Open mattmccutchen-cci opened 3 years ago
For whatever reason, I thought more about this issue this morning. I'm just recording my thoughts and not asking to change the prioritization of this issue.
If we want 3C to be able to process programs that #include <sys/socket.h>
and set _GNU_SOURCE
(such as Icecast and ImageMagick in their original form, which would be really nice), I propose that we proceed as follows:
sys/socket_checked.h
as described in microsoft/checkedc#441.foo
has a declaration that uses a transparent union, that declaration is completely ignored by 3C and any other declarations of foo
are treated as unwritable and constrained accordingly. That does mean that if foo
has no declaration that doesn't use a transparent union, then 3C will treat it having no declaration at all, but for the socket functions, we should normally always be implicitly including the checked declarations that don't use transparent unions. Hopefully this workaround will be simple to implement now that the declaration merging process has been cleaned up in #463 and will have very little risk of breaking anything else. If we want, 3C could issue an error or warning if any declaration of foo
is actually in a writable file; otherwise we might have to add new root-cause diagnostics for this situation. There are various ways we could make the workaround more narrowly targeted (and probably more complex to implement), but the above is probably enough for the socket functions, so I wouldn't bother with anything more complex.Hopefully things would work at that point. However, since we know Microsoft hasn't tested _GNU_SOURCE
at all, I wouldn't be surprised if there are remaining glitches that require minor changes to the Checked C compiler, for instance.
The following code (a simplified version of what is currently happening in
sys/socket_checked.h
) is valid C and Checked C:but produces the following error from 3C (I presume because
struct sockaddr1 *
has a pointer at the top level butunion sockaddr_p_tu
doesn't):If the Checked C compiler isn't changed to outright reject this code as part of microsoft/checkedc#441, then ideally 3C should reject it with an error message clear enough for end users to quickly identify the problem.