Making structs with variable-sized arrays unsized?

From: Linus Torvalds <torvalds@linux-foundation.org>
To: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
Cc: Sparse Mailing-list <linux-sparse@vger.kernel.org>
Subject: Making structs with variable-sized arrays unsized?
Date: Fri, 18 Sep 2020 12:33:56 -0700	[thread overview]
Message-ID: <CAHk-=wgJZ05ap8VQdzWDWJVWVtZiOYTc6cnNB8gNeQzEnfm-tw@mail.gmail.com> (raw)

Luc,
 we've been making kernel structures use flexible arrays as a
cleanliness thing, but it turns out that it doesn't find bugs that it
_should_ find.

We have that nice "struct_size()" macro to determine the size of the
flexible structure given the number of elements, which uses "offsetof
+ n*members". But sadly standard C still allows the (nonsensical)
'sizeof()' to be used - and I merged another fix for that just today.

Ok, so that's a C standard problem, but it's something that sparse
*could* warn about.

Comments? Appended is a kind of test-case for odd situations that
sparse happily and silently generates nonsensical code for (just
tested with test-linearize).

              Linus

---

    struct bad {
        unsigned long long a;
        char b[];
    };

    // An option to warn about this?
    static struct bad array[5];

    int odd(struct bad *a);
    int not_nice(struct bad p[2]);
    int please_fix(struct bad *p);
    void weird(struct bad *dst, const struct bad *src);

    // The layout is odd
    // The code does "info->align_size = 0" for unsized arrays, but it
still works?
    int odd(struct bad *a)
    {
        return __alignof__(*a);
    }

    // Arrays of flexible-array structures are pretty nonsensical
    // Plus we don't even optimize the constant return. Sad.
    int not_nice(struct bad p[2])
    {
        return (void *)(p+1) - (void *)p;
    }

    // This should at least have an option to warn
    int please_fix(struct bad *p)
    {
        return sizeof(*p);
    }

    void weird(struct bad *dst, const struct bad *src)
    {
        *dst = *src;
    }