CTSRD-CHERI / cheri-c-programming

CHERI C/C++ Programming Guide

(u)intcap_t integer conversions #14

Closed kevin-brodsky-arm closed 2 years ago

kevin-brodsky-arm commented 3 years ago

The behaviour of CHERI LLVM w.r.t. conversions from (u)intcap_t to standard integer types has changed at some point last year, in such a way that these conversions are now always accepted without a warning, even when a cast is not used. It would be good to document this in the guide.

It would also be helpful if a flag was added to turn this warning back on for "paranoid" codebases; however it should remain disabled by default (even with -Wall and preferably -Wextra) as it is generally a false positive, and code should be able to rely on uintptr_t being implicitly convertible to other integer types.

arichardson commented 3 years ago

There should be a paranoid flag, but I can't trigger it with -Weverything -Wcheri-pedantic anymore.

Looking into the LLVM code it seems I accidentally broke this diagnostic for __(u)intcap here: https://github.com/CTSRD-CHERI/llvm-project/commit/66b79bda88b8d0ae147b9bbde8dae2f0d57cab21#diff-4fdb852060814c1dbd3853b66be7b44af5a3277c51599154ec680437cf328b89R1858

I believe changing the /*IncludeIntCap=*/false to /*IncludeIntCap=*/true should bring back the pedantic warning. Will look into this tomorrow.

arichardson commented 3 years ago

Actually looking at the diff it seems like it was already not working for intcap_t before that commit: There's some code that special-cases (u)intcap_t (// casting to integer from __(u)intcap_t is fine). I recall the warning was extremely noisy so I turned it off by default but I don't recall disabling it for intcap_t.

kevin-brodsky-arm commented 3 years ago

On a related topic I have another suggestion: when casting a capability down to a small integer (less than 64 bits), one gets: "error: cast from capability to smaller type 'int' loses information". I found this confusing, until I realised that this is in fact the same warning as when casting a 64-bit pointer to a small integer, except that in the error message "pointer" is replaced with "capability". I would suggest restoring the original text in that situation, because really the error is about the fact that the address is truncated, not the capability.

jrtc27 commented 2 years ago

-Wconversion covers implicit __intcap to plain integer conversions as of CTSRD-CHERI/llvm-project#539
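The two situations discussed in this thread, an implicit (u)intcap_t/uintptr_t-to-integer conversion and an explicit cast of a capability to a type narrower than its address, are illustrated below in a portable form. This is an added example written for this page, not code from the issue thread or from the CHERI project: the helper names (`implicit_narrow`, `low32_of_address`, `addr_to_u32`, `u32_or_default`) are hypothetical, and the CHERI branch assumes the `ptraddr_t` type and the `cheri_address_get()` intrinsic from `<cheriintrin.h>`; on a non-CHERI compiler the same code falls back to `uintptr_t`.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the issue thread or the CHERI project.
 * On CHERI targets the address part of a capability is a ptraddr_t read
 * with cheri_address_get() from <cheriintrin.h>; both names are assumed
 * here from the CHERI compiler's intrinsics header. On other targets the
 * whole pointer value fits in uintptr_t. */
#if defined(__CHERI__)
#include <cheriintrin.h>
typedef ptraddr_t addr_t;
#define PTR_ADDRESS(p) cheri_address_get((p))
#else
typedef uintptr_t addr_t;
#define PTR_ADDRESS(p) ((uintptr_t)(p))
#endif

/* The first case in the thread: a pointer-sized integer flows into a
 * narrower type without a cast. With -Wconversion (and, on CHERI, the
 * __intcap diagnostics discussed above) the compiler reports the narrowing;
 * without it the high address bits are silently dropped. */
static unsigned implicit_narrow(addr_t a)
{
    return a; /* -Wconversion: implicit conversion loses integer precision */
}

/* Explicit, intentional truncation: keep only the low 32 address bits,
 * e.g. for a hash or a log tag. Masking an address value (not the pointer
 * itself) documents the intent, so the "loses information" diagnostic
 * from the thread does not apply. */
static uint32_t low32_of_address(const void *p)
{
    addr_t a = PTR_ADDRESS(p);
    return (uint32_t)(a & 0xffffffffu);
}

/* Checked narrowing: succeed only when the address really fits in 32 bits,
 * otherwise report failure instead of returning a truncated value. */
static int addr_to_u32(addr_t a, uint32_t *out)
{
    if (a > (addr_t)UINT32_MAX)
        return 0;
    *out = (uint32_t)a;
    return 1;
}

/* Convenience wrapper around addr_to_u32: the value if it fits, else dflt. */
static uint32_t u32_or_default(addr_t a, uint32_t dflt)
{
    uint32_t v;
    return addr_to_u32(a, &v) ? v : dflt;
}

int main(void)
{
    static char buf[16]; /* constructed: any object gives us an address */
    printf("low32    = 0x%08x\n", low32_of_address(buf));
    printf("implicit = 0x%08x\n", implicit_narrow(PTR_ADDRESS(buf)));
    printf("checked  = 0x%08x\n", u32_or_default(PTR_ADDRESS(buf), 0xffffffffu));
    printf("small    = 0x%08x\n", u32_or_default((addr_t)0x1234u, 0xffffffffu));
    return 0;
}
```

Compiling with `-Wconversion` (or, per the thread, the CHERI-specific pedantic diagnostics once they are wired up again) flags only `implicit_narrow`; the other two functions state the narrowing explicitly and so stay warning-free on both CHERI and conventional targets.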