Linux Hardening
From: Alejandro Colomar <alx@kernel.org>
To: Martin Uecker <uecker@tugraz.at>,
	 Christopher Bazley <chris.bazley.wg14@gmail.com>,
	Alex Celeste <alexg.nvfp@gmail.com>,
	 Joseph Myers <josmyers@redhat.com>,
	Aaron Ballman <aaron@aaronballman.com>
Cc: Douglas McIlroy <douglas.mcilroy@dartmouth.edu>,
	 Bruno Haible <bruno@clisp.org>, Paul Eggert <eggert@cs.ucla.edu>,
	 Florian Weimer <fweimer@redhat.com>,
	Jonathan Corbet <corbet@lwn.net>, Kees Cook <kees@kernel.org>,
	 Eric Biggers <ebiggers@kernel.org>,
	Ard Biesheuvel <ardb@kernel.org>,
	 Daniel Thompson <danielt@kernel.org>,
	Daniel Lundin <daniel.lundin.mail@gmail.com>,
	 "Valentin V. Bartenev" <vbartenev@gmail.com>,
	Andrew Clayton <andrew@digital-domain.net>,
	 "Brian W. Kernighan" <bwk@cs.princeton.edu>,
	"G. Branden Robinson" <branden@debian.org>,
	 "Basil L. Contovounesios" <basil@contovou.net>,
	"Jason A. Donenfeld" <jason@zx2c4.com>,
	 Linus Torvalds <torvalds@linux-foundation.org>,
	onf <onf@disroot.org>, Rich Felker <dalias@libc.org>,
	 linux-hardening@vger.kernel.org,
	Alejandro Colomar <alx@kernel.org>
Subject: [RFC v3 5/6] alx-0081r2 - array parameters of 0 elements
Date: Mon, 26 Jan 2026 13:49:16 +0100	[thread overview]
Message-ID: <aXdiyLn3vxV2P807@devuan> (raw)
In-Reply-To: <aXdhh1r7ePA5SrIE@devuan>

Name
	alx-0081r2 - array parameters of 0 elements

Principles
	-  Uphold the character of the language
	-  Codify existing practice to address evident deficiencies
	-  Enable secure programming

	And from previous charters:

	C23:
	-  APIs should be self-documenting when possible.

Category
	Language; array parameters.

Author
	Alejandro Colomar <alx@kernel.org>

	Cc: Martin Uecker <uecker@tugraz.at>
	Acked-by: Doug McIlroy
	Acked-by: Andrew Clayton <ac@sigsegv.uk>
	Cc: Alex Celeste <alexg.nvfp@gmail.com>

History
	<https://www.alejandro-colomar.es/src/alx/alx/std/wg14/alx-0081.git/>

	r0 (2026-01-25):
	-  Initial draft.

	r1 (2026-01-25):
	-  Array length expressions shall be nonnegative.

	r2 (2026-01-26):
	-  Acked-by.
	-  Remove 'See also'.

Abstract
	Function parameters that have zero elements are common and safe.
	Let's acknowledge this, and allow array syntax for them.

Discussion
	The following code is valid:

		#include <wchar.h>

		/* wmemset() returns wchar_t *, so the wrapper does too. */
		static inline wchar_t *
		my_wmemset(size_t n, wchar_t *wcs, wchar_t wc)
		{
			return wmemset(wcs, wc, n);
		}

		wchar_t  a[42];

		/* n == 0 with a pointer one past the end: no element is accessed. */
		my_wmemset(0, a + 42, L'x');

	It would be natural to be able to declare my_wmemset() as

		wchar_t *my_wmemset(size_t n, wchar_t wcs[static n], wchar_t);

	However, that would result in UB for the call above, as the
	number of elements isn't allowed to be zero.  That restriction
	is superfluous, and harmful; let's remove it.
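
	An added example, not code from this proposal, showing what a
	caller has to do today.  Under the current standard the length
	expression of an array parameter is evaluated on entry to the
	function and must be greater than zero, so a definition written
	with wcs[static n] (or wcs[n]) has undefined behaviour when
	called with n == 0 even though nothing is accessed.  The
	hypothetical fill_nonempty() keeps the self-documenting
	[static n] form, fill_prefix() is a pointer-typed front end
	whose only job is to keep a zero count away from it, and
	fill_in_chunks() is a constructed caller that ends with the
	zero-count, end-of-array call shown above:

```c
#include <stddef.h>
#include <wchar.h>

/*
 * Added example, not code from the proposal.  fill_nonempty() uses the
 * [static n] form; today it may only be reached with n > 0, because a
 * zero array length evaluated on function entry is undefined behaviour.
 */
static void
fill_nonempty(size_t n, wchar_t wcs[static n], wchar_t wc)
{
	wmemset(wcs, wc, n);
}

/*
 * Pointer-typed front end.  The branch exists only to keep n == 0 away
 * from the array-parameter definition; with alx-0081 it would be
 * unnecessary.  Returns the number of elements written.
 */
static size_t
fill_prefix(size_t n, wchar_t *wcs, wchar_t wc)
{
	if (n == 0)
		return 0;	/* wcs may be one past the end; nothing is touched */
	fill_nonempty(n, wcs, wc);
	return n;
}

/*
 * Constructed caller: fill buf in chunks of at most `chunk` elements,
 * ending with a deliberate zero-length call on the end-of-array pointer
 * buf + len (the my_wmemset(0, a + 42, L'x') case).  Returns the number
 * of elements written.
 */
static size_t
fill_in_chunks(size_t len, wchar_t *buf, size_t chunk, wchar_t wc)
{
	size_t done = 0;

	if (chunk == 0)
		return 0;	/* a zero chunk would never make progress */
	while (done < len) {
		size_t n = (len - done < chunk) ? len - done : chunk;

		done += fill_prefix(n, buf + done, wc);
	}
	done += fill_prefix(0, buf + len, wc);	/* n == 0, end pointer */
	return done;
}

/* Count the elements of buf[0 .. len) that equal wc. */
static size_t
count_eq(size_t len, const wchar_t *buf, wchar_t wc)
{
	size_t k = 0;

	for (size_t i = 0; i < len; i++)
		if (buf[i] == wc)
			k++;
	return k;
}

/* A zero-count call on an end-of-array pointer leaves the array intact. */
static int
zero_count_is_noop(void)
{
	wchar_t t[4];

	wmemset(t, L'a', 4);
	return fill_prefix(0, t + 4, L'z') == 0 && count_eq(4, t, L'a') == 4;
}

/* Sample run: 42 elements filled in chunks of 16 (16 + 16 + 10 + 0). */
static int
demo(void)
{
	wchar_t a[42];

	wmemset(a, L'-', 42);
	return fill_in_chunks(42, a, 16, L'x') == 42
	       && count_eq(42, a, L'x') == 42;
}

int
main(void)
{
	return (demo() && zero_count_is_noop()) ? 0 : 1;
}
```

	The n == 0 branch in fill_prefix() is the cost of the current
	rule: every array-parameter function that may legitimately be
	handed an empty range needs a pointer-typed wrapper or must give
	up the [static n] declaration altogether.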

Future directions
	I'd like to allow any arrays of zero elements, but that needs
	to be more careful than for array parameters.  A future proposal
	will address that.

Comments
	On 2026-01-25T18:19:02-0500, Douglas McIlroy wrote:
	> All six proposals look eminently reasonable.  They simplify
	> the language and remove surprises.  I suspect these proposals
	> will invalidate very few existing programs.  In any event, the
	> required corrections will improve the legibility and
	> maintainability of such programs.
	>
	> Doug McIlroy

	---

	On 2026-01-26T02:01:16+0000, Alex Celeste wrote:
	> Like Martin - these all seem eminently reasonable to me.

Proposed wording
	Based on N3685.

	6.7.7.3  Array declarators
	@@ Constraints, p1
	 In addition to optional type qualifiers and the keyword static,
	 the [ and ] can delimit an expression or *.
	 If they delimit an expression,
	 called the array length expression,
	 the expression shall have an integer type.
	 If the expression is a constant expression,
	-it shall have a value greater than zero.
	+it shall have a nonnegative value.
	+An array length expression
	+that is a constant expression with value zero
	+shall appear only in
	+a declaration of a function parameter with an array type,
	+and then only in the outermost array type derivation.
	 The element type shall not be an incomplete or function type.
	 The optional type qualifiers and the keyword static
	 shall appear only in
	 a declaration of a function parameter with an array type,
	 and then only in the outermost array type derivation.
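
	Review bot: the added sentence repeats, word for word, the
	"shall appear only in a declaration of a function parameter with
	an array type, and then only in the outermost array type
	derivation" restriction that the paragraph already imposes on the
	type qualifiers and static; consider folding the zero case into
	that existing sentence ("The optional type qualifiers, the
	keyword static, and an array length expression that is a
	constant expression with value zero shall appear only in ...")
	so the two restrictions cannot drift apart in later edits.  It
	would also help to say, at least in a footnote, that because a
	parameter of array type is adjusted to pointer type, wcs[0] and
	wcs[static 0] still declare a pointer and never an object of
	zero size; that is what keeps this change independent of the
	"any arrays of zero elements" extension deferred under Future
	directions.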

	@@ Semantics, p5
	 If the array length expression
	 is not an integer constant expression:
	 if it occurs in a declaration
	 at function prototype scope
	 or in a type name of a generic association (as described above),
	 it is treated as if it were replaced by *;
	 otherwise,
	 each time it is evaluated,
	-it shall have a value greater than zero.
	+it shall have a value greater than zero,
	+unless in the outermost array type derivation
	+of a function parameter with an array type,
	+in which case it shall have a nonnegative value.
	 The size of each instance of a variable length array type
	 does not change during its lifetime.
	 Where an array length expression
	 is part of the operand of the typeof or sizeof operators
	 and changing the value of the array length expression
	 would not affect the result of the operator,
	 it is unspecified
	 whether or not the array length expression is evaluated.
	 Where an array length expression is part of
	 the operand with a _Countof operator
	 and changing the value of the array length expression
	 would not affect the result of the operator,
	 the array length expression is not evaluated.
	 Where an array length expression is part of
	 the operand of an alignof operator,
	 that expression is not evaluated.
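
	Review bot: the added "unless in the outermost array type
	derivation of a function parameter with an array type" has no
	subject and hangs off the "otherwise" branch, which is the case
	that matters here (a parameter in a function definition, whose
	length is evaluated on entry); suggest splitting it into its own
	sentence: "it shall have a value greater than zero; however, if
	the array length expression is in the outermost array type
	derivation of a function parameter with an array type, it shall
	have a nonnegative value."  Since this is a Semantics "shall", a
	negative value remains undefined behaviour with no diagnostic,
	which is fine but worth a note.  Finally, the function declarator
	wording for static (the argument shall provide access to the
	first element of an array with at least as many elements as the
	array length expression specifies) should be checked against
	n == 0: "the first element" does not exist for
	my_wmemset(0, a + 42, L'x'), and the intended reading, that a
	valid end-of-array pointer suffices, is not stated anywhere in
	this hunk.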

-- 
<https://www.alejandro-colomar.es>


Thread overview: 11+ messages
     [not found] <aXZM5O2mU2e3LJBJ@devuan>
2026-01-26 12:48 ` [RFC v3 0/6] Improve function parameters in ISO C2y Alejandro Colomar
2026-01-26 12:48   ` [RFC v3 1/6] alx-0077r3 - disallow function parameters of function type Alejandro Colomar
2026-01-26 12:48   ` [RFC v3 2/6] alx-0076r3 - incompatible array parameters Alejandro Colomar
2026-01-26 12:48   ` [RFC v3 3/6] alx-0078r2 - [static n] shouldn't access more than n elements Alejandro Colomar
2026-01-28  9:54     ` Daniel Thompson
2026-01-28 15:14       ` Alejandro Colomar
2026-01-26 12:49   ` [RFC v3 4/6] alx-0079r2 - [static n] == non-null [n] Alejandro Colomar
2026-01-26 12:49   ` Alejandro Colomar [this message]
2026-01-28 10:14     ` [RFC v3 5/6] alx-0081r2 - array parameters of 0 elements Daniel Thompson
2026-01-28 15:21       ` Alejandro Colomar
2026-01-26 12:49   ` [RFC v3 6/6] alx-0080r1 - [static] without array length expression Alejandro Colomar
