[libc++][hardening] Constrain construction for __{(static_)bounded,wrap}_iter (#115271)

This PR restricts construction to cases where reference types of
source/destination iterators are (`T&`, `T&`) or (`T&`, `const T&`) (
where `T` can be const).

Fixes #50058.

Author: frederick-vs-ja

libcxx/include/__iterator/bounded_iter.h

@@ -16,9 +16,13 @@
 #include <__config>
 #include <__iterator/iterator_traits.h>
 #include <__memory/pointer_traits.h>
+#include <__type_traits/conjunction.h>
+#include <__type_traits/disjunction.h>
 #include <__type_traits/enable_if.h>
 #include <__type_traits/integral_constant.h>
 #include <__type_traits/is_convertible.h>
+#include <__type_traits/is_same.h>
+#include <__type_traits/make_const_lvalue_ref.h>
 #include <__utility/move.h>
 
 #if !defined(_LIBCPP_HAS_NO_PRAGMA_SYSTEM_HEADER)
@@ -70,7 +74,12 @@ struct __bounded_iter {
   _LIBCPP_HIDE_FROM_ABI __bounded_iter(__bounded_iter const&) = default;
   _LIBCPP_HIDE_FROM_ABI __bounded_iter(__bounded_iter&&)      = default;
 
-  template <class _OtherIterator, __enable_if_t< is_convertible<_OtherIterator, _Iterator>::value, int> = 0>
+  template < class _OtherIterator,
+             __enable_if_t<
+                 _And< is_convertible<const _OtherIterator&, _Iterator>,
+                       _Or<is_same<reference, __iter_reference<_OtherIterator> >,
+                           is_same<reference, __make_const_lvalue_ref<__iter_reference<_OtherIterator> > > > >::value,
+                 int> = 0>
   _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR __bounded_iter(__bounded_iter<_OtherIterator> const& __other) _NOEXCEPT
       : __current_(__other.__current_),
         __begin_(__other.__begin_),

libcxx/include/__iterator/static_bounded_iter.h

@@ -17,9 +17,13 @@
 #include <__cstddef/size_t.h>
 #include <__iterator/iterator_traits.h>
 #include <__memory/pointer_traits.h>
+#include <__type_traits/conjunction.h>
+#include <__type_traits/disjunction.h>
 #include <__type_traits/enable_if.h>
 #include <__type_traits/integral_constant.h>
 #include <__type_traits/is_convertible.h>
+#include <__type_traits/is_same.h>
+#include <__type_traits/make_const_lvalue_ref.h>
 #include <__utility/move.h>
 
 #if !defined(_LIBCPP_HAS_NO_PRAGMA_SYSTEM_HEADER)
@@ -93,7 +97,12 @@ struct __static_bounded_iter {
   _LIBCPP_HIDE_FROM_ABI __static_bounded_iter(__static_bounded_iter const&) = default;
   _LIBCPP_HIDE_FROM_ABI __static_bounded_iter(__static_bounded_iter&&)      = default;
 
-  template <class _OtherIterator, __enable_if_t<is_convertible<_OtherIterator, _Iterator>::value, int> = 0>
+  template <class _OtherIterator,
+            __enable_if_t<
+                _And< is_convertible<const _OtherIterator&, _Iterator>,
+                      _Or<is_same<reference, __iter_reference<_OtherIterator> >,
+                          is_same<reference, __make_const_lvalue_ref<__iter_reference<_OtherIterator> > > > >::value,
+                int> = 0>
   _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR
   __static_bounded_iter(__static_bounded_iter<_OtherIterator, _Size> const& __other) _NOEXCEPT
       : __storage_(__other.__storage_.__current(), __other.__storage_.__begin()) {}
@@ -264,7 +273,7 @@ struct __static_bounded_iter {
 private:
   template <class>
   friend struct pointer_traits;
-  template <class, size_t, class>
+  template <class, size_t>
   friend struct __static_bounded_iter;
   __static_bounded_iter_storage<_Iterator, _Size> __storage_;
 

libcxx/include/__iterator/wrap_iter.h

@@ -17,9 +17,13 @@
 #include <__iterator/iterator_traits.h>
 #include <__memory/addressof.h>
 #include <__memory/pointer_traits.h>
+#include <__type_traits/conjunction.h>
+#include <__type_traits/disjunction.h>
 #include <__type_traits/enable_if.h>
 #include <__type_traits/integral_constant.h>
 #include <__type_traits/is_convertible.h>
+#include <__type_traits/is_same.h>
+#include <__type_traits/make_const_lvalue_ref.h>
 
 #if !defined(_LIBCPP_HAS_NO_PRAGMA_SYSTEM_HEADER)
 #  pragma GCC system_header
@@ -45,9 +49,14 @@ class __wrap_iter {
 
 public:
   _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX14 __wrap_iter() _NOEXCEPT : __i_() {}
-  template <class _Up, __enable_if_t<is_convertible<_Up, iterator_type>::value, int> = 0>
-  _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX14 __wrap_iter(const __wrap_iter<_Up>& __u) _NOEXCEPT
-      : __i_(__u.base()) {}
+  template <
+      class _OtherIter,
+      __enable_if_t< _And< is_convertible<const _OtherIter&, _Iter>,
+                           _Or<is_same<reference, __iter_reference<_OtherIter> >,
+                               is_same<reference, __make_const_lvalue_ref<__iter_reference<_OtherIter> > > > >::value,
+                     int> = 0>
+  _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX14 __wrap_iter(const __wrap_iter<_OtherIter>& __u) _NOEXCEPT
+      : __i_(__u.__i_) {}
   _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX14 reference operator*() const _NOEXCEPT { return *__i_; }
   _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX14 pointer operator->() const _NOEXCEPT {
     return std::__to_address(__i_);

libcxx/test/libcxx/iterators/contiguous_iterators.conv.compile.pass.cpp

@@ -0,0 +1,63 @@
+//===----------------------------------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+//
+
+// <iterator>
+
+// __bounded_iter<_Iter>
+// __static_bounded_iter<_Iter>
+// __wrap_iter<_Iter>
+
+// Verify that libc++-wrapped iterators do not permit slicing conversion or construction.
+
+#include <array>
+#include <span>
+#include <type_traits>
+#include <vector>
+
+#include "test_macros.h"
+
+struct Base {};
+struct Derived : Base {};
+
+template <class B, class D, bool = std::is_pointer<typename std::array<B, 1>::iterator>::value>
+struct test_array_helper : std::true_type {
+  typedef typename std::array<B, 1>::iterator BaseIter;
+  typedef typename std::array<D, 1>::iterator DerivedIter;
+  typedef typename std::array<B, 1>::const_iterator BaseConstIter;
+  typedef typename std::array<D, 1>::const_iterator DerivedConstIter;
+
+  static_assert(!std::is_convertible<DerivedIter, BaseIter>::value, "");
+  static_assert(!std::is_convertible<DerivedIter, BaseConstIter>::value, "");
+  static_assert(!std::is_convertible<DerivedConstIter, BaseConstIter>::value, "");
+  static_assert(!std::is_constructible<BaseIter, DerivedIter>::value, "");
+  static_assert(!std::is_constructible<BaseConstIter, DerivedIter>::value, "");
+  static_assert(!std::is_constructible<BaseConstIter, DerivedConstIter>::value, "");
+};
+
+template <class B, class D>
+struct test_array_helper<B, D, true> : std::true_type {};
+
+static_assert(test_array_helper<Base, Derived>::value, "");
+
+static_assert(!std::is_convertible<std::vector<Derived>::iterator, std::vector<Base>::iterator>::value, "");
+static_assert(!std::is_convertible<std::vector<Derived>::iterator, std::vector<Base>::const_iterator>::value, "");
+static_assert(!std::is_convertible<std::vector<Derived>::const_iterator, std::vector<Base>::const_iterator>::value, "");
+static_assert(!std::is_constructible<std::vector<Base>::iterator, std::vector<Derived>::iterator>::value, "");
+static_assert(!std::is_constructible<std::vector<Base>::const_iterator, std::vector<Derived>::iterator>::value, "");
+static_assert(!std::is_constructible<std::vector<Base>::const_iterator, std::vector<Derived>::const_iterator>::value,
+              "");
+
+#if TEST_STD_VER >= 20
+static_assert(!std::is_convertible_v<std::span<Derived>::iterator, std::span<Base>::iterator>);
+static_assert(!std::is_convertible_v<std::span<Derived>::iterator, std::span<const Base>::iterator>);
+static_assert(!std::is_convertible_v<std::span<const Derived>::iterator, std::span<Base>::iterator>);
+static_assert(!std::is_constructible_v<std::span<Base>::iterator, std::span<Derived>::iterator>);
+static_assert(!std::is_constructible_v<std::span<Base>::iterator, std::span<const Derived>::iterator>);
+static_assert(!std::is_constructible_v<std::span<const Base>::iterator, std::span<const Derived>::iterator>);
+#endif