Check casts of function names to checked function pointer types. #78

Closed
dtarditi opened this issue Nov 22, 2016 · 3 comments

Comments

dtarditi commented Nov 22, 2016

We added new rules to the Checked C specification that allow a function name to be cast from its unchecked function pointer type to the corresponding checked function pointer type, where the two function types are compatible.

The support for casting from an unchecked function pointer type to the corresponding checked function pointer type should already be there, but we do need to add tests for that.

We need to implement a separate test that ensures that the source is actually a function name and not just a variable with an unchecked function pointer type.

@dtarditi dtarditi added this to the Sprint 11 milestone Nov 22, 2016
@dtarditi dtarditi changed the title Add tests for casts applied to function names Check casts of functoni names to checked function pointer types. Dec 8, 2016
@dtarditi dtarditi changed the title Check casts of functoni names to checked function pointer types. Check casts of function names to checked function pointer types. Dec 8, 2016
dtarditi commented

Tests of casts from function names with unchecked pointers to checked function pointer types were added as part of pull request #91. We still need to implement a check in the compiler that the source operand for the cast is actually a function name.

@dtarditi dtarditi modified the milestones: Sprint 12, Sprint 11 Dec 20, 2016
@lenary lenary self-assigned this Jan 10, 2017
lenary commented Jan 10, 2017

From an email from David:

The main motivation for the work is that C converts values with function types to pointers to function types. By default, these are unchecked pointers to function types. We need some way to create checked pointers to function types. Checked C allows implicit conversions from unchecked pointer types to checked pointer types, so we have a way of doing this in the extension already. However, Checked C relies on determining the actual bounds for the unchecked value. Of course, for function types, there are no bounds and no way to determine "the actual bounds". We need some check to prevent implicit conversion of an unchecked function pointer value that does not match its declared "bounds" for arguments or the return value to a checked function pointer value. The check is just to make sure that the actual source of the unchecked function pointer is a function name.

In other words, we want to prevent things like:

int bad_convert(int (*f)(int a)) {
  ptr<int (int)> safe_f = f;
}

If the programmer wants to do that, we want to require an explicit (unsafe) cast, not have this conversion happen implicitly.

lenary commented Jan 14, 2017

So, by staring at some dumped ASTs, we need to do the following:

  • check any ImplicitCasts (specifically, BitCasts)
  • if they contain another ImplicitCast (specifically a function-to-pointer decay) and that contains a DeclRef to a function, then we're all good. This is really the only kind of assignment that's allowed.
  • otherwise, they likely contain an ImplicitCast (specifically an LValue-to-RValue cast) and that contains a DeclRef of a ParmVar (or similar, I'm not sure what the ref is like of a local variable), which is explicitly not allowed.

We'll pick this back up when we have a centralized place for doing our bounds checking analysis, which should be in a day or two.

lenary added a commit that referenced this issue Feb 3, 2017
We check to make sure that any time we're casting to a `_Ptr` to a function, that the thing we are casting is either:
- a top-level function definition (either checked or unchecked)
- a checked local variable/parameter
- a null pointer

Anything else would be unsound. 

Unfortunately, we have to look quite deeply for the thing we're casting to, because you can ref (`&`) and deref (`*`) a function pointer as many times as you want and implicit casts are inserted to make everything work.

Closes #78
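The following is an added illustration, not code from the checkedc-clang project: a small Python model of the source-operand walk described in the Jan 14 comment and in the commit message above. It looks through implicit casts and any number of `&` / `*` operators to find what actually supplies the pointer value, then accepts only a function name, a variable or parameter already declared with a checked type, or a null pointer constant, and rejects an unchecked function pointer variable such as the `f` parameter in `bad_convert`. The node classes, their fields and the function names are assumptions that only mirror the Clang node kinds named in the thread (ImplicitCastExpr, UnaryOperator, DeclRefExpr); the sample trees are constructed by hand to stand in for what Sema would see.

```python
"""Model of the source-operand check for casts to a checked function pointer.

Simplified stand-in for the Clang AST (assumption, not the project's code):
ImplicitCast kinds FunctionToPointerDecay / LValueToRValue / BitCast /
NullToPointer, UnaryOp & and *, and DeclRef to a Function, ParmVar or Var decl.
"""
from dataclasses import dataclass
from typing import Dict, Union


@dataclass
class Decl:
    name: str
    kind: str              # "Function", "ParmVar" or "Var"
    checked: bool = False  # for ParmVar/Var: declared with a checked _Ptr type?


@dataclass
class DeclRef:
    decl: Decl


@dataclass
class IntegerLiteral:
    value: int


@dataclass
class ImplicitCast:
    kind: str      # "FunctionToPointerDecay", "LValueToRValue", "BitCast", "NullToPointer"
    sub: "Expr"


@dataclass
class UnaryOp:
    op: str        # "&" or "*"
    sub: "Expr"


Expr = Union[DeclRef, IntegerLiteral, ImplicitCast, UnaryOp]


def strip_to_source(e: Expr) -> Expr:
    """Look through implicit casts and any chain of & / * to reach the
    expression that actually supplies the pointer value."""
    while True:
        if isinstance(e, ImplicitCast):
            e = e.sub
        elif isinstance(e, UnaryOp) and e.op in ("&", "*"):
            e = e.sub
        else:
            return e


def is_sound_checked_fn_ptr_source(e: Expr) -> bool:
    """True if converting `e` to a checked function pointer is sound under the
    rule in the commit message: a function name, a checked variable/parameter,
    or a null pointer. Anything else (e.g. an unchecked pointer variable whose
    target signature is unknown) needs an explicit cast."""
    src = strip_to_source(e)
    if isinstance(src, DeclRef):
        if src.decl.kind == "Function":
            return True            # signature is known statically
        return src.decl.checked    # checked var/param already carries the guarantee
    if isinstance(src, IntegerLiteral) and src.value == 0:
        return True                # null pointer constant
    return False


# Constructed sample trees (assumed shapes) for assignments to `_Ptr<int (int)> safe_f`.
f_fn = Decl("f", "Function")
f_unchecked = Decl("f", "ParmVar")                 # int (*f)(int), as in bad_convert
g_checked = Decl("g", "ParmVar", checked=True)     # _Ptr<int (int)> g


def build_examples() -> Dict[str, Expr]:
    decay = lambda x: ImplicitCast("FunctionToPointerDecay", x)
    load = lambda x: ImplicitCast("LValueToRValue", x)
    return {
        "function name":            ImplicitCast("BitCast", decay(DeclRef(f_fn))),
        "address of function":      ImplicitCast("BitCast", UnaryOp("&", DeclRef(f_fn))),
        # *f on a function: the decayed pointer is dereferenced, then decays again
        "deref of function":        ImplicitCast("BitCast", decay(UnaryOp("*", decay(DeclRef(f_fn))))),
        "null":                     ImplicitCast("NullToPointer", IntegerLiteral(0)),
        "checked param":            load(DeclRef(g_checked)),
        "unchecked param":          ImplicitCast("BitCast", load(DeclRef(f_unchecked))),
        "deref of unchecked param": ImplicitCast("BitCast", decay(UnaryOp("*", load(DeclRef(f_unchecked))))),
    }


def classify_all() -> Dict[str, bool]:
    return {name: is_sound_checked_fn_ptr_source(e) for name, e in build_examples().items()}


if __name__ == "__main__":
    for name, ok in classify_all().items():
        print(f"{name:28s} {'allowed' if ok else 'needs explicit cast'}")
```

The last two cases are the ones the check exists for: the parameter `f` from `bad_convert`, with or without a `*` in front of it, is rejected because its target signature cannot be recovered from the declaration, whereas every form of the function name `f` and the already-checked parameter `g` pass.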
dtarditi pushed a commit that referenced this issue Aug 12, 2020
dopelsunce pushed a commit to dopelsunce/checkedc-clang that referenced this issue Sep 28, 2020
Wonsub Kim found some typos in the examples and non-examples
for implicit casts.  This change incorporates his fixes.