cheri: clang-tidy: Check correct usage of __c_ua() vs. __c_ua_u()

In the CHERI Linux Kernel __c_ua() must be used to convert
a kernel pointer to an address while __c_ua_u() must be used
for user pointers. Check that this is consistently done even
if the current configuration does the same thing for both.

Author: Christian Ehrhardt

clang-tools-extra/clang-tidy/cheri/CMakeLists.txt

@@ -10,6 +10,7 @@ add_clang_library(clangTidyCheriModule
   FixdriverdataCheck.cpp
   FixinttoptrcastCheck.cpp
   FixptrtoulongcastCheck.cpp
+  FixuserptrtoaddrCheck.cpp
   IoctlCheck.cpp
   PtrtointcastCheck.cpp
 

clang-tools-extra/clang-tidy/cheri/CheriTidyModule.cpp

@@ -14,6 +14,7 @@
 #include "FixdriverdataCheck.h"
 #include "FixinttoptrcastCheck.h"
 #include "FixptrtoulongcastCheck.h"
+#include "FixuserptrtoaddrCheck.h"
 #include "IoctlCheck.h"
 #include "PtrtointcastCheck.h"
 
@@ -34,6 +35,8 @@ class CheriModule : public ClangTidyModule {
         "cheri-FixIntToPtrCast");
     CheckFactories.registerCheck<FixptrtoulongcastCheck>(
         "cheri-FixPtrToUlongCast");
+    CheckFactories.registerCheck<FixuserptrtoaddrCheck>(
+        "cheri-FixUserPtrToAddr");
     CheckFactories.registerCheck<IoctlCheck>(
         "cheri-Ioctl");
     CheckFactories.registerCheck<PtrtointcastCheck>("cheri-PtrToIntCast");

clang-tools-extra/clang-tidy/cheri/CheriUtil.h

@@ -71,6 +71,10 @@ class Util {
     }
   }
 
+  static bool isUserPtr(const Expr *E) {
+    return isUserPtr(E->getType().getTypePtr());
+  }
+
   /*
    * Given a type of something that is or can be called find the
    * type of the actual function that is called as a FunctionProtoType.

clang-tools-extra/clang-tidy/cheri/FixuserptrtoaddrCheck.cpp

@@ -0,0 +1,78 @@
+//===--- FixuserptrtoaddrCheck.cpp - clang-tidy ---------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "CheriUtil.h"
+#include "FixuserptrtoaddrCheck.h"
+#include "clang/AST/ASTContext.h"
+#include "clang/ASTMatchers/ASTMatchFinder.h"
+
+using namespace clang::ast_matchers;
+
+namespace clang::tidy::cheri {
+
+void FixuserptrtoaddrCheck::registerMatchers(MatchFinder *Finder) {
+  // clang-format off
+  Finder->addMatcher(
+      callExpr(
+          callee(
+              functionDecl(
+                  hasName("__c_pa")
+              )
+          )
+      ).bind("cpa"),
+      this
+  );
+  Finder->addMatcher(
+      callExpr(
+          callee(
+              functionDecl(
+                  hasName("__c_pa_u")
+              )
+          )
+      ).bind("cpau"),
+      this
+  );
+  // clang-format on
+}
+
+void FixuserptrtoaddrCheck::check(const MatchFinder::MatchResult &Result) {
+  const auto *Cpa = Result.Nodes.getNodeAs<CallExpr>("cpa");
+  const auto *Cpau = Result.Nodes.getNodeAs<CallExpr>("cpau");
+  const CallExpr *Call = Cpa ? Cpa : Cpau;
+
+  if (Cpa && Cpau)
+    return;
+  if (!Call || Call->getNumArgs() == 0)
+    return;
+
+  /*
+   * Skip the outer most implicit cast (if any) that converts to the
+   * formal type of the function parameter.
+   */
+  const Expr *Arg = Call->getArg(0);
+  if (const auto *Cast = dyn_cast<ImplicitCastExpr>(Arg))
+    Arg = Cast->getSubExpr();
+  bool user = Util::isUserPtr(Arg);
+
+  const Expr *Callee = Call->getCallee();
+  auto R = CharSourceRange::getTokenRange(Callee->getBeginLoc(), Callee->getEndLoc());
+  if (user && !Cpau)
+    {
+      diag(Call->getExprLoc(),
+          "CHERI: __c_pa() on user pointer. Should be __c_pa_u()")
+          << FixItHint::CreateReplacement(R, "__c_pa_u");
+    }
+  if (!user && !Cpa)
+    {
+      diag(Call->getExprLoc(),
+          "CHERI: __c_pa_u() on kernel pointer. Should be __c_pa()")
+          << FixItHint::CreateReplacement(R, "__c_pa");
+    }
+}
+
+} // namespace clang::tidy::cheri

clang-tools-extra/clang-tidy/cheri/FixuserptrtoaddrCheck.h

@@ -0,0 +1,30 @@
+//===--- FixuserptrtoaddrCheck.h - clang-tidy -------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_CHERI_FIXUSERPTRTOADDRCHECK_H
+#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_CHERI_FIXUSERPTRTOADDRCHECK_H
+
+#include "../ClangTidyCheck.h"
+
+namespace clang::tidy::cheri {
+
+/// In the CHERI Linux Kernel __c_ua() must be used to convert
+/// a kernel pointer to an address while __c_ua_u() must be used
+/// for user pointers. Check that this is consistently done even
+/// if the current configuration does the same thing for both.
+class FixuserptrtoaddrCheck : public ClangTidyCheck {
+public:
+  FixuserptrtoaddrCheck(StringRef Name, ClangTidyContext *Context)
+      : ClangTidyCheck(Name, Context) {}
+  void registerMatchers(ast_matchers::MatchFinder *Finder) override;
+  void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
+};
+
+} // namespace clang::tidy::cheri
+
+#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_CHERI_FIXUSERPTRTOADDRCHECK_H

clang-tools-extra/docs/ReleaseNotes.rst

@@ -184,6 +184,11 @@ New checks
   Warn about explicit casts of pointers to a type that can only hold
   an address.
 
+- New :doc:`cheri-FixUserPtrToAddr
+  <clang-tidy/checks/cheri/FixUserPtrToAddr>` check.
+
+  Warn about incorrect use for __c_ua() vs. __c_ua_u() in the linux kernel.
+
 - New :doc:`cheri-Ioctl
   <clang-tidy/checks/cheri/Ioctl>` check.
 

clang-tools-extra/docs/clang-tidy/checks/cheri/FixUserPtrToAddr.rst

@@ -0,0 +1,10 @@
+.. title:: clang-tidy - cheri-FixUserPtrToAddr
+
+cheri-FixUserPtrToAddr
+======================
+
+In the CHERI Linux Kernel __c_ua() must be used to convert
+a kernel pointer to an address while __c_ua_u() must be used
+for user pointers. Check that this is consistently done even
+if the current configuration does the same thing for both.
+

clang-tools-extra/docs/clang-tidy/checks/list.rst

@@ -167,6 +167,7 @@ Clang-Tidy Checks
    `cheri-FixDriverData <cheri/FixDriverData.html>`_, "Yes"
    `cheri-FixIntToPtrCast <cheri/FixIntToPtrCast.html>`_, "Yes"
    `cheri-FixPtrToUlongCast <cheri/FixPtrToUlongCast.html>`_, "Yes"
+   `cheri-FixUserPtrToAddr <cheri/FixUserPtrToAddr.html>`_, "Yes"
    `cheri-Ioctl <cheri/Ioctl.html>`_, "Yes"
    `cheri-PtrToIntCast <cheri/PtrToIntCast.html>`_,
    `clang-analyzer-core.DynamicTypePropagation <clang-analyzer/core.DynamicTypePropagation.html>`_,

clang-tools-extra/test/clang-tidy/checkers/cheri/FixUserPtrToAddr.cpp

@@ -0,0 +1,18 @@
+// RUN: %check_clang_tidy %s cheri-FixUserPtrToAddr %t
+
+#define __user [[clang::annotate_type("user")]]
+
+extern unsigned long __c_pa(const volatile void *);
+extern unsigned long __c_pa_u(const volatile void __user *);
+
+int
+f(void *kp, void __user *up)
+{
+  __c_pa(kp);
+  __c_pa_u(kp);
+// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: CHERI: __c_pa_u() on kernel pointer. Should be __c_pa() [cheri-FixUserPtrToAddr]
+  __c_pa(up);
+// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: CHERI: __c_pa() on user pointer. Should be __c_pa_u() [cheri-FixUserPtrToAddr]
+  __c_pa_u(up);
+}
+