BoundsSafety.rst - OpenGrok cross reference for /llvm-project/clang/docs/BoundsSafety.rst

Lines Matching refs:pointers
20 use to attach bounds to pointers. For example, programmers can add the
36 boundaries with the use of implicit wide pointers (a.k.a. "fat" pointers) that
69 ``-fbounds-safety`` ensures that pointers are not used to access memory beyond
115 The requirement to annotate all pointers with explicit bounds information could
119 wide pointers can potentially reduce the adoption burden, as it contains bounds
121 However, wide pointers differ from standard C pointers in their data layout,
128 model, local variables of pointer type are implicitly treated as wide pointers,
134 pointers from silently breaking the ABI (see `ABI implications of default bounds
136 parameters, are treated as single object pointers (i.e., ``__single``), ensuring
150 Annotation for pointers to a single object
153 The C language allows pointer arithmetic on arbitrary pointers and this has been
154 a source of many bounds safety issues. In practice, many pointers are merely
158 arithmetic on annotated pointers to be a compile time error.
161   object or null. Hence, pointers with ``__single`` do not permit pointer
167 ``__single`` is the default annotation for ABI-visible pointers. This
168 gives strong security guarantees in that these pointers cannot be incremented or
174 to pointers. In the following example, the pointer on parameter p is
215   ``__counted_by`` annotation cannot apply to pointers to incomplete types or
222   pointers to incomplete types or types without size such as ``void *``.
264 require additional storage space making wide pointers larger than normal
265 pointers, hence the name "wide pointer". The memory layout of a wide pointer is
279 Even with this representational change, wide pointers act syntactically as
280 normal pointers to allow standard pointer operations, such as pointer
284 ``-fbounds-safety`` has a set of "internal" bounds annotations to turn pointers
285 into wide pointers. These are ``__bidi_indexable`` and ``__indexable``. When a
294   name indicates, pointers with this annotation are "bidirectionally indexable",
296   and the pointers can be incremented or decremented using pointer arithmetic. A
308   pointers do not have a separate lower bound, the pointer value itself acts as
322   annotations in this model, as ``__bidi_indexable`` pointers can be used for
329 ``__bidi_indexable`` is the default annotation for non-ABI visible pointers,
332 ``__bidi_indexable``. Since ``__bidi_indexable`` pointers automatically carry
334 can be used with these pointers, most code inside a function works as is without
357 generalized form ``__terminated_by(T)`` to annotate pointers and arrays with an
362 hit, the model puts some restrictions on how these pointers can be used.
363 ``__terminated_by`` pointers cannot be indexed and can only be incremented one
364 element at a time. To allow these operations, the pointers must be explicitly
365 converted to ``__indexable`` pointers using the intrinsic function
386 ``__unsafe_indexable`` can be used to mark pointers from system headers or
387 pointers from code that has not adopted -fbounds safety. This enables
396 Requiring ``-fbounds-safety`` adopters to add bounds annotations to all pointers
398 secure all pointers by default, ``-fbounds-safety`` applies default bounds
406 in a function parameter will affect the ABI and thus pointers used in function
407 parameters are ABI-visible pointers. On the other hand, changing the types of
410 rest of the pointers such as nested pointer types, pointer types of global
413 All ABI-visible pointers are treated as ``__single`` by default unless annotated
414 otherwise. This default both preserves ABI and makes these pointers safe by
417 ABI-visible pointers to be either ``__single``, ``__bidi_indexable``,
419 ``__ptrcheck_abi_assume_unsafe_indexable()`` will make all ABI-visible pointers
420 be ``__unsafe_indexable``. Non-ABI visible pointers — the outermost pointer
422 pointers have the bounds information necessary to perform bounds checks without
423 the need for a manual annotation. All ``const char`` pointers or any typedefs
424 equivalent to ``const char`` pointers are ``__null_terminated`` by default. This
429 use ``__null_terminated`` in any other pointers, e.g., ``char8_t
433 In system headers, the default pointer attribute for ABI-visible pointers is set
466 pointers whose elements have incompatible pointer attributes. This way,
467 ``-fbounds-safety`` prevents pointers that are implicitly ``__bidi_indexable``
631 in more detail what kinds of casts are allowed between pointers with different
665 decayed to pointers, but with the addition of an implicit bounds annotation,
668 pointers.
678 This means the array parameters are treated as `__counted_by` pointers within
680 `__counted_by` pointers.
706 pointers which contain the upper and lower bounds of the array, with the
732 bounds checked in ``-fbounds-safety``, just as ``__bidi_indexable`` pointers
830 Two pointers that have different bounds annotations on their nested pointer
990 `__single`` pointers of different pointee types (e.g., ``char *__single`` →