
Disallow casts between incompatible checked pointer types in checked scopes? #1114

Open
mattmccutchen-cci opened this issue Jul 1, 2021 · 0 comments
Labels
bug This labels issues that are bugs. priority:3 This labels bugs that are not very critical but still need to be addressed.

Comments

@mattmccutchen-cci
Member

Something for your future consideration (not urgent):

The ability to cast between incompatible types containing checked pointers, even in a checked scope, is probably the most obvious remaining soundness hole in Checked C. An example (just to make it completely clear what I mean):

#pragma CHECKED_SCOPE on

int main(void) {
  long l = 12345;
  _Ptr<long> pl = &l;
  // Accepted today even in a checked scope: pl is reinterpreted as a pointer to a pointer.
  _Ptr<_Ptr<long>> ppl = (_Ptr<_Ptr<long>>)pl;
  // *ppl reads the long value 12345 stored in l as a _Ptr<long>; writing through it faults.
  **ppl = 67890;  // SEGV
  return 0;
}

Now that we have a distinction between _Checked and _Checked _Bounds_only scopes and are pursuing full type safety for the former, I think it probably makes sense to just disallow these casts in _Checked scopes. It seems reasonable to require the programmer to put an _Unchecked block around the cast, just as they have to do for many other kinds of unsafe operations.

Of course, this would break existing Checked C code, so we'd have to think about how to manage the compatibility problems. Maybe it's time to introduce a concept of Checked C "language standard" versions, analogous to the existing -std option for C language standard versions, so that users can enable stricter checking when they are ready to update their code.
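As an added example (not from the issue or the Checked C project): the type-correct way to obtain a _Ptr<_Ptr<long>> without any cast, beside the issue's cast written inside the _Unchecked block the proposal would require. It assumes the Checked C clang and its _Unchecked block syntax.

```checkedc
#pragma CHECKED_SCOPE on

// Type-correct version of the issue's program: ppl really points to a _Ptr<long>.
// No cast is involved, so nothing changes for this code under the proposed rule.
long write_through_correct_ptr(void) {
  long l = 12345;
  _Ptr<long> pl = &l;
  _Ptr<_Ptr<long>> ppl = &pl;   // address of the pointer variable, not a reinterpretation
  **ppl = 67890;                // updates l through two valid checked pointers
  return l;                     // 67890
}

// The issue's cast, written the way the proposal would require: the programmer opts
// out of checking explicitly, so the unsafe reinterpretation is visible to reviewers
// and easy to find with a search for _Unchecked. This only shows the form; calling
// it still faults, because *ppl is the value 12345 read as a pointer.
long write_through_cast(void) {
  long l = 12345;
  _Ptr<long> pl = &l;
  _Ptr<_Ptr<long>> ppl = 0;
  _Unchecked {
    ppl = (_Ptr<_Ptr<long>>)pl;  // today: accepted in the checked scope; proposed: only here
  }
  **ppl = 67890;                 // SEGV, exactly as in the issue's example
  return l;
}
```

Only the first function is safe to call; the second exists to show where the cast would have to live under the proposal.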

@sulekhark sulekhark added bug This labels issues that are bugs. priority:3 This labels bugs that are not very critical but still need to be addressed. labels Jul 7, 2021