科技回声 (Tech Echo)

Modernizing C arrays for greater memory safety: a case study in the Linux kernel

284 points, by diegocg, over 2 years ago

11 comments

WalterBright, over 2 years ago

> int flex[] __attribute__((__element_count__(items)));

While what the article describes is clever, it is needlessly complex, and filled with various compiler switches and extensions.

In contrast, here's a stupid simple approach:

https://www.digitalmars.com/articles/C-biggest-mistake.html

where bounds-checkable arrays are declared as:

    int a[..];

`a` consists of two fields, a `length` and a `pointer`. Indexing it means the compiler can (optionally) insert a bounds check.

    int s[..] = "string";
    s[10] = 'x';   // fatal runtime error

We can turn a pointer into a bounds checked array by "slicing" it:

    int *p = (int*) malloc(10);
    int a[..] = p[0 .. 10];

A bounds checked array can be turned into a pointer:

    int *p = &a[3];   // point to 3rd element of a[..]

That's all there is to it. No pages and pages of compiler switches and extensions.

Does it work? We've been doing that with D for over 20 years. Hell yeah, it works. It works fantastically well. It does not disturb any existing C code.
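The two-field array WalterBright describes (a length and a pointer), written out in standard C as an added example. This is not code from the thread, from the article, or from D: the `int_slice` type, the helper names and the `slice_demo` walk-through are this example's own choices, and the proposal's fatal runtime error is replaced by a reported failure so the out-of-bounds case can be exercised rather than abort.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* The two fields a[..] carries in the proposal: a length and a pointer.
 * Name and layout are this example's choice, not the proposal's. */
struct int_slice {
    size_t len;
    int *ptr;
};

/* p[0 .. n]: turn a raw pointer plus an element count into a slice.
 * The length is trusted here; the caller knows the allocation size. */
static struct int_slice slice_from(int *p, size_t n)
{
    struct int_slice s = { n, p };
    return s;
}

/* Bounds-checked element read. The proposal aborts the program; this
 * example reports and returns false instead so a test can exercise it. */
static bool slice_get(struct int_slice s, size_t i, int *out)
{
    if (i >= s.len) {
        fprintf(stderr, "bounds error: index %zu, length %zu\n", i, s.len);
        return false;
    }
    *out = s.ptr[i];
    return true;
}

/* Bounds-checked element write: the s[10] = 'x' case from the comment. */
static bool slice_set(struct int_slice s, size_t i, int v)
{
    if (i >= s.len) {
        fprintf(stderr, "bounds error: index %zu, length %zu\n", i, s.len);
        return false;
    }
    s.ptr[i] = v;
    return true;
}

/* a[lo .. hi]: a sub-slice, refused if it would reach past the parent.
 * A slice can only shrink; it never regains memory outside its parent. */
static bool slice_sub(struct int_slice s, size_t lo, size_t hi,
                      struct int_slice *out)
{
    if (lo > hi || hi > s.len)
        return false;
    out->len = hi - lo;
    out->ptr = s.ptr + lo;
    return true;
}

/* &a[i]: back to a raw pointer. The check happens once, at conversion;
 * whatever is done with the pointer afterwards is unchecked C again. */
static int *slice_at(struct int_slice s, size_t i)
{
    return i < s.len ? s.ptr + i : NULL;
}

/* Walk through the comment's scenario on a malloc'd buffer. Returns the
 * number of out-of-bounds accesses that were caught (expected: 1). */
static int slice_demo(void)
{
    /* 10 ints. The slice length must match the allocation in elements,
     * which is the one thing the slice cannot verify for itself. */
    int *p = malloc(10 * sizeof *p);
    if (!p)
        return -1;
    for (int i = 0; i < 10; i++)
        p[i] = i;

    struct int_slice a = slice_from(p, 10);   /* int a[..] = p[0 .. 10]; */
    int caught = 0;

    if (!slice_set(a, 10, 'x'))               /* s[10] = 'x': one past the end */
        caught++;

    int *q = slice_at(a, 3);                  /* int *p = &a[3]; */
    if (q)
        *q = 30;                              /* raw pointer: unchecked from here on */

    free(p);
    return caught;
}

int main(void)
{
    printf("caught %d out-of-bounds access(es)\n", slice_demo());
    return 0;
}
```

The cost of the scheme is visible in `slice_from` and `slice_at`: the check lives in the slice, so the only way to lose it is to hand out a raw pointer or to construct a slice with the wrong length, which is exactly where a review should concentrate.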
segfaultbuserr, over 2 years ago

For code that is critical to performance, C99's "flexible array at the end of a struct" is a useful tool. It basically allows you to attach a header at the beginning of some dynamically-allocated binary data of infinite length (yes, it can be implemented as a pointer at the end of the struct, but the extra latency of another pointer chase can reduce performance). Before C99, the "size-1 hack" or "size-0 GCC extension" for this purpose was already widespread in both the Linux kernel and Windows [1], but with the disadvantage of triggering memory-safety tools, as the author pointed out.

Meanwhile, unlike C99, this construction is not allowed by any version of the C++ standards; any such use would be a non-standard extension. I think this is unfortunate. I only write C, so I wonder if any C++ guru out there can answer this question: does modern C++ have a better solution to implement the same thing?

[1] https://devblogs.microsoft.com/oldnewthing/20040826-00/?p=38043
hgs3, over 2 years ago

Good article. If you're compiling C with MSVC then you can use SAL annotations [1] which serve the same purpose.

[1] https://learn.microsoft.com/en-us/cpp/code-quality/annotating-structs-and-classes?view=msvc-170#example
ashvardanian, over 2 years ago

Call me crazy, but zero length arrays are a great abstraction when you're working with implicit data structures. Not safe, but elegant and performant. Many codebases could be 2x faster if their designers embraced that concept.
ufo, over 2 years ago

Does anyone know what the status of their refactoring effort to update all the flexible array declarations in the kernel is? How far along are they?
cryptonector, over 2 years ago

IMO the right approach is to start with counted array struct wrapper types like `struct array_of_xyz { unsigned count; xyz a[1]; };` and use them to hold and pass by reference. When the array sizes are fixed, then use `struct array5_of_xyz { xyz a[5]; };` and pass by reference or by value as needed. Add to this a decoration to indicate that the `count` field is a count of the number of elements in the array and now the compiler can do bounds checking.

Then fix codebases recursively until it's all ok. At ABI boundaries that don't use such types, create values of such types corresponding to the given arguments (e.g., you could count the elements of `argv[]` then create a wrapper for the `argv`).
zabzonk, over 2 years ago

> Is it actually a 4 element array, or is it sized by the bytes member?

I give up, what does sizeof say? And why would it be sized by bytes?
manv1, over 2 years ago

Everyone says a memory-safe C would be slower, but has anyone actually tested that recently?

It seems that a memory-safe C would be faster, in that you wouldn't have to learn yet another language and runtime to deploy your stuff.
tmsln, over 2 years ago

> A simpler approach is the addition of struct member attributes, and is under discussion and early development by both the GCC and Clang developer communities.

Does anyone know where I can follow these discussions?
chungy, over 2 years ago

> C is not just a fancy assembler any more

I wish this trope would die. It really never was one.
tmtvl, over 2 years ago

TL;DR is the introduction of C99 VLAs, not Pascal-style arrays, though a potential attribute could be added so we could do

    int some_int;
    int some_array[] __attribute__((__element_count__(some_int)));

to store the size of some_array in some_int.
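A worked version of the flexible-array pattern segfaultbuserr describes, built the way cryptonector suggests (the element count stored beside the data and checked on every access) and carrying the count attribute tmtvl quotes wherever the compiler understands it. This is an added example, not code from the thread, from the article, or from the kernel: the `int_buf` struct, the function names, the little-endian wire format and the sample messages are all constructed for illustration; the overflow-checking builtins are GCC/Clang extensions rather than standard C, and the `counted_by` guard assumes that is the spelling under which the attribute shipped (GCC 15, Clang 18), with the macro expanding to nothing on any compiler that lacks it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Add the count annotation only where the compiler knows it (assumed to be
 * the spelling the article's __element_count__ idea shipped under, GCC 15 /
 * Clang 18); elsewhere it expands to nothing and the explicit checks below
 * are all the protection there is. */
#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(m) __attribute__((counted_by(m)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(m)
#endif

/* Header and payload in one allocation: a C99 flexible array member with
 * the element count kept next to the data it describes. */
struct int_buf {
    size_t count;
    int items[] COUNTED_BY(count);
};

/* Allocate like the kernel's struct_size(): the count may come from an
 * attacker-controlled header, so both the multiply and the add are
 * overflow-checked (GCC/Clang builtins) before the size reaches malloc. */
static struct int_buf *int_buf_new(size_t n)
{
    size_t payload, total;
    if (__builtin_mul_overflow(n, sizeof(int), &payload) ||
        __builtin_add_overflow(sizeof(struct int_buf), payload, &total))
        return NULL;                         /* size would wrap: refuse */
    struct int_buf *b = malloc(total);
    if (!b)
        return NULL;
    b->count = n;                            /* set before items is touched */
    memset(b->items, 0, payload);
    return b;
}

/* Checked against the count in the object; b->items[i] alone is not. */
static bool int_buf_get(const struct int_buf *b, size_t i, int *out)
{
    if (i >= b->count)
        return false;
    *out = b->items[i];
    return true;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Constructed message format: u32 count, then count int32 values, all
 * little-endian. The claimed count is checked against the bytes actually
 * present before anything is allocated. */
static struct int_buf *int_buf_parse(const uint8_t *msg, size_t len)
{
    if (len < 4)
        return NULL;
    uint32_t n = le32(msg);
    if ((len - 4) / 4 < n)
        return NULL;                         /* header claims more than it carries */
    struct int_buf *b = int_buf_new(n);
    if (!b)
        return NULL;
    for (uint32_t i = 0; i < n; i++)
        b->items[i] = (int32_t)le32(msg + 4 + 4 * (size_t)i);
    return b;
}

/* Constructed samples: a valid message, one whose count lies, and a count
 * whose size computation would wrap. Returns a bitmask; 15 means all passed. */
static int fam_demo(void)
{
    static const uint8_t good[]  = { 3,0,0,0, 1,0,0,0, 2,0,0,0, 0xff,0xff,0xff,0xff };
    static const uint8_t lying[] = { 9,0,0,0, 1,0,0,0 };   /* claims 9, carries 1 */
    int ok = 0, v = 0;

    struct int_buf *b = int_buf_parse(good, sizeof good);
    if (b && b->count == 3 && int_buf_get(b, 2, &v) && v == -1)
        ok |= 1;
    if (b && !int_buf_get(b, 3, &v))         /* one past the end: rejected */
        ok |= 2;
    free(b);

    if (int_buf_parse(lying, sizeof lying) == NULL)
        ok |= 4;
    if (int_buf_new(SIZE_MAX / 2) == NULL)   /* n * sizeof(int) overflows */
        ok |= 8;
    return ok;
}

int main(void)
{
    printf("fam_demo result: %d (15 = all checks passed)\n", fam_demo());
    return 0;
}
```

Two points carry the weight here: the size arithmetic is checked before allocation rather than after, because a wrapped `total` produces a small allocation that `b->count` then overstates, and `b->count` is written before the payload is touched, which is also what a `counted_by`-aware compiler needs in order to size the flexible member correctly.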