Summary
This is a developer build of the Checked C clang compiler. It is for use by developers who want to try out the Checked C extension while it is being implemented.
Installation Notes
Clang expects an existing C/C++ compiler before running the installer. If installing on a fresh machine, first install the C/C++ compiler. We recommend using Visual Studio 2017, which has a free Community version available. Use Visual Studio 2017's installer to ensure a C/C++ compiler and runtime are present before installing Checked C clang.
- The binaries are installers for 32-bit and 64-bit Windows versions of the compiler.
- The compiler will be installed in a separate directory from your existing clang install. If you are also using the production version of clang, do not add the Checked C version to your path.
Using the compiler
See the Checked C clang users manual for directions on how to use the compiler.
To change the compiler to Checked C clang in a Visual Studio project, open the project Properties and set "Platform Toolset" to one of the "CheckedC-LLVM" versions in the drop-down. (If there are no CheckedC-LLVM options in the "Platform Toolset" dropdown, try reinstalling Checked C clang.)
Change notes
Void pointers are a feature in C that can lead to type confusion: any pointer type converts implicitly to a void pointer, and a void pointer converts implicitly to any pointer type. We took our first steps in this release toward eliminating unsafe uses of void pointers in checked scopes.
We now support declaring existing library functions to have generic bounds-safe interfaces. This causes those functions to be treated as generic functions in checked scopes (or when type arguments are supplied in unchecked scopes). This eliminates the possibility of type confusion errors at calls to those functions.
- Implemented support for redeclaring existing functions to have generic bounds-safe interfaces (PR #546)
- Fixed bugs in the implementation (PR #581).
We updated the Checked C header files to provide generic bounds-safe interfaces for memcpy, bsearch, calloc, malloc, realloc, free, and thrd_create (PR #315). This means that type arguments must be supplied at calls to those functions in checked scopes.
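The following is an added example (not code from the Checked C project) showing what the two items above mean at a call site: the memcpy generic bounds-safe interface from string_checked.h used from a checked scope, and an assumed third-party routine, lib_copy, redeclared with a generic bounds-safe interface of its own. The name lib_copy and its original signature are assumptions for illustration.

```c
#include <stddef.h>
#include <string_checked.h>   // Checked C header: memcpy with a generic bounds-safe interface

// Assumed third-party routine with no bounds information, declared the way a
// vendor header would declare it. A checked scope cannot call this form,
// because void * carries neither bounds nor an element type.
void *lib_copy(void *dst, const void *src, size_t n);

// Redeclaration that gives lib_copy a generic bounds-safe interface. T is a
// type parameter: both buffers are _Array_ptr<T> bounded by n bytes, so a
// checked caller cannot hand over buffers of two different element types and
// have one silently reinterpreted as the other.
_Itype_for_any(T) void *lib_copy(void *dst : itype(_Array_ptr<T>) byte_count(n),
                                  const void *src : itype(_Array_ptr<const T>) byte_count(n),
                                  size_t n) : itype(_Array_ptr<T>) byte_count(n);

int copy_and_sum(void) _Checked {
  int src _Checked[4] = {1, 2, 3, 4};
  int dst _Checked[4] = {0};

  // In a checked scope the type argument is mandatory and it fixes the
  // element type of every pointer argument.
  memcpy<int>(dst, src, sizeof(dst));
  lib_copy<int>(dst, src, sizeof(dst));

  // Rejected at compile time: with <int> the destination must be an
  // _Array_ptr<int>; passing an array of double here is a type error, where
  // plain C would compile it and quietly write int bit patterns into doubles.
  // memcpy<int>(some_double_array, src, sizeof(src));
  // Also rejected: omitting the type argument inside a checked scope.
  // memcpy(dst, src, sizeof(dst));

  int total = 0;
  for (size_t i = 0; i < 4; i++)
    total += dst[i];
  return total;   // 10 for the constructed input above
}
```

The byte_count(n) on both parameters is what makes the redeclaration a bounds-safe interface; the type parameter T is what turns a bounds-safe call into a type-safe one.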
We improved the Checked C header files. We added bounds-safe interfaces for:
- assert.h
- errno.h
- POSIX socket header functions in sys/socket_checked.h
- Unistd file commands in unistd.h
- The inet_addr function in arpa/inet.h
We now have two kinds of checked scopes: memory-safe checked scopes (assuming there are no memory management errors) and bounds-only checked scopes. Memory-safe checked scopes enforce memory safety by requiring bounds safety and disallowing some kinds of pointer casts. Bounds-only checked scopes only enforce that memory accesses are bounds checked; they allow potentially unsafe pointer casts.
In memory-safe checked scopes, we no longer allow implicit conversions to or from void pointers when the non-void pointer type points to data that contains a checked pointer.
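An added example (not from the Checked C project) of the rule above. The struct holds a checked pointer, so in a memory-safe checked scope it may not be passed to a void * parameter; in a bounds-only checked scope the same call is accepted. The function fill_from_input is an assumed legacy API, and the block-level syntax _Checked _Bounds_only for a bounds-only scope is assumed from the Checked C specification rather than taken from this page.

```c
#include <stddef.h>

struct node {
  int value;
  _Ptr<struct node> next;   // checked pointer stored inside the struct
};

// Assumed legacy API that overwrites n bytes at dst with data read from an
// untrusted input. The byte count makes it callable from checked scopes, but
// it knows nothing about the type of what it overwrites.
void fill_from_input(void *dst : byte_count(n), size_t n);

// Memory-safe checked scope: implicit conversion to void * is refused when
// the pointee contains a checked pointer.
void load_safe(_Ptr<struct node> n) _Checked {
  // fill_from_input(n, sizeof(struct node));  // error in this release: struct node
  //                                           // holds a _Ptr, so input bytes could
  //                                           // land in n->next and forge a pointer
  int v _Checked[1] = {0};
  fill_from_input(v, sizeof(v));   // fine: int contains no checked pointer
  n->value = v[0];
}

// Bounds-only checked scope: only bounds are enforced, so the conversion is
// accepted and any type confusion is the caller's responsibility.
void load_bounds_only(_Ptr<struct node> n) _Checked _Bounds_only {
  fill_from_input(n, sizeof(struct node));    // accepted here
}
```

The distinction matters for code review: a bounds-only scope guarantees that writes stay inside the object, but not that the object's checked pointers keep pointing at valid memory afterwards.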
We added support for saving/restoring pragma CHECKED_SCOPE state, using #pragma CHECKED_SCOPE push and #pragma CHECKED_SCOPE pop. This is useful for placing header file declarations in checked scopes, regardless of whether the header file is included in a checked scope or an unchecked scope.
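An added example (not a header the project ships) of the push/pop idiom: a header that forces a checked scope for its own declarations and then restores whatever the including file had, followed by an unchecked translation unit that includes it. The names mylib_checked.h, mylib_sum and mylib_fill are assumptions for illustration.

```c
/* ---- mylib_checked.h : added example header ---- */
#include <stddef.h>

#pragma CHECKED_SCOPE push   // remember the including file's current setting
#pragma CHECKED_SCOPE on     // declarations below are always in a checked scope

// Because the scope is forced on, an unchecked pointer without a bounds-safe
// interface is a compile error here no matter who includes the header.
int mylib_sum(_Array_ptr<const int> data : count(len), size_t len);
int mylib_fill(int *buf : count(len), size_t len);   // unchecked pointer with a bounds-safe interface
// int mylib_leaky(int *buf, size_t len);            // error inside the pushed checked scope

#pragma CHECKED_SCOPE pop    // restore the includer's setting, on or off

/* ---- main.c : an unchecked translation unit including the header ---- */
#include "mylib_checked.h"

// Ordinary C is still allowed below the include: the pop undid the header's "on".
int *legacy_cursor;

int main(void) {
  int data _Checked[3] = {1, 2, 3};
  int raw[3];
  mylib_fill(raw, 3);                  // unchecked caller passes a plain array
  return mylib_sum(data, 3) == 6 ? 0 : 1;
}
```

Without push/pop, a header that turned the scope on would silently leave every file that includes it in a checked scope, and one that turned it off would punch a hole in a checked file; the pair keeps the header's choice local to the header.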
We now insert bounds checks for subscript and pointer dereference operations where the pointer-typed expression is a string or array literal or a pointer derived from a string or array literal (for example, "abcde"[index], where index is an integer variable) (PR #561).
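An added example (not from the project) of code that benefits from the new check: a hex encoder that subscripts a string literal with a value derived from input. In a checked scope each subscript into the literal is now bounds-checked against the literal's storage, so an out-of-range index fails at run time instead of reading adjacent read-only data as plain C would. The function names are assumptions.

```c
#include <stddef.h>

// Encodes n bytes as 2n hex characters. In a checked scope every subscript
// into the literal is bounds-checked (this release), as are the reads from
// in and the writes to out.
void hex_encode(_Array_ptr<const unsigned char> in : count(n), size_t n,
                _Array_ptr<char> out : count(2 * n)) _Checked {
  for (size_t i = 0; i < n; i++) {
    out[2 * i]     = "0123456789abcdef"[in[i] >> 4];
    out[2 * i + 1] = "0123456789abcdef"[in[i] & 0x0F];
  }
}

// A lookup that an unchecked build runs past the literal's 17 bytes of
// storage for index >= 17 (undefined behaviour, typically a silent read of
// whatever rodata follows). In a checked scope the inserted check makes the
// same call fail at run time.
char hex_digit(size_t index) _Checked {
  return "0123456789abcdef"[index];
}
```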
Added support for parsing and representing the _Return_value expression (PR #544). We still need to extend inference of bounds and checking of bounds declarations to handle this expression.
Added support for using expression temporaries to track bounds during expression evaluation. The specification proposes the idea of _Current_expr_value, but that requires adjustments to recompute a value that was already computed to a temporary (PR #561).
We fixed the following bugs:
- Issue #484, where the compiler would complain about converting a checked function pointer to a fully checked type (fixed by PR #576).
- Fixed wrong use of assert (PR #568).
- Fixed duplicate messages about illegal void pointer arithmetic (PR #563).
Extension features implemented
See the implementation roadmap and status. Some runtime checks and much of the static checking are not implemented yet.