Support to disable Checked C type checking (checkedc#874)

The Checked C conversion tool is built using clang as a library.  We want the Checked C conversion tool to be usable interactively.  In this scenario, the conversion tool will be run and introduce some annotations.  The programmer may then introduce additional annotations and re-run the tool.  This means that the conversion tool needs to support partially annotated code. However, partially annotated code could fail type-checking and consequently, the generated clang AST might not be complete, impeding the tool.  This changes adds a new flag -fcheckedc-convert-tool to the Checked C clang compiler that suppresses diagnostics due to partially annotated Checked C code.  This includes includes type checking errors cause by checked and unchecked pointers mismatches, missing initializers, and missing bounds annotations.

As an example, suppose want to convert the following code:

void foo(_Ptr<int> z) {
  int *x = z;
}

Current clang emits an error:

error: initializing 'int *' with an expression of an incompatible type

      '_Ptr<int>'
  int *x = z;

and the AST produced is incomplete:

./clang -cc1 -ast-dump foo.c:

`-FunctionDecl 0x10f2fbd0 </home/machiry/checkedc/dd.c:1:1, line:3:1> line:1:6 foo 'void (_Ptr<int>)'
  |-ParmVarDecl 0x10f2faf8 <col:10, col:20> col:20 used z '_Ptr<int>'
  `-CompoundStmt 0x10f301c8 <col:23, line:3:1>
    `-DeclStmt 0x10f301b0 <line:2:3, col:13>
      `-VarDecl 0x10f2fd08 <col:3, col:8> col:8 invalid x 'int *'
1 error generated.

When the flag is turned on, diagnostics that might be caused by partially annotated programs are suppressed at the point of diagnostic message generation.  clang doesn't really differentiate whether the cause of an error is syntactic, type checking, or some other semantic checking problem.  It throws away expressions when errors are found, to avoid spurious or confusing error messages. This means that suppressing the errors at the point of generation is the best way to present a complete AST to the conversion tool.

The flag should not be turned on for code generation because the resulting code may be incorrect.   It is only meant to be turned on when ASTs are being created.

Author: Machiry

clang/include/clang/Basic/LangOptions.def

@@ -94,6 +94,7 @@ LANGOPT(CPlusPlus17       , 1, 0, "C++17")
 LANGOPT(CPlusPlus2a       , 1, 0, "C++2a")
 LANGOPT(ObjC              , 1, 0, "Objective-C")
 LANGOPT(CheckedC          , 1, 0, "Checked C extension")
+LANGOPT(CheckedCConverter , 1, 0, "Automated Checked C converter mode")
 BENIGN_LANGOPT(ObjCDefaultSynthProperties , 1, 0,
                "Objective-C auto-synthesized properties")
 BENIGN_LANGOPT(EncodeExtendedBlockSig , 1, 0,

clang/include/clang/Driver/Options.td

@@ -800,7 +800,9 @@ def fbuiltin_module_map : Flag <["-"], "fbuiltin-module-map">, Group<f_Group>,
 def fcheckedc_extension : Flag<["-"], "fcheckedc-extension">, Group<f_Group>, Flags<[CC1Option]>,
   HelpText<"Accept Checked C extension">;
 def fno_checkedc_extension : Flag<["-"], "fno-checkedc-extension">, Group<f_Group>, Flags<[CC1Option]>,
-  HelpText<"Do ont accept Checked C extension">;
+  HelpText<"Do not accept Checked C extension">;
+def fcheckedc_convert_tool : Flag<["-"], "fcheckedc-convert-tool">, Group<f_Group>, Flags<[CC1Option]>,
+  HelpText<"Enable Checked C converter tool mode (supposed to be run by tools that needs only AST)">;
 def fdump_extracted_comparison_facts : Flag<["-"], "fdump-extracted-comparison-facts">, Group<f_Group>, Flags<[CC1Option]>,
   HelpText<"Dump extracted comparison facts">;
 def fdump_widened_bounds : Flag<["-"], "fdump-widened-bounds">, Group<f_Group>, Flags<[CC1Option]>,

clang/lib/AST/ASTContext.cpp

@@ -8804,7 +8804,9 @@ QualType ASTContext::mergeFunctionTypes(QualType lhs, QualType rhs,
         // For unchecked return types, a return with
         // bounds is compatible with a return without bounds.
         // The merged type includes the bounds.
-        if (!retType->isUncheckedPointerType())
+        // Ignore the error if we do not want to consider checked pointers.
+        if (!retType->isUncheckedPointerType() &&
+            !getLangOpts().CheckedCConverter)
           return QualType();
         if (!lReturnAnnots.IsEmpty() && rReturnAnnots.IsEmpty()) {
           ReturnAnnots = lReturnAnnots;
@@ -8858,7 +8860,9 @@ QualType ASTContext::mergeFunctionTypes(QualType lhs, QualType rhs,
           // For unchecked parameter types, a parameter with
           // bounds is compatible with a parameter without bounds.
           // The merged type includes the bounds.
-          if (!paramType->isUncheckedPointerType())
+          // Ignored the error if we do not want to consider checked pointers.
+          if (!paramType->isUncheckedPointerType() &&
+              !getLangOpts().CheckedCConverter)
             return QualType();
           if (!lBounds.IsEmpty() && rBounds.IsEmpty()) {
             bounds.push_back(lBounds);

clang/lib/Driver/ToolChains/Clang.cpp

@@ -4816,6 +4816,7 @@ void Clang::ConstructJob(Compilation &C, const JobAction &JA,
   Args.AddLastArg(CmdArgs, options::OPT_fcheckedc_extension);
   Args.AddLastArg(CmdArgs, options::OPT_fno_checkedc_extension);
   Args.AddLastArg(CmdArgs, options::OPT_fdump_inferred_bounds);
+  Args.AddLastArg(CmdArgs, options::OPT_fcheckedc_convert_tool);
   Args.AddLastArg(CmdArgs, options::OPT_finject_verifier_calls);
   Args.AddLastArg(CmdArgs, options::OPT_funchecked_pointers_dynamic_check);
 

clang/lib/Frontend/CompilerInvocation.cpp

@@ -2634,6 +2634,10 @@ static void ParseLangArgs(LangOptions &Opts, ArgList &Args, InputKind IK,
     } else
       Opts.CheckedC = true;
   }
+
+  if (Args.hasArg(OPT_fcheckedc_convert_tool))
+    Opts.CheckedCConverter = true;
+
   if (Args.hasArg(OPT_fno_checkedc_extension))
     Opts.CheckedC = false;
 

clang/lib/Sema/SemaBounds.cpp

@@ -2093,6 +2093,12 @@ namespace {
                                    BoundsCheckKind CheckKind,
                                    CheckedScopeSpecifier CSS,
                                    EquivExprSets *EquivExprs) {
+
+      // If we are running to Checked C converter (AST only) tool, then disable
+      // bounds checking.
+      if (S.getLangOpts().CheckedCConverter)
+        return;
+
       ProofFailure Cause;
       ProofResult Result;
       ProofStmtKind ProofKind;
@@ -5385,6 +5391,9 @@ namespace {
         !ToType->isFunctionPointerType())
         return;
 
+      if (S.getLangOpts().CheckedCConverter)
+        return;
+
       // Skip lvalue-to-rvalue casts because they preserve types (except that
       // qualifers are removed).  The lvalue type should be a checked pointer
       // type too.

clang/lib/Sema/SemaDecl.cpp

@@ -12656,31 +12656,33 @@ void Sema::ActOnUninitializedDecl(Decl *RealDecl) {
       if (InCheckedScope && Var->hasInteropTypeExpr())
         Ty = Var->getInteropType();
 
-      if (Ty->isCheckedPointerPtrType())
+      if (Ty->isCheckedPointerPtrType() && !getLangOpts().CheckedCConverter)
         Diag(Var->getLocation(), diag::err_initializer_expected_for_ptr)
           << Var;
-      else if (B && !B->isInvalid() && !B->isUnknown() && !Ty->isArrayType())
+      else if (B && !B->isInvalid() && !B->isUnknown() &&
+               !Ty->isArrayType() && !getLangOpts().CheckedCConverter)
         Diag(Var->getLocation(), diag::err_initializer_expected_with_bounds)
           << Var;
 
       // An unchecked pointer in a checked scope with a bounds expression must
       // be initialized
       if (Ty->isUncheckedPointerType() && InCheckedScope &&
-          Var->hasBoundsExpr())
+          Var->hasBoundsExpr() && !getLangOpts().CheckedCConverter)
         Diag(Var->getLocation(),
              diag::err_initializer_expected_for_unchecked_pointer)
           << Var;
 
       // An integer with a bounds expression must be initialized
-      if (Ty->isIntegerType() && Var->hasBoundsExpr())
+      if (Ty->isIntegerType() && Var->hasBoundsExpr() &&
+          !getLangOpts().CheckedCConverter)
         Diag(Var->getLocation(),
               diag::err_initializer_expected_for_integer)
           << Var;
 
       // struct/union and array with checked pointer members must have
       // initializers.
       // array with checked ptr element
-      if (Ty->isArrayType()) {
+      if (Ty->isArrayType() && !getLangOpts().CheckedCConverter) {
         // if this is an array type, check the element type of the array,
         // potentially with type qualifiers missing
         if (Type::HasCheckedValue == Ty->getPointeeOrArrayElementType()->
@@ -12689,7 +12691,7 @@ void Sema::ActOnUninitializedDecl(Decl *RealDecl) {
           << Var;
       }
       // RecordType(struct/union) with checked pointer member
-      if (Ty->isRecordType()) {
+      if (Ty->isRecordType() && !getLangOpts().CheckedCConverter) {
         const RecordType *RT = Ty->getAs<RecordType>();
         switch (RT->containsCheckedValue(InCheckedScope)) {
           default:
@@ -13094,7 +13096,7 @@ void Sema::CheckCompleteVariableDeclaration(VarDecl *var) {
                                                CurInitSegLoc));
   }
 
-  if (getLangOpts().CheckedC)
+  if (getLangOpts().CheckedC && !getLangOpts().CheckedCConverter)
     CheckTopLevelBoundsDecls(var);
 
   // All the following checks are C++ only.
@@ -14855,7 +14857,7 @@ Decl *Sema::ActOnFinishFunctionBody(Decl *dcl, Stmt *Body,
   // meant to pop the context added in ActOnStartOfFunctionDef().
   ExitFunctionBodyRAII ExitRAII(*this, isLambdaCallOperator(FD));
 
-  if (getLangOpts().CheckedC)
+  if (getLangOpts().CheckedC && !getLangOpts().CheckedCConverter)
     CheckFunctionBodyBoundsDecls(FD, Body);
 
   if (FD) {

clang/lib/Sema/SemaExpr.cpp

@@ -4786,7 +4786,8 @@ Sema::CreateBuiltinArraySubscriptExpr(Expr *Base, SourceLocation LLoc,
     BaseExpr = LHSExp;
     IndexExpr = RHSExp;
     // Array subscripting not allowed on ptr<T> values
-    if (PTy->getKind() == CheckedPointerKind::Ptr) {
+    if (PTy->getKind() == CheckedPointerKind::Ptr &&
+        !getLangOpts().CheckedCConverter) {
         return ExprError(Diag(LLoc, diag::err_typecheck_ptr_subscript)
             << LHSTy << LHSExp->getSourceRange() << RHSExp->getSourceRange());
     }
@@ -4808,7 +4809,8 @@ Sema::CreateBuiltinArraySubscriptExpr(Expr *Base, SourceLocation LLoc,
     BaseExpr = RHSExp;
     IndexExpr = LHSExp;
     // Array subscripting not allowed on ptr<T> values
-    if (PTy->getKind() == CheckedPointerKind::Ptr) {
+    if (PTy->getKind() == CheckedPointerKind::Ptr &&
+        !getLangOpts().CheckedCConverter) {
         return ExprError(Diag(LLoc, diag::err_typecheck_ptr_subscript)
             << RHSTy << LHSExp->getSourceRange() << RHSExp->getSourceRange());
     }
@@ -7161,7 +7163,7 @@ static QualType checkConditionalPointerCompatibility(Sema &S, ExprResult &LHS,
        incompatibleCheckedPointer = resultKind != CheckedPointerKind::Unchecked && CompositeTy.isNull();
      }
      else if (lhsKind == CheckedPointerKind::Unchecked) {
-       // The rhs must be a checked ponter type. The least upper bound is determined
+       // The rhs must be a checked pointer type. The least upper bound is determined
        // as follows:
        //    Unchecked ^ Array =  Array
        //    Unchecked ^ NtArray = Array
@@ -7199,7 +7201,7 @@ static QualType checkConditionalPointerCompatibility(Sema &S, ExprResult &LHS,
        // Must have different kinds of checked pointers (_Ptr vs.
        // _Array_ptr or _Nt_Array_ptr). Implicit conversions between these
        // kinds of pointers are not allowed.
-       incompatibleCheckedPointer = true;
+       incompatibleCheckedPointer = !S.getLangOpts().CheckedCConverter;
        // _Array_ptr is less likely to cause spurious downstream warnings.
        resultKind = CheckedPointerKind::Array;
      }
@@ -7363,7 +7365,7 @@ static bool checkUncheckedPointerIntegerMismatch(Sema &S, ExprResult &Int,
     return false;
 
   const PointerType *ptrTy = PointerExpr->getType()->getAs<PointerType>();
-  if (ptrTy->isChecked()) {
+  if (ptrTy->isChecked() && !S.getLangOpts().CheckedCConverter) {
      return false;
   }
 
@@ -8263,22 +8265,29 @@ checkPointerTypesForAssignment(Sema &S, QualType LHSType, QualType RHSType) {
   // - Allow implicit conversions from any kind of pointer to _Ptr 
   //   or _Array_ptr
 
-  if (rhkind != CheckedPointerKind::Unchecked &&
-      lhkind == CheckedPointerKind::Unchecked)
-    return Sema::Incompatible;
+  if (!S.getLangOpts().CheckedCConverter) {
+    if (rhkind != CheckedPointerKind::Unchecked &&
+        lhkind == CheckedPointerKind::Unchecked)
+      return Sema::Incompatible;
 
-  if (lhkind == CheckedPointerKind::NtArray &&
-      rhkind != CheckedPointerKind::NtArray)
-    return Sema::Incompatible;
+    if (lhkind == CheckedPointerKind::NtArray &&
+        rhkind != CheckedPointerKind::NtArray)
+      return Sema::Incompatible;
+  }
 
   // C99 6.5.16.1p1 (constraint 3): both operands are pointers to qualified or
   // unqualified versions of compatible types, ...
   QualType ltrans = QualType(lhptee, 0), rtrans = QualType(rhptee, 0);
   if (!S.Context.pointeeTypesAreAssignable(ltrans, rtrans)) {
      // None of the language extensions below are allowed for pointers
      // that are checked pointers or that contain checked types.
-     if (LHSType->isOrContainsCheckedType() || RHSType->isOrContainsCheckedType())
-         return Sema::Incompatible;
+     if (LHSType->isOrContainsCheckedType() ||
+         RHSType->isOrContainsCheckedType()) {
+       // If ignoring checked pointers are enabled then assignments containing
+       // checked pointers is always compatible.
+       return S.getLangOpts().CheckedCConverter ? Sema::Compatible :
+                                                  Sema::Incompatible;
+     }
 
     // Check if the pointee types are compatible ignoring the sign.
     // We explicitly check for char so that we catch "char" vs
@@ -9772,19 +9781,21 @@ QualType Sema::CheckRemainderOperands(
 /// Diagnose invalid arithmetic on two void pointers.
 static void diagnoseArithmeticOnTwoVoidPointers(Sema &S, SourceLocation Loc,
                                                 Expr *LHSExpr, Expr *RHSExpr) {
-  bool isCheckedPointerType = LHSExpr->getType()->isCheckedPointerType() ||
-    RHSExpr->getType()->isCheckedPointerType();
-  S.Diag(Loc, S.getLangOpts().CPlusPlus || isCheckedPointerType
-                ? diag::err_typecheck_pointer_arith_void_type
-                : diag::ext_gnu_void_ptr)
-    << 1 /* two pointers */ << LHSExpr->getSourceRange()
-                            << RHSExpr->getSourceRange();
+  bool isCheckedPointerType = (LHSExpr->getType()->isCheckedPointerType() ||
+                               RHSExpr->getType()->isCheckedPointerType()) &&
+                              !S.getLangOpts().CheckedCConverter;
+    S.Diag(Loc, S.getLangOpts().CPlusPlus || isCheckedPointerType
+                    ? diag::err_typecheck_pointer_arith_void_type
+                    : diag::ext_gnu_void_ptr)
+        << 1 /* two pointers */ << LHSExpr->getSourceRange()
+        << RHSExpr->getSourceRange();
 }
 
 /// Diagnose invalid arithmetic on a void pointer.
 static void diagnoseArithmeticOnVoidPointer(Sema &S, SourceLocation Loc,
                                             Expr *Pointer) {
-  bool isCheckedPointerType = Pointer->getType()->isCheckedPointerType();
+  bool isCheckedPointerType = Pointer->getType()->isCheckedPointerType() &&
+                              !S.getLangOpts().CheckedCConverter;
   S.Diag(Loc, S.getLangOpts().CPlusPlus || isCheckedPointerType
                 ? diag::err_typecheck_pointer_arith_void_type
                 : diag::ext_gnu_void_ptr)
@@ -9880,7 +9891,7 @@ static bool checkArithmeticOpPointerOperand(Sema &S, SourceLocation Loc,
 
   if (!ResType->isAnyPointerType()) return true;
 
-  if (ResType->isCheckedPointerPtrType()) {
+  if (ResType->isCheckedPointerPtrType() && !S.getLangOpts().CheckedCConverter) {
      diagnoseArithmeticOnPtrPointerType(S, Loc, Operand);
      return false;
   }
@@ -9942,8 +9953,9 @@ static bool checkArithmeticBinOpPointerOperands(Sema &S, SourceLocation Loc,
     else diagnoseArithmeticOnTwoVoidPointers(S, Loc, LHSExpr, RHSExpr);
 
     return !(S.getLangOpts().CPlusPlus ||
-             LHSExpr->getType()->isCheckedPointerType() ||
-             RHSExpr->getType()->isCheckedPointerType());
+            ((LHSExpr->getType()->isCheckedPointerType() ||
+             RHSExpr->getType()->isCheckedPointerType()) &&
+             !S.getLangOpts().CheckedCConverter));
   }
 
   bool isLHSFuncPtr = isLHSPointer && LHSPointeeTy->isFunctionType();
@@ -9955,7 +9967,7 @@ static bool checkArithmeticBinOpPointerOperands(Sema &S, SourceLocation Loc,
     else diagnoseArithmeticOnTwoFunctionPointers(S, Loc, LHSExpr, RHSExpr);
 
     // We don't have to check if the function pointers are checked. Only _Ptrs to
-    // function types are allowd and arithmetic on _Ptrs is covered by another
+    // function types are allowed and arithmetic on _Ptrs is covered by another
     // diagnostic.
     return !S.getLangOpts().CPlusPlus;
   }

clang/test/CheckedC/regression-cases/ignore_checkedc_pointers.c

@@ -0,0 +1,78 @@
+// This is a test case to check support for AST generation in
+// the presence of invalid checked pointer usage.
+// https://github.com/microsoft/checkedc-clang/pull/847#issuecomment-652375065
+//
+// This test checks that the compiler does not generate any error while trying
+// to generate AST for programs even when the Checked C type checking fails.
+//
+// RUN: %clang -cc1 -verify -fcheckedc-convert-tool %s
+// expected-no-diagnostics
+
+struct st1 {
+    _Array_ptr<int> q;
+};
+
+int bar(_Array_ptr<int> q : count(l), unsigned l) {
+    unsigned i;
+    for (i=0; i<l; i++) {
+      q[i] = 0;
+    }
+    return 0;
+}
+
+_Array_ptr<int> baz(_Ptr<int> q, unsigned z) : count(5) {
+    int *p;
+    return p;
+}
+
+int zzz(int *o, unsigned l) {
+    return 0;
+}
+
+void fpt(_Ptr<int(_Array_ptr<int> arr : count(i), int i)> j) {
+    return;
+}
+
+int foo(void) {
+    // No initializer.
+   _Array_ptr<int> r : count(5);
+   _Nt_array_ptr<char> z;
+   _Array_ptr<_Ptr<int>> n;
+   struct st1 o;
+   char *l; 
+   _Ptr<int> q;
+   _Ptr<int(_Array_ptr<int> arr : count(i), int i)> j;
+   int *p;
+   void *v;
+   // different types of assignments.
+   q = p;
+   r = p;
+   p = r;
+   q = p;
+   r = p;
+   l = z;
+   z = l;
+   r = z;
+   n = p !=0 ? p : q;
+   n = p;
+   p = n;
+   v = n;
+   n = v;
+   *n = v;
+   *n = p;
+   *n = q;
+   *n = r;
+   r = *n;
+   o.q = p;
+   n = o.q;
+   // assigning ptr to array.
+   p = baz(q, 0);
+   // assigning unchecked pointer to checked ptr.
+   p = baz(p, 0);
+   // Function pointers.
+   fpt(&bar);
+   fpt(&zzz);
+   fpt(&baz);
+   j = baz;
+   return 0;
+}