Description
Something for your future consideration (not urgent):
The ability to cast between incompatible types containing checked pointers, even in a checked scope, is probably the most obvious remaining soundness hole in Checked C. An example (just to make it completely clear what I mean):
```c
#pragma CHECKED_SCOPE on
int main(void) {
    long l = 12345;
    _Ptr<long> pl = &l;
    // The cast below is accepted even though the types are incompatible.
    _Ptr<_Ptr<long>> ppl = (_Ptr<_Ptr<long>>)pl;
    // *ppl reads the bits of l (12345) as a pointer; storing through it faults.
    **ppl = 67890; // SEGV
    return 0;
}
```
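To make the mechanics of the hole visible without a Checked C compiler, here is a plain C reconstruction (added example, not code from the issue or the Checked C project): the same cast is performed with ordinary pointer types, and instead of storing through the confused pointer the example returns the address it would have stored through, so the result can be inspected safely. `intptr_t` stands in for the issue's `long` so the object is exactly pointer-sized on every platform, and the cast is placed in a separate non-inlined function so the compiler cannot optimise the type confusion away. The second function shows the sound way to obtain a pointer-to-pointer, which needs no cast at all.

```c
#include <stdint.h>

/* The cast from the issue: a pointer-to-integer is reinterpreted as a
 * pointer-to-pointer-to-integer. Kept out of line so the compiler treats
 * the load as an ordinary memory read rather than folding it away. */
__attribute__((noinline))
static uintptr_t confused_inner_pointer(void *pl_as_void) {
    intptr_t **ppl = (intptr_t **)pl_as_void;  /* incompatible cast */
    /* What looks like "the inner pointer" is really the integer's bits. */
    return (uintptr_t)*ppl;
}

/* Mirrors the issue's program up to the point just before the SEGV:
 * returns the address that `**ppl = 67890` would write to. */
uintptr_t unsound_cast_yields_garbage_address(void) {
    intptr_t l = 12345;
    intptr_t *pl = &l;
    return confused_inner_pointer(pl);  /* yields 12345, not a valid address */
}

/* The sound version: take the address of the pointer object itself.
 * No cast is needed, and the write lands in l as intended. */
intptr_t sound_pointer_to_pointer(void) {
    intptr_t l = 12345;
    intptr_t *pl = &l;
    intptr_t **ppl = &pl;
    **ppl = 67890;
    return l;
}
```

The first function returning `12345` is the whole problem in one number: after the cast the type system believes `*ppl` is a checked pointer, but its value is whatever integer happened to be stored in `l`, so the bounds and null checks that normally protect a `_Ptr` have nothing meaningful to check. Disallowing the cast in `_Checked` scopes (or requiring it to sit in an `_Unchecked` block, as the issue proposes) forces the programmer to either take the sound route shown in the second function or explicitly mark the spot where the guarantee is given up.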
Now that we have a distinction between `_Checked` and `_Checked _Bounds_only` scopes and are pursuing full type safety for the former, I think it probably makes sense to just disallow these casts in `_Checked` scopes. It seems reasonable to require the programmer to put an `_Unchecked` block around the cast, just as they have to do for many other kinds of unsafe operations.
Of course, this would break existing Checked C code, so we'd have to think about how to manage the compatibility problems. Maybe it's time to introduce a concept of Checked C "language standard" versions, analogous to the existing `-std` option for C language standard versions, so that users can enable stricter checking when they are ready to update their code.