This is an archive of the discontinued LLVM Phabricator instance.

Differential D35372

[clang-tidy] Refactor the code and add a close-on-exec check on memfd_create() in Android module.
ClosedPublic

Authored by yawanng on Jul 13 2017, 10:50 AM.

Details

Reviewers
alexfh
aaron.ballman
hokein
Commits
rGb21739f9881d: [clang-tidy] Fix for buildbot.
rGd61c2a18cb98: [clang-tidy] Refactor the code and add a close-on-exec check on memfd_create()…
rCTE310669: [clang-tidy] Fix for buildbot.
rCTE310630: [clang-tidy] Refactor the code and add a close-on-exec check on memfd_create()…
rL310669: [clang-tidy] Fix for buildbot.
rL310630: [clang-tidy] Refactor the code and add a close-on-exec check on memfd_create()…
Summary
  1. Refactor the structure of the code by adding a base class for all close-on-exec checks, which implements most of the needed functions.
  2. memfd_create() is better to set MFD_CLOEXEC flag to avoid file descriptor leakage.

Diff Detail

Event Timeline

yawanng created this revision.Jul 13 2017, 10:50 AM
Herald added subscribers: xazax.hun, JDevlieghere, mgorny, srhines. · View Herald TranscriptJul 13 2017, 10:50 AM
yawanng edited the summary of this revision. (Show Details)Jul 13 2017, 10:53 AM
yawanng edited the summary of this revision. (Show Details)Jul 13 2017, 11:00 AM
Eugene.Zelenko edited reviewers, added: alexfh, aaron.ballman, hokein; removed: chh.Jul 13 2017, 11:22 AM
Eugene.Zelenko set the repository for this revision to rL LLVM.
Eugene.Zelenko added a subscriber: cfe-commits.
chh added a subscriber: chh.Jul 13 2017, 12:01 PM
Eugene.Zelenko added a subscriber: Eugene.Zelenko.Jul 13 2017, 1:36 PM
Eugene.Zelenko added inline comments.
docs/ReleaseNotes.rst
60

Please sort checks in alphabetical order.

yawanng updated this revision to Diff 106515.Jul 13 2017, 1:41 PM
yawanng marked an inline comment as done.
alexfh edited edge metadata.Jul 15 2017, 1:15 AM

I have deja vu ;)

Should we make a single check for all CLOEXEC and friends with a single configurable list of (function name, flag name) pairs?

alexfh requested changes to this revision.Jul 15 2017, 1:18 AM
This revision now requires changes to proceed.Jul 15 2017, 1:18 AM
alexfh mentioned this in D35370: [clang-tidy] Add a close-on-exec check on inotify_init() in Android module..Jul 15 2017, 1:22 AM
alexfh mentioned this in D35367: [clang-tidy] Add a close-on-exec check on epoll_create() in Android module..
alexfh mentioned this in D35368: [clang-tidy] Add a close-on-exec check on inotify_init1() in Android module..Jul 15 2017, 1:26 AM
alexfh mentioned this in D35365: [clang-tidy] Add a close-on-exec check on epoll_create1() in Android module..Jul 15 2017, 1:28 AM
alexfh mentioned this in D35364: [clang-tidy] Add a close-on-exec check on dup() in Android module..
alexfh mentioned this in D35363: [clang-tidy] Add a close-on-exec check on accept4() in Android module..Jul 15 2017, 1:31 AM
alexfh mentioned this in D35362: [clang-tidy] Add a close-on-exec check on accept() in Android module..
alexfh added a comment.Jul 15 2017, 2:11 AM
In D35372#810457, @alexfh wrote:

I have deja vu ;)

Should we make a single check for all CLOEXEC and friends with a single configurable list of (function name, flag name) pairs?

Okay, it may be a bit more complicated than just a list of function name -> flag name mappings, since we have to take in account the argument position as well. We also might want to check the signature to a certain degree to avoid matching wrong function. There are multiple approaches possible to rule out incorrect functions with the same name:

  1. just look at the number of arguments - this might well be enough, since for a certain codebase I wouldn't expect multiple memfd_create's etc. It would allow user configurability of the function -> flag mappings.
  2. encode the types of arguments as strings and have a small dictionary of matchers in the check (e.g. "const char*" -> pointerType(pointee(isAnyCharacter()))) - that will be more precise and still quite flexible and also allow user-configurable function -> flag mappings. But this mechanism may be an overkill, if we don't anticipate user-configurable functions. I don't know how complex the resulting code turns out to be.
  3. Add a matcher for each function statically. This would obviously allow for arbitrarily complex matchers, but won't be extensible via configuration options.
yawanng added a comment.EditedJul 17 2017, 10:51 AM
In D35372#810525, @alexfh wrote:
In D35372#810457, @alexfh wrote:

I have deja vu ;)

Should we make a single check for all CLOEXEC and friends with a single configurable list of (function name, flag name) pairs?

Okay, it may be a bit more complicated than just a list of function name -> flag name mappings, since we have to take in account the argument position as well. We also might want to check the signature to a certain degree to avoid matching wrong function. There are multiple approaches possible to rule out incorrect functions with the same name:

  1. just look at the number of arguments - this might well be enough, since for a certain codebase I wouldn't expect multiple memfd_create's etc. It would allow user configurability of the function -> flag mappings.
  2. encode the types of arguments as strings and have a small dictionary of matchers in the check (e.g. "const char*" -> pointerType(pointee(isAnyCharacter()))) - that will be more precise and still quite flexible and also allow user-configurable function -> flag mappings. But this mechanism may be an overkill, if we don't anticipate user-configurable functions. I don't know how complex the resulting code turns out to be.
  3. Add a matcher for each function statically. This would obviously allow for arbitrarily complex matchers, but won't be extensible via configuration options.

Great idea. But we may prefer separate checks, because each API can be controlled independently. To reduce the code duplication, what about a base class for all of them and try to share as much code as possible? The base class may be complex due to handling different numbers of arguments and types as well as the different fix suggestions and etc, the gain is that each separate checks is relatively simple :-)

chh added a comment.Jul 17 2017, 11:09 AM

If most code can be shared in a common base class like CloexecCheck,
maybe all 8 "Add a close-on-exec check" CLs can be combined into 1 or 2 CLs
to consolidate all review efforts.
I also prefer a separate check name for each function,
so users can enable/disable each check.

yawanng updated this revision to Diff 107557.EditedJul 20 2017, 10:59 AM
yawanng edited edge metadata.

Refactor the check, add a base class for it, which can facilitate all other similar checks. Basically, all checks in the same category will have only one or two lines code in both "check" and "registerMatcher" by inheriting the base class. If this looks good, I will modify all other similar ones. Thank you :-)

yawanng added a comment.Jul 24 2017, 9:52 AM

Ping

yawanng retitled this revision from [clang-tidy] Add a close-on-exec check on memfd_create() in Android module. to [clang-tidy] Refactor the code and add a close-on-exec check on memfd_create() in Android module..Jul 28 2017, 4:04 PM
yawanng edited the summary of this revision. (Show Details)
yawanng added a comment.Jul 31 2017, 3:29 PM

Ping.

hokein edited edge metadata.Aug 3 2017, 2:02 AM

Sorry for the delay, and thanks for refining it.

In general, I'm fine with the current design, a few comments below.

clang-tidy/android/CloexecCheck.cpp
63

Use const auto*, obviously indicates this is a pointer, the same to other places.

95

I think there will be a use-after-free issue here.

The method returns a StringRef (which doesn't own the "std::string"), the temporary std::string will be destructed after the method finished.

clang-tidy/android/CloexecCheck.h
19

This base class will be used in a bunch of cloase-on-exec checks.
It deserves a better and more detailed documentation (e.g. the intended usage).

27

I think we can drop the do for most methods, how about

doRegisterMatchers => registerMatchers
doMacroFlagInsertion => insertMacroFlag
doFuncReplacement => replaceFunc
doStringFlagInsertion => insertStringFlag?

31

Instead of using the magic string funDecl anywhere, I would define a static const member for it. The same to func.

36

It is unclear to me what the "issue" means here? I assume there are three types of fixes?

37

Deserve a document on the behavior of the method, would be better to give an example. The same below.

Is Flag required to be a macro flag? looks like it could be any string.

54

Maybe getSpellingArg which sounds more natural?

55

s/n/N

76

should we put this method and below in the base class? They seem to be check-specific, I think?

yawanng updated this revision to Diff 109589.Aug 3 2017, 10:26 AM
yawanng marked 9 inline comments as done.
yawanng added inline comments.
clang-tidy/android/CloexecCheck.h
36

Yes. It means three types of fixes :-)

37

Yes, the flag is expected to be a string of the required macro name.

76

Only the 'mode_t' one is currently only used by one check. The reason for putting them all together here is to be kind of uniform and maybe facilitate possible future checks that may contain this type.

hokein added inline comments.Aug 4 2017, 9:29 AM
clang-tidy/android/CloexecCheck.cpp
67

const auto*

clang-tidy/android/CloexecCheck.h
12

A blank line here.

24

Normally, the style should like:

class Foo {
public:
  ...
protected:
  ...
privated:
  ...
};

BTW, in C++11 these are declarations, you still need to define them in the .cc file like

const static constexpr char* CloexecCheck::FuncDeclBindingStr;
33

I think this method (and below) can be protected member.

52

I'd name it MacroFlag.

60

It is not obvious to see what these parameter mean. Msg is a message for warning, maybe WarningMsg?

I'd suggest using the formal documentation for this class (https://llvm.org/docs/CodingStandards.html#doxygen-use-in-documentation-comments).

64

e is not a string, is a char.

65

s/fpen/fopen.

69

Is char for Mode sufficient? Seems to me that only fopen check is using it, or there will be more checks using this in the future?

73

n should be capital N. I think we can make it a const member method. And I can't see any usage of this method in this patch.

76

Looks like this method is used internally, do we need to expose it? or just define it as an anonymous function in the cc file?

80

The inline is redundant.

clang-tidy/android/CloexecMemfdCreateCheck.cpp
25

nit: add /*ArgPos=*/ before parameter 1 to make it more readable.

yawanng updated this revision to Diff 109778.Aug 4 2017, 10:50 AM
yawanng marked 13 inline comments as done.
yawanng added inline comments.
clang-tidy/android/CloexecCheck.h
73

It's not used in this one, but in others.

hokein accepted this revision.Aug 7 2017, 12:01 PM

Looks good to me, a few nits. Thanks for improving it continuously.

I'd hold it for a while to see whether @alexfh has further comments before submitting it.

clang-tidy/android/CloexecCheck.h
29

remove an extra blank before and.

46

Nit: you are missing the parameter part in the comment, the same below.

/// \param Result XXX
/// \param MacroFlag XXX
/// \param ArgPos
48

Is the ArgPos 0-based or 1-based? I know it is 0-based, but we'd better mention in the document part.

117

nit: I'd put this method as the first protected method.

yawanng updated this revision to Diff 110065.Aug 7 2017, 1:15 PM
yawanng marked 4 inline comments as done.
In D35372#834238, @hokein wrote:

Looks good to me, a few nits. Thanks for improving it continuously.

I'd hold it for a while to see whether @alexfh has further comments before submitting it.

Thank you for the reviewing :-)

alexfh added a comment.Aug 9 2017, 9:39 AM

I'm not sure this approach is the best to deal with the boilerplate, but it seems like an improvement compared to repeating code. See a few comments inline.

clang-tidy/android/CloexecCheck.cpp
66
  1. Should this be a class method?
  2. Is this ever used? (if it is going to be used in a different check, let's postpone its addition to that moment)
clang-tidy/android/CloexecCheck.h
43

Can we make this method non-template and put its implementation to the .cpp file? It could accept a Matcher<FunctionDecl> or something like that and just apply it:

void registerForCall(MatchFinder *Finder, Matcher<FunctionDecl> Function) {

Finder->addMatcher(calExpr(callee(functionDecl(isExternC(), Function).bind(...))).bind(...), this);

}

Then you could make FuncDeclBindingStr and FuncBindingStr local to the file.

47

s/we has/we have/

102–137

These methods don't add much value: hasParameter(N, hasType(isInteger())) is not much longer or harder to read than hasIntegerParameter(N), etc. Also having these utilities as non-static methods doesn't make much sense. If you want a shorter way to describe function signatures, I would suggest a single utility function hasParameters() that would take a list of type matchers and apply them to the corresponding parameters. That one could be useful more broadly than in this specific check, so it could be placed in utils/ (and later in ASTMatchers.h, if we find enough potential users).

140

You're missing one more const: static const char * const FuncDeclBindingStr;

alexfh requested changes to this revision.Aug 9 2017, 9:40 AM
This revision now requires changes to proceed.Aug 9 2017, 9:40 AM
yawanng updated this revision to Diff 110443.Aug 9 2017, 11:29 AM
yawanng edited edge metadata.
yawanng marked 5 inline comments as done.
alexfh accepted this revision.Aug 10 2017, 6:06 AM

LG with a few nits.

clang-tidy/android/CloexecCheck.cpp
50

No need to qualify names in ast_matchers::, since there's a using directive above.

clang-tidy/android/CloexecCheck.h
39

nit: Please add an empty line before this comment.

55

Please remove top-level const from the last two arguments. It has no effect in declaration (and definition can still use top-level const, if needed, since it is not a part of the function signature). Same below.

This revision is now accepted and ready to land.Aug 10 2017, 6:06 AM
yawanng updated this revision to Diff 110606.Aug 10 2017, 10:13 AM
yawanng marked 3 inline comments as done.
yawanng closed this revision.Aug 10 2017, 10:18 AM
yawanng added a comment.Aug 10 2017, 3:56 PM

rL310669 is the latest and complete version. It fixes an issue in windows platform.

Revision Contents

PathSize
clang-tidy/
android/
3 lines
2 lines
148 lines
105 lines
35 lines
29 lines
docs/
6 lines
clang-tidy/
checks/
18 lines
1 line
test/
clang-tidy/
63 lines

Diff 110065

clang-tidy/android/AndroidTidyModule.cpp

Context not available.
#include "../ClangTidyModuleRegistry.h" #include "../ClangTidyModuleRegistry.h"
#include "CloexecCreatCheck.h" #include "CloexecCreatCheck.h"
#include "CloexecFopenCheck.h" #include "CloexecFopenCheck.h"
#include "CloexecMemfdCreateCheck.h"
#include "CloexecOpenCheck.h" #include "CloexecOpenCheck.h"
#include "CloexecSocketCheck.h" #include "CloexecSocketCheck.h"
Context not available.
void addCheckFactories(ClangTidyCheckFactories &CheckFactories) override { void addCheckFactories(ClangTidyCheckFactories &CheckFactories) override {
CheckFactories.registerCheck<CloexecCreatCheck>("android-cloexec-creat"); CheckFactories.registerCheck<CloexecCreatCheck>("android-cloexec-creat");
CheckFactories.registerCheck<CloexecFopenCheck>("android-cloexec-fopen"); CheckFactories.registerCheck<CloexecFopenCheck>("android-cloexec-fopen");
CheckFactories.registerCheck<CloexecMemfdCreateCheck>(
"android-cloexec-memfd-create");
CheckFactories.registerCheck<CloexecOpenCheck>("android-cloexec-open"); CheckFactories.registerCheck<CloexecOpenCheck>("android-cloexec-open");
CheckFactories.registerCheck<CloexecSocketCheck>("android-cloexec-socket"); CheckFactories.registerCheck<CloexecSocketCheck>("android-cloexec-socket");
} }
Context not available.

clang-tidy/android/CMakeLists.txt

Context not available.
add_clang_library(clangTidyAndroidModule add_clang_library(clangTidyAndroidModule
AndroidTidyModule.cpp AndroidTidyModule.cpp
CloexecCheck.cpp
CloexecCreatCheck.cpp CloexecCreatCheck.cpp
CloexecFopenCheck.cpp CloexecFopenCheck.cpp
CloexecMemfdCreateCheck.cpp
CloexecOpenCheck.cpp CloexecOpenCheck.cpp
CloexecSocketCheck.cpp CloexecSocketCheck.cpp
Context not available.

clang-tidy/android/CloexecCheck.h

  • This file was added.
//===--- CloexecCheck.h - clang-tidy-----------------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// \file
/// This file contains the declaration of the CloexecCheck class, which is the
/// base class for all of the close-on-exec checks in Android module.
hokeinUnsubmitted
Done
ReplyInline Actions

A blank line here.

hokein: A blank line here.
///
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_CLOEXEC_H
#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_CLOEXEC_H
#include "../ClangTidy.h"
hokeinUnsubmitted
Done
ReplyInline Actions

This base class will be used in a bunch of cloase-on-exec checks.
It deserves a better and more detailed documentation (e.g. the intended usage).

hokein: This base class will be used in a bunch of cloase-on-exec checks. It deserves a better and…
namespace clang {
namespace tidy {
namespace android {
hokeinUnsubmitted
Done
ReplyInline Actions

Normally, the style should like:

class Foo {
public:
  ...
protected:
  ...
privated:
  ...
};

BTW, in C++11 these are declarations, you still need to define them in the .cc file like

const static constexpr char* CloexecCheck::FuncDeclBindingStr;
hokein: Normally, the style should like: ``` class Foo { public: ... protected: ... privated: ...
/// \brief The base class for all close-on-exec checks in Android module.
/// To be specific, there are some functions that need the close-on-exec flag to
/// prevent the file descriptor leakage on fork+exec and this class provides
hokeinUnsubmitted
Done
ReplyInline Actions

I think we can drop the do for most methods, how about

doRegisterMatchers => registerMatchers
doMacroFlagInsertion => insertMacroFlag
doFuncReplacement => replaceFunc
doStringFlagInsertion => insertStringFlag?

hokein: I think we can drop the `do` for most methods, how about `doRegisterMatchers` =>…
/// utilities to identify and fix these C functions.
class CloexecCheck : public ClangTidyCheck {
hokeinUnsubmitted
Done
ReplyInline Actions

remove an extra blank before and.

hokein: remove an extra blank before `and`.
public:
CloexecCheck(StringRef Name, ClangTidyContext *Context)
hokeinUnsubmitted
Done
ReplyInline Actions

Instead of using the magic string funDecl anywhere, I would define a static const member for it. The same to func.

hokein: Instead of using the magic string `funDecl` anywhere, I would define a static const member for…
: ClangTidyCheck(Name, Context) {}
hokeinUnsubmitted
Done
ReplyInline Actions

I think this method (and below) can be protected member.

hokein: I think this method (and below) can be `protected` member.
protected:
template <typename... Types>
void registerMatchersImpl(ast_matchers::MatchFinder *Finder,
hokeinUnsubmitted
Done
ReplyInline Actions

It is unclear to me what the "issue" means here? I assume there are three types of fixes?

hokein: It is unclear to me what the "issue" means here? I assume there are three types of fixes?
yawanngAuthorUnsubmitted
Not Done
ReplyInline Actions

Yes. It means three types of fixes :-)

yawanng: Yes. It means three types of fixes :-)
Types... Params) {
hokeinUnsubmitted
Done
ReplyInline Actions

Deserve a document on the behavior of the method, would be better to give an example. The same below.

Is Flag required to be a macro flag? looks like it could be any string.

hokein: Deserve a document on the behavior of the method, would be better to give an example. The same…
yawanngAuthorUnsubmitted
Not Done
ReplyInline Actions

Yes, the flag is expected to be a string of the required macro name.

yawanng: Yes, the flag is expected to be a string of the required macro name.
// We assume all the checked APIs are C functions.
auto FuncDecl = std::bind(ast_matchers::functionDecl,
alexfhUnsubmitted
Done
ReplyInline Actions

nit: Please add an empty line before this comment.

alexfh: nit: Please add an empty line before this comment.
ast_matchers::isExternC(), Params...);
Finder->addMatcher(
ast_matchers::callExpr(
ast_matchers::callee(FuncDecl().bind(FuncDeclBindingStr)))
alexfhUnsubmitted
Done
ReplyInline Actions

Can we make this method non-template and put its implementation to the .cpp file? It could accept a Matcher<FunctionDecl> or something like that and just apply it:

void registerForCall(MatchFinder *Finder, Matcher<FunctionDecl> Function) {

Finder->addMatcher(calExpr(callee(functionDecl(isExternC(), Function).bind(...))).bind(...), this);

}

Then you could make FuncDeclBindingStr and FuncBindingStr local to the file.

alexfh: Can we make this method non-template and put its implementation to the .cpp file? It could…
.bind(FuncBindingStr),
this);
}
hokeinUnsubmitted
Done
ReplyInline Actions

Nit: you are missing the parameter part in the comment, the same below.

/// \param Result XXX
/// \param MacroFlag XXX
/// \param ArgPos
hokein: Nit: you are missing the parameter part in the comment, the same below. ``` /// \param Result…
/// Currently, we has three types of fixes.
alexfhUnsubmitted
Done
ReplyInline Actions

s/we has/we have/

alexfh: s/we has/we have/
///
hokeinUnsubmitted
Done
ReplyInline Actions

Is the ArgPos 0-based or 1-based? I know it is 0-based, but we'd better mention in the document part.

hokein: Is the `ArgPos` 0-based or 1-based? I know it is 0-based, but we'd better mention in the…
/// Type1 is to insert the necessary macro flag in the flag argument. For
/// example, 'O_CLOEXEC' is required in function 'open()', so
/// \code
/// open(file, O_RDONLY);
hokeinUnsubmitted
Done
ReplyInline Actions

I'd name it MacroFlag.

hokein: I'd name it `MacroFlag`.
/// \endcode
/// should be
hokeinUnsubmitted
Done
ReplyInline Actions

Maybe getSpellingArg which sounds more natural?

hokein: Maybe getSpellingArg which sounds more natural?
/// \code
hokeinUnsubmitted
Done
ReplyInline Actions

s/n/N

hokein: s/n/N
alexfhUnsubmitted
Done
ReplyInline Actions

Please remove top-level const from the last two arguments. It has no effect in declaration (and definition can still use top-level const, if needed, since it is not a part of the function signature). Same below.

alexfh: Please remove top-level const from the last two arguments. It has no effect in declaration (and…
/// open(file, O_RDONLY | O_CLOEXE);
/// \endcode
///
/// \param [out] Result MatchResult from AST matcher.
/// \param MacroFlag The macro name of the flag.
hokeinUnsubmitted
Done
ReplyInline Actions

It is not obvious to see what these parameter mean. Msg is a message for warning, maybe WarningMsg?

I'd suggest using the formal documentation for this class (https://llvm.org/docs/CodingStandards.html#doxygen-use-in-documentation-comments).

hokein: It is not obvious to see what these parameter mean. `Msg` is a message for warning, maybe…
/// \param ArgPos The 0-based position of the flag argument.
void insertMacroFlag(const ast_matchers::MatchFinder::MatchResult &Result,
const StringRef MarcoFlag, const int ArgPos);
hokeinUnsubmitted
Done
ReplyInline Actions

e is not a string, is a char.

hokein: `e` is not a string, is a char.
/// Type2 is to replace the API to another function that has required the
hokeinUnsubmitted
Done
ReplyInline Actions

s/fpen/fopen.

hokein: s/fpen/fopen.
/// ability. For example:
/// \code
/// creat(path, mode);
/// \endcode
hokeinUnsubmitted
Done
ReplyInline Actions

Is char for Mode sufficient? Seems to me that only fopen check is using it, or there will be more checks using this in the future?

hokein: Is `char` for `Mode` sufficient? Seems to me that only `fopen` check is using it, or there will…
/// should be
/// \code
/// open(path, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, mode)
/// \endcode
hokeinUnsubmitted
Done
ReplyInline Actions

n should be capital N. I think we can make it a const member method. And I can't see any usage of this method in this patch.

hokein: `n` should be capital `N`. I think we can make it a const member method. And I can't see any…
yawanngAuthorUnsubmitted
Not Done
ReplyInline Actions

It's not used in this one, but in others.

yawanng: It's not used in this one, but in others.
///
/// \param [out] Result MatchResult from AST matcher.
/// \param WarningMsg The warning message.
hokeinUnsubmitted
Not Done
ReplyInline Actions

should we put this method and below in the base class? They seem to be check-specific, I think?

hokein: should we put this method and below in the base class? They seem to be check-specific, I think?
yawanngAuthorUnsubmitted
Not Done
ReplyInline Actions

Only the 'mode_t' one is currently only used by one check. The reason for putting them all together here is to be kind of uniform and maybe facilitate possible future checks that may contain this type.

yawanng: Only the 'mode_t' one is currently only used by one check. The reason for putting them all…
hokeinUnsubmitted
Done
ReplyInline Actions

Looks like this method is used internally, do we need to expose it? or just define it as an anonymous function in the cc file?

hokein: Looks like this method is used internally, do we need to expose it? or just define it as an…
/// \param FixMsg The fix message.
void replaceFunc(const ast_matchers::MatchFinder::MatchResult &Result,
StringRef WarningMsg, StringRef FixMsg);
hokeinUnsubmitted
Done
ReplyInline Actions

The inline is redundant.

hokein: The `inline` is redundant.
/// Type3 is also to add a flag to the corresponding argument, but this time,
/// the flag is some string and each char represents a mode rather than a
/// macro. For example, 'fopen' needs char 'e' in its mode argument string, so
/// \code
/// fopen(in_file, "r");
/// \endcode
/// should be
/// \code
/// fopen(in_file, "re");
/// \endcode
///
/// \param [out] Result MatchResult from AST matcher.
/// \param Mode The required mode char.
/// \param ArgPos The 0-based position of the flag argument.
void insertStringFlag(const ast_matchers::MatchFinder::MatchResult &Result,
const char Mode, const int ArgPos);
/// Helper function to get the spelling of a particular argument.
StringRef getSpellingArg(const ast_matchers::MatchFinder::MatchResult &Result,
int N) const;
ast_matchers::internal::Matcher<FunctionDecl> hasIntegerParameter(int N) {
return ast_matchers::hasParameter(
N, ast_matchers::hasType(ast_matchers::isInteger()));
}
ast_matchers::internal::Matcher<FunctionDecl>
hasCharPointerTypeParameter(int N) {
return ast_matchers::hasParameter(
N, ast_matchers::hasType(ast_matchers::pointerType(
ast_matchers::pointee(ast_matchers::isAnyCharacter()))));
}
ast_matchers::internal::Matcher<FunctionDecl>
hasSockAddrPointerTypeParameter(int N) {
return ast_matchers::hasParameter(
N,
hokeinUnsubmitted
Done
ReplyInline Actions

nit: I'd put this method as the first protected method.

hokein: nit: I'd put this method as the first protected method.
ast_matchers::hasType(ast_matchers::pointsTo(ast_matchers::recordDecl(
ast_matchers::isStruct(), ast_matchers::hasName("sockaddr")))));
}
ast_matchers::internal::Matcher<FunctionDecl>
hasSockLenPointerTypeParameter(int N) {
return ast_matchers::hasParameter(
N, ast_matchers::hasType(ast_matchers::pointsTo(
ast_matchers::namedDecl(ast_matchers::hasName("socklen_t")))));
}
ast_matchers::internal::Matcher<FunctionDecl> hasMODETTypeParameter(int N) {
return ast_matchers::hasParameter(
N, ast_matchers::hasType(
ast_matchers::namedDecl(ast_matchers::hasName("mode_t"))));
}
ast_matchers::internal::Matcher<FunctionDecl> returnsInteger() {
return ast_matchers::returns(ast_matchers::isInteger());
}
alexfhUnsubmitted
Done
ReplyInline Actions

These methods don't add much value: hasParameter(N, hasType(isInteger())) is not much longer or harder to read than hasIntegerParameter(N), etc. Also having these utilities as non-static methods doesn't make much sense. If you want a shorter way to describe function signatures, I would suggest a single utility function hasParameters() that would take a list of type matchers and apply them to the corresponding parameters. That one could be useful more broadly than in this specific check, so it could be placed in utils/ (and later in ASTMatchers.h, if we find enough potential users).

alexfh: These methods don't add much value: `hasParameter(N, hasType(isInteger()))` is not much longer…
private:
const static char *FuncDeclBindingStr;
alexfhUnsubmitted
Done
ReplyInline Actions

You're missing one more const: static const char * const FuncDeclBindingStr;

alexfh: You're missing one more const: `static const char * const FuncDeclBindingStr;`
const static char *FuncBindingStr;
};
} // namespace android
} // namespace tidy
} // namespace clang
#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_CLOEXEC_H

clang-tidy/android/CloexecCheck.cpp

  • This file was added.
//===--- CloexecCheck.cpp - clang-tidy-------------------------------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#include "CloexecCheck.h"
#include "../utils/ASTUtils.h"
#include "clang/AST/ASTContext.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/Lex/Lexer.h"
using namespace clang::ast_matchers;
namespace clang {
namespace tidy {
namespace android {
namespace {
// Helper function to form the correct string mode for Type3.
// Build the replace text. If it's string constant, add <Mode> directly in the
// end of the string. Else, add <Mode>.
std::string buildFixMsgForStringFlag(const Expr *Arg, const SourceManager &SM,
const LangOptions &LangOpts,
const char Mode) {
if (Arg->getLocStart().isMacroID())
return (Lexer::getSourceText(
CharSourceRange::getTokenRange(Arg->getSourceRange()), SM,
LangOpts) +
" \"" + Twine(Mode) + "\"")
.str();
StringRef SR = cast<StringLiteral>(Arg->IgnoreParenCasts())->getString();
return ("\"" + SR + Twine(Mode) + "\"").str();
}
} // namespace
const char *CloexecCheck::FuncDeclBindingStr = "funcDecl";
const char *CloexecCheck::FuncBindingStr = "func";
void CloexecCheck::insertMacroFlag(const MatchFinder::MatchResult &Result,
const StringRef MacroFlag,
const int ArgPos) {
const auto *MatchedCall = Result.Nodes.getNodeAs<CallExpr>(FuncBindingStr);
const auto *FlagArg = MatchedCall->getArg(ArgPos);
const auto *FD = Result.Nodes.getNodeAs<FunctionDecl>(FuncDeclBindingStr);
SourceManager &SM = *Result.SourceManager;
alexfhUnsubmitted
Done
ReplyInline Actions

No need to qualify names in ast_matchers::, since there's a using directive above.

alexfh: No need to qualify names in `ast_matchers::`, since there's a using directive above.
if (utils::exprHasBitFlagWithSpelling(FlagArg->IgnoreParenCasts(), SM,
Result.Context->getLangOpts(),
MacroFlag))
return;
SourceLocation EndLoc =
Lexer::getLocForEndOfToken(SM.getFileLoc(FlagArg->getLocEnd()), 0, SM,
Result.Context->getLangOpts());
diag(EndLoc, "%0 should use %1 where possible")
<< FD << MacroFlag
<< FixItHint::CreateInsertion(EndLoc, (Twine(" | ") + MacroFlag).str());
hokeinUnsubmitted
Done
ReplyInline Actions

Use const auto*, obviously indicates this is a pointer, the same to other places.

hokein: Use `const auto*`, obviously indicates this is a pointer, the same to other places.
}
StringRef CloexecCheck::getSpellingArg(const MatchFinder::MatchResult &Result,
alexfhUnsubmitted
Done
ReplyInline Actions
  1. Should this be a class method?
  2. Is this ever used? (if it is going to be used in a different check, let's postpone its addition to that moment)
alexfh: 1. Should this be a class method? 2. Is this ever used? (if it is going to be used in a…
int N) const {
hokeinUnsubmitted
Done
ReplyInline Actions

const auto*

hokein: `const auto*`
const auto *MatchedCall = Result.Nodes.getNodeAs<CallExpr>(FuncBindingStr);
const SourceManager &SM = *Result.SourceManager;
return Lexer::getSourceText(
CharSourceRange::getTokenRange(MatchedCall->getArg(N)->getSourceRange()),
SM, Result.Context->getLangOpts());
}
void CloexecCheck::replaceFunc(const MatchFinder::MatchResult &Result,
StringRef WarningMsg, StringRef FixMsg) {
const auto *MatchedCall = Result.Nodes.getNodeAs<CallExpr>(FuncBindingStr);
diag(MatchedCall->getLocStart(), WarningMsg)
<< FixItHint::CreateReplacement(MatchedCall->getSourceRange(), FixMsg);
}
void CloexecCheck::insertStringFlag(
const ast_matchers::MatchFinder::MatchResult &Result, const char Mode,
const int ArgPos) {
const auto *MatchedCall = Result.Nodes.getNodeAs<CallExpr>(FuncBindingStr);
const auto *FD = Result.Nodes.getNodeAs<FunctionDecl>(FuncDeclBindingStr);
const auto *ModeArg = MatchedCall->getArg(ArgPos);
// Check if the <Mode> may be in the mode string.
const auto *ModeStr = dyn_cast<StringLiteral>(ModeArg->IgnoreParenCasts());
if (!ModeStr || (ModeStr->getString().find(Mode) != StringRef::npos))
return;
const std::string &ReplacementText = buildFixMsgForStringFlag(
ModeArg, *Result.SourceManager, Result.Context->getLangOpts(), Mode);
hokeinUnsubmitted
Done
ReplyInline Actions

I think there will be a use-after-free issue here.

The method returns a StringRef (which doesn't own the "std::string"), the temporary std::string will be destructed after the method finished.

hokein: I think there will be a use-after-free issue here. The method returns a StringRef (which…
diag(ModeArg->getLocStart(), "use %0 mode '%1' to set O_CLOEXEC")
<< FD << Mode
<< FixItHint::CreateReplacement(ModeArg->getSourceRange(),
ReplacementText);
}
} // namespace android
} // namespace tidy
} // namespace clang

clang-tidy/android/CloexecMemfdCreateCheck.h

  • This file was added.
//===--- CloexecMemfdCreateCheck.h - clang-tidy-----------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_CLOEXEC_MEMFD_CREATE_H
#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_CLOEXEC_MEMFD_CREATE_H
#include "CloexecCheck.h"
namespace clang {
namespace tidy {
namespace android {
/// Finds code that uses memfd_create() without using the MFD_CLOEXEC flag.
///
/// For the user-facing documentation see:
/// http://clang.llvm.org/extra/clang-tidy/checks/android-cloexec-memfd-create.html
class CloexecMemfdCreateCheck : public CloexecCheck {
public:
CloexecMemfdCreateCheck(StringRef Name, ClangTidyContext *Context)
: CloexecCheck(Name, Context) {}
void registerMatchers(ast_matchers::MatchFinder *Finder) override;
void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
};
} // namespace android
} // namespace tidy
} // namespace clang
#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_ANDROID_CLOEXEC_MEMFD_CREATE_H

clang-tidy/android/CloexecMemfdCreateCheck.cpp

  • This file was added.
//===--- CloexecMemfdCreateCheck.cpp - clang-tidy--------------------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#include "CloexecMemfdCreateCheck.h"
using namespace clang::ast_matchers;
namespace clang {
namespace tidy {
namespace android {
void CloexecMemfdCreateCheck::registerMatchers(MatchFinder *Finder) {
registerMatchersImpl(Finder, returnsInteger(), hasName("memfd_create"),
hasCharPointerTypeParameter(0), hasIntegerParameter(1));
}
void CloexecMemfdCreateCheck::check(const MatchFinder::MatchResult &Result) {
insertMacroFlag(Result, "MFD_CLOEXEC", /*ArgPos=*/1);
}
hokeinUnsubmitted
Done
ReplyInline Actions

nit: add /*ArgPos=*/ before parameter 1 to make it more readable.

hokein: nit: add `/*ArgPos=*/` before parameter 1 to make it more readable.
} // namespace android
} // namespace tidy
} // namespace clang

docs/ReleaseNotes.rst

Context not available.
Checks if the required mode ``e`` exists in the mode argument of ``fopen()``. Checks if the required mode ``e`` exists in the mode argument of ``fopen()``.
- New `android-cloexec-memfd_create
<http://clang.llvm.org/extra/clang-tidy/checks/android-cloexec-memfd_create.html>`_ check
Checks if the required file flag ``MFD_CLOEXEC`` is present in the argument of
``memfd_create()``.
- New `android-cloexec-socket - New `android-cloexec-socket
<http://clang.llvm.org/extra/clang-tidy/checks/android-cloexec-socket.html>`_ check <http://clang.llvm.org/extra/clang-tidy/checks/android-cloexec-socket.html>`_ check
Context not available.

docs/clang-tidy/checks/android-cloexec-memfd-create.rst

  • This file was added.
.. title:: clang-tidy - android-cloexec-memfd-create
android-cloexec-memfd-create
============================
``memfd_create()`` should include ``MFD_CLOEXEC`` in its type argument to avoid
the file descriptor leakage. Without this flag, an opened sensitive file would
remain open across a fork+exec to a lower-privileged SELinux domain.
Examples:
.. code-block:: c++
memfd_create(name, MFD_ALLOW_SEALING);
// becomes
memfd_create(name, MFD_ALLOW_SEALING | MFD_CLOEXEC);

docs/clang-tidy/checks/list.rst

Context not available.
.. toctree:: .. toctree::
android-cloexec-creat android-cloexec-creat
android-cloexec-fopen android-cloexec-fopen
android-cloexec-memfd-create
android-cloexec-open android-cloexec-open
android-cloexec-socket android-cloexec-socket
boost-use-to-string boost-use-to-string
Context not available.

test/clang-tidy/android-cloexec-memfd-create.cpp

  • This file was added.
// RUN: %check_clang_tidy %s android-cloexec-memfd-create %t
#define MFD_ALLOW_SEALING 1
#define __O_CLOEXEC 3
#define MFD_CLOEXEC __O_CLOEXEC
#define TEMP_FAILURE_RETRY(exp) \
({ \
int _rc; \
do { \
_rc = (exp); \
} while (_rc == -1); \
})
#define NULL 0
extern "C" int memfd_create(const char *name, unsigned int flags);
void a() {
memfd_create(NULL, MFD_ALLOW_SEALING);
// CHECK-MESSAGES: :[[@LINE-1]]:39: warning: 'memfd_create' should use MFD_CLOEXEC where possible [android-cloexec-memfd-create]
// CHECK-FIXES: memfd_create(NULL, MFD_ALLOW_SEALING | MFD_CLOEXEC)
TEMP_FAILURE_RETRY(memfd_create(NULL, MFD_ALLOW_SEALING));
// CHECK-MESSAGES: :[[@LINE-1]]:58: warning: 'memfd_create'
// CHECK-FIXES: TEMP_FAILURE_RETRY(memfd_create(NULL, MFD_ALLOW_SEALING | MFD_CLOEXEC))
}
void f() {
memfd_create(NULL, 3);
// CHECK-MESSAGES: :[[@LINE-1]]:23: warning: 'memfd_create'
// CHECK-FIXES: memfd_create(NULL, 3 | MFD_CLOEXEC)
TEMP_FAILURE_RETRY(memfd_create(NULL, 3));
// CHECK-MESSAGES: :[[@LINE-1]]:42: warning: 'memfd_create'
// CHECK-FIXES: TEMP_FAILURE_RETRY(memfd_create(NULL, 3 | MFD_CLOEXEC))
int flag = 3;
memfd_create(NULL, flag);
TEMP_FAILURE_RETRY(memfd_create(NULL, flag));
}
namespace i {
int memfd_create(const char *name, unsigned int flags);
void d() {
memfd_create(NULL, MFD_ALLOW_SEALING);
TEMP_FAILURE_RETRY(memfd_create(NULL, MFD_ALLOW_SEALING));
}
} // namespace i
void e() {
memfd_create(NULL, MFD_CLOEXEC);
TEMP_FAILURE_RETRY(memfd_create(NULL, MFD_CLOEXEC));
memfd_create(NULL, MFD_ALLOW_SEALING | MFD_CLOEXEC);
TEMP_FAILURE_RETRY(memfd_create(NULL, MFD_ALLOW_SEALING | MFD_CLOEXEC));
}
class G {
public:
int memfd_create(const char *name, unsigned int flags);
void d() {
memfd_create(NULL, MFD_ALLOW_SEALING);
TEMP_FAILURE_RETRY(memfd_create(NULL, MFD_ALLOW_SEALING));
}
};