
2020-02-28 Developer Build of Checked C clang compiler

Released by kkjeer on 29 Feb 00:45, commit f9bb238

Summary

This is a developer build of the Checked C clang compiler. It is for use by developers who want to try out the Checked C extension while it is being implemented.

Installation Notes

The installer expects a working C/C++ toolchain (compiler and runtime libraries) to already be present on the machine. If you are installing on a fresh machine, install the C/C++ compiler first. We recommend Visual Studio 2019, which has a free Community edition; use the Visual Studio 2019 installer to make sure a C/C++ compiler and runtime are present before installing Checked C clang.

  • The binaries are installers for the 32-bit and 64-bit Windows versions of the compiler.
  • The compiler is installed in a separate directory from any existing clang installation. If you also use the production version of clang, do not add the Checked C version to your PATH, so the two cannot be confused.

Using the compiler

See the Checked C clang users manual for directions on how to use the compiler.

There are now two ways to use the Checked C clang compiler in Visual Studio. The first is the Visual Studio extension created by the LLVM project: a property page for your project lets you select the Checked C clang compiler binary directly.

The second is Visual Studio 2019's built-in support for clang/LLVM. This blog post describes the support for CMake projects, and this blog post describes support for MSBuild projects. If you installed the Checked C clang compiler and added it to your PATH, Visual Studio should pick it up directly. Otherwise (for example, if you kept it off your PATH because you also use production clang, as recommended above), follow the directions for using a custom installation of clang.

Change notes

Clang source update

We have upgraded to the sources for clang version 9.0.0.

Core features

  • PR #663: Add a dynamic check for pointer arithmetic on null pointers.
  • PR #626: Disallow explicit casts to _Nt_array_ptr in checked scopes. These casts are disallowed because the source of the cast may not point to a null-terminated array.
  • PR #718: Prevent static variable declarations from using free type variables. Such uses are disallowed because the storage of a static variable in a generic function persists across calls, so different instantiations of the type variable could be used to overwrite the same memory (see issue #684).
  • PR #673: Correctly determine bounds for predefined literals. The compiler can now determine bounds for preprocessor constants (see issue #650).
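To make the runtime behaviour behind PR #663 concrete, the following added example (plain C written for this page, not Checked C code and not part of the project) emulates a checked array pointer whose bounds travel with it. In real Checked C the bounds are part of the declaration, for example `_Array_ptr<int> p : count(n)`, and the compiler inserts the checks itself; here `make_checked`, `checked_add`, `checked_read`, `checked_sum` and the `chk_status` values are illustrative names, and a failed check returns a status rather than trapping so the outcome can be observed. The sample buffer is constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Emulation of a Checked C _Array_ptr<int> with its bounds carried alongside.
 * In Checked C the bounds live in the declaration (e.g. ": count(n)") and the
 * compiler inserts the checks below itself; this struct is an illustration only. */
typedef struct {
    int *ptr;   /* current pointer value */
    int *lo;    /* lower bound, inclusive */
    int *hi;    /* upper bound, exclusive */
} checked_int_ptr;

/* A failed dynamic check traps in Checked C; here it is reported as a status
 * so the behaviour can be observed and tested. */
typedef enum { CHK_OK = 0, CHK_NULL_ARITH = 1, CHK_OUT_OF_BOUNDS = 2 } chk_status;

/* Construct a checked pointer with bounds(p, p + n). */
static checked_int_ptr make_checked(int *p, size_t n) {
    checked_int_ptr cp;
    cp.ptr = p;
    cp.lo = p;
    cp.hi = (p != NULL) ? p + n : NULL;
    return cp;
}

/* Pointer arithmetic p + i. The null check models what PR #663 adds: arithmetic
 * on a null checked pointer fails here instead of yielding a non-null address
 * that later checks would have to reason about. The bounds are unchanged by
 * arithmetic; they are enforced at the access. */
static chk_status checked_add(checked_int_ptr p, ptrdiff_t i, checked_int_ptr *out) {
    if (p.ptr == NULL) {
        return CHK_NULL_ARITH;
    }
    *out = p;
    out->ptr = p.ptr + i;
    return CHK_OK;
}

/* Read *p. This models the check inserted on every access through an
 * _Array_ptr: lo <= ptr < hi. A null pointer is never within bounds. */
static chk_status checked_read(checked_int_ptr p, int *value) {
    if (p.ptr == NULL || p.ptr < p.lo || p.ptr >= p.hi) {
        return CHK_OUT_OF_BOUNDS;
    }
    *value = *p.ptr;
    return CHK_OK;
}

/* Sum elements [first, first + count) through a checked pointer, stopping at
 * the first failed check. Returns that status (CHK_OK if every read succeeded). */
static chk_status checked_sum(checked_int_ptr base, ptrdiff_t first, size_t count, int *sum) {
    int total = 0;
    for (size_t k = 0; k < count; k++) {
        checked_int_ptr elem;
        int v;
        chk_status st = checked_add(base, first + (ptrdiff_t)k, &elem);
        if (st != CHK_OK) return st;
        st = checked_read(elem, &v);
        if (st != CHK_OK) return st;
        total += v;
    }
    *sum = total;
    return CHK_OK;
}

int main(void) {
    int buf[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };   /* constructed sample data */
    int sum = 0;
    chk_status st;
    checked_int_ptr p = make_checked(buf, 8);
    checked_int_ptr np = make_checked(NULL, 8);

    st = checked_sum(p, 2, 4, &sum);
    printf("in bounds: status %d, sum %d\n", st, sum);
    st = checked_sum(p, 6, 4, &sum);      /* reaches buf + 8, one past the end */
    printf("past end:  status %d\n", st);
    st = checked_sum(np, 0, 1, &sum);     /* null base: fails at the arithmetic */
    printf("null + i:  status %d\n", st);
    return 0;
}
```

The third call is the case PR #663 addresses: without the null check in `checked_add`, `NULL + 0` would be a null pointer that only the later read catches, while `NULL + i` for non-zero `i` would be a non-null pointer whose relationship to its bounds is meaningless.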

Dataflow analysis for bounds checking

The static checking of bounds declarations now makes use of facts established by conditional statements, such as i < j holding inside the branch guarded by if (i < j) (PR #657). This results in fewer warnings during bounds declaration checking. See the wiki for more information.

Generic structs and existential structs

Checked C now supports generic structs and existential structs (PR #683).

A generic struct is declared with a type parameter standing for its underlying representation type:

struct IntSet _For_any(T) {
  T *rep;                         /* the representation, of the type parameter T */
  void (*add)(T *rep, int x);     /* operations take the representation explicitly */
  void (*rem)(T *rep, int x);
  int (*find)(T *rep, int x);
};

The new builtin _Pack can be used to create an existential struct from a generic struct:

exist_type e = _Pack(expr, exist_type, subst_type);

where expr is an instance of a generic struct.

This work does not yet support sizeof(T) constraints, which would allow pointer arithmetic on pointers to T. See the wiki for more information.
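The following added example (plain C written for this page, not Checked C code and not the project's own) shows the pattern the generic IntSet and _Pack above make type-safe, written in the way unchecked C has to express it: the representation type is erased to void*, and "packing" is just pairing a concrete representation with the functions that understand it. Two representations, a 64-bit mask and a small array, are hidden behind the same interface; `BitSet`, `ArrSet`, `pack_bitset`, `pack_arrset` and `count_present` are names invented for the example, and the probe values are constructed. The hazard noted in the comment at the end is exactly the kind of mismatch a typed existential form is meant to rule out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Plain-C version of the generic IntSet with the representation type erased
 * to void*. This is the unchecked idiom that _Pack replaces: nothing here
 * stops a caller from pairing a rep with the wrong set of functions. */
typedef struct IntSet {
    void *rep;
    void (*add)(void *rep, int x);
    void (*rem)(void *rep, int x);
    int  (*find)(void *rep, int x);
} IntSet;

/* Representation 1: a 64-bit mask holding integers in 0..63. */
typedef struct { uint64_t bits; } BitSet;

static void bitset_add(void *rep, int x) {
    if (x >= 0 && x < 64) ((BitSet *)rep)->bits |= (uint64_t)1 << x;
}
static void bitset_rem(void *rep, int x) {
    if (x >= 0 && x < 64) ((BitSet *)rep)->bits &= ~((uint64_t)1 << x);
}
static int bitset_find(void *rep, int x) {
    return x >= 0 && x < 64 && ((((BitSet *)rep)->bits >> x) & 1) != 0;
}

/* Representation 2: a small unsorted array with linear search, any int. */
#define ARR_CAP 16
typedef struct { int items[ARR_CAP]; size_t n; } ArrSet;

static int arr_index(const ArrSet *s, int x) {
    for (size_t i = 0; i < s->n; i++) if (s->items[i] == x) return (int)i;
    return -1;
}
static void arr_add(void *rep, int x) {
    ArrSet *s = rep;
    if (arr_index(s, x) < 0 && s->n < ARR_CAP) s->items[s->n++] = x;
}
static void arr_rem(void *rep, int x) {
    ArrSet *s = rep;
    int i = arr_index(s, x);
    if (i >= 0) s->items[i] = s->items[--s->n];   /* swap-remove; order is not kept */
}
static int arr_find(void *rep, int x) { return arr_index(rep, x) >= 0; }

/* "Packing": bind a concrete representation to the operations that understand
 * it. From here on, clients see only IntSet, never BitSet or ArrSet. */
static IntSet pack_bitset(BitSet *b) { IntSet s = { b, bitset_add, bitset_rem, bitset_find }; return s; }
static IntSet pack_arrset(ArrSet *a) { IntSet s = { a, arr_add, arr_rem, arr_find }; return s; }

/* Client code written against the interface alone. */
static int count_present(const IntSet *s, const int *xs, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) hits += s->find(s->rep, xs[i]) ? 1 : 0;
    return hits;
}

int main(void) {
    BitSet b = { 0 };
    ArrSet a = { { 0 }, 0 };
    IntSet sets[2] = { pack_bitset(&b), pack_arrset(&a) };   /* constructed sample sets */
    const int probe[] = { 1, 5, 63, 1000 };

    for (int i = 0; i < 2; i++) {
        sets[i].add(sets[i].rep, 5);
        sets[i].add(sets[i].rep, 1000);   /* out of range for the bitset, silently dropped */
        printf("set %d: %d of 4 probes present\n", i, count_present(&sets[i], probe, 4));
    }
    /* The unchecked hazard: this line compiles, but applies bitset code to an
     * ArrSet, corrupting it. A typed existential (the _Pack result) is what
     * rules such a mismatch out at compile time.
     * bitset_add(sets[1].rep, 5); */
    return 0;
}
```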

(Experimental) Static analyzer with Z3

We have added a clang static analyzer checker (SimpleBounds) that checks whether the memory accesses within unchecked code respect the bounds-safe interface. This experimental checker uses the Z3 theorem prover to reason about Checked C bounds expressions and verify memory accesses within unchecked code. See the wiki for more information.

Bug fixes

  • Issue #704: Add checked information for function declarations to AST reading/writing (fixed by PR #723).
  • Issue #419: Add checked information for compound blocks to AST reading/writing (fixed by PR #716).
  • Introduce temporary bindings for the subexpression of a bounds cast (PR #694). This allows modifying expressions to be used as the subexpression of a bounds cast (_Dynamic_bounds_cast or _Assume_bounds_cast), since the subexpression is evaluated once and bound to a temporary before the cast is checked.
  • Issue #331: Relative alignment information was missing from statement profiling (fixed by PR #692).

Extension features implemented

See the implementation roadmap and status. Some runtime checks and much of the static checking are not implemented yet, so code that compiles with this build is not yet guaranteed to be fully bounds-safe.