Open secure-sw-dev-bot opened 2 years ago
Comment from @dtarditi:
This is due to missing functionality when comparing bounds expressions for equivalence. We check that the subexpressions of the bounds expressions are equivalent. When checking pointer arithmetic expressions for equivalence, we check that the types of arguments are identical and that the corresponding operands are equivalent. The check on types is too strict. For the pointer-typed operands, we only need to check that the referent types of the pointer types have the same size. For the integer-typed operands, we only need to check that they have the same signedness.
This issue was copied from https://github.com/microsoft/checkedc-clang/issues/540
When calling memset on an array_ptr, the checkedc-clang will be unable to "prove argument meets declared bounds", saying that:
expected bounds: bounds((array_ptr<char>)dst, (array_ptr<char>)dst + len)
and inferred bounds: bounds(dst, dst + len)
To remove the warning, the array_ptr needs to be explicitly cast to an array_ptr. Our bounds safe interface uses array_ptr in its description of the bounds for memset (since pointer arithmetic on void pointers doesn't make sense), but it seems a bit confusing to force an equivalently sized type to cast to char in order to compile memset.
According to the internet, the signedness of char isn't properly specified in C but char is treated as signed by default by gcc and MSVC (but unsigned in at least some versions of Android). Therefore I'm not sure whether the comment above applies in this case; however it still seems that memset should not require the explicit cast to array_ptr.
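The following is an added example, not code from this issue or from checkedc-clang. It models the bounds-expression equivalence check that @dtarditi describes on a toy C AST: the strict rule (operand types must be identical) is placed beside the relaxed rule (pointer operands need only referent types of the same size, integer operands need only the same signedness), and both are run over the expected and inferred memset bounds quoted above. The names dst and len and the two bounds expressions come from the issue; the assumption that dst points to a 1-byte unsigned type (the copied text elides its type) and that same-size pointer casts are looked through are mine, as is the whole type model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy type model (constructed for this example, not the compiler's own):
 * a pointer type records the size and signedness of its referent; an
 * integer type records its own size and signedness. */
typedef enum { TY_PTR, TY_INT } TypeKind;
typedef struct {
    TypeKind kind;
    size_t   size;      /* TY_PTR: sizeof(referent); TY_INT: sizeof(integer) */
    bool     is_signed; /* TY_PTR: referent signedness; TY_INT: own signedness */
} Type;

/* Bounds-expression nodes: a variable, a cast of a subexpression, or
 * pointer-plus-integer arithmetic. */
typedef enum { EX_VAR, EX_CAST, EX_ADD } ExprKind;
typedef struct Expr {
    ExprKind           kind;
    Type               type; /* type of this whole subexpression */
    const char        *name; /* EX_VAR only */
    const struct Expr *a;    /* EX_CAST: operand; EX_ADD: pointer operand */
    const struct Expr *b;    /* EX_ADD: integer operand */
} Expr;

typedef struct { const Expr *lo, *hi; } Bounds;
typedef bool (*TypeRule)(Type, Type);

/* Strict rule the issue describes: operand types must be identical. */
static bool types_identical(Type x, Type y) {
    return x.kind == y.kind && x.size == y.size && x.is_signed == y.is_signed;
}

/* Relaxed rule from the comment: pointers need only same-size referents,
 * integers need only the same signedness. */
static bool types_compatible(Type x, Type y) {
    if (x.kind != y.kind) return false;
    return x.kind == TY_PTR ? x.size == y.size : x.is_signed == y.is_signed;
}

/* Assumption: a cast between pointer types whose referents have the same
 * size is value-preserving, so the comparison looks through it. */
static const Expr *strip_ptr_casts(const Expr *e) {
    while (e->kind == EX_CAST && e->type.kind == TY_PTR &&
           e->a->type.kind == TY_PTR && e->type.size == e->a->type.size)
        e = e->a;
    return e;
}

/* Structural equivalence of two subexpressions under a given type rule. */
static bool expr_equiv(const Expr *x, const Expr *y, TypeRule rule) {
    x = strip_ptr_casts(x);
    y = strip_ptr_casts(y);
    if (x->kind != y->kind) return false;
    switch (x->kind) {
    case EX_VAR:  return strcmp(x->name, y->name) == 0;
    case EX_CAST: return rule(x->type, y->type) && expr_equiv(x->a, y->a, rule);
    case EX_ADD:  return rule(x->a->type, y->a->type) && rule(x->b->type, y->b->type) &&
                         expr_equiv(x->a, y->a, rule) && expr_equiv(x->b, y->b, rule);
    }
    return false;
}

static bool bounds_equiv(Bounds x, Bounds y, TypeRule rule) {
    return expr_equiv(x.lo, y.lo, rule) && expr_equiv(x.hi, y.hi, rule);
}

/* Constructed scenario modelled on the issue. Assumption: dst points to a
 * 1-byte unsigned type (the copied text elides it); len is a size_t. */
static const Expr dst = { EX_VAR, { TY_PTR, 1, false }, "dst", NULL, NULL };
static const Expr len = { EX_VAR, { TY_INT, sizeof(size_t), false }, "len", NULL, NULL };
/* expected bounds: bounds((array_ptr<char>)dst, (array_ptr<char>)dst + len) */
static const Expr cast_dst    = { EX_CAST, { TY_PTR, 1, true }, NULL, &dst, NULL };
static const Expr expected_hi = { EX_ADD,  { TY_PTR, 1, true }, NULL, &cast_dst, &len };
/* inferred bounds: bounds(dst, dst + len) */
static const Expr inferred_hi = { EX_ADD,  { TY_PTR, 1, false }, NULL, &dst, &len };
static const Bounds expected = { &cast_dst, &expected_hi };
static const Bounds inferred = { &dst, &inferred_hi };

bool memset_bounds_equiv_strict(void)  { return bounds_equiv(expected, inferred, types_identical); }
bool memset_bounds_equiv_relaxed(void) { return bounds_equiv(expected, inferred, types_compatible); }

/* The relaxed rule still rejects a referent of a different size ... */
static const Expr cast_dst_int = { EX_CAST, { TY_PTR, sizeof(int), true }, NULL, &dst, NULL };
static const Expr int_hi       = { EX_ADD,  { TY_PTR, sizeof(int), true }, NULL, &cast_dst_int, &len };
static const Bounds int_bounds = { &cast_dst_int, &int_hi };
bool int_referent_equiv_relaxed(void) { return bounds_equiv(int_bounds, inferred, types_compatible); }

/* ... and a length whose signedness differs (len cast to a signed type). */
static const Expr signed_len = { EX_CAST, { TY_INT, sizeof(size_t), true }, NULL, &len, NULL };
static const Expr signed_hi  = { EX_ADD,  { TY_PTR, 1, false }, NULL, &dst, &signed_len };
static const Bounds signed_bounds = { &dst, &signed_hi };
bool signed_len_equiv_relaxed(void) { return bounds_equiv(signed_bounds, inferred, types_compatible); }

int main(void) {
    printf("memset bounds, strict rule:      %d\n", memset_bounds_equiv_strict());
    printf("memset bounds, relaxed rule:     %d\n", memset_bounds_equiv_relaxed());
    printf("int referent, relaxed rule:      %d\n", int_referent_equiv_relaxed());
    printf("signed length, relaxed rule:     %d\n", signed_len_equiv_relaxed());
    return 0;
}
```

Under the strict rule the memset bounds are rejected only because the pointer operand of the addition is char-typed on one side and unsigned on the other; the relaxed rule accepts them while still rejecting a cast to a wider referent and a length of different signedness, which is the distinction the comment draws.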