
Compiler allows bogus bound for argv parameter to main (unsound) #1072

Open
@mattmccutchen-cci

Description

I imagine the standard Checked C signature for main should be something like:

int main(int argc, _Nt_array_ptr<_Nt_array_ptr<char>> argv : count(argc));

(And maybe add an environ parameter too?) But the compiler does not enforce this: it seems to accept any signature with the correct unchecked type, including one with a bogus bound for argv. The following code compiles with no warnings and gives me a segmentation fault at runtime:

#pragma CHECKED_SCOPE on

/* Far larger than any argc the runtime will ever pass. */
const int bogus_count = 100000000;

/* Reproduction from the issue: the compiler accepts count(bogus_count)
 * for argv even though the runtime only provides argc entries plus a
 * terminating null pointer. The checked loop below therefore writes far
 * past the real argv array and segfaults. */
int main(int argc, _Nt_array_ptr<_Nt_array_ptr<char>> argv : count(bogus_count)) {
  for (int i = 0; i < bogus_count; i++) {
    argv[i] = 0;
  }
  return 0;
}
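The reason count(argc) is the only sound bound is that the C runtime gives main exactly two facts about argv: there are argc entries, and argv[argc] is a null pointer. The following plain-C program (an added example, not code from the issue or from the Checked C project, and written in standard C so it runs without the Checked C compiler) makes that invariant explicit: the hypothetical helper argv_bound_is_sound reports whether a declared element count for argv is consistent with what the runtime actually provides, so the bogus bound from the reproduction above is rejected while count(argc) or anything smaller passes. The argv array it runs on is constructed inline, not captured from a real process.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (added example): count the entries of a
 * null-terminated argv-style array. The null terminator is the only
 * bound information the runtime hands to main besides argc itself. */
size_t argv_count(char **argv) {
    size_t n = 0;
    if (argv == NULL) return 0;
    while (argv[n] != NULL) n++;
    return n;
}

/* Returns true if declaring `declared` elements for argv is consistent
 * with the runtime contract: argc entries followed by argv[argc] == NULL.
 * Any declared count larger than argc (such as bogus_count in the issue)
 * is unsound, because the array has only argc + 1 slots. */
bool argv_bound_is_sound(int argc, char **argv, size_t declared) {
    if (argc < 0 || argv == NULL) return false;
    if (argv_count(argv) != (size_t)argc) return false; /* argv[argc] must be NULL */
    return declared <= (size_t)argc;
}

/* Walk argv with argc as the bound; never touches argv[argc] or beyond.
 * Returns the number of entries visited, 0 if the bound is inconsistent. */
size_t print_args(int argc, char **argv) {
    size_t printed = 0;
    if (!argv_bound_is_sound(argc, argv, (size_t)argc)) return 0;
    for (int i = 0; i < argc; i++) {
        printf("argv[%d] = %s\n", i, argv[i]);
        printed++;
    }
    return printed;
}

/* Constructed sample argv for stand-alone runs (not from a real process). */
char *sample_argv[] = { "prog", "-v", "input.txt", NULL };

int main(void) {
    /* count(argc) is sound; count(100000000) is not. */
    printf("count(argc) sound: %d\n", argv_bound_is_sound(3, sample_argv, 3));
    printf("count(100000000) sound: %d\n",
           argv_bound_is_sound(3, sample_argv, 100000000));
    return print_args(3, sample_argv) == 3 ? 0 : 1;
}
```

A Checked C compiler would ideally perform the equivalent of argv_bound_is_sound statically at the definition of main, which is the enforcement the issue asks for; the runtime check here is only to make the invariant concrete.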

Metadata

Assignees

No one assigned

    Labels

    bug (This labels issues that are bugs.)
    priority:3 (This labels bugs that are not very critical but still need to be addressed.)

    Projects

    No projects

    Milestone

    No milestone

    Development

    No branches or pull requests