Add support for safety checks for pointers from cpp1

filipsajdak · filipsajdak · commit 49ce940db6ec · 2022-11-05T01:43:13.000+01:00
diff --git a/include/cpp2util.h b/include/cpp2util.h
@@ -494,6 +494,129 @@ class out {
 }(PARAM1)
 //--------------------------------------------------------------------
 
+//-----------------------------------------------------------------------
+//
+//  cpp2::safety_check() ensures that cpp1 pointers are also covered by safetychecks
+//
+//-----------------------------------------------------------------------
+//
+template <typename... Ts>
+inline constexpr auto program_violates_lifetime_safety_guarantee = sizeof...(Ts) < 0;
+
+template <typename T>
+    requires std::is_pointer_v<T>
+class safetychecked_pointer {
+    T ptr;
+public:
+
+    constexpr safetychecked_pointer(T ptr) : ptr{ptr} {}
+
+    constexpr operator T&() noexcept { return ptr; }
+
+    template <typename... Ts> void operator+  () const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename... Ts> void operator-  () const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator+  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator-  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator*  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator/  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator%  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X> void operator^  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X> void operator&  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X> void operator|  (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+
+    template <typename... Ts> void operator++ (Ts...) const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename... Ts> void operator-- (Ts...) const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename... Ts> void operator[] (Ts...) const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator+= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator-= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator*= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X> void operator/= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+
+    template <typename... Ts> void operator~  ()  const {static_assert(program_violates_lifetime_safety_guarantee<Ts...>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator%= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator^= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator&= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator|= (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator<<=(X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator>>=(X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator<< (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename    X > void operator>> (X) const {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+
+    template <typename X > friend void operator+ (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X > friend void operator- (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X > friend void operator* (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X > friend void operator/ (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");}
+    template <typename X > friend void operator% (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X > friend void operator^ (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X > friend void operator& (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+    template <typename X > friend void operator| (X, const safetychecked_pointer&)  {static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer bitwise manipulation is illegal - use std::bit_cast to convert to raw bytes first");}
+
+
+    template <typename X>
+        requires (std::is_same_v<T,X> || std::is_base_of_v<T, X>)
+    constexpr safetychecked_pointer& operator=(X lhs) noexcept {
+        ptr = lhs;
+        return *this;
+    }
+
+    template <typename X>
+        requires std::is_same_v<std::nullptr_t,X>
+    constexpr void operator=(X lhs) noexcept { static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer assignment from null is illegal"); }
+
+    template <typename X>
+        requires std::is_integral_v<X>
+    constexpr void operator=(X lhs) noexcept { static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer assignment from integer is illegal"); }
+
+    bool operator!() const { return !ptr; }
+
+    constexpr safetychecked_pointer<T*> operator&() noexcept { return &ptr; }
+
+    constexpr auto operator*() noexcept {
+        if constexpr (std::is_pointer_v<CPP2_TYPEOF(*ptr)>) {
+            return safetychecked_pointer<CPP2_TYPEOF(*ptr)>(*ptr);
+        } else {
+            return *ptr;
+        }
+    }
+
+    constexpr T operator->() const noexcept { return ptr; }
+};
+
+template <typename X>
+    requires ( !std::is_pointer_v<std::remove_cvref_t<X>>
+               && std::is_copy_constructible_v<X> )
+decltype(auto) safety_check(const X& x) {
+    return x;
+}
+
+template <typename X>
+    requires std::is_rvalue_reference_v<X>
+decltype(auto) safety_check(X&& x) {
+    return x;
+}
+
+template <typename X>
+    requires std::is_pointer_v<std::remove_cvref_t<X>>
+auto safety_check(X x) {
+    return safetychecked_pointer(x);
+}
+
+template <typename X>
+    requires (!std::is_pointer_v<std::remove_cvref_t<X>> && !std::is_function_v<X>)
+auto& safety_check(X& x) {
+    return x;
+}
+
+template <typename X>
+    requires (!std::is_copy_constructible_v<X>)
+auto safety_check(X&& x) {
+    return std::forward<X>(x);
+}
+
+template <typename X, std::size_t N>
+decltype(auto) safety_check(X (&x)[N]) {
+    static_assert(program_violates_lifetime_safety_guarantee<X>, "pointer arithmetic is illegal - use std::span or gsl::span instead");
+}
 
 //-----------------------------------------------------------------------
 //
diff --git a/source/cppfront.cpp b/source/cppfront.cpp
@@ -621,6 +621,7 @@ class cppfront
     bool violates_bounds_safety          = false;
     bool violates_initialization_safety  = false;
     bool suppress_move_from_last_use     = false;
+    bool needs_safetycheck               = false;
 
     //  For lowering
     //
@@ -1590,6 +1591,7 @@ class cppfront
     {
         assert(n.expr);
         last_postfix_expr_was_pointer = false;
+        bool add_safetycheck = false;
 
         //  Check that this isn't pointer arithmentic
         //      (initial partial implementation)
@@ -1601,7 +1603,7 @@ class cppfront
             {
                 auto& unqual = std::get<id_expression_node::unqualified>(id->id);
                 assert(unqual);
-                auto decl = sema.get_declaration_of(*unqual->identifier);
+                auto decl = sema.get_declaration_of(*unqual->identifier, true);
 
                 bool is_pointer = false;
                 if (decl && decl->declaration) {
@@ -1612,8 +1614,8 @@ class cppfront
                     }
                 }
 
-                //  TODO: Generalize this -- for now we detect only multi-level cases of the form "p: ***int = ...;"
-                //        We don't recognize pointer types that are deduced or from Cpp1
+                // if initialized by something suspicious (that we have no information about) we need to add cpp1 safety checks
+                add_safetycheck = !decl && needs_safetycheck;
                 if (is_it_pointer_declaration(decl) || !unqual->pointer_declarators.empty() || is_pointer) {
                     if (n.ops.empty()) {
                         last_postfix_expr_was_pointer = true;
@@ -1641,6 +1643,16 @@ class cppfront
             }
         }
 
+        std::shared_ptr<void> _on_return;
+
+        if (add_safetycheck) {
+            needs_safetycheck = false;
+            printer.print_cpp2("cpp2::safety_check(", n.position());
+            _on_return = [](auto l) { return std::shared_ptr<void>(nullptr, l); }([&](auto){
+                printer.print_cpp2(")", n.position());
+            });
+        }
+
         //  Simple case: If there are no .ops, just emit the expression
         if (n.ops.empty()) {
             emit(*n.expr);
@@ -2592,7 +2604,9 @@ class cppfront
 
                 push_need_expression_list_parens(false);
                 assert( n.initializer );
+                needs_safetycheck = n.initializer->suspicious_initialization;
                 emit( *n.initializer, false );
+                needs_safetycheck = false;
                 pop_need_expression_list_parens();
 
                 printer.print_cpp2( " }", n.position() );
diff --git a/source/parse.h b/source/parse.h
@@ -693,6 +693,7 @@ struct statement_node
 {
     token const*                                     let;
     std::unique_ptr<parameter_declaration_list_node> let_params;
+    token const*                                     suspicious_initialization = nullptr;
 
     enum active { expression=0, compound, selection, declaration, return_, iteration, contract, inspect };
     std::variant<
@@ -2876,6 +2877,8 @@ class parser
                 }
             }
 
+            token const* suspicious_initialization  = nullptr;
+
             if (deduced_type) {
                 if (peek(1)->type() == lexeme::Ampersand) {
                     n->address_of  = &curr();
@@ -2885,13 +2888,18 @@ class parser
                     while(peek(n->dereference_cnt+1)->type() == lexeme::Multiply) {
                         n->dereference_cnt += 1;
                     }
+                } else if ((peek(1)->type() == lexeme::LeftParen && curr().type() != lexeme::Colon)
+                            || curr().type() == lexeme::Identifier ) {
+                    suspicious_initialization = &curr();
                 }
             }
 
             if (!(n->initializer = statement(semicolon_required, n->equal_sign))) {
                 error("ill-formed initializer");
                 next();
                 return {};
+            } else {
+                n->initializer->suspicious_initialization = suspicious_initialization;
             }
         }
 
diff --git a/source/sema.h b/source/sema.h
@@ -227,7 +227,7 @@ class sema
     }
 
 
-    auto get_declaration_of(token const& t) -> declaration_sym const*
+    auto get_declaration_of(token const& t, bool look_beyond_current_function = false) -> declaration_sym const*
     {
         //  First find the position the query is coming from
         //  and remember its depth
@@ -250,9 +250,8 @@ class sema
             {
                 auto const& decl = std::get<symbol::active::declaration>(i->sym);
 
-                //  Don't look beyond the current function
                 assert(decl.declaration);
-                if (decl.declaration->type.index() == declaration_node::function) {
+                if (!look_beyond_current_function && decl.declaration->type.index() == declaration_node::function) {
                     return nullptr;
                 }
 

Original file line number	Diff line number	Diff line change
`@@ -693,6 +693,7 @@ struct statement_node`
`693`	`693`	`{`
`694`	`694`	`token const* let;`
`695`	`695`	`std::unique_ptr<parameter_declaration_list_node> let_params;`
	`696`	`+ token const* suspicious_initialization = nullptr;`
`696`	`697`
`697`	`698`	`enum active { expression=0, compound, selection, declaration, return_, iteration, contract, inspect };`
`698`	`699`	`std::variant<`
`@@ -2876,6 +2877,8 @@ class parser`
`2876`	`2877`	`}`
`2877`	`2878`	`}`
`2878`	`2879`
	`2880`	`+ token const* suspicious_initialization = nullptr;`
	`2881`	`+`
`2879`	`2882`	`if (deduced_type) {`
`2880`	`2883`	`if (peek(1)->type() == lexeme::Ampersand) {`
`2881`	`2884`	`n->address_of = &curr();`
`@@ -2885,13 +2888,18 @@ class parser`
`2885`	`2888`	`while(peek(n->dereference_cnt+1)->type() == lexeme::Multiply) {`
`2886`	`2889`	`n->dereference_cnt += 1;`
`2887`	`2890`	`}`
	`2891`	`+ } else if ((peek(1)->type() == lexeme::LeftParen && curr().type() != lexeme::Colon)`
	`2892`	`+ \|\| curr().type() == lexeme::Identifier ) {`
	`2893`	`+ suspicious_initialization = &curr();`
`2888`	`2894`	`}`
`2889`	`2895`	`}`
`2890`	`2896`
`2891`	`2897`	`if (!(n->initializer = statement(semicolon_required, n->equal_sign))) {`
`2892`	`2898`	`error("ill-formed initializer");`
`2893`	`2899`	`next();`
`2894`	`2900`	`return {};`
	`2901`	`+ } else {`
	`2902`	`+ n->initializer->suspicious_initialization = suspicious_initialization;`
`2895`	`2903`	`}`
`2896`	`2904`	`}`
`2897`	`2905`
Original file line number	Diff line number	Diff line change
`@@ -227,7 +227,7 @@ class sema`
`227`	`227`	`}`
`228`	`228`
`229`	`229`
`230`		`- auto get_declaration_of(token const& t) -> declaration_sym const*`
	`230`	`+ auto get_declaration_of(token const& t, bool look_beyond_current_function = false) -> declaration_sym const*`
`231`	`231`	`{`
`232`	`232`	`// First find the position the query is coming from`
`233`	`233`	`// and remember its depth`
`@@ -250,9 +250,8 @@ class sema`
`250`	`250`	`{`
`251`	`251`	`auto const& decl = std::get<symbol::active::declaration>(i->sym);`
`252`	`252`
`253`		`- // Don't look beyond the current function`
`254`	`253`	`assert(decl.declaration);`
`255`		`- if (decl.declaration->type.index() == declaration_node::function) {`
	`254`	`+ if (!look_beyond_current_function && decl.declaration->type.index() == declaration_node::function) {`
`256`	`255`	`return nullptr;`
`257`	`256`	`}`
`258`	`257`