checkedc / checkedc-fork

This was a fork of Checked C used from 2021-2024. The changes have been merged into the original Checked C repo.

Add rules for checking that variables and members with checked pointer types are initialized before use. #2

Closed secure-sw-dev-bot closed 2 years ago

secure-sw-dev-bot commented 2 years ago

This issue was copied from https://github.com/microsoft/checkedc/issues/2


We need to write rules for making sure that checked pointer variables are definitely initialized before use. Use includes taking the address of a checked pointer variable. Also need to make sure that structure members with checked pointer types are initialized before use.

secure-sw-dev-bot commented 2 years ago

Comment from @dtarditi:

Instead of requiring programmers to definitely initialize ptr and span variables before use, we could require that they be zeroed by the compiler. With advances in compiler optimization, it is probably no longer necessary for performance for automatic variables to be uninitialized by default, as they were when C was originally designed.

The advantage of the approach of requiring the compiler to do it is that we don't have to complicate the language with the description of a dataflow analysis for determining definite initialization. Instead, we can rely on compilers to eliminate unnecessary zero initializations. I believe there is not likely to be a difference between the two approaches. The dataflow analyses employed by good optimizing compilers are likely to eliminate at least as much zeroing initialization as can be omitted under language rules for definite assignment. The compilers can employ sophisticated aliasing analyses that you might not want to incorporate into language rules.

We could optionally allow a programmer to annotate variables or structures that are or contain ptrs/spans to be uninitialized at definition, and require that they be initialized before any use. We already have a mechanism (suspends/holds) for tracking information about the state of array_ptr members of structure variables. We could extend this to track ptrs/spans and variables that contain ptrs/spans. This seems like a promising direction to pursue because the problem of making sure that something is initialized is largely similar. In fact, it would be helpful to have a unified approach. Besides annotating whether a pointer is initialized, programmers might also have to annotate the initialization state of the memory referred to by the pointer.

Another approach might be to treat all variables as uninitialized and require programmers to annotate when the data has become initialized. This seems likely to lead to a lot of annotations, since programmers should always initialize data before use. This makes this approach less promising.

secure-sw-dev-bot commented 2 years ago

Comment from @dtarditi:

We have decided to just require the use of initializers for these variables for now. PR #252 added this to the specification. It also updated the future work section to include using definite assignment rules in the style of Java or C#.
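The definite-assignment rules weighed in the comments above (the Java/C# style that the specification now lists as future work) amount to a forward "must" dataflow over the control-flow graph. The following is an added illustration, not Checked C's code: a toy checker in Python over a hand-built CFG, where taking a pointer's address counts as a use, as the issue text requires. The CFG and the block/statement encoding are constructed for this example.

```python
from typing import Dict, List, Set, Tuple

# A block maps to (statements, successor block names). A statement is (op, var) with
# op in {"assign", "use", "addr"}; "addr" (taking a pointer's address) counts as a use.
Stmt = Tuple[str, str]
CFG = Dict[str, Tuple[List[Stmt], List[str]]]

def definite_assignment(cfg: CFG, entry: str) -> List[Tuple[str, int, str]]:
    """Forward 'must' dataflow: a variable is definitely assigned at a point only if it is
    assigned on every path from entry. Returns (block, stmt_index, var) for each bad use."""
    all_vars: Set[str] = {v for stmts, _ in cfg.values() for _, v in stmts}
    preds: Dict[str, List[str]] = {b: [] for b in cfg}
    for b, (_, succs) in cfg.items():
        for s in succs:
            preds[s].append(b)

    def block_in(b: str, out: Dict[str, Set[str]]) -> Set[str]:
        if b == entry:
            return set()  # nothing is initialized on entry (no compiler zeroing assumed)
        return set.intersection(*(out[p] for p in preds[b])) if preds[b] else set()

    # Start every OUT at "all variables" (lattice top) so loops converge to the greatest fixpoint.
    out: Dict[str, Set[str]] = {b: set(all_vars) for b in cfg}
    changed = True
    while changed:
        changed = False
        for b, (stmts, _) in cfg.items():
            new_out = block_in(b, out) | {v for op, v in stmts if op == "assign"}
            if new_out != out[b]:
                out[b], changed = new_out, True

    errors: List[Tuple[str, int, str]] = []
    for b, (stmts, _) in cfg.items():
        assigned = block_in(b, out)  # fresh set, safe to mutate while walking the block
        for i, (op, v) in enumerate(stmts):
            if op in ("use", "addr") and v not in assigned:
                errors.append((b, i, v))
            elif op == "assign":
                assigned.add(v)
    return errors

# Constructed CFG for:  _Ptr<int> p;  _Ptr<int> q = 0;  if (c) p = &x;  f(*p); g(&q); h(*q);
EXAMPLE: CFG = {
    "entry": ([("assign", "q")], ["then", "join"]),
    "then":  ([("assign", "p")], ["join"]),
    "join":  ([("use", "p"), ("addr", "q"), ("use", "q")], []),
}

if __name__ == "__main__":
    print(definite_assignment(EXAMPLE, "entry"))  # [('join', 0, 'p')]
```

`q` carries an initializer on every path and passes, while `p` is assigned on only one branch and is flagged at its first use; a loop whose body assigns the variable before any use also passes, since every path to the exit goes through the body.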