Description
Currently, given a double pointer such as int **ppi;, 3C generates a constraint that if the outer pointer is wild, the inner pointer is also wild; that is, 3C will never convert this code to something like _Ptr<int> *ppi;. However, the Checked C compiler allows _Ptr<int> *ppi;, and neither John nor I can think of a purpose that 3C's constraint serves now; our best guess is that it was copied from CCured at some point in the past, but its rationale in the context of CCured does not apply to Checked C. We should consider removing the constraint and seeing if that helps (or hurts!) anything in example codebases or porting scenarios.
One potential problem we're aware of is that PointerVariableConstraint::mkString is buggy on types like _Ptr<int> *. In the current version of 3C, I haven't been able to trigger the bug except in very contrived examples such as the following:
_Itype_for_any(T) void *getT(void) : itype(_Ptr<T>);
void test_malloc() {
_Ptr<_Ptr<int> *> x = getT();
// Converts to:
// _Ptr<_Ptr<int> *> x = getT<int *_Ptr<int>>();
// ^^^^^^^^^^^^^^
*x = (_Ptr<int> *)1;
}But the bug would likely be triggered more often if we remove the constraint. The mkString bug is now one of the items in #703.