Compiler Feature Requests
This document contains a prioritized list of feature requests for the compiler with some example code snippets. By definition, it won't mention all the features that worked smoothly or all the typos found via the compiler's extra checking.
One of the most common types of bounds-related warnings looks like the following example:

```c
free(example_string);
```

```
warning: cannot prove argument meets declared bounds for 1st parameter
expected argument bounds are bounds(example_string, example_string + 0)
inferred bounds are bounds(example_string, example_string + example_len)
```

`example_len` is of type `size_t`, which is an unsigned type, thus it must always be >= 0. It would be very helpful if the compiler could prove the bounds satisfied without requiring any additional dynamic annotation.

I have found nearly 10 instances of the precise example above with `size_t`-typed string lengths not found to be >= 0.
Another example: for the following code,

```c
int is_decimal(const char *string : itype(_Nt_array_ptr<const char>) count(length), size_t length) {
    if (length > 2 && !strncmp(string, "-0", 2) && string[2] != '.') ...
}
```

the compiler produces the following warning about bounds:

```
warning: cannot prove argument meets declared bounds for 1st parameter [-Wcheck-bounds-decls-checked-scope]
    strncmp(string, "-0", 2)
note: (expanded) expected argument bounds are 'bounds(string, string + 0)'
note: (expanded) inferred bounds are 'bounds(string, string + length)'
```

The clause to the left of the `strncmp` call establishes that the unsigned `length` is > 2, so it must be greater than 0.
Many calls to `malloc` for strings will have arguments of the form `(length * (size_t)1)`, which is how the compiler simplifies `(length * sizeof(char))`. In order for the bounds checks to go through without warning, all bounds declarations for such a malloc'd string must also have the `* (size_t)1`, which makes the code harder to read. If the compiler could simplify identity functions for multiplication (and perhaps addition as well), it would mean less work for a developer converting code.