Check that variables and member expressions used in return bounds are unmodified

[kkjeer]

After each assignment expression to a variable or member expression e, this PR checks that e is not used in the declared return bounds (if any) for the enclosing function.

In unchecked scopes, if the enclosing function has a bounds-safe interface, this checking is not performed (regardless of the type of e or the type of the RHS expression that was assigned to e).

[sulekhark]

The name UpdateRetunrBoundsAfterAssignment may be misleading. There is really no "update" happening - my understanding is that this function checks if LValue occurs in ReturnBounds.

[sulekhark]

It looks like the third parameter Src is not used anywhere in this function.

[sulekhark]

Suppose there were multiple program points in a function where a variable or a member expression used in ReturnBounds got modified, then would multiple error messages be emitted?

[kkjeer]

Yes, there would be an error emitted at each assignment to a variable or member expression that is used in ReturnBounds.

[sulekhark]

In unchecked scopes, if the enclosing function has a bounds-safe interface, this checking is not performed (regardless of the type of e or the type of the RHS expression that was assigned to e).

In unchecked scopes, it may probably be more consistent with our discussed policy to perform this check whenever the return bounds are checked (i.e. when the return expression has a checked pointer type, or the return expression has an unchecked pointer type because of implicit casting from checked to unchecked pointer types).

In other words, in unchecked scopes, either:

1. The return bounds are checked and the return bounds expression is checked to ensure that the variables and member expressions occurring in it are unmodified, or
2. Both of the above checks are not done.

[kkjeer]

In unchecked scopes, if the enclosing function has a bounds-safe interface, this checking is not performed (regardless of the type of e or the type of the RHS expression that was assigned to e).

In unchecked scopes, it may probably be more consistent with our discussed policy to perform this check whenever the return bounds are checked (i.e. when the return expression has a checked pointer type, or the return expression has an unchecked pointer type because of implicit casting from checked to unchecked pointer types).

In other words, in unchecked scopes, either:

1. The return bounds are checked and the return bounds expression is checked to ensure that the variables and member expressions occurring in it are unmodified, or
2. Both of the above checks are not done.

In the following example:

int *f(int *p : count(i), _Array_ptr<int> q : count(i), unsigned int i) : count(i) _Unchecked {
  i++;
  if (i > 0) {
    return q; // checked return value
  }
  return p; // unchecked return value
}

The assignment i++ modifies i which is used in the declared return bounds. At this point, the bounds checker has no knowledge of any return expressions and whether or not they are checked pointers.

In an analogous example for checking the bounds of a variable with a bounds-safe interface:

int *f(int *p : count(i), _Array_ptr<int> q : count(i), unsigned int i) : count(i) _Unchecked {
  i++;
  if (i > 0) {
    p = q; // a checked pointer is assigned to p
  }
  p++; // an unchecked pointer is assigned to p
}

The assignment i++ does not result in a bounds checking warning for p. At the assignment p = q, since q is a checked pointer, we check the bounds of p. However, we do not check at this point that the variable i which is used in the bounds of p was modified.

As I understand it, our current policy for checking the bounds of a variable p with a bounds-safe interface in an unchecked scope are: at the end of checking a statement S:

1. If at any point during S, a checked pointer was assigned to p, we check the bounds of p.
2. Otherwise, we do not check the bounds of p.

I would propose the following policy for checking the bounds of a function f with a bounds-safe interface in an unchecked scope: at the end of checking a statement S:

1. If S returns a checked pointer, we check the bounds of f (including checking that S did not modify any variables or member expressions that are used in the bounds of f).
2. Otherwise, we do not check that S did not modify any variables or member expressions that are used in the bounds of f.

I'd like to discuss these policies further.

[sulekhark]

Yes, let's discuss it tomorrow.

[kkjeer]

Per offline discussion, we have the following policy for checking that variable or member expressions used in declared return bounds are unmodified:

1. If an assignment e1 = e2 occurs in an unchecked scope, and the enclosing function f has a bounds-safe interface, then we do not check whether e1 occurs in the declared bounds of f.
2. Otherwise, we do check whether e1 occurs in the declared bounds of f.

This is commented on line 4603 of SemaBounds.cpp in this PR.

[sulekhark]

LGTM! Thank you!