrote:
> John Nagle wrote:
> ...
> For C++, I'd suggest going slightly further. I'd suggest allowing
> variable length arrays as function parameters:
>
>     float sum(size_t n, char tab[n]);
>
> This is useful for subscript checking, of course. But
> that's not all.
>
> Is that really different from:
>
>     float sum(size_t n, char tab[]);
>
> ? I don't think so.
>
> In C99, they're identical; that's not really a VLA argument.
>
> In C99, "sizeof" works on variable-length arrays, and it's
> not a compile-time constant result. Does that work for
> the parameter case?

Yes. However, as I said, "tab" is not a VLA parameter - its type is
"pointer to char", just as it was in C90. They had to retain that rule,
if only for backwards compatibility. Here's an example that does have a
VLA parameter:

    double determinant(int n, double array[n][n])
    {
        ...
    }

Inside the function block, sizeof(array) == sizeof(double(*)[n]), and
sizeof(*array) == sizeof(double[n]).
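An added C99 example, not code from the thread, that checks the two sizeof claims kuyper makes (a one-dimensional array parameter becomes a pointer; a two-dimensional VLA parameter keeps its inner extent), carries the dimensions through the matrix_mul() he sketched earlier, and uses them for the subscript checking Nagle is after. The names param_bytes, row_bytes, checked_get, matrix_mul and the demo_* helpers, and the 2x3/3x2 matrices, are constructed here.

```c
#include <stddef.h>

/* A one-dimensional "VLA" parameter is adjusted to a pointer, so sizeof(tab)
 * is sizeof(char *), not n: the length lives only in the separate n argument. */
size_t param_bytes(size_t n, char tab[n])
{
    return sizeof(tab);
}

/* A second dimension survives: array is double (*)[n], so sizeof(*array) is n * sizeof(double). */
size_t row_bytes(size_t n, double array[n][n])
{
    return sizeof(*array);
}

/* Subscript checking from the carried dimensions: 0 on success, -1 if (i, j) is out of range. */
int checked_get(size_t l, size_t n, double mat[l][n],
                size_t i, size_t j, double *out)
{
    if (i >= l || j >= n)
        return -1;
    *out = mat[i][j];
    return 0;
}

/* The matrix product kuyper sketches, with dimensions passed in rather than
 * hard-coded; every index stays inside the declared bounds. */
void matrix_mul(size_t l, size_t m, size_t n,
                double left[l][m], double right[m][n], double product[l][n])
{
    for (size_t i = 0; i < l; i++)
        for (size_t j = 0; j < n; j++) {
            double acc = 0.0;
            for (size_t k = 0; k < m; k++)
                acc += left[i][k] * right[k][j];
            product[i][j] = acc;
        }
}

/* Constructed check: a 2x3 times a 3x2 product. Row 2 must be rejected by
 * the accessor; element [1][1] is 4*8 + 5*10 + 6*12 = 154. */
double demo_product_11(void)
{
    double a[2][3] = {{1, 2, 3}, {4, 5, 6}};
    double b[3][2] = {{7, 8}, {9, 10}, {11, 12}};
    double c[2][2], v = 0.0;
    matrix_mul(2, 3, 2, a, b, c);
    if (checked_get(2, 2, c, 2, 0, &v) != -1)
        return -1.0;
    return checked_get(2, 2, c, 1, 1, &v) == 0 ? v : -1.0;
}

int demo_param_is_pointer(void)
{
    char buf[100];                 /* a 100-byte array, passed as tab[100] */
    return param_bytes(sizeof buf, buf) == sizeof(char *);
}

size_t demo_row_bytes(size_t n)
{
    double sq[n][n];               /* VLA built on the stack, passed as array[n][n] */
    return row_bytes(n, sq);
}
```

The compiler itself will usually warn on sizeof(tab) in param_bytes, which is the same point kuyper makes: only the explicit n carries the length.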
Guest
Posted: Fri Nov 10, 2006 7:28 pm Post subject: Re: C99 Variable length arrays, and generalization thereof
Robert Mabee wrote:
> Joe Van Dyk wrote:
> On Wed, 08 Nov 2006 22:37:34 -0600, Robert Mabee wrote:
> John Nagle wrote:
> We could now
> declare the standard function "write" as
>
>     int write(int fd, char buf[n], size_t n);
>
> One small step towards eliminating buffer overflows.
>
> At the expense of the cases where either pointer or length is computed
> for a partial bufferload, or maybe with new rules for promoting char[m]
> to char[n] iff n <= m, and char[m]+i to char[n] iff i+n <= m.
>
> I'm confused by what you mean by the above sentence.
>
> C write is commonly used with a portion of an array, such as when a
> preceding read didn't fill the entire array. In that case the actual
> parameters won't match the suggested new requirement.

What suggested new requirement would they violate? John Nagle didn't
specify any requirements, merely cross-referencing the C99 standard,
with modifications to allow the parameter that determines the length of
a VLA parameter to be declared after the VLA parameter itself. The
simplest way to do that would be to declare that the scope of parameter
names begins with the '(' that starts the argument list, rather than
starting at the end of the declarator. With such a modification, and
assuming the above declaration for write(), C99 has no requirements
that would be violated by calling write() with the arguments you
describe.
Robert Mabee (Guest)
Posted: Sat Nov 11, 2006 12:35 am Post subject: Re: C99 Variable length arrays, and generalization thereof
Joe Van Dyk wrote:
> On Wed, 08 Nov 2006 22:37:34 -0600, Robert Mabee wrote:
> John Nagle wrote:
> We could now
> declare the standard function "write" as
>
>     int write(int fd, char buf[n], size_t n);
>
> One small step towards eliminating buffer overflows.
>
> At the expense of the cases where either pointer or length is computed
> for a partial bufferload, or maybe with new rules for promoting char[m]
> to char[n] iff n <= m, and char[m]+i to char[n] iff i+n <= m.
>
> I'm confused by what you mean by the above sentence.

C write is commonly used with a portion of an array, such as when a
preceding read didn't fill the entire array. In that case the actual
parameters won't match the suggested new requirement. Perhaps it
could be salvaged by promotion rules that would let the compiler see
an array subset as an array.
Robert Mabee (Guest)
Posted: Sat Nov 11, 2006 10:10 am Post subject: Re: C99 Variable length arrays, and generalization thereof
kuyper (AT) wizard (DOT) net wrote:
> Robert Mabee wrote:
> C write is commonly used with a portion of an array, such as when a
> preceding read didn't fill the entire array. In that case the actual
> parameters won't match the suggested new requirement.
>
> What suggested new requirement would they violate?

The suggestion that this helps defeat buffer overruns implies that
something is checking the new information. write() reliably respects
its length, so the bug to be detected must be that the caller is
passing a length inconsistent with whatever else may be known, in the
caller, about the char array. My only point is that the type system
alone can't check this, for many reasons including that the actual
buffer region to be written isn't of the exact type of the char array
declared somewhere in the caller (i.e. length can be different).
Please note, I have nothing against the VLA proposal. I am only
quibbling about an add-on (buffer overrun detection) that must either
break existing code or be too weak to be worth anything.
Guest
Posted: Mon Nov 13, 2006 4:58 pm Post subject: Re: C99 Variable length arrays, and generalization thereof
Robert Mabee wrote:
> kuyper (AT) wizard (DOT) net wrote:
> ...
> What suggested new requirement would they violate?
>
> The suggestion that this helps defeat buffer overruns implies that
> something is checking the new information. write() reliably respects
> its length, so the bug to be detected must be that the caller is
> passing a length inconsistent with whatever else may be known, in the
> caller, about the char array. My only point is that the type system
> alone can't check this, for many reasons including that the actual
> buffer region to be written isn't of the exact type of the char array
> declared somewhere in the caller (i.e. length can be different).

Ah! That's the confusion. That would require borrowing an additional
C99 feature:

    int write(int fd, char buf[static n], size_t n);

C99 6.7.5.3p7: "... If the keyword static also appears within the [ and
] of the array type derivation, then for each call to the function, the
value of the corresponding actual argument shall provide access to the
first element of an array with at least as many elements as specified
by the size expression."
The "first element" requirement would indeed restrict the usability of
write(), for precisely the reasons you suggest, and would therefore
probably be a bad idea.
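An added C99 example, not code from the thread, showing the buf[static n] contract kuyper quotes together with the partial-buffer call Mabee is worried about: the callee may rely on n, nothing in the type system verifies it, so the wrapper enforces his "char[m]+i to char[n] iff i+n <= m" rule before forming the slice. count_newlines, count_newlines_in_slice, demo_slice and the 16-byte sample buffer are constructed here.

```c
#include <stddef.h>

/* `buf[static n]` (C99 6.7.5.3p7): every call must pass a pointer to at
 * least n accessible chars. The callee may rely on that; keeping the
 * promise is the caller's job, and the type system does not check it. */
size_t count_newlines(size_t n, const char buf[static n])
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == '\n')
            count++;
    return count;
}

/* Mabee's partial-buffer case: only `used` bytes of the array were filled
 * (say by a short read) and the caller wants n bytes starting at `offset`.
 * The call is valid exactly when offset + n <= used, which is his
 * "char[m]+i to char[n] iff i+n <= m" rule; this wrapper checks it before
 * forming the slice instead of trusting the caller's arithmetic.
 * Returns the newline count, or -1 for a slice that would overrun. */
long count_newlines_in_slice(size_t used, const char buf[static used],
                             size_t offset, size_t n)
{
    if (offset > used || n > used - offset)
        return -1;               /* overflow-safe form of offset + n > used */
    return (long)count_newlines(n, buf + offset);
}

/* Constructed input: a 16-byte array of which only the first 9 are filled. */
long demo_slice(size_t offset, size_t n)
{
    char arr[16] = "ab\ncd\nef\n";   /* 9 bytes used, 7 bytes of slack */
    size_t used = 9;
    return count_newlines_in_slice(used, arr, offset, n);
}
```

The slack bytes are readable memory, so a slice that ran past `used` would not crash here; it would silently process stale data, which is why the check is on `used` and not on the array's declared size.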
Robert Mabee (Guest)
Posted: Mon Nov 13, 2006 8:15 pm Post subject: Re: C99 Variable length arrays, and generalization thereof
John Nagle wrote:
> kuyper (AT) wizard (DOT) net wrote:
>
>     int write(int fd, char buf[static n], size_t n);
>
> C99 6.7.5.3p7: "... If the keyword static also appears within the [ and
> ] of the array type derivation, then for each call to the function, the
> value of the corresponding actual argument shall provide access to the
> first element of an array with at least as many elements as specified
> by the size expression."
>
> The C99 people are slowly breaking away from the "array equals pointer"
> mindset, difficult though that is. That's a good thing.
> C has brought us three decades of buffer overflows, and C++
> didn't fix the problem, although it helped. Anything that can be
> done to fix that problem should be done. This is far more
> important than extended template features that few will ever use.

I strongly agree. But can it be done incrementally? Or would it
be better to make a clean break (to a new array type or to a new
language)? And are we implicitly accepting run-time bounds checking
for cases where the compiler can't prove correctness? Special debug
modes won't help find the overflows that happen only when the deployed
(non-debug-mode) system is deliberately attacked.