Description
An initialization of a struct member with a pointer that does not satisfy the declared bounds of the member is accepted without a warning, leading to unsoundness. The following code generates a segmentation fault:
```c
#pragma CHECKED_SCOPE on
struct sized_buf {
    _Array_ptr<char> p : count(size);
    int size;
};
int main(void) {
    char x _Checked[5];
    int big_count = 100000000;
    struct sized_buf sb = {x, big_count};
    for (int i = 0; i < big_count; i++) {
        sb.p[i] = '\0';
    }
    return 0;
}
```
I know the compiler is currently very limited in its ability to reason about modifications to structs: just about any assignment after initialization generates a "cannot prove declared bounds ... are valid after assignment" warning that the user has to review manually. For example, if the `sb` initialization above is replaced with the following:
```c
struct sized_buf sb = {0};
sb.p = x, sb.size = big_count;
```
then the assignment generates a warning. For consistency, I would expect the initialization to generate a warning too.
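Until the compiler checks the declared bounds at initialization, the invariant behind `count(size)` has to be enforced by whoever constructs the struct. The following plain C example is added here and is not code from the issue or from the Checked C project; it assumes a hypothetical `sized_buf_init` constructor that rejects a declared size larger than the real capacity of the array, which is exactly the condition the `{x, big_count}` initializer above violates.

```c
#include <stdbool.h>
#include <stddef.h>

/* Plain C counterpart of the issue's sized_buf: p is only valid for `size` elements. */
struct sized_buf {
    char *p;
    int size;
};

/* Hypothetical constructor that enforces the count(size) invariant at initialization:
   the declared size must not exceed the capacity of the array p points to.
   Returns false and leaves *sb empty when the declared bounds are not satisfied. */
bool sized_buf_init(struct sized_buf *sb, char *buf, size_t capacity, int declared_size) {
    sb->p = NULL;
    sb->size = 0;
    if (buf == NULL || declared_size < 0 || (size_t)declared_size > capacity) {
        return false; /* a size the array cannot back is refused instead of accepted silently */
    }
    sb->p = buf;
    sb->size = declared_size;
    return true;
}

/* Writes '\0' to every element inside the declared bounds; returns the count written. */
int sized_buf_clear(struct sized_buf *sb) {
    for (int i = 0; i < sb->size; i++) {
        sb->p[i] = '\0';
    }
    return sb->size;
}

/* Replays the issue's scenario: a 5-element array declared to hold 100000000 elements.
   With the validating constructor the struct is never created, so the loop never runs. */
bool issue_scenario_rejected(void) {
    char x[5];
    int big_count = 100000000;
    struct sized_buf sb;
    return !sized_buf_init(&sb, x, sizeof x, big_count);
}
```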