[U-Boot] C99 and dynamic arrays

Måns Rullgård mans at mansr.com
Wed Mar 13 20:55:37 CET 2013


Simon Glass <sjg at chromium.org> writes:

> [once more from correct address, sorry]
>
> Hi,
>
> On Wed, Mar 13, 2013 at 11:03 AM, Måns Rullgård <mans at mansr.com> wrote:
>> Simon Glass <sjg at google.com> writes:
>>
>>> Hi Mans,
>>>
>>> On Wed, Mar 13, 2013 at 3:29 AM, Måns Rullgård <mans at mansr.com> wrote:
>>>> Tom Rini <tom.rini at gmail.com> writes:
>>>>
>>>>> On Tue, Mar 12, 2013 at 7:22 PM, Simon Glass <sjg at google.com> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Given that we seem to allow C99 features in U-Boot I wonder if it
>>>>>> would be OK to use dynamic arrays in SPL?
>>>>>>
>>>>>> I am trying to replace:
>>>>>>
>>>>>> ptr = malloc(size);
>>>>>>
>>>>>> with:
>>>>>>
>>>>>> char ptr[size];
>>>>>>
>>>>>> to avoid use of malloc in SPL. Can I assume that is permitted?
>>>>>
>>>>> Without knowing the underlying mechanics of how that works, "maybe".
>>>>
>>>> How it works depends on the compiler.  Some compilers implement it by
>>>> calling malloc().  GCC uses the stack.
>>>>
>>>> Regardless of how they are implemented, variable-length arrays should,
>>>> in my opinion, never be used.  There is simply no way they can be used
>>>> safely since no mechanism for detecting failure is provided.  If the
>>>> requested size is too large, you will silently overflow the stack or end
>>>> up with an invalid/null pointer.  In an environment without full memory
>>>> protection, errors resulting from this are very hard to track down.
>>>
>>> I suppose we could check the available stack space. However I don't
>>> really see a clear stack bottom in U-Boot - I think it is set up to
>>> grow downwards as much as needed. I can certainly add sanity checks on
>>> the input values.
>>
>> There is no way to check stack usage from C.
>
> Well there is an architecture-specific way. A function can generally
> find its own stack pointer by taking the address of a local variable,
> so it is possible to write a function to check for stack overflow.

Performing such checks without getting into undefined behaviours is
tricky if not impossible, and modern compilers are quite effective at
exploiting these, rendering such checks useless.  Remember the deleted
null checks in the kernel a while back?

> We could add this in U-Boot if it is a general problem. For my
> purposes the amount of stack I intend to allocate is fairly small
> (1-2KB perhaps).

I'm sure what you _intend_ to allocate is safe, but what's to guarantee
that the values are sane?

>>>> If the size is somehow limited to a safe value, it is more efficient to
>>>> simply allocate this maximum size statically.
>>>
>>> Yes although this does waste BSS.
>>
>> Sorry, I meant a statically sized stack allocation.
>
> OK, then I suppose this is not much different from dynamic arrays?

It gives more efficient code, if nothing else.

-- 
Måns Rullgård
mans at mansr.com
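The three options discussed in this thread side by side, as an added example that is not part of the original message and not U-Boot code: a C99 VLA sized from an untrusted length, the statically sized stack buffer with an explicit bound check, and a best-effort stack-headroom probe of the address-of-a-local kind. `MAX_BLOB_LEN`, `STACK_SIZE`, `STACK_MARGIN`, the function names and the sample blob are all constructed for illustration; the headroom probe assumes a downward-growing stack and a known total stack size, and carries exactly the limitations raised above (architecture-specific, outside what the C standard guarantees, and at the mercy of the optimiser).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not U-Boot code.  Models an SPL routine that has
 * to copy a blob whose length came from an image header (untrusted) into
 * temporary storage without calling malloc(). */

/* Constructed input: a 5-byte blob whose byte sum is 15. */
static const uint8_t sample_blob[5] = { 1, 2, 3, 4, 5 };

/* --- Variant 1: C99 variable-length array ---------------------------
 * There is no way to learn that `len` was too large: GCC simply moves
 * the stack pointer down by `len` bytes, and an oversized value walks
 * silently into whatever lies below the stack. */
uint32_t sum_blob_vla(const uint8_t *src, size_t len)
{
    uint8_t buf[len];              /* no failure path exists here */
    uint32_t sum = 0;
    memcpy(buf, src, len);
    for (size_t i = 0; i < len; i++)
        sum += buf[i];
    return sum;
}

/* --- Variant 2: statically sized stack allocation -------------------
 * The maximum is a compile-time constant, so the frame size is fixed
 * and an oversized request is rejected before anything is copied.
 * MAX_BLOB_LEN is an assumed bound.  Returns the byte sum, or -1 when
 * the request exceeds the bound. */
#define MAX_BLOB_LEN 2048

long sum_blob_bounded(const uint8_t *src, size_t len)
{
    uint8_t buf[MAX_BLOB_LEN];
    uint32_t sum = 0;

    if (len > sizeof(buf))
        return -1;                 /* explicit, checkable failure */
    memcpy(buf, src, len);
    for (size_t i = 0; i < len; i++)
        sum += buf[i];
    return (long)sum;
}

/* --- Variant 3: best-effort stack headroom probe --------------------
 * Approximates "how much stack is left" by comparing the address of a
 * local in the current frame with one recorded earlier in a shallower
 * frame.  Assumes a downward-growing stack and a total size of
 * STACK_SIZE bytes (a constructed figure).  Nothing in the C standard
 * guarantees this works, and an optimising compiler may defeat it. */
#define STACK_SIZE   (16 * 1024)   /* assumed total stack, SPL-sized */
#define STACK_MARGIN 512           /* room left for the caller's callees */

static uintptr_t stack_base;       /* address of a local in an outer frame */

void record_stack_base(void)
{
    volatile char marker;
    stack_base = (uintptr_t)&marker;
}

size_t stack_headroom(void)
{
    volatile char marker;
    uintptr_t sp = (uintptr_t)&marker;
    uintptr_t used;

    if (stack_base == 0)
        return 0;                  /* never recorded: assume nothing fits */
    used = sp < stack_base ? stack_base - sp : 0;
    return used >= STACK_SIZE ? 0 : (size_t)(STACK_SIZE - used);
}

int stack_alloc_fits(size_t need)
{
    return stack_headroom() >= need + STACK_MARGIN;
}

int main(void)
{
    size_t bogus_len = 1u << 20;   /* 1 MiB, as a corrupt header might claim */

    record_stack_base();
    printf("vla sum (small, safe): %u\n",
           sum_blob_vla(sample_blob, sizeof(sample_blob)));
    printf("bounded sum: %ld\n", sum_blob_bounded(sample_blob, sizeof(sample_blob)));
    printf("bounded reject: %ld\n", sum_blob_bounded(sample_blob, bogus_len));
    printf("1 KiB fits on stack: %d, 1 MiB fits: %d\n",
           stack_alloc_fits(1024), stack_alloc_fits(bogus_len));
    return 0;
}
```

Note that `sum_blob_vla` is only ever called with the small constructed input; calling it with `bogus_len` is the silent stack overflow the thread warns about, which is why the bounded variant validates the length before the copy rather than relying on the headroom probe.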