correctcomputation / checkedc-clang

This is the primary development repository for 3C, a tool for automatically converting legacy C code to the Checked C extension of C, which aims to enforce spatial memory safety. This repository is a fork of Checked C's.

Swap -alltypes for -noalltypes #288

Open mwhicks1 opened 4 years ago

mwhicks1 commented 4 years ago

Support for array pointer and bounds inference has improved to the point that it should be the rule, rather than the exception. As such, it makes sense to swap the -alltypes flag for -noalltypes.

This should be easy to do in the code: The CConv.cpp flag Alltypes can stay as it is, we just need to change the code in CConvStandalone.cpp so that the default for this boolean is true, not false, i.e., something like

static cl::opt<bool> OptAllTypes("noalltypes",
                              cl::desc("Do not consider all Checked C types for "
                                       "conversion"),
                              cl::init(false),
                              cl::cat(ConvertCategory));

and then later

  CcOptions.EnableAllTypes = !OptAllTypes;

mattmccutchen-cci commented 3 years ago

FTR: As of the October 2020 milestone, we generally recommend -alltypes but haven't yet made it the default because it breaks some things (TBD who has the details on this) and will say so in the readme.

kyleheadley commented 3 years ago

To add information: the output of 3c without -alltypes should always compile in checkedc clang, while the output with it has no such guarantee. Array bounds, for example on _Array_ptr's, are not always inferred, but clang requires them for dereferences.

I'm adding label "won't fix" but leaving this open for when we change our minds.

mattmccutchen-cci commented 3 years ago

In terms of choosing the default, are we sure that a guarantee of successful compilation is still more important than inserting more annotations? Remember, users can always override the flag.

If we switch the default: Should we keep -alltypes as a no-op for compatibility with existing scripts? (Or even fancier, make -alltypes later on the command line override -noalltypes earlier, a common behavior in other command-line programs? Some option parsing libraries make this easy; LLVM's may not.) If we don't keep it, how much work will it be to coordinate the flip across all our repositories, and are we assuming no outsiders are depending on this yet?
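The flag semantics discussed above (default on, -noalltypes opts out, -alltypes kept as a compatible no-op, later flag wins), as a small standalone model added here for illustration; this is hypothetical example code, not 3C's cl::opt-based parsing, and the function name is assumed.

```cpp
#include <string>
#include <vector>

// Hypothetical model of the proposed option handling (not 3C's own code).
// Returns the value CcOptions.EnableAllTypes would receive for the given
// command-line arguments, with the last of -alltypes/-noalltypes winning.
bool enableAllTypesFromArgs(const std::vector<std::string> &Args) {
  bool AllTypes = true;  // proposed new default: -alltypes behaviour is on
  for (const std::string &A : Args) {
    if (A == "-alltypes" || A == "--alltypes")
      AllTypes = true;   // kept for existing scripts; re-enables if after -noalltypes
    else if (A == "-noalltypes" || A == "--noalltypes")
      AllTypes = false;  // the new opt-out
    // Any other argument (source files, other 3c options) is ignored here.
  }
  return AllTypes;
}
```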

mwhicks1 commented 3 years ago

Even if -alltypes doesn't produce compilable code, I would suggest that it's the right default for a serious project, i.e., one for which you have the goal of eventually porting most/all of it to Checked C. That's why I suggested this change (to -noalltypes rather than -alltypes). I don't care too much, but I still feel like making this change is the right thing to do.

kyleheadley commented 3 years ago

I believe @jackastner was the hold-out in our meeting. Do you still have a strong opinion, John?