[CHERI] Add a sealed type annotation (#109)

This allows us to disallow dereferences and pointer indexing on
sealed capabilities at compile time.

Builtins that introspect capabilities can all work on a sealed or
unsealed capability.

Builtins that mutate capabilities are all disallowed on sealed
capabilities, with the exception of clear-tag (which works on sealed or
unsealed things).

Reinterpret cast and C-style (explicit) casts are allowed.  Anyone who
does an explicit unsafe cast should know what they're doing *anyway*
this is another case of that.

Implicit casts are also permitted to `void*`.  This avoids needing new
overloads for things that treat `void*` as opaque values.  Casting back
from `void*` to something useful already requires a dangerous explicit
cast and you should know what you're doing if you do that.

Also adds a __has_extension check for the sealed type qualifier.

Co-authored-by: Owen Anderson <[email protected]>

Author: davidchisnall

clang/include/clang/AST/Type.h

@@ -1565,6 +1565,9 @@ enum PointerInterpretationKind {
 
   /// The pointer should always be interpreted as an integer.
   PIK_Integer,
+
+  /// The pointer should be interpreted as a sealed capability.
+  PIK_SealedCapability,
 };
 
 /// The base class of the type hierarchy.
@@ -1663,7 +1666,7 @@ class alignas(8) Type : public ExtQualsTypeCommonBase {
 
     /// The interpretation (PointerInterpretationKind) to use for this array.
     /// For function parameters only.
-    unsigned PIK : 1;
+    unsigned PIK : 2;
 
     /// Whether the pointer interpretation for this array is set.
     unsigned HasPIK : 1;
@@ -1672,7 +1675,7 @@ class alignas(8) Type : public ExtQualsTypeCommonBase {
   class ConstantArrayTypeBitfields {
     friend class ConstantArrayType;
 
-    unsigned : NumTypeBits + 3 + 3 + 2;
+    unsigned : NumTypeBits + 3 + 3 + 3;
 
     /// Whether we have a stored size expression.
     unsigned HasStoredSizeExpr : 1;
@@ -1759,7 +1762,7 @@ class alignas(8) Type : public ExtQualsTypeCommonBase {
     unsigned : NumTypeBits;
 
     /// The interpretation (PointerInterpretationKind) to use for this pointer.
-    unsigned PIK : 1;
+    unsigned PIK : 2;
   };
 
   class DependentPointerTypeBitfields {
@@ -1768,7 +1771,7 @@ class alignas(8) Type : public ExtQualsTypeCommonBase {
     unsigned : NumTypeBits;
 
     /// The interpretation (PointerInterpretationKind) to use for this pointer.
-    unsigned PIK : 1;
+    unsigned PIK : 2;
   };
 
   class ReferenceTypeBitfields {
@@ -1778,7 +1781,7 @@ class alignas(8) Type : public ExtQualsTypeCommonBase {
 
     /// The interpretation (PointerInterpretationKind) to use for the pointer
     /// backing this reference type.
-    unsigned PIK : 1;
+    unsigned PIK : 2;
 
     /// True if the type was originally spelled with an lvalue sigil.
     /// This is never true of rvalue references but can also be false
@@ -2239,6 +2242,9 @@ class alignas(8) Type : public ExtQualsTypeCommonBase {
   /// pointers.
   bool isCHERICapabilityType(const ASTContext &Context,
                              bool IncludeIntCap = true) const;
+
+  /// Returns true if this type is a Cheriot sealed capability.
+  bool isCHERISealedCapabilityType(const ASTContext &Context) const;
   /// Returns true for __uintcap_t or __intcap_t (and enums/_Atomic with that
   /// underlying type)
   bool isIntCapType() const;
@@ -2898,7 +2904,8 @@ class PointerInterpretationTrait {
 
 public:
   bool isCHERICapability() const {
-    return getPointerInterpretation() == PIK_Capability;
+    return getPointerInterpretation() == PIK_Capability ||
+           getPointerInterpretation() == PIK_SealedCapability;
   }
 
   PointerInterpretationKind getPointerInterpretation() const {
@@ -2914,7 +2921,8 @@ class OptionalPointerInterpretationTrait {
 
 public:
   bool isCHERICapability() const {
-    return getPointerInterpretation() == PIK_Capability;
+    return getPointerInterpretation() == PIK_Capability ||
+           getPointerInterpretation() == PIK_SealedCapability;
   }
 
   std::optional<PointerInterpretationKind> getPointerInterpretation() const {

clang/include/clang/Basic/Attr.td

@@ -873,6 +873,11 @@ def MinimumStack : InheritableAttr, TargetSpecificAttr<TargetRISCV> {
   let Documentation = [Undocumented];
 }
 
+def CHERISealedCapability : TypeAttr {
+  let Spellings = [CustomKeyword<"__sealed_capability">];
+  let Documentation = [Undocumented];
+}
+
 def InterruptState : InheritableAttr, TargetSpecificAttr<TargetRISCV> {
   let Spellings = [CXX11<"cheriot", "interrupt_state">,
                    C2x<"cheriot", "interrupt_state">,

clang/include/clang/Basic/Builtins.def

@@ -72,6 +72,7 @@
 // D -> volatile
 // R -> restrict
 // m -> memory capability
+// l -> sealed capability
 
 // The third value provided to the macro specifies information about attributes
 // of the function.  These must be kept in sync with the predicates in the
@@ -1699,17 +1700,17 @@ BUILTIN(__builtin_cheri_offset_set, "v*mvC*mY", "nct")
 BUILTIN(__builtin_cheri_perms_and, "v*mvC*mz", "nct")
 BUILTIN(__builtin_cheri_perms_check, "vvC*mCz", "nct")
 BUILTIN(__builtin_cheri_perms_get, "zvC*m", "nct")
-BUILTIN(__builtin_cheri_seal, "v*mvC*mvC*m", "nct")
-BUILTIN(__builtin_cheri_seal_entry, "v*mvC*m", "nct")
-BUILTIN(__builtin_cheri_sealed_get, "bvC*m", "nct")
+BUILTIN(__builtin_cheri_seal, "v*lvC*mvC*m", "nct")
+BUILTIN(__builtin_cheri_seal_entry, "v*lvC*m", "nct")
+BUILTIN(__builtin_cheri_sealed_get, "bvC*l", "nct")
 BUILTIN(__builtin_cheri_subset_test, "bvC*mvC*m", "nct")
 BUILTIN(__builtin_cheri_tag_clear, "v*mvC*m", "nct")
 BUILTIN(__builtin_cheri_tag_get, "bvC*m", "nct")
 BUILTIN(__builtin_cheri_tag_get_temporal, "bvC*m", "nct")
 BUILTIN(__builtin_cheri_top_get, "zvC*m", "nct")
 BUILTIN(__builtin_cheri_type_check, "vvC*mvC*m", "nct")
 BUILTIN(__builtin_cheri_type_get, "YvC*m", "nct")
-BUILTIN(__builtin_cheri_unseal, "v*mvC*mvC*m", "nct")
+BUILTIN(__builtin_cheri_unseal, "v*mvC*lvC*m", "nct")
 
 BUILTIN(__builtin_cheri_callback_create, "v.", "nct")
 

clang/include/clang/Basic/DiagnosticParseKinds.td

@@ -319,8 +319,8 @@ def err_expected_selector_for_method : Error<
   "expected selector for Objective-C method">;
 def err_expected_property_name : Error<"expected property name">;
 
-def warn_cheri_capability_qualifier_location : Warning<
-  "use of __capability before the pointer type is deprecated">,
+def warn_cheri_qualifier_location : Warning<
+  "use of %0 before the pointer type is deprecated">,
   InGroup<DeprecatedDeclarations>;
 
 def err_unexpected_at : Error<"unexpected '@' in program">;

clang/include/clang/Basic/DiagnosticSemaKinds.td

@@ -1336,10 +1336,22 @@ def note_cheri_func_decl_add_types : Note<
 def err_cheri_capability_qualifier_not_supported : Error<
   "use of __capability is not supported without CHERI; "
   "specify an appropriate -march= or -mcpu=">;
-def err_cheri_capability_qualifier_ambiguous : Error<
-  "use of __capability is ambiguous">;
-def err_cheri_capability_qualifier_pointers_only : Error<
-  "__capability only applies to pointers; type here is %0">;
+def err_cheri_sealed_qualifier_not_supported : Error<
+  "use of __sealed_capability is not supported without CHERI; "
+  "specify an appropriate -march= or -mcpu=">;
+def err_cheri_qualifier_ambiguous : Error<
+  "use of %0 is ambiguous">;
+def err_cheri_qualifier_pointers_only : Error<
+  "%0 only applies to pointers; type here is %1">;
+def err_bad_cxx_cast_sealed_qualifier : Error<
+  "%select{const_cast|static_cast|reinterpret_cast|dynamic_cast|C-style cast|"
+  "functional-style cast|addrspace_cast}0 from %1 to %2 changes sealed qualifier">;
+def err_sealed_pointer_cast : Error<
+  "cast from  %0 to %1 changes sealed qualifier">;
+def err_typecheck_expect_sealed_operand : Error<
+  "operand of type %0 where sealed capability is required">;
+def err_typecheck_expect_unsealed_operand : Error<
+  "operand of type %0 where unsealed capability is required">;
 
 def err_objc_var_decl_inclass :
     Error<"cannot declare variable inside @interface or @protocol">;
@@ -7306,6 +7318,20 @@ def err_typecheck_convert_ptr_to_cap_unrelated_type: Error<"cannot implicitly "
   "or explicitly convert non-capability%select{| reference to}2 type %0 to "
   "unrelated capability type %1">;
 
+def err_typecheck_convert_sealed_to_ptr: Error<"converting sealed"
+  "%select{| reference to}2 type %0 to non-sealed type %1 without "
+  "an explicit unsealing">;
+def err_typecheck_convert_ptr_to_sealed: Error<"converting unsealed"
+  "%select{| reference to}2 type %0 to sealed type %1 without "
+  "an explicit sealing">;
+def err_sealed_reference: Error<"reference type %0 cannot be sealed">;
+def err_sealed_bad_operator: Error<"invalid operator applied to sealed type %0">;
+def err_sealed_this_pointer: Error<"sealed type %0 cannot be used as 'this' pointer for non-static method calls">;
+def err_sealed_func_pointer: Error<"sealed type %0 cannot be called">;
+def err_sealed_member_access: Error<"cannot access members of sealed type %0">;
+
+
+
 def warn_uintcap_bitwise_and : Warning<
   "using bitwise and on a capability type may give surprising results; "
   "if this is an alignment check use __builtin_{is_aligned,align_up,align_down}(); "

clang/include/clang/Basic/Features.def

@@ -242,6 +242,8 @@ FEATURE(experimental_library, LangOpts.ExperimentalLibrary)
 FEATURE(capabilities, PP.getTargetInfo().SupportsCapabilities())
 FEATURE(pointer_interpretation, PP.getTargetInfo().SupportsCapabilities())
 FEATURE(cheri_casts, PP.getTargetInfo().SupportsCapabilities())
+// CHERI typed sealed pointers
+EXTENSION(cheri_sealed_pointers, PP.getTargetInfo().SupportsCapabilities())
 
 // C11 features supported by other languages as extensions.
 EXTENSION(c_alignas, true)

clang/include/clang/Basic/TokenKinds.def

@@ -341,6 +341,9 @@ KEYWORD(__cheri_input               , KEYALL)
 // CHERIoT Predefine Expr
 KEYWORD(__cheriot_minimum_stack__   , KEYALL)
 
+// Cheriot Qualifiers
+KEYWORD(__sealed_capability         , KEYALL)
+
 // C++ 2.11p1: Keywords.
 KEYWORD(asm                         , KEYCXX|KEYGNU)
 KEYWORD(bool                        , BOOLSUPPORT|KEYC2X)

clang/include/clang/Parse/Parser.h

@@ -2976,6 +2976,7 @@ class Parser : public CodeCompletionHandler {
   void ParseOpenCLQualifiers(ParsedAttributes &Attrs);
   void ParseNullabilityTypeSpecifiers(ParsedAttributes &attrs);
   void ParseCapabilityQualifier(ParsedAttributes &Attrs);
+  void ParseCheriotSealedQualifier(ParsedAttributes &Attrs);
   void ParseCUDAFunctionAttributes(ParsedAttributes &attrs);
   bool isHLSLQualifier(const Token &Tok) const;
   void ParseHLSLQualifiers(ParsedAttributes &Attrs);

clang/lib/AST/ASTContext.cpp

@@ -11768,14 +11768,15 @@ static QualType DecodeTypeFromStr(const char *&Str, const ASTContext &Context,
     case 'R':
       Type = Type.withRestrict();
       break;
+    case 'l':
     case 'm': {
       Qualifiers Qs = Type.getQualifiers();
       if (const auto *PT = Type->getAs<PointerType>())
         Type = Context.getPointerType(PT->getPointeeType(), PIK_Capability);
       else if (const auto *LRT = Type->getAs<LValueReferenceType>())
-        Type = Context.getLValueReferenceType(LRT->getPointeeTypeAsWritten(),
-                                              LRT->isSpelledAsLValue(),
-                                              PIK_Capability);
+        Type = Context.getLValueReferenceType(
+            LRT->getPointeeTypeAsWritten(), LRT->isSpelledAsLValue(),
+            c == 'l' ? PIK_SealedCapability : PIK_Capability);
       else {
         const auto *BT = Type->getAs<BuiltinType>();
         assert(BT &&

clang/lib/AST/ItaniumMangle.cpp

@@ -3594,7 +3594,10 @@ void CXXNameMangler::mangleType(const SubstTemplateTypeParmPackType *T) {
 
 // <type> ::= P <type>   # pointer-to
 void CXXNameMangler::mangleType(const PointerType *T) {
-  if (Context.shouldMangleCapabilityQualifier() && T->isCHERICapability())
+  if (T->getPointerInterpretation() == PIK_SealedCapability)
+    Out << "U19__sealed_capability";
+  else if (Context.shouldMangleCapabilityQualifier() &&
+           T->getPointerInterpretation() == PIK_Capability)
     Out << "U12__capability";
   Out << 'P';
   mangleType(T->getPointeeType());
@@ -3606,16 +3609,21 @@ void CXXNameMangler::mangleType(const ObjCObjectPointerType *T) {
 
 // <type> ::= R <type>   # reference-to
 void CXXNameMangler::mangleType(const LValueReferenceType *T) {
-  if (Context.shouldMangleCapabilityQualifier() && T->isCHERICapability())
+  if (T->getPointerInterpretation() == PIK_SealedCapability)
+    Out << "U19__sealed_capability";
+  else if (Context.shouldMangleCapabilityQualifier() &&
+           T->getPointerInterpretation() == PIK_Capability)
     Out << "U12__capability";
   Out << 'R';
   mangleType(T->getPointeeType());
 }
 
 // <type> ::= O <type>   # rvalue reference-to (C++0x)
 void CXXNameMangler::mangleType(const RValueReferenceType *T) {
-  if (Context.shouldMangleCapabilityQualifier() && T->isCHERICapability())
+  if (Context.shouldMangleCapabilityQualifier() && T->isCHERICapability()) {
+    assert(T->getPointerInterpretation() != PIK_SealedCapability);
     Out << "U12__capability";
+  }
   Out << 'O';
   mangleType(T->getPointeeType());
 }
@@ -4057,7 +4065,10 @@ void CXXNameMangler::mangleType(const DependentAddressSpaceType *T) {
 }
 
 void CXXNameMangler::mangleType(const DependentPointerType *T) {
-  if (Context.shouldMangleCapabilityQualifier() && T->isCHERICapability())
+  if (T->getPointerInterpretation() == PIK_SealedCapability)
+    Out << "U19__sealed_capability";
+  else if (Context.shouldMangleCapabilityQualifier() &&
+           T->getPointerInterpretation() == PIK_Capability)
     Out << "U12__capability";
   mangleType(T->getPointerType());
 }

clang/lib/AST/QualTypeNames.cpp

@@ -379,12 +379,11 @@ QualType getFullyQualifiedType(QualType QT, const ASTContext &Ctx,
                                bool WithGlobalNsPrefix) {
   // In case of myType* we need to strip the pointer first, fully
   // qualify and attach the pointer once again.
-  if (isa<PointerType>(QT.getTypePtr())) {
+  if (const auto *PT = dyn_cast<PointerType>(QT.getTypePtr())) {
     // Get the qualifiers.
     Qualifiers Quals = QT.getQualifiers();
     QT = getFullyQualifiedType(QT->getPointeeType(), Ctx, WithGlobalNsPrefix);
-    QT = Ctx.getPointerType(QT, QT->isCHERICapabilityType(Ctx)
-                                    ? PIK_Capability : PIK_Integer);
+    QT = Ctx.getPointerType(QT, PT->getPointerInterpretation());
     // Add back the qualifiers.
     QT = Ctx.getQualifiedType(QT, Quals);
     return QT;

clang/lib/AST/Type.cpp

@@ -650,6 +650,17 @@ bool Type::isCHERICapabilityType(const ASTContext &Context,
   return false;
 }
 
+bool Type::isCHERISealedCapabilityType(const ASTContext &Context) const {
+  if (!isCHERICapabilityType(Context, false))
+    return false;
+
+  const PointerType *PT = getAs<PointerType>();
+  if (!PT)
+    return false;
+
+  return PT->getPointerInterpretation() == PIK_SealedCapability;
+}
+
 bool Type::isIntCapType() const {
   if (const BuiltinType *BT = dyn_cast<BuiltinType>(CanonicalType))
     return BT->getKind() == BuiltinType::IntCap ||

clang/lib/AST/TypePrinter.cpp

@@ -353,20 +353,27 @@ void TypePrinter::printBefore(const Type *T,Qualifiers Quals, raw_ostream &OS) {
   }
 
   // Print __capability
-  if (!Policy.SuppressCapabilityQualifier) {
-    if (const PointerType *PTy = dyn_cast<PointerType>(T)) {
-      if (PTy->getPointerInterpretation() == PIK_Capability) {
-        OS << " __capability";
-        if (hasAfterQuals || !PrevPHIsEmpty.get())
-          OS << " ";
-      }
+  if (const PointerType *PTy = dyn_cast<PointerType>(T)) {
+    if (PTy->getPointerInterpretation() == PIK_Capability &&
+        !Policy.SuppressCapabilityQualifier) {
+      OS << " __capability";
+      if (hasAfterQuals || !PrevPHIsEmpty.get())
+        OS << " ";
+    } else if (PTy->getPointerInterpretation() == PIK_SealedCapability) {
+      OS << " __sealed_capability";
+      if (hasAfterQuals || !PrevPHIsEmpty.get())
+        OS << " ";
     }
-    else if (const ReferenceType *RTy = dyn_cast<ReferenceType>(T)) {
-      if (RTy->getPointerInterpretation() == PIK_Capability) {
-        OS << " __capability";
-        if (hasAfterQuals || !PrevPHIsEmpty.get())
-          OS << " ";
-      }
+  } else if (const ReferenceType *RTy = dyn_cast<ReferenceType>(T)) {
+    if (RTy->getPointerInterpretation() == PIK_Capability &&
+        !Policy.SuppressCapabilityQualifier) {
+      OS << " __capability";
+      if (hasAfterQuals || !PrevPHIsEmpty.get())
+        OS << " ";
+    } else if (RTy->getPointerInterpretation() == PIK_SealedCapability) {
+      OS << " __sealed_capability";
+      if (hasAfterQuals || !PrevPHIsEmpty.get())
+        OS << " ";
     }
   }
 
@@ -651,10 +658,11 @@ void TypePrinter::printDependentPointerBefore(
 
 void TypePrinter::printDependentPointerAfter(
     const DependentPointerType *T, raw_ostream &OS) {
-  if (!Policy.SuppressCapabilityQualifier) {
-    if (T->getPointerInterpretation() == PIK_Capability) {
-      OS << " __capability";
-    }
+  if (T->getPointerInterpretation() == PIK_Capability &&
+      !Policy.SuppressCapabilityQualifier) {
+    OS << " __capability";
+  } else if (T->getPointerInterpretation() == PIK_SealedCapability) {
+    OS << " __sealed_capability";
   }
   printAfter(T->getPointerType(), OS);
 }
@@ -1858,6 +1866,7 @@ void TypePrinter::printAttributedAfter(const AttributedType *T,
   case attr::SPtr:
   case attr::UPtr:
   case attr::CHERICapability:
+  case attr::CHERISealedCapability:
   case attr::AddressSpace:
   case attr::CmseNSCall:
   case attr::AnnotateType:

clang/lib/Format/Format.cpp

@@ -1419,6 +1419,7 @@ FormatStyle getLLVMStyle(FormatStyle::LanguageKind Language) {
   LLVMStyle.AlwaysBreakBeforeMultilineStrings = false;
   LLVMStyle.AlwaysBreakTemplateDeclarations = FormatStyle::BTDS_MultiLine;
   LLVMStyle.AttributeMacros.push_back("__capability");
+  LLVMStyle.AttributeMacros.push_back("__sealed_capability");
   LLVMStyle.BitFieldColonSpacing = FormatStyle::BFCS_Both;
   LLVMStyle.BinPackArguments = true;
   LLVMStyle.BinPackParameters = true;

clang/lib/Format/FormatToken.h

@@ -628,7 +628,8 @@ struct FormatToken {
     return isOneOf(tok::kw_const, tok::kw_restrict, tok::kw_volatile,
                    tok::kw___attribute, tok::kw__Nonnull, tok::kw__Nullable,
                    tok::kw__Null_unspecified, tok::kw___ptr32, tok::kw___ptr64,
-                   tok::kw___capability, tok::kw___funcref, TT_AttributeMacro);
+                   tok::kw___capability, tok::kw___funcref, TT_AttributeMacro,
+                   tok::kw___sealed_capability);
   }
 
   /// Determine whether the token is a simple-type-specifier.