New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Checked scopes and constructed types #142
Comments
I appreciate that you bring up this issue I think that a checked pointer to an unchecked pointer is not a common case we consider. To guarantee this constraint, maybe I should check checked pointer types recursively. How about your idea? |
In conclusion, by default function pointer type is unchecked pointer type |
I agree with your analysis that you should check checked pointer types recursively. I think you'll need to check arrays and other constructed types. For function pointer types, the type needs to be ptr<... function type>. For example, ptr<int (void)>. There is a function declared in type.h (hasCheckedType()) that you can use as the base for your recursive checking. You would want hasUncheckedType instead. |
…ructed type in checked scope (checkedc/microsoft#142) + add expected-error for incorrect constructed type in checked scope + add test cases for variable arguments type handling + variable arguments function definitino + variable arguments function use + variable arguments function pointer type
We have added implicit conversion rule between checked pointer types.
Actually,
For constructed type, For constructed type, how can we determine the compatibility bewteen types? |
…lock (#251) & BOUNDS_CHECKED pragma (#247) (#139) * + Add test code for variable argument function call in checked block (#251) + Variable argument function call is not allowed in checked blocks + variadic function call & printf function call is checked + Add test code for BOUNDS_CHECKED pragma (#247) + For elaborate test BOUNDS_CHECKED pragma with a scope, add test cases + For elaborate scope handling, implementation is changed to use annotation token By using annotation token, it can recognize scope corresponding to annotation token + Restore on-off-switch syntax in pragma BOUNDS_CHECKED + #pragma BOUNDS_CHECKED [on-off-switch] + on-off-switch = ON/OFF/DEFAULT * + Add test code for variable arguments issue(check-clang#251) & constructed type in checked scope (checkedc/#142) + add expected-error for incorrect constructed type in checked scope + add test cases for variable arguments type handling + variable arguments function definitino + variable arguments function use + variable arguments function pointer type * + Add test code for variable arguments issue(check-clang#251) + test code for checking variable arguments C-style cast is added + modified expected error message due to check-clang modification * + Test code clean-up for checked scope(#189) & BOUNDS_CHECKED pragma (checkedc-clang/#247, checkedc/#135) & variable arguments type (checkedc-clang/#251) + test code is updated to simplify & fortify test cases + code clean-up for checked_scope.c + remove useless codes + modify test cases for type restrictions on expression + modify test cases to check if expression has an use with unchecked type + modify test cases to check if there is a C-style type casts to unchecked/variadic type + add test code for BOUNDS_CHECKED pragma + modify BOUNDS_CHECKED pragma test code within struct/union body + code clean-up for variable arguments checking + remove useless codes * + simpify code by removing useless/redundant code
For constructed pointer type, it is required to have same referent type. |
Compatibility in C has a very specific meaning. It means that one type can be substituted or is equivalent to another type. We have a notion of assignment compatibility that is used when implicit conversions happen. Even with assignment compatibility, we really can't say that a The problem is that we'd have to constrain the size of the referent type in some way, which we don't have a way to do. As an example, suppose we allowed:
Then a user could write code that breaks the Checked C type system:
Even if we checked length, it would still get tricky. We allow a longer array to be substituted for a shorter array:
However, we can't apply that same rule when we have a pointer to p:
It would mean that we could substitute a pointer to a 1-element array in a context where a pointer to a 10-element array is expected.
affects the result of reading:
|
Thanks for your comments. |
I think the specification is fine here. It is a good idea to not allow checked pointers to unchecked pointers in checked scopes. It is potentially confusing and more complicated to explain. Until we have a compelling example, I think we should leave the spec "as is". |
We need to decide what to do about constructed types that contain unchecked pointer types in checked scopes. Currently we say in the spec that checked scope cannot have unchecked pointer types occurring in them. An example of such a pointer is something like:
However, we could allow a checked scope to have a checked pointer to an unchecked pointer. The code in a checked scope could pass around this pointer, but never dereference it. This seems problematic, though, as it could mask "unsafe behavior"
For example, should we allow
I think it is important to make a decision about this and update the spec to be clearer about what is allowed.
The text was updated successfully, but these errors were encountered: