-
Notifications
You must be signed in to change notification settings - Fork 19
Missing runtime and static checks
The Checked C clang compiler is still incomplete, with core features under active development. In a few situations, the compiler does not yet insert runtime checks required by the specification. Some important parts of the static checking of bounds declarations are not implemented yet.
Most runtime checks required by the Checked C specification inserted by the compiler. Here are the checks that are not inserted:
- The compiler does not insert a bounds check if the return value of a function is immediately dereferenced or if the value of an array literal is immediately dereferenced.
array_ptr<int> f(void) : count(10);
f()[2]; // bounds check omitted
- The compiler does not insert a null check during pointer arithmetic.
array_ptr<int> x : count(10) = 0;
array_ptr<int> forged_pointer : count(5) = x + 5; // null check on x missing
- Overflow checking on checked pointer arithmetic
The static checking of bounds declarations ensures that bounds that are declared are correct. With the static checking not being fully implemented yet, it is possible for programmers to declare bounds that are wrong or to corrupt bounds information. This could result in missing runtime bounds checks, if the bounds are wider than they should be. The following static checking is not implemented yet:
- Preventing aliasing issues:
- It is illegal for a program to take the address of variables with bounds declarations or used in bounds declarations.
- It is illegal for a program to take the address of members with bounds declarations or used in member bounds declarations.
- Checking modifications to variables used in bounds declarations.
- When a variable used in a bounds declaration is modified, we need to check that declared bounds are valid after the modification.
- Handling nested assignments that modify variables with bounds or used in bounds declarations. The order of evaluation of subexpressions is not specified in C. We need to make sure that the another subexpression does not require a bounds check based on variables that are also being modified.