On Mon, Oct 20, 2025 at 03:01:15PM -0700, Kees Cook wrote:
Introduce __counted_by_ptr(), which works like __counted_by(), but for pointer struct members:
struct foo { int a, b, c; char *buffer __counted_by_ptr(bytes); short nr_bars; struct bar *bars __counted_by_ptr(nr_bars); size_t bytes; };
Since "counted_by" can only be applied to pointer members in very recent compiler versions, its application ends up needing to be distinct from flexible array "counted_by" annotations, hence a separate macro.
Unfortunately, this annotation cannot be used for "void *" members (since such a member is considered a pointer to an incomplete type, and neither Clang nor GCC developers could be convinced otherwise[1], even in the face of the GNU extension that "void *" has size "1 byte" for pointer arithmetic). For "void *" members, we must use the coming "sized_by" attribute.
So why do we need both __counted_by_ptr() and this __sized_by(), won't one be good enough?
Also, given the existing __counted_by() is really only usable with
=19.1.3 and we're now at 22-ish, do we really need two of these?
That is, I'm really hating the idea we need 3 different annotations for what is effectively the same thing and feel we should try *really* hard to make it 1.