Add support for safety checks for pointers from cpp1

Author: filipsajdak

include/cpp2util.h

@@ -203,6 +203,7 @@
     #include <cstddef>
     #include <utility>
     #include <cstdio>
+    #include <span>
 
     #if defined(CPP2_USE_SOURCE_LOCATION)
         #include <source_location>
@@ -498,6 +499,135 @@ class out {
 }(PARAM1)
 //--------------------------------------------------------------------
 
+//-----------------------------------------------------------------------
+//
+//  cpp2::safety_check() ensures that cpp1 pointers are also covered by safetychecks
+//
+//-----------------------------------------------------------------------
+//
+template <typename... Ts>
+inline constexpr auto program_violates_lifetime_safety_guarantee = sizeof...(Ts) < 0;
+
+template <typename T>
+    requires std::is_pointer_v<T>
+class safetychecked_pointer {
+    T ptr;
+public:
+
+    constexpr safetychecked_pointer(T ptr) : ptr{ptr} {}
+
+    constexpr operator T&() noexcept { return ptr; }
+
+    template <typename... Ts> void operator+  () const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename... Ts> void operator-  () const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator+  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator-  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator*  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator/  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator%  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X> void operator^  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X> void operator&  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X> void operator|  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+
+    template <typename... Ts> void operator++ (Ts...) const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename... Ts> void operator-- (Ts...) const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename... Ts> void operator[] (Ts...) const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator+= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator-= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator*= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator/= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+
+    template <typename... Ts> void operator~  ()  const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator%= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator^= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator&= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator|= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator<<=(X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator>>=(X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator<< (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator>> (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+
+    template <typename X > friend void operator+ (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X > friend void operator- (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X > friend void operator* (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X > friend void operator/ (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X > friend void operator% (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X > friend void operator^ (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X > friend void operator& (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X > friend void operator| (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+
+
+    template <typename X>
+        requires (std::is_same_v<T,X> || std::is_base_of_v<T, X>)
+    constexpr safetychecked_pointer& operator=(X lhs) noexcept {
+        ptr = lhs;
+        return *this;
+    }
+
+    template <typename X>
+        requires std::is_same_v<std::nullptr_t,X>
+    constexpr void operator=(X lhs) noexcept { static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer assignment from null is illegal"); }
+
+    template <typename X>
+        requires std::is_integral_v<X>
+    constexpr void operator=(X lhs) noexcept { static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer assignment from integer is illegal"); }
+
+    bool operator!() const { return !ptr; }
+
+    constexpr safetychecked_pointer<T*> operator&() noexcept { return &ptr; }
+
+    constexpr auto operator*() noexcept {
+        if constexpr (std::is_pointer_v<CPP2_TYPEOF(*ptr)>) {
+            return safetychecked_pointer<CPP2_TYPEOF(*ptr)>(*ptr);
+        } else {
+            return *ptr;
+        }
+    }
+
+    constexpr T operator->() const noexcept { return ptr; }
+};
+
+template <typename X>
+    requires ( !std::is_pointer_v<std::remove_cvref_t<X>>
+               && std::is_copy_constructible_v<X> )
+inline constexpr auto safety_check(X const& x) {
+    return x;
+}
+
+template <typename R, typename... Args>
+inline constexpr auto safety_check(R (&x)(Args...)) {
+    return x;
+}
+
+template <typename X>
+    requires std::is_rvalue_reference_v<X>
+inline constexpr decltype(auto) safety_check(X&& x) {
+    return std::forward<X>(x);
+}
+
+template <typename X>
+    requires (std::is_pointer_v<std::remove_cvref_t<X>> && !std::is_bounded_array_v<X>)
+inline constexpr auto safety_check(X const& x) {
+    return safetychecked_pointer(x);
+}
+
+template <typename X>
+    requires (!std::is_pointer_v<std::remove_cvref_t<X>> && !std::is_function_v<X> && !std::is_bounded_array_v<X>)
+inline constexpr auto& safety_check(X& x) {
+    return x;
+}
+
+template <typename X>
+    requires (!std::is_copy_constructible_v<X>)
+inline constexpr auto safety_check(X&& x) {
+    return std::forward<X>(x);
+}
+
+template <typename X>
+    requires std::is_bounded_array_v<X>
+inline constexpr auto safety_check(X const& x) {
+    return std::span(x);
+}
 
 //-----------------------------------------------------------------------
 //

regression-tests/test-results/pure2-intro-example-hello-2022.cpp

@@ -19,7 +19,7 @@ auto println(auto const& x, auto const& len) -> void;
     std::span view { vec }; 
 
     for ( auto&& cpp2_range = view;  auto& str : cpp2_range ) {
-        auto len { decorate(str) }; 
+        auto len { cpp2::safety_check(decorate(str)) }; 
         println(str, len);
     }
 }

regression-tests/test-results/pure2-stdio.cpp

@@ -16,7 +16,7 @@
 //
 [[nodiscard]] auto main() -> int{
     std::string s { "Fred" }; 
-    auto myfile { fopen("xyzzy", "w") }; 
+    auto myfile { cpp2::safety_check(fopen("xyzzy", "w")) }; 
     CPP2_UFCS(fprintf, myfile, "Hello %s with UFCS!", CPP2_UFCS_0(c_str, s));
     CPP2_UFCS_0(fclose, myfile);
 }

source/cppfront.cpp

@@ -621,6 +621,7 @@ class cppfront
     bool violates_bounds_safety          = false;
     bool violates_initialization_safety  = false;
     bool suppress_move_from_last_use     = false;
+    bool needs_safetycheck               = false;
 
     //  For lowering
     //
@@ -1091,7 +1092,7 @@ class cppfront
 
         in_definite_init = is_definite_initialization(n.identifier);
         if (!in_definite_init && !in_parameter_list) {
-            if (auto decl = sema.get_local_declaration_of(*n.identifier);
+            if (auto decl = sema.get_declaration_of(*n.identifier);
                 is_local_name &&
                 decl &&
                 //  note pointer equality: if we're not in the actual declaration of n.identifier
@@ -1564,10 +1565,10 @@ class cppfront
             return true;
 
         if (decl->declaration->dereference) {
-            auto deref = sema.get_local_declaration_of(*decl->declaration->dereference);
+            auto deref = sema.get_declaration_of(*decl->declaration->dereference);
             return is_it_pointer_declaration(deref, deref_cnt+decl->declaration->dereference_cnt, addr_cnt);
         } else if (decl->declaration->address_of) {
-            auto addr = sema.get_local_declaration_of(*decl->declaration->address_of);
+            auto addr = sema.get_declaration_of(*decl->declaration->address_of);
             return is_it_pointer_declaration(addr, deref_cnt, addr_cnt+1);
         }
 
@@ -1590,6 +1591,7 @@ class cppfront
     {
         assert(n.expr);
         last_postfix_expr_was_pointer = false;
+        bool add_safetycheck = false;
 
         //  Check that this isn't pointer arithmentic
         //      (initial partial implementation)
@@ -1601,7 +1603,7 @@ class cppfront
             {
                 auto& unqual = std::get<id_expression_node::unqualified>(id->id);
                 assert(unqual);
-                auto decl = sema.get_local_declaration_of(*unqual->identifier);
+                auto decl = sema.get_declaration_of(*unqual->identifier, true);
 
                 bool is_pointer = false;
                 if (decl && decl->declaration) {
@@ -1612,8 +1614,8 @@ class cppfront
                     }
                 }
 
-                //  TODO: Generalize this -- for now we detect only multi-level cases of the form "p: ***int = ...;"
-                //        We don't recognize pointer types that are deduced or from Cpp1
+                // if initialized by something suspicious (that we have no information about) we need to add cpp1 safety checks
+                add_safetycheck = !decl && needs_safetycheck;
                 if (is_it_pointer_declaration(decl) || !unqual->pointer_declarators.empty() || is_pointer) {
                     if (n.ops.empty()) {
                         last_postfix_expr_was_pointer = true;
@@ -1641,6 +1643,16 @@ class cppfront
             }
         }
 
+        std::shared_ptr<void> _on_return;
+
+        if (add_safetycheck) {
+            needs_safetycheck = false;
+            printer.print_cpp2("cpp2::safety_check(", n.position());
+            _on_return = [](auto l) { return std::shared_ptr<void>(nullptr, l); }([&](auto){
+                printer.print_cpp2(")", n.position());
+            });
+        }
+
         //  Simple case: If there are no .ops, just emit the expression
         if (n.ops.empty()) {
             emit(*n.expr);
@@ -2592,7 +2604,9 @@ class cppfront
 
                 push_need_expression_list_parens(false);
                 assert( n.initializer );
+                needs_safetycheck = n.initializer->suspicious_initialization;
                 emit( *n.initializer, false );
+                needs_safetycheck = false;
                 pop_need_expression_list_parens();
 
                 printer.print_cpp2( " }", n.position() );

source/parse.h

@@ -693,6 +693,7 @@ struct statement_node
 {
     token const*                                     let;
     std::unique_ptr<parameter_declaration_list_node> let_params;
+    token const*                                     suspicious_initialization = nullptr;
 
     enum active { expression=0, compound, selection, declaration, return_, iteration, contract, inspect };
     std::variant<
@@ -2880,6 +2881,8 @@ class parser
                 }
             }
 
+            token const* suspicious_initialization  = nullptr;
+
             if (deduced_type) {
                 if (peek(1)->type() == lexeme::Ampersand) {
                     n->address_of  = &curr();
@@ -2890,13 +2893,19 @@ class parser
                     while(peek(n->dereference_cnt+1)->type() == lexeme::Multiply) {
                         n->dereference_cnt += 1;
                     }
+                } 
+                else if ((peek(1)->type() == lexeme::LeftParen && curr().type() != lexeme::Colon)
+                            || curr().type() == lexeme::Identifier ) {
+                    suspicious_initialization = &curr();
                 }
             }
 
             if (!(n->initializer = statement(semicolon_required, n->equal_sign))) {
                 error("ill-formed initializer");
                 next();
                 return {};
+            } else {
+                n->initializer->suspicious_initialization = suspicious_initialization;
             }
         }
 

source/sema.h

@@ -226,9 +226,8 @@ class sema
     {
     }
 
-    //  Get the declaration of t within the same named function
-    //
-    auto get_local_declaration_of(token const& t) -> declaration_sym const*
+
+    auto get_declaration_of(token const& t, bool look_beyond_current_function = false) -> declaration_sym const*
     {
         //  First find the position the query is coming from
         //  and remember its depth
@@ -255,9 +254,11 @@ class sema
                 //  Don't look beyond the start of the current named (has identifier) function
                 //  (an unnamed function is ok to look beyond)
                 assert(decl.declaration);
-                if (decl.declaration->type.index() == declaration_node::function &&
-                    decl.declaration->identifier)
-                {
+                if (
+                    decl.declaration->type.index() == declaration_node::function
+                    && decl.declaration->identifier
+                    && !look_beyond_current_function
+                ) {
                     return nullptr;
                 }
 
@@ -895,7 +896,7 @@ class sema
         {
             //  Put this into the table if it's a use of an object in scope
             //  or it's a 'copy' parameter
-            if (auto decl = get_local_declaration_of(t);
+            if (auto decl = get_declaration_of(t);
                 decl
                 )
             {