[clang] [BoundsSafety] Allow 'counted_by' attribute on pointers in structs in C (PR #90786)

[via cfe-commits]

apple-fcloutier wrote:

I think that there's room to allow `__counted_by` on incomplete types so that a TU where it's complete could use it (and we have use cases where that would be handy), but our implementation doesn't support it at this time. This can be added without disruptions at a later time. FWIW, the point of bounds-checking an index is moot at least while the type is incomplete, since it's an error to dereference a pointer to an incomplete type. Aside from indexing, operations that would cast the pointer (such as `memset(x->foo, 0, some_value)`, assuming `memset(void *__sized_by(n), int, size_t n)`) would still have to be illegal when `struct foo` is incomplete because there's no way to know how many bytes we have at x->foo without `sizeof(struct foo)`.

`void *__counted_by` could be made legal because clang defines `sizeof(void) == 1` in C mode, as an extension to the C standard. I think it's still best avoided: "how many voids do I have at p?" is not a great question to ask, whereas the same with `__sized_by` just makes sense. It's also a little bit easier to filter out `void` with the rest of the incomplete types.

For structs with a flexible array member, the reason is that `sizeof(struct bar)` is a lie. How would we reconcile, for instance, a count of 1 (implying there's like 4 bytes at `x->bar`) with a `x->bar->a` of 10 (implying that `x->bar->fam[8]` is in bounds)? How do we feel that `x->bar[0]->fam[0]` aliases with `x->bar[1]->a`?

https://github.com/llvm/llvm-project/pull/90786