Add support for safety checks for pointers from cpp1

Author: filipsajdak

include/cpp2util.h

@@ -494,6 +494,129 @@ class out {
 }(PARAM1)
 //--------------------------------------------------------------------
 
+//-----------------------------------------------------------------------
+//
+//  cpp2::safety_check() ensures that cpp1 pointers are also covered by safetychecks
+//
+//-----------------------------------------------------------------------
+//
+template <typename... Ts>
+inline constexpr auto program_violates_lifetime_safety_guarantee = sizeof...(Ts) < 0;
+
+template <typename T>
+    requires std::is_pointer_v<T>
+class safetychecked_pointer {
+    T ptr;
+public:
+
+    constexpr safetychecked_pointer(T ptr) : ptr{ptr} {}
+
+    constexpr operator T&() noexcept { return ptr; }
+
+    template <typename... Ts> void operator+  () const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename... Ts> void operator-  () const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator+  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator-  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator*  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator/  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator%  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X> void operator^  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X> void operator&  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X> void operator|  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+
+    template <typename... Ts> void operator++ (Ts...) const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename... Ts> void operator-- (Ts...) const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename... Ts> void operator[] (Ts...) const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator+= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator-= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator*= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator/= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+
+    template <typename... Ts> void operator~  ()  const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator%= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator^= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator&= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator|= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator<<=(X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator>>=(X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator<< (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator>> (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+
+    template <typename X > friend void operator+ (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X > friend void operator- (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X > friend void operator* (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X > friend void operator/ (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X > friend void operator% (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X > friend void operator^ (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X > friend void operator& (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X > friend void operator| (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+
+
+    template <typename X>
+        requires (std::is_same_v<T,X> || std::is_base_of_v<T, X>)
+    constexpr safetychecked_pointer& operator=(X lhs) noexcept {
+        ptr = lhs;
+        return *this;
+    }
+
+    template <typename X>
+        requires std::is_same_v<std::nullptr_t,X>
+    constexpr void operator=(X lhs) noexcept { static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer assignment from null is illegal"); }
+
+    template <typename X>
+        requires std::is_integral_v<X>
+    constexpr void operator=(X lhs) noexcept { static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer assignment from integer is illegal"); }
+
+    bool operator!() const { return !ptr; }
+
+    constexpr safetychecked_pointer<T*> operator&() noexcept { return &ptr; }
+
+    constexpr auto operator*() noexcept {
+        if constexpr (std::is_pointer_v<CPP2_TYPEOF(*ptr)>) {
+            return safetychecked_pointer<CPP2_TYPEOF(*ptr)>(*ptr);
+        } else {
+            return *ptr;
+        }
+    }
+
+    constexpr T operator->() const noexcept { return ptr; }
+};
+
+template <typename X>
+    requires ( !std::is_pointer_v<std::remove_cvref_t<X>>
+               && std::is_copy_constructible_v<X> )
+decltype(auto) safety_check(const X& x) {
+    return x;
+}
+
+template <typename X>
+    requires std::is_rvalue_reference_v<X>
+decltype(auto) safety_check(X&& x) {
+    return x;
+}
+
+template <typename X>
+    requires std::is_pointer_v<std::remove_cvref_t<X>>
+auto safety_check(X x) {
+    return safetychecked_pointer(x);
+}
+
+template <typename X>
+    requires (!std::is_pointer_v<std::remove_cvref_t<X>> && !std::is_function_v<X>)
+auto& safety_check(X& x) {
+    return x;
+}
+
+template <typename X>
+    requires (!std::is_copy_constructible_v<X>)
+auto safety_check(X&& x) {
+    return std::forward<X>(x);
+}
+
+template <typename X, std::size_t N>
+decltype(auto) safety_check(X (&x)[N]) {
+    static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");
+}
 
 //-----------------------------------------------------------------------
 //

source/cppfront.cpp

@@ -621,6 +621,7 @@ class cppfront
     bool violates_bounds_safety          = false;
     bool violates_initialization_safety  = false;
     bool suppress_move_from_last_use     = false;
+    bool needs_safetycheck               = false;
 
     //  For lowering
     //
@@ -1579,6 +1580,7 @@ class cppfront
     {
         assert(n.expr);
         last_postfix_expr_was_pointer = false;
+        bool add_safetycheck = false;
 
         //  Check that this isn't pointer arithmentic
         //      (initial partial implementation)
@@ -1590,9 +1592,10 @@ class cppfront
             {
                 auto& unqual = std::get<id_expression_node::unqualified>(id->id);
                 assert(unqual);
-                auto decl = sema.get_declaration_of(*unqual->identifier);
-                //  TODO: Generalize this -- for now we detect only multi-level cases of the form "p: ***int = ...;"
-                //        We don't recognize pointer types from Cpp1
+                auto decl = sema.get_declaration_of(*unqual->identifier, true);
+
+                // if initialized by something suspicious (that we have no information about) we need to add cpp1 safety checks
+                add_safetycheck = !decl && needs_safetycheck;
                 if (is_it_pointer_declaration(decl)) {
                     if (n.ops.empty()) {
                         last_postfix_expr_was_pointer = true;
@@ -1620,6 +1623,16 @@ class cppfront
             }
         }
 
+        std::shared_ptr<void> _on_return;
+
+        if (add_safetycheck) {
+            needs_safetycheck = false;
+            printer.print_cpp2("cpp2::safety_check(", n.position());
+            _on_return = [](auto l) { return std::shared_ptr<void>(nullptr, l); }([&](auto){
+                printer.print_cpp2(")", n.position());
+            });
+        }
+
         //  Simple case: If there are no .ops, just emit the expression
         if (n.ops.empty()) {
             emit(*n.expr);
@@ -2578,6 +2591,7 @@ class cppfront
 
                 push_need_expression_list_parens(false);
                 assert( n.initializer );
+                needs_safetycheck = n.initializer->suspicious_initialization;
                 emit( *n.initializer, false );
                 pop_need_expression_list_parens();
 

source/parse.h

@@ -692,6 +692,7 @@ struct statement_node
 {
     token const*                                     let;
     std::unique_ptr<parameter_declaration_list_node> let_params;
+    token const*                                     suspicious_initialization = nullptr;
 
     enum active { expression=0, compound, selection, declaration, return_, iteration, contract, inspect };
     std::variant<
@@ -2883,6 +2884,8 @@ class parser
                 }
             }
 
+            token const* suspicious_initialization  = nullptr;
+
             if (deduced_type) {
                 if (peek(1)->type() == lexeme::Ampersand) {
                     n->address_of  = &curr();
@@ -2892,13 +2895,18 @@ class parser
                     while(peek(n->dereference_cnt+1)->type() == lexeme::Multiply) {
                         n->dereference_cnt += 1;
                     }
+                } else if ((peek(1)->type() == lexeme::LeftParen && curr().type() != lexeme::Colon)
+                            || curr().type() == lexeme::Identifier ) {
+                    suspicious_initialization = &curr();
                 }
             }
 
             if (!(n->initializer = statement(semicolon_required, n->equal_sign))) {
                 error("ill-formed initializer");
                 next();
                 return {};
+            } else {
+                n->initializer->suspicious_initialization = suspicious_initialization;
             }
         }
 

source/sema.h

@@ -227,7 +227,7 @@ class sema
     }
 
 
-    auto get_declaration_of(token const& t) -> declaration_sym const*
+    auto get_declaration_of(token const& t, bool look_beyond_current_function = false) -> declaration_sym const*
     {
         //  First find the position the query is coming from
         //  and remember its depth
@@ -250,9 +250,8 @@ class sema
             {
                 auto const& decl = std::get<symbol::active::declaration>(i->sym);
 
-                //  Don't look beyond the current function
                 assert(decl.declaration);
-                if (decl.declaration->type.index() == declaration_node::function) {
+                if (!look_beyond_current_function && decl.declaration->type.index() == declaration_node::function) {
                     return nullptr;
                 }