Double casts often required when using __cheri_tocap

[brooksdavis]

Current, this code is invalid:

char *astring;
void * __capability acapptr;
acapptr = (__cheri_tocap void * __capability)astring;

You get an error like:

error: invalid __cheri_tocap from 'char *' to unrelated type 'void * __capability

This can be eliminated with something like

acapptr = (__cheri_tocap void * __capability)(void *)astring;

This is really quite intrusive and I'm not convinced it's the right thing. At a minimum, I think casts to void* should just work.

[brooksdavis]

Even the fixup code doesn't think this should be the case. For example, this suggestion results an an error because uiop->uio_iov->iov_base is a void * __capability and thus char * is an unrelated type.

/home/bed22/git/cheribsd/sys/fs/nfsclient/nfs_clcomsubs.c:275:9: error: 
      converting capability type 'void * __capability' to non-capability type
      'char *' without an explicit cast; if this is intended use __cheri_fromcap
                uiocp = uiop->uio_iov->iov_base;
                      ^
                        (__cheri_fromcap char *)

[khilangudka]

Should this still be a warning or should we just allow it?

[arichardson]

I think casts to and from void* are probably fine, but I would really like to keep this behaviour for other incompatible types. I wanted __cheri_cast to only change capability vs mips pointer and not change types as well to be explicit about these operations. C treats void* specially, so I think having it special in __cheri_{from,to}cap should also be fine.

[arichardson]

The fixup code is rather stupid and only prints the target type without checking whether that would be correct.

[khilangudka]

Yes we should add a check on the types themselves. I also agree with special casing void. I guess in this case the fixup code would then be correct but if void was not involved then it would complain about incompatible types.