
Checked C is an extension to C that lets programmers write C code that is guaranteed by the compiler to be type-safe. The goal is to let people easily make their existing C code type-safe and elimina...

Results 78 checkedc issues

I noticed a mistake in `threads_checked.h` (the return type of `cnd_init` should be `int`, not `void`) and plan to fix it in #448. I hoped to use the tests in...

needs investigation

I think we should disallow `ptr`. It has been used mainly in bounds-safe interfaces, but those uses were errors. Using `ptr` in a bounds-safe interface provides the illusion that the...

In some of our porting work, we're starting to use system functions that manipulate structs that have pointer members. For example, vsftpd calls `getpwuid` and looks at the `pw_name` field...

enhancement

In the typechecking/bounds.c test, lines 568-578 involve casting `_Array_ptr` types to integer types. With changes introduced in clang 11, casts to a smaller integer type result in a warning: "cast...

In the Checked C specification, we currently do not provide a way to specify the bounds for an `array_ptr` that is pointed to by another pointer. We don't want checking...

enhancement

The description of invertible expressions in the spec should include address-of/dereference operators that cancel. `&*e1` and `*&e1` are invertible with respect to a variable `x` if and only if `e1`...

The description of invertible expressions in the spec should include bounds cast expressions. A bounds cast expression `BoundsCast(temp(e1))` is invertible with respect to a variable `x` if and only if...

The current rules for assignment compatibility of expressions involving bounds-safe interfaces are missing two cases. The first case is related to assignments involving nested pointers. An assignment `*p = e`...

Consider the following:

```c
typedef struct { int a; } *V;

int main(int argc, char **argv) {
    V v;
    v = malloc(sizeof(V));
    v->a = 3;
    printf("%d\n", v->a);
    free(v);
    return 0;
}
```
...

Invalid range is a range with `upperBound < lowerBound` and an empty range is a range with `upperBound == lowerBound`. Declaration of both empty and invalid ranges is allowed in...

work item