1. CHERI C/C++ Programming Guide
2. 1. Introduction
3. 1. 1.1. Definitions
   2. 1.2. Version history
4. 2. Background
5. 1. 2.1. CHERI capabilities
   2. 2.2. Architectural rules for capability use
6. 3. CHERI C/C++
7. 1. 3.1. The CHERI C/C++ run-time environment
   2. 3.2. Referential, spatial, and temporal safety
   3. 3.3. Non-aliasing vs trapping memory safety
8. 4. Impact on the C/C++ programming model
9. 1. 4.1. Capability-related faults
   2. 4.2. Pointer provenance validity
   3. 1. 4.2.1. Recommended use of C-language types
      2. 4.2.2. Capability alignment in memory
      3. 4.2.3. Single-origin provenance
   4. 4.3. Bounds
   5. 1. 4.3.1. Bounds from the compiler and linker
      2. 4.3.2. Bounds from the heap allocator
      3. 4.3.3. Subobject bounds
      4. 4.3.4. Other sources of bounds
      5. 4.3.5. Out-of-bounds pointers
   6. 4.4. Pointer comparison
   7. 4.5. Implications of capability revocation for temporal safety
   8. 4.6. Bitwise operations on capability types
   9. 4.7. Function prototypes and calling conventions
   10. 4.8. Data-structure and memory-allocation alignment
   11. 1. 4.8.1. Restrictions in capability locations in memory
10. 5. CHERI compiler warnings and errors
11. 1. 5.1. Loss of provenance
    2. 5.2. Ambiguous provenance
    3. 5.3. Underaligned capabilities
12. 6. C APIs to get and set capability properties
13. 1. 6.1. CHERI-related header files
    2. 6.2. Retrieving capability properties
    3. 6.3. Modifying or restricting capability properties
    4. 6.4. Capability permissions
    5. 6.5. Bounds alignment due to compression
    6. 6.6. Implications for memory-allocator design
14. 7. Printing capabilities from C
15. 1. 7.1. Generating string representations of capabilities
    2. 7.2. Printing capabilities with the printf(3) API family
16. 8. The CheriABI POSIX process environment
17. 1. 8.1. POSIX API changes
    2. 8.2. Handling capability-related signals
    3. 8.3. Revocation APIs
18. 9. Further reading
19. 10. Acknowledgements