This is an archive of the discontinued LLVM Phabricator instance.

Differential D67865

[clang-tidy] Finds uses of OSRead* calls on macOS that may mask unexpected behavior due to unaligned reads
Needs ReviewPublic

Authored by dmaclach on Sep 20 2019, 2:40 PM.

Details

Reviewers
gribozavr
Summary

We ran into a problem in protocol buffers recently when compiling with Xcode 11 that caused crashes on 32 bit ARM architectures due to undefined behavior caused by OSRead* calls in OSByteOrder.h when reading unaligned addresses.

These potential errors can easily be fixed by replacing the OSRead* call with a memcpy and then a OSSwap{Big|Little}ToHostInt{16|32|64}.

Diff Detail

Event Timeline

dmaclach created this revision.Sep 20 2019, 2:40 PM
Herald added a project: Restricted Project. · View Herald TranscriptSep 20 2019, 2:40 PM
Herald added subscribers: cfe-commits, kristof.beyls, xazax.hun, mgorny. · View Herald Transcript
Eugene.Zelenko added a subscriber: Eugene.Zelenko.Sep 20 2019, 5:09 PM
Eugene.Zelenko added inline comments.
clang-tidy/objc/AvoidOSReadCheck.cpp
22

Please add check if language is Objective-C.

docs/ReleaseNotes.rst
103

Please enclose OSRead* in double back-ticks.

docs/clang-tidy/checks/objc-avoid-osread.rst
7

Please synchronize with sentence in Release Notes.

30

Please separate with empty line.

Eugene.Zelenko added inline comments.Sep 20 2019, 5:10 PM
clang-tidy/objc/AvoidOSReadCheck.h
6

License was changed this year. Same in source file.

dmaclach updated this revision to Diff 221420.Sep 23 2019, 3:07 PM

Fixed up review comments.

dmaclach marked 5 inline comments as done.Sep 23 2019, 3:10 PM
dmaclach added inline comments.
clang-tidy/objc/AvoidOSReadCheck.cpp
22

So this isn't specific to Objective C, and applies to all C based languages. This is more Darwin specific. I based this CL on the AvoidSpinlockCheck which is very similar in this respect. If we want to do clean up on this later we should probably do them together.

docs/clang-tidy/checks/objc-avoid-osread.rst
7

Done. I coped this version into the release notes.

Eugene.Zelenko added inline comments.Sep 23 2019, 3:31 PM
docs/clang-tidy/checks/objc-avoid-osread.rst
27

Please highlight OSRead* and libkern/OSByteOrder.h with double back-ticks. Please also make lines no more then 80 characters long.

dmaclach updated this revision to Diff 221433.Sep 23 2019, 4:25 PM

Updated based on review

dmaclach marked an inline comment as done.Sep 23 2019, 4:25 PM
stephanemoore added a subscriber: stephanemoore.Sep 23 2019, 5:25 PM
dmaclach added a comment.Sep 25 2019, 4:50 PM

Any other comments on this?

alexfh edited reviewers, added: gribozavr; removed: alexfh.Sep 26 2019, 2:07 AM
gribozavr added a comment.Sep 26 2019, 3:41 AM

What is the expected contract of the functions that this checker flags? Are they supposed to perform unaligned reads correctly, and we have just an implementation bug in these functions, or is it the caller's fault if they pass an unaligned address?

clang-tidy/objc/ObjCTidyModule.cpp
30

Maybe a better place for this checker is the new "darwin" module? It is being added in https://reviews.llvm.org/D67567.

test/clang-tidy/objc-avoid-osread.m
5

Please add declarations for these functions. It is strange that this test even works without them...

Revision Contents

PathSize
clang-tidy/
objc/
35 lines
40 lines
clang-tools-extra/
clang-tidy/
objc/
1 line
3 lines
docs/
6 lines
clang-tidy/
checks/
1 line
docs/
clang-tidy/
checks/
40 lines
test/
clang-tidy/
35 lines

Diff 221433

clang-tidy/objc/AvoidOSReadCheck.h

  • This file was added.
//===--- AvoidOSReadCheck.h - clang-tidy ------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
Eugene.ZelenkoUnsubmitted
Done
ReplyInline Actions

License was changed this year. Same in source file.

Eugene.Zelenko: License was changed this year. Same in source file.
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_OBJC_AVOIDOSREADCHECK_H
#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_OBJC_AVOIDOSREADCHECK_H
#include "../ClangTidy.h"
namespace clang {
namespace tidy {
namespace objc {
/// Finds usages of OSRead{Big|Little}Int{16|32|64} and suggests using memcpy
/// instead due to potential misaligned read problems with the API.
///
/// For the user-facing documentation see:
/// http://clang.llvm.org/extra/clang-tidy/checks/objc-avoid-osread.html
class AvoidOSReadCheck : public ClangTidyCheck {
public:
AvoidOSReadCheck(StringRef Name, ClangTidyContext *Context)
: ClangTidyCheck(Name, Context) {}
void registerMatchers(ast_matchers::MatchFinder *Finder) override;
void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
};
} // namespace objc
} // namespace tidy
} // namespace clang
#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_OBJC_AVOIDOSREADCHECK_H

clang-tidy/objc/AvoidOSReadCheck.cpp

  • This file was added.
//===--- AvoidOSReadCheck.cpp - clang-tidy --------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "AvoidOSReadCheck.h"
#include "clang/AST/ASTContext.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
using namespace clang::ast_matchers;
namespace clang {
namespace tidy {
namespace objc {
void AvoidOSReadCheck::registerMatchers(MatchFinder *Finder) {
Finder->addMatcher(
callExpr(callee((functionDecl(hasAnyName(
"OSReadBigInt", "OSReadLittleInt",
Eugene.ZelenkoUnsubmitted
Not Done
ReplyInline Actions

Please add check if language is Objective-C.

Eugene.Zelenko: Please add check if language is Objective-C.
dmaclachAuthorUnsubmitted
Not Done
ReplyInline Actions

So this isn't specific to Objective C, and applies to all C based languages. This is more Darwin specific. I based this CL on the AvoidSpinlockCheck which is very similar in this respect. If we want to do clean up on this later we should probably do them together.

dmaclach: So this isn't specific to Objective C, and applies to all C based languages. This is more…
"OSReadBigInt16", "OSReadBigInt32", "OSReadBigInt64",
"OSReadLittleInt16", "OSReadLittleInt32", "OSReadLittleInt64",
"OSReadSwapInt16", "OSReadSwapInt32", "OSReadSwapInt64",
"_OSReadInt16", "_OSReadInt32", "_OSReadInt64")))))
.bind("osreadcall"),
this);
}
void AvoidOSReadCheck::check(const MatchFinder::MatchResult &Result) {
const auto *MatchedExpr = Result.Nodes.getNodeAs<CallExpr>("osreadcall");
diag(MatchedExpr->getBeginLoc(),
"use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of "
"OSRead* calls to avoid potential unaligned read issues");
}
} // namespace objc
} // namespace tidy
} // namespace clang

clang-tidy/objc/CMakeLists.txt

set(LLVM_LINK_COMPONENTS support) set(LLVM_LINK_COMPONENTS support)
add_clang_library(clangTidyObjCModule add_clang_library(clangTidyObjCModule
AvoidNSErrorInitCheck.cpp AvoidNSErrorInitCheck.cpp
AvoidOSReadCheck.cpp
AvoidSpinlockCheck.cpp AvoidSpinlockCheck.cpp
ForbiddenSubclassingCheck.cpp ForbiddenSubclassingCheck.cpp
ObjCTidyModule.cpp ObjCTidyModule.cpp
PropertyDeclarationCheck.cpp PropertyDeclarationCheck.cpp
SuperSelfCheck.cpp SuperSelfCheck.cpp
LINK_LIBS LINK_LIBS
clangAST clangAST
clangASTMatchers clangASTMatchers
clangBasic clangBasic
clangLex clangLex
clangTidy clangTidy
clangTidyUtils clangTidyUtils
) )

clang-tidy/objc/ObjCTidyModule.cpp

//===--- ObjCTidyModule.cpp - clang-tidy --------------------------------===// //===--- ObjCTidyModule.cpp - clang-tidy --------------------------------===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "../ClangTidy.h" #include "../ClangTidy.h"
#include "../ClangTidyModule.h" #include "../ClangTidyModule.h"
#include "../ClangTidyModuleRegistry.h" #include "../ClangTidyModuleRegistry.h"
#include "AvoidNSErrorInitCheck.h" #include "AvoidNSErrorInitCheck.h"
#include "AvoidOSReadCheck.h"
#include "AvoidSpinlockCheck.h" #include "AvoidSpinlockCheck.h"
#include "ForbiddenSubclassingCheck.h" #include "ForbiddenSubclassingCheck.h"
#include "PropertyDeclarationCheck.h" #include "PropertyDeclarationCheck.h"
#include "SuperSelfCheck.h" #include "SuperSelfCheck.h"
using namespace clang::ast_matchers; using namespace clang::ast_matchers;
namespace clang { namespace clang {
namespace tidy { namespace tidy {
namespace objc { namespace objc {
class ObjCModule : public ClangTidyModule { class ObjCModule : public ClangTidyModule {
public: public:
void addCheckFactories(ClangTidyCheckFactories &CheckFactories) override { void addCheckFactories(ClangTidyCheckFactories &CheckFactories) override {
CheckFactories.registerCheck<AvoidNSErrorInitCheck>( CheckFactories.registerCheck<AvoidNSErrorInitCheck>(
"objc-avoid-nserror-init"); "objc-avoid-nserror-init");
CheckFactories.registerCheck<AvoidOSReadCheck>(
gribozavrUnsubmitted
Not Done
ReplyInline Actions

Maybe a better place for this checker is the new "darwin" module? It is being added in https://reviews.llvm.org/D67567.

gribozavr: Maybe a better place for this checker is the new "darwin" module? It is being added in https…
"objc-avoid-osread");
CheckFactories.registerCheck<AvoidSpinlockCheck>( CheckFactories.registerCheck<AvoidSpinlockCheck>(
"objc-avoid-spinlock"); "objc-avoid-spinlock");
CheckFactories.registerCheck<ForbiddenSubclassingCheck>( CheckFactories.registerCheck<ForbiddenSubclassingCheck>(
"objc-forbidden-subclassing"); "objc-forbidden-subclassing");
CheckFactories.registerCheck<PropertyDeclarationCheck>( CheckFactories.registerCheck<PropertyDeclarationCheck>(
"objc-property-declaration"); "objc-property-declaration");
CheckFactories.registerCheck<SuperSelfCheck>( CheckFactories.registerCheck<SuperSelfCheck>(
"objc-super-self"); "objc-super-self");
Show All 16 Lines

docs/ReleaseNotes.rst

Show First 20 LinesShow All 91 Lines▼ Show 20 Lines- New :doc:`llvm-prefer-register-over-unsigned
them to use ``Register`` them to use ``Register``
- Improved :doc:`bugprone-posix-return - Improved :doc:`bugprone-posix-return
<clang-tidy/checks/bugprone-posix-return>` check. <clang-tidy/checks/bugprone-posix-return>` check.
Now also checks if any calls to ``pthread_*`` functions expect negative return Now also checks if any calls to ``pthread_*`` functions expect negative return
values. values.
- New :doc:`objc-avoid-osread
<clang-tidy/checks/objc-avoid-osread>` check.
Finds uses of ``OSRead{Big|Little}Int{16|32|64}`` calls on Apple platforms that may mask
Eugene.ZelenkoUnsubmitted
Done
ReplyInline Actions

Please enclose OSRead* in double back-ticks.

Eugene.Zelenko: Please enclose OSRead* in double back-ticks.
unexpected behavior due to unaligned reads.
Improvements to include-fixer Improvements to include-fixer
----------------------------- -----------------------------
The improvements are... The improvements are...
Improvements to clang-include-fixer Improvements to clang-include-fixer
----------------------------------- -----------------------------------
Show All 19 Lines

docs/clang-tidy/checks/list.rst

Show First 20 LinesShow All 317 Lines▼ Show 20 Lines.. toctree::
modernize-use-override modernize-use-override
modernize-use-trailing-return-type modernize-use-trailing-return-type
modernize-use-transparent-functors modernize-use-transparent-functors
modernize-use-uncaught-exceptions modernize-use-uncaught-exceptions
modernize-use-using modernize-use-using
mpi-buffer-deref mpi-buffer-deref
mpi-type-mismatch mpi-type-mismatch
objc-avoid-nserror-init objc-avoid-nserror-init
objc-avoid-osread
objc-avoid-spinlock objc-avoid-spinlock
objc-forbidden-subclassing objc-forbidden-subclassing
objc-property-declaration objc-property-declaration
objc-super-self objc-super-self
openmp-exception-escape openmp-exception-escape
openmp-use-default-none openmp-use-default-none
performance-faster-string-find performance-faster-string-find
performance-for-range-copy performance-for-range-copy
▲ Show 20 LinesShow All 45 LinesShow Last 20 Lines

docs/clang-tidy/checks/objc-avoid-osread.rst

  • This file was added.
.. title:: clang-tidy - objc-avoid-osread
objc-avoid-osread
=================
Finds usages of ``OSRead{Big|Little}Int{16|32|64}`` and associated functions which
should be avoided due to potential unaligned read problems.
Eugene.ZelenkoUnsubmitted
Not Done
ReplyInline Actions

Please synchronize with sentence in Release Notes.

Eugene.Zelenko: Please synchronize with sentence in Release Notes.
dmaclachAuthorUnsubmitted
Done
ReplyInline Actions

Done. I coped this version into the release notes.

dmaclach: Done. I coped this version into the release notes.
This check will detect following function invocations:
- ``OSReadBigInt``
- ``OSReadLittleInt``
- ``OSReadBigInt16``
- ``OSReadBigInt32``
- ``OSReadBigInt64``
- ``OSReadLittleInt16``
- ``OSReadLittleInt32``
- ``OSReadLittleInt64``
- ``OSReadSwapInt16``
- ``OSReadSwapInt3``
- ``OSReadSwapInt64``
- ``_OSReadInt16``
- ``_OSReadInt32``
- ``_OSReadInt64``
The ``OSRead{Big|Little}Int{16|32|64}`` functions from ``libkern/OSByteOrder.h`` have
undocumented dependencies on aligned reads due to type punning by casting through a
Eugene.ZelenkoUnsubmitted
Done
ReplyInline Actions

Please highlight OSRead* and libkern/OSByteOrder.h with double back-ticks. Please also make lines no more then 80 characters long.

Eugene.Zelenko: Please highlight OSRead* and libkern/OSByteOrder.h with double back-ticks. Please also make…
pointer:
.. code:: c
Eugene.ZelenkoUnsubmitted
Done
ReplyInline Actions

Please separate with empty line.

Eugene.Zelenko: Please separate with empty line.
OS_INLINE uint64_t _OSReadInt64(const volatile void *base, uintptr_t byteOffset)
{
return *(volatile uint64_t *)((uintptr_t)base + byteOffset);
}
This is undefined behavior for unaligned accesses and can cause crashes on architectures
that don't handle unaligned accesses well like ARMv7.
https://gist.github.com/dmaclach/b10b0a71ae614d304c067cb9bd264336 shows the problem.

test/clang-tidy/objc-avoid-osread.m

  • This file was added.
// RUN: %check_clang_tidy %s objc-avoid-osread %t
void f() {
const char *buff = "";
OSReadBigInt(buff, 0);
gribozavrUnsubmitted
Not Done
ReplyInline Actions

Please add declarations for these functions. It is strange that this test even works without them...

gribozavr: Please add declarations for these functions. It is strange that this test even works without…
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of OSRead* calls to avoid potential unaligned read issues [objc-avoid-osread]
OSReadBigInt(buff, 0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of OSRead* calls to avoid potential unaligned read issues [objc-avoid-osread]
OSReadLittleInt(buff, 0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of OSRead* calls to avoid potential unaligned read issues [objc-avoid-osread]
OSReadBigInt16(buff, 0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of OSRead* calls to avoid potential unaligned read issues [objc-avoid-osread]
OSReadBigInt32(buff, 0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of OSRead* calls to avoid potential unaligned read issues [objc-avoid-osread]
OSReadBigInt64(buff, 0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of OSRead* calls to avoid potential unaligned read issues [objc-avoid-osread]
OSReadLittleInt16(buff, 0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of OSRead* calls to avoid potential unaligned read issues [objc-avoid-osread]
OSReadLittleInt32(buff, 0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of OSRead* calls to avoid potential unaligned read issues [objc-avoid-osread]
OSReadLittleInt64(buff, 0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of OSRead* calls to avoid potential unaligned read issues [objc-avoid-osread]
OSReadSwapInt16(buff, 0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of OSRead* calls to avoid potential unaligned read issues [objc-avoid-osread]
OSReadSwapInt32(buff, 0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of OSRead* calls to avoid potential unaligned read issues [objc-avoid-osread]
OSReadSwapInt64(buff, 0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of OSRead* calls to avoid potential unaligned read issues [objc-avoid-osread]
_OSReadInt16(buff, 0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of OSRead* calls to avoid potential unaligned read issues [objc-avoid-osread]
_OSReadInt32(buff, 0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of OSRead* calls to avoid potential unaligned read issues [objc-avoid-osread]
_OSReadInt64(buff, 0);
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: use memcpy and OSSwap{Big|Little}ToHostInt{16|32|64} instead of OSRead* calls to avoid potential unaligned read issues [objc-avoid-osread]
}