Restrict taking addresses of variables that have bounds expressions.

[dtarditi]

This is described in the last paragraph of Section 3.1 of version 0.6 of the Checked C specification. We need to enforce this restriction.

We do allow the addresses of variables to be taken in bounds expressions. However, the address cannot be used to access memory in the bounds expression. It would be sufficient for now to not allow any dereference operators in the bounds expression. We also need to enforce this ussue.

[dtarditi]

We should relax or clarify the requirements in the specification. The specific requirement is that pointer created by an address-taken expression cannot be used to modify or read memory. So using the resulting address only in a comparison or a bounds expression is OK.

[mattmccutchen-cci]

It looks like the compiler still doesn't enforce the restriction on taking the address of a variable used in a bounds declaration. Example:

#pragma CHECKED_SCOPE on

#include <stdlib.h>

int main(void) {
  size_t len = 1000;
  _Array_ptr<char> p : count(len) = malloc<char>(1000);
  _Ptr<size_t> plen = &len;
  *plen = 100000000;
  for (size_t i = 0; i < len; i++)
    p[i]++;  // SIGSEGV
  return 0;
}

Based on the description of #490, I'm assuming that case still falls under this issue. David, would you be willing to update the issue title to make this clearer?