bug-gnulib

Re: [PATCH] inttostr.h: add compile-time buffer overrun checks


From: Bruno Haible
Subject: Re: [PATCH] inttostr.h: add compile-time buffer overrun checks
Date: Tue, 19 Oct 2010 00:25:13 +0200
User-agent: KMail/1.9.9

Hi Paul,

> My kneejerk reaction is that this is way overkill for inttostr.

Part of the macros should then be refactored into a separate file,
so that we can use them also for u16_sprintf and other functions.

> Also, I've had problems with __builtin_object_size not behaving
> as documented for GCC: it is sometimes not allowed in a constant
> expression, even though it always returns a constant.

Yes. And sizeof (variable-length-array) is also not a constant expression.
Therefore one needs to use primitives which don't require a constant
expression. That's one of the reasons for the _chk function at runtime.

The other reason is that in order to get a compile-time warning using
__attribute__ __warning__ you need a non-inline function.

> I suspect Jim's original proposal is a better way to go.

This and the other proposals violate a simple principle from compiler
design: Optimization and warnings must not result in a compile-time error
on valid input. It is OK to miss an optimization or a warning location,
but it is not OK to reject valid code. And variable-length arrays are
valid C and C++ syntax.

> I'll look into one or two possible improvements that don't involve so
> many changes to the code.

Cool. I'd like to see it. You find a test file with 6 use-cases, test-inttostr2.c,
in <http://lists.gnu.org/archive/html/bug-gnulib/2010-10/msg00371.html>.

Bruno
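An added example, not the patch under discussion and not gnulib's own code, of the structure described above: a runtime _chk function, a non-inline function carrying __attribute__ ((__warning__)), and an inline wrapper that consults __builtin_object_size without needing a constant expression, so a VLA destination still compiles and is checked at runtime. The names inttostr_chk, inttostr_warn, inttostr_safe, convert_into_vla and INT_BUFSIZE_BOUND are assumed here.

```c
/* Added illustration, not gnulib code; all names below are assumed. */
#include <stddef.h>
#include <stdio.h>

/* Bytes for any int as decimal text: sign + digits + NUL
   (assumes 8-bit bytes; 3 decimal digits per byte is an upper bound). */
#define INT_BUFSIZE_BOUND (sizeof (int) * 3 + 2)

/* Runtime check, reached when the destination size is unknown at compile
   time (VLA, heap pointer) or no optimisation info exists.  Returns 1 on
   success, 0 if the buffer is too small (refuse rather than overrun). */
static int
inttostr_chk (int n, char *buf, size_t bufsize)
{
  if (bufsize < INT_BUFSIZE_BOUND)
    return 0;
  snprintf (buf, bufsize, "%d", n);
  return 1;
}

/* Carrier of the compile-time diagnostic.  It must be a real, non-inline
   function: GCC prints the attribute text only when a call to it survives
   optimisation, i.e. when the size was known and too small. */
__attribute__ ((__noinline__, __unused__,
                __warning__ ("inttostr: destination buffer too small")))
static int
inttostr_warn (int n, char *buf, size_t bufsize)
{
  return inttostr_chk (n, buf, bufsize);
}

/* Wrapper seen by callers.  No constant expression is required, so VLAs
   and pointers of unknown size remain valid and take the runtime path. */
static inline int
inttostr_safe (int n, char *buf, size_t bufsize)
{
#ifdef __OPTIMIZE__
  /* __builtin_object_size is informative only with optimisation and
     yields (size_t) -1 for "unknown". */
  if (__builtin_object_size (buf, 0) != (size_t) -1
      && __builtin_object_size (buf, 0) < INT_BUFSIZE_BOUND)
    return inttostr_warn (n, buf, bufsize);
#endif
  return inttostr_chk (n, buf, bufsize);
}

/* VLA destination: sizeof (buf) is not a constant expression, yet this
   compiles cleanly; the bound is enforced at runtime instead. */
static int
convert_into_vla (int n, size_t len)
{
  char buf[len];
  return inttostr_safe (n, buf, len);
}
```

With -O2, a call such as inttostr_safe (n, small_fixed_array, sizeof small_fixed_array) on a too-small fixed array produces the attribute's warning, while the VLA case never does.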
