RFC: Enforcing Bounds Safety in C (-fbounds-safety)

Summary

We propose -fbounds-safety, a C extension to enforce bounds safety to prevent out-of-bounds (OOB) memory accesses, which remain a major source of security vulnerabilities in C. -fbounds-safety aims to eliminate this class of bugs by turning OOB accesses into deterministic traps. The -fbounds-safety extension offers bounds annotations that programmers can use to attach bounds to pointers. For example, programmers can add the __counted_by(N) annotation to parameter ptr, indicating that t...

LLVM Discussion Forums

@fay59 Bikeshedding: I dislike that `__single` implicitly allows null where most of the others do not. Did you consider a non-null `__single` alongside a new `__single_or_null`?

How do these interact with the existing nullability attributes such as `nonnull`, `_Nonnull` and `_Nullable`? (Examples: Does __single+nonnull optimize away null checks? Does __counted_by+_Nullable convert to __counted_by_or_null? Generate a compiler error?)

@gparker you’re right that __single isn’t the same as counted_by(1) in that regard; it’s effectively counted_by_or_null(1). It’s probably best for me to keep design questions/answers on the Discourse thread, though, because it makes it easier for everyone else to see what’s going on.

(Even if you don’t bring it up yourself, I’m almost certain that somebody will)
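As an added example (not code from the RFC or from either poster), the following shows how the `__counted_by` annotation from the summary and the `__counted_by_or_null` variant discussed in the thread look on function parameters, and how to keep one source tree building on a compiler that lacks -fbounds-safety by letting the annotations expand to nothing there. The feature-test spelling `__has_feature(bounds_safety)`, the `COUNTED_BY`/`COUNTED_BY_OR_NULL` macro names, and the functions `store_at`, `copy_bounded`, `sum_optional` and `bounds_demo` are assumptions and illustrations, not part of the extension or any project.

```c
/* Added example, not part of the RFC or the Discourse thread.
 * Assumption: a -fbounds-safety compiler reports __has_feature(bounds_safety);
 * verify the spelling against your clang's documentation. */
#include <stddef.h>
#include <string.h>

#if defined(__has_feature)
#  if __has_feature(bounds_safety)
#    define COUNTED_BY(count)         __counted_by(count)
#    define COUNTED_BY_OR_NULL(count) __counted_by_or_null(count)
#  endif
#endif
#ifndef COUNTED_BY
   /* Without the extension the annotations vanish; only the explicit
    * checks in the functions below guard against out-of-bounds access. */
#  define COUNTED_BY(count)
#  define COUNTED_BY_OR_NULL(count)
#endif

/* The annotation sits between the '*' and the parameter name and names the
 * parameter that carries the element count. Under -fbounds-safety any access
 * outside [buf, buf + len) traps deterministically instead of corrupting
 * memory; here an explicit check rejects the access before that point. */
int store_at(int *COUNTED_BY(len) buf, size_t len, size_t idx, int value)
{
    if (buf == NULL || idx >= len)
        return -1;          /* rejected: index is not inside the bounds */
    buf[idx] = value;
    return 0;
}

/* Source and destination each carry their own count; the copy length is
 * clamped to the smaller of the two so neither side is overrun. */
size_t copy_bounded(unsigned char *COUNTED_BY(dst_len) dst, size_t dst_len,
                    const unsigned char *COUNTED_BY(src_len) src, size_t src_len)
{
    size_t n = src_len < dst_len ? src_len : dst_len;
    if (dst == NULL || src == NULL)
        return 0;
    memcpy(dst, src, n);
    return n;
}

/* __counted_by_or_null is for a pointer that may legitimately be null even
 * when the count is nonzero, so the null case must be handled explicitly. */
long sum_optional(const int *COUNTED_BY_OR_NULL(n) p, size_t n)
{
    long total = 0;
    if (p == NULL)
        return 0;           /* absent buffer: nothing to sum */
    for (size_t i = 0; i < n; i++)
        total += p[i];
    return total;
}

/* Exercises the functions above on constructed inputs; returns the number
 * of checks that held (6 when everything behaves as described). */
int bounds_demo(void)
{
    int passed = 0;
    int ints[4] = {0, 0, 0, 0};
    unsigned char dst[3] = {0, 0, 0};
    const unsigned char src[5] = {1, 2, 3, 4, 5};   /* constructed input */

    passed += (store_at(ints, 4, 3, 7) == 0 && ints[3] == 7); /* last valid index */
    passed += (store_at(ints, 4, 4, 9) == -1);                /* one past the end */
    passed += (store_at(NULL, 0, 0, 1) == -1);                /* null with count 0 */
    passed += (copy_bounded(dst, 3, src, 5) == 3 && dst[2] == 3); /* clamped to dst */
    passed += (copy_bounded(dst, 3, src, 0) == 0);            /* nothing to copy */
    passed += (sum_optional(NULL, 4) == 0 && sum_optional(ints, 4) == 7);
    return passed;
}
```

On a -fbounds-safety build the explicit `idx >= len` check in `store_at` is what keeps the compiler-inserted bounds check from trapping; remove it and the out-of-range call in `bounds_demo` becomes a deterministic trap rather than a silent one-past-the-end write, which is exactly the behaviour change the RFC describes.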