Disallow some implicit void pointer conversions in checked scopes (#590)

dtarditi · web-flow · commit 02aeff268c04 · 2018-11-21T14:48:57.000-08:00
In memory-safe checked scopes, disallow implicit conversions to and from void pointer types when the non-void pointer type points to data that contains a checked pointer. Disallow these conversions at assignments, call arguments, return statements, and arms of conditional expressions. Memory-safe checked scopes are currently the default kind of checked scopes. This addresses part of Github issue #571. Also do some cleanup within the compiler. Rename the checked scope specifier for the default checked scope from "BoundsAndTypes" to "Memory". The original name is incorrect for the kind of safety that will be provided. Testing: - Add new tests to the Checked C repo for these cases. - Passed automated testing on Windows and Linux.
diff --git a/include/clang/Basic/DiagnosticSemaKinds.td b/include/clang/Basic/DiagnosticSemaKinds.td
@@ -9412,6 +9412,14 @@ def err_bounds_safe_interface_type_annotation_local_variable : Error<
 def err_typecheck_ptr_subscript : Error<
   "subscript of %0">;
 
+def err_checkedc_void_pointer_assign : Error<
+  "implicit conversion between %0 and %1 is not allowed in a checked scope "
+  "because %2 contains or is a checked pointer">;
+
+def err_checkedc_void_pointer_cond : Error<
+  "implicit conversion from %0 to %1 not allowed in a checked scope "
+  "because %2 contains or is a checked pointer">;
+
 def err_typecheck_cond_incompatible_checked_pointer : Error<
   "pointer type mismatch%diff{ ($ and $)|}0,1">;
 
@@ -9465,7 +9473,6 @@ def err_typecheck_void_pointer_count_bounds_cast : Error<
 
 def err_typecheck_non_count_bounds_decl : Error<
   "expected %0 to have a pointer, array, or integer type">;
-
 def err_typecheck_non_count_return_bounds : Error<
   "bounds declaration only allowed for a pointer or integer return type">;
 
diff --git a/include/clang/Basic/Specifiers.h b/include/clang/Basic/Specifiers.h
@@ -335,7 +335,7 @@ namespace clang {
 
     /// Check properties for bounds safety and preventing type confusion.
     /// Corresponds to _Bounds
-    CSS_BoundsAndTypes = 0x3
+    CSS_Memory = 0x3
   };
 
 } // end namespace clang
diff --git a/include/clang/Sema/DeclSpec.h b/include/clang/Sema/DeclSpec.h
@@ -335,7 +335,7 @@ class DeclSpec {
   static const CSS CSS_None = clang::CSS_None;
   static const CSS CSS_Unchecked = clang::CSS_Unchecked;
   static const CSS CSS_Bounds = clang::CSS_Bounds;
-  static const CSS CSS_BoundsAndTypes = clang::CSS_BoundsAndTypes;
+  static const CSS CSS_Memory = clang::CSS_Memory;
 
 
 private:
diff --git a/include/clang/Sema/Sema.h b/include/clang/Sema/Sema.h
@@ -9901,6 +9901,11 @@ class Sema {
     /// object with __weak qualifier.
     IncompatibleObjCWeakRef,
 
+    /// IncompatibleCheckedCVoid - Assignments to/from void pointers to pointers
+    /// to data containing checked pointers is not allowed in regular checked
+    /// scopes. It is allowed only in unchecked and checked bounds_only scopes.
+    IncompatibleCheckedCVoid,
+
     /// Incompatible - We reject this conversion outright, it is invalid to
     /// represent it in the AST.
     Incompatible
diff --git a/lib/AST/ASTDumper.cpp b/lib/AST/ASTDumper.cpp
@@ -1204,7 +1204,7 @@ void ASTDumper::VisitFunctionDecl(const FunctionDecl *D) {
   switch (D->getWrittenCheckedSpecifier()) {
     case CSS_None: break;
     case CSS_Bounds: OS << " checked bounds_only"; break;
-    case CSS_BoundsAndTypes: OS << " checked"; break;
+    case CSS_Memory: OS << " checked"; break;
     case CSS_Unchecked: OS << " unchecked"; break;
   }
 
@@ -2056,7 +2056,7 @@ void ASTDumper::VisitCompoundStmt(const CompoundStmt *Node) {
     case CSS_None: break;
     case CSS_Unchecked: OS << " _Unchecked "; break;
     case CSS_Bounds: OS <<  " _Checked _Bounds_only "; break;
-    case CSS_BoundsAndTypes: OS << " _Checked "; break;
+    case CSS_Memory: OS << " _Checked "; break;
   }
 
 
diff --git a/lib/AST/DeclPrinter.cpp b/lib/AST/DeclPrinter.cpp
@@ -503,7 +503,7 @@ void DeclPrinter::VisitFunctionDecl(FunctionDecl *D) {
       case CSS_None: break;
       case CSS_Unchecked: Out << "_Unchecked "; break;
       case CSS_Bounds: Out << "_Checked _Bounds_only"; break;
-      case CSS_BoundsAndTypes: Out << "_Checked "; break;
+      case CSS_Memory: Out << "_Checked "; break;
     }
     if (D->isInlineSpecified())  Out << "inline ";
     if (D->isVirtualAsWritten()) Out << "virtual ";
diff --git a/lib/AST/StmtPrinter.cpp b/lib/AST/StmtPrinter.cpp
@@ -122,7 +122,7 @@ void StmtPrinter::PrintRawCompoundStmt(CompoundStmt *Node) {
       case CSS_None: break;
       case CSS_Unchecked: OS << "_Unchecked "; break;
       case CSS_Bounds: OS << "_Checked _Bounds_only "; break;
-      case CSS_BoundsAndTypes: OS << "_Checked "; break;
+      case CSS_Memory: OS << "_Checked "; break;
   }
   OS << "{\n";
   for (auto *I : Node->body())
diff --git a/lib/Parse/ParseDecl.cpp b/lib/Parse/ParseDecl.cpp
@@ -3080,7 +3080,7 @@ void Parser::ParseDeclarationSpecifiers(DeclSpec &DS,
             CSS = CSS_Bounds;
             ConsumeToken();
            } else
-            CSS = CSS_BoundsAndTypes;
+            CSS = CSS_Memory;
         }
         isInvalid = DS.setFunctionSpecChecked(Loc, CSS, PrevSpec, DiagID);
         break;
diff --git a/lib/Parse/ParseDeclCXX.cpp b/lib/Parse/ParseDeclCXX.cpp
@@ -1625,7 +1625,7 @@ void Parser::ParseClassSpecifier(tok::TokenKind TagTokKind,
   // keywords.
   CheckedScopeSpecifier CSS = CSS_None;
   if (Tok.is(tok::kw__Checked) && NextToken().is(tok::l_brace)) {
-    CSS = CSS_BoundsAndTypes;
+    CSS = CSS_Memory;
     ConsumeToken();
   } else if (Tok.is(tok::kw__Checked) && NextToken().is(tok::kw__Bounds_only) &&
     GetLookAheadToken(2).is(tok::l_brace)) {
diff --git a/lib/Parse/ParseStmt.cpp b/lib/Parse/ParseStmt.cpp
@@ -894,7 +894,7 @@ StmtResult Parser::ParseCompoundStatement(bool isStmtExpr, unsigned ScopeFlags)
   SourceLocation CSSLoc;
   SourceLocation CSMLoc;
   if (Tok.is(tok::kw__Checked)) {
-    CSS = CSS_BoundsAndTypes;
+    CSS = CSS_Memory;
     CSSLoc = ConsumeToken();
     if (Tok.is(tok::kw__Bounds_only)) {
       CSS = CSS_Bounds;
diff --git a/lib/Parse/Parser.cpp b/lib/Parse/Parser.cpp
@@ -1089,7 +1089,7 @@ Decl *Parser::ParseFunctionDefinition(ParsingDeclarator &D,
 
   CheckedScopeSpecifier CSS = CSS_None;
   if (Tok.is(tok::kw__Checked) && NextToken().is(tok::l_brace)) {
-    CSS = CSS_BoundsAndTypes;
+    CSS = CSS_Memory;
     ConsumeToken();
   } else if (Tok.is(tok::kw__Checked) && NextToken().is(tok::kw__Bounds_only) &&
     GetLookAheadToken(2).is(tok::l_brace)) {
diff --git a/lib/Sema/DeclSpec.cpp b/lib/Sema/DeclSpec.cpp
@@ -961,7 +961,7 @@ bool DeclSpec::setFunctionSpecChecked(SourceLocation Loc,
       case CSS_None: PrevSpec = ""; break;
       case CSS_Unchecked: PrevSpec = "_Unchecked"; break;
       case CSS_Bounds: PrevSpec = "_Checked _Bounds_only"; break;
-      case CSS_BoundsAndTypes: PrevSpec = "_Checked"; break;
+      case CSS_Memory: PrevSpec = "_Checked"; break;
     }
     return true;
   }
diff --git a/lib/Sema/SemaAttr.cpp b/lib/Sema/SemaAttr.cpp
@@ -690,7 +690,7 @@ void Sema::ActOnPragmaOptimize(bool On, SourceLocation PragmaLoc) {
 void Sema::ActOnPragmaCheckedScope(PragmaCheckedScopeKind Kind,
                                    SourceLocation Loc) {
   switch (Kind) {
-    case PCSK_On: SetCheckedScopeInfo(CSS_BoundsAndTypes); break;
+    case PCSK_On: SetCheckedScopeInfo(CSS_Memory); break;
     case PCSK_BoundsOnly: SetCheckedScopeInfo(CSS_Bounds); break;
     case PCSK_Off: SetCheckedScopeInfo(CSS_Unchecked); break;
     case PCSK_Push: PushCheckedScopeInfo(Loc); break;
diff --git a/lib/Sema/SemaExpr.cpp b/lib/Sema/SemaExpr.cpp
@@ -5487,7 +5487,7 @@ ExprResult Sema::ActOnCallExpr(Scope *Scope, Expr *Fn, SourceLocation LParenLoc,
     if (Fn->getType()->isItypeGenericFunctionType()) {
        // It is an error in a checked scope.
       CheckedScopeSpecifier CSS = GetCheckedScopeInfo();
-      if (CSS == CSS_BoundsAndTypes || CSS == CSS_Bounds) {
+      if (CSS == CSS_Memory || CSS == CSS_Bounds) {
         Diag(Fn->getLocEnd(),
               diag::err_expected_type_argument_list_for_itype_generic_call);
         return ExprError();
@@ -6816,7 +6816,15 @@ checkConditionalObjectPointersCompatibility(Sema &S, ExprResult &LHS,
       (lhkind == rhkind || rhkind == CheckedPointerKind::Unchecked)) {
     // Null-terminated void pointers are illegal, so we don't have to worry
     // about that case.
-    assert(lhkind != CheckedPointerKind::NtArray); 
+    assert(lhkind != CheckedPointerKind::NtArray);
+    // In checked scopes, casting one arm to void pointer to match
+    // the other arm is not allowed.
+    if (S.GetCheckedScopeInfo() == CheckedScopeSpecifier::CSS_Memory &&
+        rhptee->containsCheckedValue(true) != Type::NoCheckedValue) {
+      S.Diag(Loc, diag::err_checkedc_void_pointer_cond) << RHSTy << LHSTy <<
+        rhptee << RHS.get()->getSourceRange();
+      return QualType();
+    }
     // Figure out necessary qualifiers (C99 6.5.15p6)
     QualType destPointee
       = S.Context.getQualifiedType(lhptee, rhptee.getQualifiers());
@@ -6832,6 +6840,12 @@ checkConditionalObjectPointersCompatibility(Sema &S, ExprResult &LHS,
     // Null-terminated void pointers are illegal, so we don't have to worry
     // about that case.
     assert(rhkind != CheckedPointerKind::NtArray);
+    if (S.GetCheckedScopeInfo() == CheckedScopeSpecifier::CSS_Memory &&
+        lhptee->containsCheckedValue(true) != Type::NoCheckedValue) {
+      S.Diag(Loc, diag::err_checkedc_void_pointer_cond) << LHSTy << RHSTy <<
+        lhptee << LHS.get()->getSourceRange();
+      return QualType();
+    }
     QualType destPointee
       = S.Context.getQualifiedType(rhptee, lhptee.getQualifiers());
     QualType destType = S.Context.getPointerType(destPointee, rhkind);
@@ -7699,30 +7713,43 @@ checkPointerTypesForAssignment(Sema &S, QualType LHSType, QualType RHSType) {
   // Handle Checked C cases (where one pointer is checked).
   if (lhkind != CheckedPointerKind::Unchecked ||
       rhkind != CheckedPointerKind::Unchecked) {
-    // Implicit conversions to checked void pointers:
-    // - Allow conversions from any pointer to a _Ptr or _Array_ptr void
-    // pointer.
+    // Implicit conversions to checked void pointers.
+    // - In unchecked scopes and bounds-safe checked scopes, allow conversions
+    // from any pointer to a _Ptr or _Array_ptr void type.
+    // - In memory-safe checked scopes, allow conversions from pointers to data
+    // that doesn't contain a checked pointer.
     // - Note that Nt_array_ptr<void> is not a legal type. This
     // code would not allow conversions to it, if it were.
     // - Do not have an extension allowing casts from checked function
     // pointers to checked void pointers.
     if (lhptee->isVoidType() && (lhkind == CheckedPointerKind::Ptr ||
                                  lhkind == CheckedPointerKind::Array) &&
         rhptee->isIncompleteOrObjectType()) {
+      if (S.GetCheckedScopeInfo() == CheckedScopeSpecifier::CSS_Memory
+          && rhptee->containsCheckedValue(true) != Type::NoCheckedValue)
+        return Sema::IncompatibleCheckedCVoid;
       return ConvTy;
     }
 
     // Implicit conversions from void pointers to checked pointers.
-    // - Allow any void pointer except _Ptr to be converted to a _Ptr or
-    // _Array_ptr type (the void pointer must still have  appropriate bounds).
+    // - In unchecked scopes and bounds-safe checked scopes, allow any void
+    // pointer to be converted to a _Ptr or _Array_ptr type
+    // (the void pointer must still have  appropriate bounds).
+    // - In memory-safe checked scopes, allow any void pointer to be
+    // converted to a _Ptr or _Array_ptr to data that doesn't
+    // contain a checked pointer.
     // - Do not allow conversions to Nt_array_ptr types.
     // - Do not have an extension allowing casts from checked void pointers
     // to checked function pointers.
     if (rhptee->isVoidType() && lhptee->isIncompleteOrObjectType()) {
       if (rhkind != CheckedPointerKind::Ptr &&
           (lhkind == CheckedPointerKind::Ptr ||
-           lhkind == CheckedPointerKind::Array))
+           lhkind == CheckedPointerKind::Array)) {
+        if (S.GetCheckedScopeInfo() == CheckedScopeSpecifier::CSS_Memory
+            && lhptee->containsCheckedValue(true) != Type::NoCheckedValue)
+          return Sema::IncompatibleCheckedCVoid;
         return ConvTy;
+      }
     }
   }
 
@@ -8466,7 +8493,8 @@ Sema::CheckSingleAssignmentConstraints(QualType LHSType, ExprResult &CallerRHS,
   // so that we can use references in built-in functions even in C.
   // The getNonReferenceType() call makes sure that the resulting expression
   // does not have reference type.
-  if (result != Incompatible && RHS.get()->getType() != LHSType) {
+  if (result != Incompatible && result != IncompatibleCheckedCVoid &&
+      RHS.get()->getType() != LHSType) {
     QualType Ty = LHSType.getNonLValueExprType(Context);
     Expr *E = RHS.get();
 
@@ -8497,9 +8525,10 @@ Sema::CheckSingleAssignmentConstraints(QualType LHSType, ExprResult &CallerRHS,
 
   // If we can't convert to the LHS type, try the LHS interop type instead.
   // Note that we have to insert a cast that "downgrades" the checkedness.
-  if (result == Incompatible && !LHSInteropType.isNull()) {
+  if ((result == Incompatible || result == IncompatibleCheckedCVoid) &&
+      !LHSInteropType.isNull()) {
     result = CheckAssignmentConstraints(LHSInteropType, RHS, Kind, ConvertRHS);
-    if (result != Incompatible) {
+    if (result != Incompatible && result != IncompatibleCheckedCVoid) {
       assert(!LHSType->isReferenceType());
       assert(!LHSInteropType->isReferenceType());
       if (ConvertRHS) {
@@ -14194,6 +14223,21 @@ bool Sema::DiagnoseAssignmentResult(AssignConvertType ConvTy,
   case IncompatibleObjCWeakRef:
     DiagKind = diag::err_arc_weak_unavailable_assign;
     break;
+  case IncompatibleCheckedCVoid: {
+    QualType VoidType;
+    QualType NonVoidType;
+    if (SrcType->isVoidPointerType()) {
+      VoidType = SrcType;
+      NonVoidType = DstType;
+    } else {
+      VoidType = DstType;
+      NonVoidType = SrcType;
+    }
+    Diag(Loc, diag::err_checkedc_void_pointer_assign) << VoidType << NonVoidType <<
+      (QualType(NonVoidType->getPointeeOrArrayElementType(), 0));
+    *Complained = true;
+    return true;
+  }
   case Incompatible:
     if (maybeDiagnoseAssignmentToFunction(*this, DstType, SrcExpr)) {
       if (Complained)

Original file line number	Diff line number	Diff line change
`@@ -1204,7 +1204,7 @@ void ASTDumper::VisitFunctionDecl(const FunctionDecl *D) {`
`1204`	`1204`	`switch (D->getWrittenCheckedSpecifier()) {`
`1205`	`1205`	`case CSS_None: break;`
`1206`	`1206`	`case CSS_Bounds: OS << " checked bounds_only"; break;`
`1207`		`- case CSS_BoundsAndTypes: OS << " checked"; break;`
	`1207`	`+ case CSS_Memory: OS << " checked"; break;`
`1208`	`1208`	`case CSS_Unchecked: OS << " unchecked"; break;`
`1209`	`1209`	`}`
`1210`	`1210`
`@@ -2056,7 +2056,7 @@ void ASTDumper::VisitCompoundStmt(const CompoundStmt *Node) {`
`2056`	`2056`	`case CSS_None: break;`
`2057`	`2057`	`case CSS_Unchecked: OS << " _Unchecked "; break;`
`2058`	`2058`	`case CSS_Bounds: OS << " _Checked _Bounds_only "; break;`
`2059`		`- case CSS_BoundsAndTypes: OS << " _Checked "; break;`
	`2059`	`+ case CSS_Memory: OS << " _Checked "; break;`
`2060`	`2060`	`}`
`2061`	`2061`
`2062`	`2062`
Original file line number	Diff line number	Diff line change
`@@ -503,7 +503,7 @@ void DeclPrinter::VisitFunctionDecl(FunctionDecl *D) {`
`503`	`503`	`case CSS_None: break;`
`504`	`504`	`case CSS_Unchecked: Out << "_Unchecked "; break;`
`505`	`505`	`case CSS_Bounds: Out << "_Checked _Bounds_only"; break;`
`506`		`- case CSS_BoundsAndTypes: Out << "_Checked "; break;`
	`506`	`+ case CSS_Memory: Out << "_Checked "; break;`
`507`	`507`	`}`
`508`	`508`	`if (D->isInlineSpecified()) Out << "inline ";`
`509`	`509`	`if (D->isVirtualAsWritten()) Out << "virtual ";`
Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,7 @@ void StmtPrinter::PrintRawCompoundStmt(CompoundStmt *Node) {`
`122`	`122`	`case CSS_None: break;`
`123`	`123`	`case CSS_Unchecked: OS << "_Unchecked "; break;`
`124`	`124`	`case CSS_Bounds: OS << "_Checked _Bounds_only "; break;`
`125`		`- case CSS_BoundsAndTypes: OS << "_Checked "; break;`
	`125`	`+ case CSS_Memory: OS << "_Checked "; break;`
`126`	`126`	`}`
`127`	`127`	`OS << "{\n";`
`128`	`128`	`for (auto *I : Node->body())`
Original file line number	Diff line number	Diff line change
`@@ -3080,7 +3080,7 @@ void Parser::ParseDeclarationSpecifiers(DeclSpec &DS,`
`3080`	`3080`	`CSS = CSS_Bounds;`
`3081`	`3081`	`ConsumeToken();`
`3082`	`3082`	`} else`
`3083`		`- CSS = CSS_BoundsAndTypes;`
	`3083`	`+ CSS = CSS_Memory;`
`3084`	`3084`	`}`
`3085`	`3085`	`isInvalid = DS.setFunctionSpecChecked(Loc, CSS, PrevSpec, DiagID);`
`3086`	`3086`	`break;`