[CHERI] Add a sealed type annotation (#109)

This allows us to disallow dereferences and pointer indexing on
sealed capabilities at compile time.

Builtins that introspect capabilities can all work on a sealed or
unsealed capability.

Builtins that mutate capabilities are all disallowed on sealed
capabilities, with the exception of clear-tag (which works on sealed or
unsealed things).

Reinterpret cast and C-style (explicit) casts are allowed.  Anyone who
does an explicit unsafe cast should know what they're doing *anyway*
this is another case of that.

Implicit casts are also permitted to `void*`.  This avoids needing new
overloads for things that treat `void*` as opaque values.  Casting back
from `void*` to something useful already requires a dangerous explicit
cast and you should know what you're doing if you do that.

Also adds a __has_extension check for the sealed type qualifier.

Co-authored-by: Owen Anderson <[email protected]>

Author: davidchisnall

clang/include/clang/AST/Type.h

@@ -1565,6 +1565,9 @@ enum PointerInterpretationKind {
 
   /// The pointer should always be interpreted as an integer.
   PIK_Integer,
+
+  /// The pointer should be interpreted as a sealed capability.
+  PIK_SealedCapability,
 };
 
 /// The base class of the type hierarchy.
@@ -1663,7 +1666,7 @@ class alignas(8) Type : public ExtQualsTypeCommonBase {
 
     /// The interpretation (PointerInterpretationKind) to use for this array.
     /// For function parameters only.
-    unsigned PIK : 1;
+    unsigned PIK : 2;
 
     /// Whether the pointer interpretation for this array is set.
     unsigned HasPIK : 1;
@@ -1672,7 +1675,7 @@ class alignas(8) Type : public ExtQualsTypeCommonBase {
   class ConstantArrayTypeBitfields {
     friend class ConstantArrayType;
 
-    unsigned : NumTypeBits + 3 + 3 + 2;
+    unsigned : NumTypeBits + 3 + 3 + 3;
 
     /// Whether we have a stored size expression.
     unsigned HasStoredSizeExpr : 1;
@@ -1759,7 +1762,7 @@ class alignas(8) Type : public ExtQualsTypeCommonBase {
     unsigned : NumTypeBits;
 
     /// The interpretation (PointerInterpretationKind) to use for this pointer.
-    unsigned PIK : 1;
+    unsigned PIK : 2;
   };
 
   class DependentPointerTypeBitfields {
@@ -1768,7 +1771,7 @@ class alignas(8) Type : public ExtQualsTypeCommonBase {
     unsigned : NumTypeBits;
 
     /// The interpretation (PointerInterpretationKind) to use for this pointer.
-    unsigned PIK : 1;
+    unsigned PIK : 2;
   };
 
   class ReferenceTypeBitfields {
@@ -1778,7 +1781,7 @@ class alignas(8) Type : public ExtQualsTypeCommonBase {
 
     /// The interpretation (PointerInterpretationKind) to use for the pointer
     /// backing this reference type.
-    unsigned PIK : 1;
+    unsigned PIK : 2;
 
     /// True if the type was originally spelled with an lvalue sigil.
     /// This is never true of rvalue references but can also be false
@@ -2239,6 +2242,9 @@ class alignas(8) Type : public ExtQualsTypeCommonBase {
   /// pointers.
   bool isCHERICapabilityType(const ASTContext &Context,
                              bool IncludeIntCap = true) const;
+
+  /// Returns true if this type is a Cheriot sealed capability.
+  bool isCHERISealedCapabilityType(const ASTContext &Context) const;
   /// Returns true for __uintcap_t or __intcap_t (and enums/_Atomic with that
   /// underlying type)
   bool isIntCapType() const;
@@ -2898,7 +2904,8 @@ class PointerInterpretationTrait {
 
 public:
   bool isCHERICapability() const {
-    return getPointerInterpretation() == PIK_Capability;
+    return getPointerInterpretation() == PIK_Capability ||
+           getPointerInterpretation() == PIK_SealedCapability;
   }
 
   PointerInterpretationKind getPointerInterpretation() const {
@@ -2914,7 +2921,8 @@ class OptionalPointerInterpretationTrait {
 
 public:
   bool isCHERICapability() const {
-    return getPointerInterpretation() == PIK_Capability;
+    return getPointerInterpretation() == PIK_Capability ||
+           getPointerInterpretation() == PIK_SealedCapability;
   }
 
   std::optional<PointerInterpretationKind> getPointerInterpretation() const {

clang/include/clang/Basic/Attr.td

@@ -873,6 +873,11 @@ def MinimumStack : InheritableAttr, TargetSpecificAttr<TargetRISCV> {
   let Documentation = [Undocumented];
 }
 
+def CHERISealedCapability : TypeAttr {
+  let Spellings = [CustomKeyword<"__sealed_capability">];
+  let Documentation = [Undocumented];
+}
+
 def InterruptState : InheritableAttr, TargetSpecificAttr<TargetRISCV> {
   let Spellings = [CXX11<"cheriot", "interrupt_state">,
                    C2x<"cheriot", "interrupt_state">,

clang/include/clang/Basic/Builtins.def

@@ -72,6 +72,7 @@
 // D -> volatile
 // R -> restrict
 // m -> memory capability
+// l -> sealed capability
 
 // The third value provided to the macro specifies information about attributes
 // of the function.  These must be kept in sync with the predicates in the
@@ -1699,17 +1700,17 @@ BUILTIN(__builtin_cheri_offset_set, "v*mvC*mY", "nct")
 BUILTIN(__builtin_cheri_perms_and, "v*mvC*mz", "nct")
 BUILTIN(__builtin_cheri_perms_check, "vvC*mCz", "nct")
 BUILTIN(__builtin_cheri_perms_get, "zvC*m", "nct")
-BUILTIN(__builtin_cheri_seal, "v*mvC*mvC*m", "nct")
-BUILTIN(__builtin_cheri_seal_entry, "v*mvC*m", "nct")
-BUILTIN(__builtin_cheri_sealed_get, "bvC*m", "nct")
+BUILTIN(__builtin_cheri_seal, "v*lvC*mvC*m", "nct")
+BUILTIN(__builtin_cheri_seal_entry, "v*lvC*m", "nct")
+BUILTIN(__builtin_cheri_sealed_get, "bvC*l", "nct")
 BUILTIN(__builtin_cheri_subset_test, "bvC*mvC*m", "nct")
 BUILTIN(__builtin_cheri_tag_clear, "v*mvC*m", "nct")
 BUILTIN(__builtin_cheri_tag_get, "bvC*m", "nct")
 BUILTIN(__builtin_cheri_tag_get_temporal, "bvC*m", "nct")
 BUILTIN(__builtin_cheri_top_get, "zvC*m", "nct")
 BUILTIN(__builtin_cheri_type_check, "vvC*mvC*m", "nct")
 BUILTIN(__builtin_cheri_type_get, "YvC*m", "nct")
-BUILTIN(__builtin_cheri_unseal, "v*mvC*mvC*m", "nct")
+BUILTIN(__builtin_cheri_unseal, "v*mvC*lvC*m", "nct")
 
 BUILTIN(__builtin_cheri_callback_create, "v.", "nct")
 

clang/include/clang/Basic/DiagnosticParseKinds.td

@@ -319,8 +319,8 @@ def err_expected_selector_for_method : Error<
   "expected selector for Objective-C method">;
 def err_expected_property_name : Error<"expected property name">;
 
-def warn_cheri_capability_qualifier_location : Warning<
-  "use of __capability before the pointer type is deprecated">,
+def warn_cheri_qualifier_location : Warning<
+  "use of %0 before the pointer type is deprecated">,
   InGroup<DeprecatedDeclarations>;
 
 def err_unexpected_at : Error<"unexpected '@' in program">;

clang/include/clang/Basic/DiagnosticSemaKinds.td

@@ -1336,10 +1336,22 @@ def note_cheri_func_decl_add_types : Note<
 def err_cheri_capability_qualifier_not_supported : Error<
   "use of __capability is not supported without CHERI; "
   "specify an appropriate -march= or -mcpu=">;
-def err_cheri_capability_qualifier_ambiguous : Error<
-  "use of __capability is ambiguous">;
-def err_cheri_capability_qualifier_pointers_only : Error<
-  "__capability only applies to pointers; type here is %0">;
+def err_cheri_sealed_qualifier_not_supported : Error<
+  "use of __sealed_capability is not supported without CHERI; "
+  "specify an appropriate -march= or -mcpu=">;
+def err_cheri_qualifier_ambiguous : Error<
+  "use of %0 is ambiguous">;
+def err_cheri_qualifier_pointers_only : Error<
+  "%0 only applies to pointers; type here is %1">;
+def err_bad_cxx_cast_sealed_qualifier : Error<
+  "%select{const_cast|static_cast|reinterpret_cast|dynamic_cast|C-style cast|"
+  "functional-style cast|addrspace_cast}0 from %1 to %2 changes sealed qualifier">;
+def err_sealed_pointer_cast : Error<
+  "cast from  %0 to %1 changes sealed qualifier">;
+def err_typecheck_expect_sealed_operand : Error<
+  "operand of type %0 where sealed capability is required">;
+def err_typecheck_expect_unsealed_operand : Error<
+  "operand of type %0 where unsealed capability is required">;
 
 def err_objc_var_decl_inclass :
     Error<"cannot declare variable inside @interface or @protocol">;
@@ -7306,6 +7318,20 @@ def err_typecheck_convert_ptr_to_cap_unrelated_type: Error<"cannot implicitly "
   "or explicitly convert non-capability%select{| reference to}2 type %0 to "
   "unrelated capability type %1">;
 
+def err_typecheck_convert_sealed_to_ptr: Error<"converting sealed"
+  "%select{| reference to}2 type %0 to non-sealed type %1 without "
+  "an explicit unsealing">;
+def err_typecheck_convert_ptr_to_sealed: Error<"converting unsealed"
+  "%select{| reference to}2 type %0 to sealed type %1 without "
+  "an explicit sealing">;
+def err_sealed_reference: Error<"reference type %0 cannot be sealed">;
+def err_sealed_bad_operator: Error<"invalid operator applied to sealed type %0">;
+def err_sealed_this_pointer: Error<"sealed type %0 cannot be used as 'this' pointer for non-static method calls">;
+def err_sealed_func_pointer: Error<"sealed type %0 cannot be called">;
+def err_sealed_member_access: Error<"cannot access members of sealed type %0">;
+
+
+
 def warn_uintcap_bitwise_and : Warning<
   "using bitwise and on a capability type may give surprising results; "
   "if this is an alignment check use __builtin_{is_aligned,align_up,align_down}(); "

clang/include/clang/Basic/Features.def

@@ -242,6 +242,8 @@ FEATURE(experimental_library, LangOpts.ExperimentalLibrary)
 FEATURE(capabilities, PP.getTargetInfo().SupportsCapabilities())
 FEATURE(pointer_interpretation, PP.getTargetInfo().SupportsCapabilities())
 FEATURE(cheri_casts, PP.getTargetInfo().SupportsCapabilities())
+// CHERI typed sealed pointers
+EXTENSION(cheri_sealed_pointers, PP.getTargetInfo().SupportsCapabilities())
 
 // C11 features supported by other languages as extensions.
 EXTENSION(c_alignas, true)

clang/include/clang/Basic/TokenKinds.def

@@ -341,6 +341,9 @@ KEYWORD(__cheri_input               , KEYALL)
 // CHERIoT Predefine Expr
 KEYWORD(__cheriot_minimum_stack__   , KEYALL)
 
+// Cheriot Qualifiers
+KEYWORD(__sealed_capability         , KEYALL)
+
 // C++ 2.11p1: Keywords.
 KEYWORD(asm                         , KEYCXX|KEYGNU)
 KEYWORD(bool                        , BOOLSUPPORT|KEYC2X)

clang/include/clang/Parse/Parser.h

@@ -2976,6 +2976,7 @@ class Parser : public CodeCompletionHandler {
   void ParseOpenCLQualifiers(ParsedAttributes &Attrs);
   void ParseNullabilityTypeSpecifiers(ParsedAttributes &attrs);
   void ParseCapabilityQualifier(ParsedAttributes &Attrs);
+  void ParseCheriotSealedQualifier(ParsedAttributes &Attrs);
   void ParseCUDAFunctionAttributes(ParsedAttributes &attrs);
   bool isHLSLQualifier(const Token &Tok) const;
   void ParseHLSLQualifiers(ParsedAttributes &Attrs);

clang/lib/AST/ASTContext.cpp

@@ -11768,14 +11768,15 @@ static QualType DecodeTypeFromStr(const char *&Str, const ASTContext &Context,
     case 'R':
       Type = Type.withRestrict();
       break;
+    case 'l':
     case 'm': {
       Qualifiers Qs = Type.getQualifiers();
       if (const auto *PT = Type->getAs<PointerType>())
         Type = Context.getPointerType(PT->getPointeeType(), PIK_Capability);
       else if (const auto *LRT = Type->getAs<LValueReferenceType>())
-        Type = Context.getLValueReferenceType(LRT->getPointeeTypeAsWritten(),
-                                              LRT->isSpelledAsLValue(),
-                                              PIK_Capability);
+        Type = Context.getLValueReferenceType(
+            LRT->getPointeeTypeAsWritten(), LRT->isSpelledAsLValue(),
+            c == 'l' ? PIK_SealedCapability : PIK_Capability);
       else {
         const auto *BT = Type->getAs<BuiltinType>();
         assert(BT &&

clang/lib/AST/ItaniumMangle.cpp

@@ -3594,7 +3594,10 @@ void CXXNameMangler::mangleType(const SubstTemplateTypeParmPackType *T) {
 
 // <type> ::= P <type>   # pointer-to
 void CXXNameMangler::mangleType(const PointerType *T) {
-  if (Context.shouldMangleCapabilityQualifier() && T->isCHERICapability())
+  if (T->getPointerInterpretation() == PIK_SealedCapability)
+    Out << "U19__sealed_capability";
+  else if (Context.shouldMangleCapabilityQualifier() &&
+           T->getPointerInterpretation() == PIK_Capability)
     Out << "U12__capability";
   Out << 'P';
   mangleType(T->getPointeeType());
@@ -3606,16 +3609,21 @@ void CXXNameMangler::mangleType(const ObjCObjectPointerType *T) {
 
 // <type> ::= R <type>   # reference-to
 void CXXNameMangler::mangleType(const LValueReferenceType *T) {
-  if (Context.shouldMangleCapabilityQualifier() && T->isCHERICapability())
+  if (T->getPointerInterpretation() == PIK_SealedCapability)
+    Out << "U19__sealed_capability";
+  else if (Context.shouldMangleCapabilityQualifier() &&
+           T->getPointerInterpretation() == PIK_Capability)
     Out << "U12__capability";
   Out << 'R';
   mangleType(T->getPointeeType());
 }
 
 // <type> ::= O <type>   # rvalue reference-to (C++0x)
 void CXXNameMangler::mangleType(const RValueReferenceType *T) {
-  if (Context.shouldMangleCapabilityQualifier() && T->isCHERICapability())
+  if (Context.shouldMangleCapabilityQualifier() && T->isCHERICapability()) {
+    assert(T->getPointerInterpretation() != PIK_SealedCapability);
     Out << "U12__capability";
+  }
   Out << 'O';
   mangleType(T->getPointeeType());
 }
@@ -4057,7 +4065,10 @@ void CXXNameMangler::mangleType(const DependentAddressSpaceType *T) {
 }
 
 void CXXNameMangler::mangleType(const DependentPointerType *T) {
-  if (Context.shouldMangleCapabilityQualifier() && T->isCHERICapability())
+  if (T->getPointerInterpretation() == PIK_SealedCapability)
+    Out << "U19__sealed_capability";
+  else if (Context.shouldMangleCapabilityQualifier() &&
+           T->getPointerInterpretation() == PIK_Capability)
     Out << "U12__capability";
   mangleType(T->getPointerType());
 }