-fbounds-safety: Enforcing bounds safety for C

## Overview

NOTE: This is a design document and the feature is not available for users yet. Please see Implementation plans for -fbounds-safety for more details.

-fbounds-safety is a C extension to enforce bounds safety to prevent out-of-bounds (OOB) memory accesses, which remain a major source of security vulnerabilities in C. -fbounds-safety aims to eliminate this class of bugs by turning OOB accesses into deterministic traps.

The -fbounds-safety extension offers bounds annotations that programmers can use to attach bounds to pointers. For example, programmers can add the `__counted_by(N)` annotation to parameter `ptr`, indicating that the pointer has `N` valid elements:

```c
void foo(int *__counted_by(N) ptr, size_t N);
```

Using this bounds information, the compiler inserts bounds checks on every pointer dereference, ensuring that the program does not access memory outside the specified bounds. The compiler requires programmers to provide enough bounds information so that the accesses can be checked at either run time or compile time — and it rejects code if it cannot.

The most important contribution of -fbounds-safety is how it reduces the programmer's annotation burden by reconciling bounds annotations at ABI boundaries with the use of implicit wide pointers (a.k.a. "fat" pointers) that carry bounds information on local variables without the need for annotations. We designed this model so that it preserves ABI compatibility with C while minimizing adoption effort. The -fbounds-safety extension has been adopted on millions of lines of production C code and proven to work in a consumer operating system setting.
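The annotation above, together with the run-time check the compiler inserts before each dereference, written out by hand as an added example (editor-written code, not code from the Clang documentation or the -fbounds-safety implementation). The `__counted_by` compatibility shim plays the role of the header the page says toolchains without the extension need, so the file compiles as plain C; the `__has_feature(bounds_safety)` test and the `<ptrcheck.h>` include are assumptions about the toolchain, and `checked_read`, `checked_sum` and `trapping_read` are hypothetical helper names. `checked_sum` reports an out-of-bounds request as a status code so the behaviour can be observed by a caller, while `trapping_read` shows the extension's actual semantics: an OOB index is a deterministic trap, not a silent read past the buffer.

```c
/* Added example: the check implied by `int *__counted_by(n) ptr`, done by hand.
 * Not from the Clang docs; helper names and the feature test are assumptions. */
#include <stddef.h>
#include <stdio.h>

/* Assumed compatibility shim. On a toolchain with -fbounds-safety the
 * annotation is expected to come from <ptrcheck.h>; on any other toolchain it
 * expands to nothing and the code stays plain, conforming C. */
#ifdef __has_feature
#  if __has_feature(bounds_safety)
#    include <ptrcheck.h>
#  endif
#endif
#ifndef __counted_by
#  define __counted_by(N)
#endif

/* Status codes returned by the hand-written checked accessors. */
enum { ACCESS_OK = 0, ACCESS_OOB = -1 };

/* Mirrors the check the compiler inserts before `ptr[i]` when ptr is declared
 * int *__counted_by(n): the access is permitted only if i < n. The extension
 * traps on failure; here the failure is reported instead so it can be tested. */
int checked_read(const int *__counted_by(n) ptr, size_t n, size_t i, int *out) {
    if (i >= n) {
        return ACCESS_OOB;
    }
    *out = ptr[i];
    return ACCESS_OK;
}

/* Sum the first `count` elements. A `count` larger than the declared bound n is
 * an out-of-bounds request and is refused before any element past n is read. */
int checked_sum(const int *__counted_by(n) ptr, size_t n, size_t count, long *sum) {
    long total = 0;
    for (size_t i = 0; i < count; i++) {
        int v;
        if (checked_read(ptr, n, i, &v) != ACCESS_OK) {
            return ACCESS_OOB;
        }
        total += v;
    }
    *sum = total;
    return ACCESS_OK;
}

/* The extension's own behaviour: an out-of-bounds index is a deterministic trap. */
int trapping_read(const int *__counted_by(n) ptr, size_t n, size_t i) {
    if (i >= n) {
        __builtin_trap();
    }
    return ptr[i];
}

int main(void) {
    int buf[4] = {1, 2, 3, 4};            /* constructed sample input */
    long s = 0;
    int rc = checked_sum(buf, 4, 4, &s);
    printf("4 in-bounds elements: rc=%d sum=%ld\n", rc, s);
    rc = checked_sum(buf, 4, 6, &s);      /* asks for 6 elements of 4: refused */
    printf("request past declared bound: rc=%d\n", rc);
    return 0;
}
```

Compiled without the extension the annotation vanishes and only the explicit checks remain; with it, the compiler emits the equivalent of the `i >= n` test itself on every `ptr[i]`, which is why the page can promise that OOB accesses become traps rather than memory corruption.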
The extension was designed to enable incremental adoption — a key requirement in real-world settings where modifying an entire project and its dependencies all at once is often not possible. It also addresses multiple other practical challenges that have made existing approaches to safer C dialects difficult to adopt, offering these properties that make it widely adoptable in practice:

- It is designed to preserve the Application Binary Interface (ABI).
- It interoperates well with plain C code.
- It can be adopted partially and incrementally while still providing safety benefits.
- It is a conforming extension to C. Consequently, source code that adopts the extension can continue to be compiled by toolchains that do not support the extension (CAVEAT: this still requires inclusion of a header file macro-defining bounds annotations to empty).
- It has a relatively low adoption cost.

This document discusses the key designs of -fbounds-safety. The document is subject to active updates with a more detailed specification.

## Programming Model

### Overview

-fbounds-safety ensures that

Source: Hacker News | Original Link