Bounds-checking interfaces

Names specified here
Name	Description	Notes				Source
`__STDC_LIB_EXT1__`	Identifier of version of bounds-checking conformance	L	?	M		Predefined	C11
`__STDC_WANT_LIB_EXT1__`	Enable bounds-checking interfaces		?	M		User-defined	C11
`abort_handler_s()`	Report constraint violation and abort		?		(·)	`<stdlib.h>`	C11
`constraint_handler_t`	Type of function handling run-time constraint violations		?		T	`<stdlib.h>`	C11
`ignore_handler_s()`	No operation		?		(·)	`<stdlib.h>`	C11
`RSIZE_MAX`	Maximum value of `rsize_t` avoiding run-time constraint	L	?	M		`<stdint.h>`	C11
`rsize_t`	Implementation-defined size type with implied run-time constraints	L	?		T	Headers	C11
`set_constraint_handler_s()`	Set the constraint handler		?		(·)	`<stdlib.h>`	C11

C11 introduces a set of extensions to the standard library to reduce the occurance of undefined behaviour due to mistakenly computed values exceeding sensible limits, or other constraint violations. Many standard functions are duplicated with alternative names, e.g., printf_s as an alternative to printf. They often take arguments of type rsize_t instead of size_t to document that such arguments are subject to bounds checking, although the two types are identical. If an argument of type rsize_t exceeds RSIZE_MAX, which can be smaller than SIZE_MAX, then there is a constraint violation. Standard functions that have some internal state, like gmtime, are duplicated with alternatives that allow the caller to provide the state, which is less error-prone than using shared state. Many functions return errno_t to signal success or failure, and store an actual result in a variable pointed to by the caller.

The bounds-checking interfaces are optional. The macro __STDC_LIB_EXT1__ expands to 1 only if they are available. For example:

#if __STDC_LIB_EXT1__
. . .
#else
#error "Bounds-checking interfaces unavailable"
#endif

Furthermore, while the extensions are integrated into standard headers, they are not available unless __STDC_WANT_LIB_EXT1__ is defined before including the headers. For example:

#define __STDC_WANT_LIB_EXT1__ 1
#include <stdlib.h>

When a bounds-checking function detects a constraint violation, it will invoke a constraint handler, a function whose address type matches constraint_handler_t:

#define __STDC_WANT_LIB_EXT1__ 1
#include <stdlib.h>
typedef
void (*constraint_handler_t)(const char *msg,
                             void *ctxt,
                             errno_t errnum);

errnum is the return value of the function that detected the constraint violation, if that function returns errno_t; otherwise, it is a positive value. ctxt could be anything, including NULL.

Two standard handlers are available:

#define __STDC_WANT_LIB_EXT1__ 1
#include <stdlib.h>
void abort_handler_s(const char *msg,
                     void *ctxt,
                     errno_t errnum);
void ignore_handler_s(const char *msg,
                      void *ctxt,
                      errno_t errnum);

abort_handler_s prints a message on stderr, including the null-terminated string at msg, then it aborts the program by calling abort. ignore_handler_s simply returns to its caller. The default constraint handler is not necessarily one of these.

#define __STDC_WANT_LIB_EXT1__ 1
#include <stdlib.h>
constraint_handler_t set_constraint_handler_s(constraint_handler_t fp);

The function set_constraint_handler_s sets the current constraint handler to fp, and returns the previous value.

Bounds-checking interfaces
Name	Description	Notes				Source
`abort_handler_s()`	Report constraint violation and abort		?		(·)	`<stdlib.h>`	C11
`bsearch_s()`	Search array		?		(·)	`<stdlib.h>`	C11
`constraint_handler_t`	Type of function handling run-time constraint violations		?		T	`<stdlib.h>`	C11
`errno_t`	Error-number type		?		T	Headers	C11
`fprintf_s()`	Print formatted text		?		(·)	`<stdio.h>`	C11
`fscanf_s()`	Input formatted text		?		(·)	`<stdio.h>`	C11
`fwprintf_s()`	Print formatted text		?		(·)	`<wchar.h>`	C11
`fwscanf_s()`	Input formatted text		?		(·)	`<wchar.h>`	C11
`getenv_s()`	Get environment string		?		(·)	`<stdlib.h>`	C11
`gets_s()`	Input line of characters from standard input		?		(·)	`<stdio.h>`	C11
`ignore_handler_s()`	No operation		?		(·)	`<stdlib.h>`	C11
`L_tmpnam_s`	Maximum temporary-file name length		?	M		`<stdio.h>`	C11
`memcpy_s()`	Copy memory		?		(·)	`<string.h>`	C11
`memmove_s()`	Copy overlapping memory		?		(·)	`<string.h>`	C11
`printf_s()`	Print formatted text		?		(·)	`<stdio.h>`	C11
`qsort_s()`	Sort array		?		(·)	`<stdlib.h>`	C11
`rsize_t`	Implementation-defined size type with implied run-time constraints	L	?		T	Headers	C11
`scanf_s()`	Input formatted text		?		(·)	`<stdio.h>`	C11
`set_constraint_handler_s()`	Set the constraint handler		?		(·)	`<stdlib.h>`	C11
`snprintf_s()`	Print formatted text		?		(·)	`<stdio.h>`	C11
`snwprintf_s()`	Print formatted text		?		(·)	`<wchar.h>`	C11
`sprintf_s()`	Print formatted text		?		(·)	`<stdio.h>`	C11
`sscanf_s()`	Input formatted text		?		(·)	`<stdio.h>`	C11
`strcat_s()`	Catenate strings		?		(·)	`<string.h>`	C11
`strcpy_s()`	Copy string		?		(·)	`<string.h>`	C11
`strerror_s()`	Interpret error number		?		(·)	`<string.h>`	C11
`strerrorlen_s()`	Get length of message interpreting error number		?		(·)	`<string.h>`	C11
`strncat_s()`	Catenate strings		?		(·)	`<string.h>`	C11
`strncpy_s()`	Copy string		?		(·)	`<string.h>`	C11
`strnlen_s()`	Compute length of string		?		(·)	`<string.h>`	C11
`strtok_s()`	Tokenize string		?		(·)	`<string.h>`	C11
`swprintf_s()`	Print formatted text		?		(·)	`<wchar.h>`	C11
`swscanf_s()`	Input formatted text		?		(·)	`<wchar.h>`	C11
`TMP_MAX_S`	Maximum number of temporary files		?	M		`<stdio.h>`	C11
`tmpfile_s()`	Create temporary file		?		(·)	`<stdio.h>`	C11
`tmpnam_s()`	Create temporary file name		?		(·)	`<stdio.h>`	C11
`vfprintf_s()`	Print formatted text		?		(·)	`<stdio.h>`	C11
`vfscanf_s()`	Input formatted text		?		(·)	`<stdio.h>`	C11
`vfwprintf_s()`	Print formatted text		?		(·)	`<wchar.h>`	C11
`vfwscanf_s()`	Input formatted text		?		(·)	`<wchar.h>`	C11
`vprintf_s()`	Print formatted text		?		(·)	`<stdio.h>`	C11
`vscanf_s()`	Input formatted text		?		(·)	`<stdio.h>`	C11
`vsnprintf_s()`	Print formatted text		?		(·)	`<stdio.h>`	C11
`vsnwprintf_s()`	Print formatted text		?		(·)	`<wchar.h>`	C11
`vsprintf_s()`	Print formatted text		?		(·)	`<stdio.h>`	C11
`vsscanf_s()`	Input formatted text		?		(·)	`<stdio.h>`	C11
`vswprintf_s()`	Print formatted text		?		(·)	`<wchar.h>`	C11
`vswscanf_s()`	Input formatted text		?		(·)	`<wchar.h>`	C11
`vwprintf_s()`	Print formatted text		?		(·)	`<wchar.h>`	C11
`vwscanf_s()`	Input formatted text		?		(·)	`<wchar.h>`	C11
`wcrtomb_s()`	Convert wide character to multibyte character		?		(·)	`<wchar.h>`	C11
`wcscat_s()`	Catenate wide-character strings		?		(·)	`<wchar.h>`	C11
`wcscpy_s()`	Copy wide-character string		?		(·)	`<wchar.h>`	C11
`wcsncat_s()`	Catenate wide-character strings		?		(·)	`<wchar.h>`	C11
`wcsncpy_s()`	Copy wide-character string		?		(·)	`<wchar.h>`	C11
`wcsnlen_s()`	Compute length of wide-character string		?		(·)	`<wchar.h>`	C11
`wcsrtombs_s()`	Convert wide string to multibyte string		?		(·)	`<wchar.h>`	C11
`wcstok_s()`	Tokenize wide-character string		?		(·)	`<wchar.h>`	C11
`wcstombs_s()`	Convert wide string to multibyte string		?		(·)	`<stdlib.h>`	C11
`wctomb_s()`	Convert wide character to multibyte character		?		(·)	`<stdlib.h>`	C11
`wmemcpy_s()`	Copy wide-character memory		?		(·)	`<wchar.h>`	C11
`wmemmove_s()`	Copy overlapping wide-character memory		?		(·)	`<wchar.h>`	C11
`wprintf_s()`	Print formatted text		?		(·)	`<wchar.h>`	C11
`wscanf_s()`	Input formatted text		?		(·)	`<wchar.h>`	C11