[HN Gopher] Modernizing C arrays for greater memory safety: a ca...
___________________________________________________________________
Modernizing C arrays for greater memory safety: a case study in the
Linux kernel
Author : diegocg
Score : 39 points
Date : 2023-01-31 21:18 UTC (1 hour ago)
(HTM) web link (people.kernel.org)
(TXT) w3m dump (people.kernel.org)
| tmtvl wrote:
| TL;DR is the introduction of C99 VLAs, not Pascal-style arrays,
| though a potential attribute could be added so we could do
| int some_int; int some_array[]
| __attribute__((__element_count__(some_int)));
|
| to store the size of _some_array_ in _some_int_.
| ashvardanian wrote:
| Call me crazy, but zero length arrays are a great abstraction,
| when you working with implicit data-structures. Not safe, but
| elegant and performant. Many codebases could be 2x faster if
| their designers embraced that concept.
| zabzonk wrote:
| both C and C++ have the concept of zero-length arrays, if you
| malloc them - int * a = malloc(0); is OK
| monocasa wrote:
| I think the parent is talking about the c pattern of having
| the last member of a struct be a zero length array, which is
| actually a dynamically sized array that the struct is only
| the header to (ostensibly with another field of the struct
| specifying the length of the array). It's fallen a bit out of
| favor, but it is a handy way to commingle the header and
| array with one allocation/pointer.
|
| And interestingly COBOL handled this in a cleaner way. I
| forget some of the specifics but there was a way to specify to
| the compiler that one field of a record specified the length
| of the following array, allowing the same pattern in a type
| safe way.
| ChrisSD wrote:
| According to the C spec, zero length arrays are explicitly
| illegal.
|
| > Zero-length array declarations are not allowed, even
| though some compilers offer them as extensions (typically
| as a pre-C99 implementation of flexible array members).
|
| However, as they say, gcc (and therefore clang) have an
| extension that allows it. So does MSVC but it works
| slightly differently.
| ufo wrote:
| According to the article, it's better to use the new
| flexible array syntax (int arr[]) instead of the old zero-
| length syntax (int arr[0]), because that allows the
| compiler to emit better warning messages.
| ChrisSD wrote:
| Kind of:
|
| > If the size of the space requested is zero, the behavior is
| implementation-defined: either a null pointer is returned to
| indicate an error, or the behavior is as if the size were
| some nonzero value, except that the returned pointer shall
| not be used to access an object
|
| So it may actually allocate (although the allocation is
| unusable).
| tmtvl wrote:
| Hang on, let me think this through...
|
| If malloc(0) gets called as first malloc in the program the
| system break does not need to be moved, as there is always 0
| bytes space available... but malloc does like to move
| sysbreak by a large amount at a time to reduce the need for
| repeated calls...
|
| I'm guessing malloc(0) does not move sysbreak and simply
| returns a pointer to the bottom of the heap?
| zabzonk wrote:
| malloc is a user level library function - C/C++
| implementers can do what they like with it
| monocasa wrote:
| Implementation defined. I've heard of returning null (under
| the case that your free() implementation allows nulls to be
| passed in) or returning a pointer to a zero length object
| on the heap like you're suggesting. Really just about the
| only requirement is that the pointer can subsequently be
| given to free() since dereferencing the pointer is UB.
| ufo wrote:
| Does anyone know what is the status of their refactoring effort
| to update all the flexible array declarations in the kernel? How
| far along are they?
| zabzonk wrote:
| > Is it actually a 4 element array, or is it sized by the bytes
| member?
|
| i give up, what does sizeof say? and why would it be sized by
| bytes?
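Pulling together the pattern monocasa describes (header and array in one allocation, with a count field as the only bound), the `[0]` versus `[]` distinction from the ChrisSD/ufo exchange, and zabzonk's sizeof question, here is an added C example written for this page; it is not code from the article, from the kernel, or from any commenter. The struct names `rec_zero`, `rec_flex` and `rec_fixed` and the helpers around them are made up for illustration. The size values assume the usual 4-byte alignment of `uint32_t`, and the `[0]` form assumes gcc or clang, since it is their extension rather than standard C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Three declarations of the same "header followed by N entries" record.
 * Only (2) is standard C99; the kernel is migrating (1) and (3) to it. */

/* (1) GNU zero-length array: pre-C99 extension, accepted by gcc/clang. */
struct rec_zero {
    uint32_t count;
    uint32_t data[0];
};

/* (2) C99 flexible array member. */
struct rec_flex {
    uint32_t count;
    uint32_t data[];
};

/* (3) A fixed 4-entry array that old code sometimes treats as if it were
 * flexible; its four entries are part of sizeof. */
struct rec_fixed {
    uint32_t count;
    uint32_t data[4];
};

/* What sizeof actually says for each form (see the test values below). */
size_t size_zero(void)        { return sizeof(struct rec_zero); }
size_t size_flex(void)        { return sizeof(struct rec_flex); }
size_t size_fixed(void)       { return sizeof(struct rec_fixed); }
size_t data_offset_flex(void) { return offsetof(struct rec_flex, data); }

/* One allocation holds header and array; count records the real length.
 * The size arithmetic is checked so a huge n cannot wrap to a small block. */
struct rec_flex *rec_flex_alloc(size_t n)
{
    if (n > UINT32_MAX)
        return NULL;                                  /* count could not hold it */
    if (n > (SIZE_MAX - sizeof(struct rec_flex)) / sizeof(uint32_t))
        return NULL;                                  /* header + n entries would overflow */
    struct rec_flex *r = calloc(1, sizeof(*r) + n * sizeof(r->data[0]));
    if (!r)
        return NULL;
    r->count = (uint32_t)n;
    return r;
}

/* Bounds-checked accessors. sizeof(r->data) is a compile error for a
 * flexible array member, so the header's count is the only bound there is. */
int rec_flex_get(const struct rec_flex *r, size_t i, uint32_t *out)
{
    if (!r || i >= r->count)
        return -1;
    *out = r->data[i];
    return 0;
}

int rec_flex_set(struct rec_flex *r, size_t i, uint32_t v)
{
    if (!r || i >= r->count)
        return -1;
    r->data[i] = v;
    return 0;
}

/* For the fixed form the declared length is the hard bound, whatever the
 * count field claims; sizeof works here because the array is a real one. */
int rec_fixed_get(const struct rec_fixed *r, size_t i, uint32_t *out)
{
    size_t declared = sizeof(r->data) / sizeof(r->data[0]);   /* 4 */
    if (!r || i >= declared || i >= r->count)
        return -1;
    *out = r->data[i];
    return 0;
}

/* Build a 3-entry flexible record, then try to write entry 3 (past the end). */
int demo_flex(void)
{
    struct rec_flex *r = rec_flex_alloc(3);
    if (!r)
        return -1;
    for (uint32_t i = 0; i < r->count; i++)
        if (rec_flex_set(r, i, i * 10) != 0) { free(r); return -1; }
    int rejected = (rec_flex_set(r, 3, 99) == -1);
    uint32_t v = 0;
    int ok = (rec_flex_get(r, 2, &v) == 0 && v == 20);
    free(r);
    return (rejected && ok) ? 0 : -1;
}

/* A fixed record whose count field lies: 10 claimed, 4 declared (constructed input). */
int demo_fixed_clamps(void)
{
    struct rec_fixed f = { .count = 10, .data = { 1, 2, 3, 4 } };
    uint32_t v = 0;
    if (rec_fixed_get(&f, 3, &v) != 0 || v != 4)
        return -1;
    if (rec_fixed_get(&f, 5, &v) != -1)    /* inside count, outside the array */
        return -1;
    return 0;
}
```

The answer to "what does sizeof say" is that the `[0]` and `[]` forms contribute nothing to the struct size, while the `[4]` form carries its four entries inside `sizeof`, so code that allocates `sizeof(struct rec_fixed) + n * 4` for a "fake flexible" record overallocates by 16 bytes and, worse, gives the compiler a declared bound of 4 that has nothing to do with the count field.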
___________________________________________________________________
(page generated 2023-01-31 23:00 UTC)