- CHERI C/C++ Programming Guide
- 1. Introduction
- 1.1. Definitions
- 1.2. Version history
- 2. Background
- 2.1. CHERI capabilities
- 2.2. Architectural rules for capability use
- 3. CHERI C/C++
- 3.1. The CHERI C/C++ run-time environment
- 3.2. Referential, spatial, and temporal safety
- 3.3. Non-aliasing vs trapping memory safety
- 4. Impact on the C/C++ programming model
- 4.1. Capability-related faults
- 4.2. Pointer provenance validity
- 4.2.1. Recommended use of C-language types
- 4.2.2. Capability alignment in memory
- 4.2.3. Single-origin provenance
- 4.3. Capability representation in memory
- 4.4. Bounds
- 4.4.1. Bounds from the compiler and linker
- 4.4.2. Bounds from the heap allocator
- 4.4.3. Subobject bounds
- 4.4.4. Other sources of bounds
- 4.4.5. Out-of-bounds pointers
- 4.5. Pointer comparison
- 4.6. Implications of capability revocation for temporal safety
- 4.7. Bitwise operations on capability types
- 4.8. Function prototypes and calling conventions
- 4.9. Data-structure and memory-allocation alignment
- 4.9.1. Restrictions in capability locations in memory
- 5. CHERI compiler warnings and errors
- 5.1. Loss of provenance
- 5.2. Ambiguous provenance
- 5.3. Underaligned capabilities
- 6. C APIs to get and set capability properties
- 6.1. CHERI-related header files
- 6.2. Retrieving capability properties
- 6.3. Modifying or restricting capability properties
- 6.4. Capability permissions
- 6.5. Bounds alignment due to compression
- 6.6. Implications for memory-allocator design
- 7. Printing capabilities from C
- 7.1. Generating string representations of capabilities
- 7.2. Printing capabilities with the printf(3) API family
- 8. The CheriABI POSIX process environment
- 8.1. POSIX API changes
- 8.2. Handling capability-related signals
- 8.3. Revocation APIs
- 9. Further reading
- 10. Acknowledgements