Provide way to declare bounds-safe interfaces for members of existing structure types.
@saeednj has pointed out that we need a way to declare bounds-safe interfaces for members of existing structure types, without altering existing source code. The structure type may be declared in a header file that cannot be modified, for example. We can add a redeclaration of functions with bounds-safe interfaces, but there is no corresponding functionality for redeclaring structure types with bounds-safe interfaces for members.
It makes sense to allow this functionality, but it would be a change from the C11 specification, which only allows a complete structure type to be declared once in a translation unit. The C11 specification allows an incomplete structure type to be declared along with a complete structure type. From the perspective of bounds-safety, we can regard a structure type without bounds-safety information as being less complete than a structure type with bounds-safety information. We could allow a structure type to be redeclared, provided that the structure type is identical to a previous complete declaration, except that bounds-safe interfaces could be added to members where they do not occur before.
The Checked C specification already has a notion of compatibility for structs that is similar to functions (section 6.7 in version 0.6 of the specification). It is modeled after the definition of structure compatibility across translation units (discussed in Section 6.2.7 of the C11 specification). However, the specification does not explicitly allow compatible redeclarations of structs within translation units.
Here are examples of what is and is not allowed by C11 now for complete and incomplete structure types:
```c
struct S;
struct S {
    int len;
    int *p;
};
```
The following is not allowed:
```c
struct S {
    int len;
    int *p;
};
struct S {
    int len;
    int *p;
};
```
For Checked C, it would make sense to allow:
```c
struct S {
    int len;
    int *p;
};
struct S {
    int len;
    int *p : count(len);
};
```
I am wondering if anything will break in the language definition by allowing compatible redeclarations of a complete structure type within a translation unit. I can see why this feature wasn't allowed: it didn't seem needed, it would make the specification more complex, and it would require extra work from implementers. There doesn't seem to be anything fundamental that disallows it, especially because the C specification already defines a notion of compatibility of structures across translation units.
Would you only allow redundant structs if the second one had bounds information? This would be more restrictive, perhaps avoiding problems the current spec had in mind?
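As an added illustration (not code from the Checked C project or from either participant), the following plain C sketch models the compatibility rule proposed in the issue, and the stricter variant raised in the reply, as a checker might apply it to two member lists: member names and types must match in order, bounds may only be added or repeated, and an optional flag rejects a redeclaration that adds no bounds at all. The `struct member` record, the `compatible_redecl` function and the sample declarations are all hypothetical and constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical record of one struct member as a checker might store it.
 * `bounds` is NULL when the member carries no bounds-safe interface. */
struct member {
    const char *name;
    const char *type;
    const char *bounds;   /* e.g. "count(len)", or NULL */
};

/* Returns true if redeclaration `b` of a struct previously declared as `a`
 * is compatible under the proposed rule: same member count, same names and
 * types in the same order, and bounds that are only ever added or repeated,
 * never dropped or changed. With require_new_bounds set, at least one member
 * must gain bounds, so a purely redundant redeclaration is still rejected. */
bool compatible_redecl(const struct member *a, size_t na,
                       const struct member *b, size_t nb,
                       bool require_new_bounds)
{
    if (na != nb)
        return false;
    bool added = false;
    for (size_t i = 0; i < na; i++) {
        if (strcmp(a[i].name, b[i].name) != 0 || strcmp(a[i].type, b[i].type) != 0)
            return false;                       /* member renamed or retyped */
        if (a[i].bounds == NULL) {
            if (b[i].bounds != NULL)
                added = true;                   /* bounds added: allowed */
        } else if (b[i].bounds == NULL || strcmp(a[i].bounds, b[i].bounds) != 0) {
            return false;                       /* bounds dropped or changed */
        }
    }
    return !require_new_bounds || added;
}

/* Constructed member lists mirroring the struct S examples in the issue. */
const struct member s_plain[]  = { {"len", "int", NULL}, {"p", "int *", NULL} };
const struct member s_bounds[] = { {"len", "int", NULL}, {"p", "int *", "count(len)"} };
const struct member s_other[]  = { {"len", "int", NULL}, {"p", "int *", "count(len + 1)"} };
const struct member s_type[]   = { {"len", "unsigned", NULL}, {"p", "int *", NULL} };
```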