Add MacOS C Reference Implementation

[mlmitch]

Basic methods for efficient calculation exposed in header
Use an allocatable data structure as handle so data and resources can be reused
Unit testing implemented with CUnit

[jonahtomrobinson]

You look to be using doxygen documentation comments for the API in this file. Would use of https://www.doxygen.nl/manual/commands.html#cmdparam be a better approach then these Windows-specific defines? They aren't the most OS agnostic.

[mlmitch]

mmm ... coming back to this, its a little bit silly to have these for non-windows since each header file is platform specific

[jonahtomrobinson]

Would pid_t be a more appropriate type for pid? On my machine (and most I believe) pid_t is signed, which makes me think an unsigned type may not be appropriate.

https://www.gnu.org/software/libc/manual/html_node/Process-Identification.html

[mlmitch]

Done.

I take your point about pid being signed. It might be a good idea to change the CPID spec so the pid part of digest inputs is an int64_t instead of uint64_t. This would technically be a breaking change, but no one is using the max range of uint64_t so I think it would be a good change in practice.

Thoughts?

[jonahtomrobinson]

This value is configurable and system dependent, does it make sense to define it ourselves?

On a standard Linux (potentially unix) system the max default is 32768.

Why are we defining this number in hex?

[mlmitch]

With making the PID field pid_t/int64_t, I've removed this check and the OS call will just fail.

[jonahtomrobinson]

Personally this seems a tad overkill, these are very standard return values with standard meanings.
We've also specified the meaning of the return values explicitly in the API comments

@return 0 on success, -1 on error.

[davemcincork]

My biggest concern about this implementation is that every function returns only success or failure. If it's a failure, the caller has no way to determine why it has failed. Given that this is a "UNIXy" implementation, I'd have thought that either:

1. Each function would directly return 0 on success or else an error code from errno.h.
2. Each function would return success/failure and set errno to an error code from errno.h.

By way of comparison, each function in the Windows implementation returns a standard winerror.h code.

[jonahtomrobinson]

Another option would be just return true/false from stdbool and simplify the API if we simply don't care about HOW it failed.

[mlmitch]

got rid of constants. returning 0 and -1 directly

[jonahtomrobinson]

We should remove this empty file.

[mlmitch]

empty windows and linuc cmake linux files are just there to establish directory structure

[jonahtomrobinson]

Should the README explain how to acquire these dependencies if they are not available by default? Should we be specifying minimum versions?

[mlmitch]

I believe these are part of the base macos installation

[jonahtomrobinson]

IMO it is preferable to add directory one level above to the include search paths or explicitly include the path to files based on a single top level include. Relative search paths like these are prone to breaking and make it harder to integrate a library in my experience.

[mlmitch]

Got rid of constants.h so this no longer applies

[jonahtomrobinson]

Consider removing these comments, I don't think they add anything.

[davemcincork]

I actually think they have a usefulness. The MACOS_EXPECTED_DIGEST_INPUT_CONTENT_SIZE macro is mysteriously set to 88 and having field sizes in trailing comments like this helps explain where that value comes from. I'd actually be inclined to add a similar trailing comment to the other fields in this struct, e.g.

typedef struct {
    char serial_number[MACOS_SERIAL_NUMBER_BUFFER_SIZE]; //   16 bytes
    uuid_t hardware_uuid;                                // + 16 bytes
    process_creation_time_t kernel_task_creation_time;   // + 16 bytes
    process_creation_time_t launchd_creation_time;       // + 16 bytes
    process_creation_time_t process_creation_time;       // + 16 bytes
    uint64_t pid;                                        // +  8 bytes
} digest_input_content_t;                                // = 88 bytes

[jonahtomrobinson]

You could go either way for sure. If we keep them then I agree that we should be consistent and add them for all. But equally I would question what value the reader gets from knowing this information and whether we are adding comment management overhead (although admittedly minimal) to changes to this struct.

[mlmitch]

Added comments like dave has. The byte arithmetic for the structure should not change as this is the thing that gets hashed.

[jonahtomrobinson]

Consider the following styling.

Suggested change

	if (NULL == library_handle || NULL == uuid_string) {
	if (!library_handle || !uuid_string) {

[davemcincork]

I agree. A NULL == foo or foo == NULL test always makes me feel like I'm reading Java or C# 😄

Note that this practice is throughout this code.

[mlmitch]

will do

[jonahtomrobinson]

Most standard c-styling would suggest declaring this at the top of the scope. What styling are you following in this project? It should probably be specified in the README.

[davemcincork]

Dunno about that tbh...we're not writing K&R C here.

[jonahtomrobinson]

I'm not really a proponent for it, rather I'm just picking up on the fact now as it's something that often comes up once there are more eyes on the code. Simply linking to some public styling guide or tool in the README would put this kind of comment to rest from the start.

[mlmitch]

What styling are you following in this project?

declare a variable as close as possible to its use

[jonahtomrobinson]

Consider defining these magic numbers as constants and remove the comments. That why the code is (more) self-documenting.

[jonahtomrobinson]

I'd consider breaking these checks up.

First validate the basic null check on pointer params, then perform further validation on the param data itself.

[jonahtomrobinson]

Would it be more flexible to move the NULL set into the cpid_finalize function?

[davemcincork]

But then you'd have to pass the address of that pointer, and that would potentially complicate calling this function from elsewhere. Consider, for example, that in other context where it is called the variable might be const.

[jonahtomrobinson]

It's not a big deal to me either way

[jonahtomrobinson]

return_code doesn't seem to be used elsewhere and isn't used as a "return_code" in the context of this funciton. I'd suggest removing it.

Suggested change

	int return_code = sysctl(mib, 4, &process_info, &info_size, NULL, 0);
	if (0 != return_code) {
	return RETURN_ERROR;
	}
	if (0 != sysctl(mib, 4, &process_info, &info_size, NULL, 0)) {
	return RETURN_ERROR;
	}

[jonahtomrobinson]

There is similar code in other functions in this file

[davemcincork]

The reason people traditionally do things like that is that it makes debugging easier because the value returned by the function call isn't lost. In a release build, the temporary variable will be optimised away anyway.

An obvious exception is where the return type of the called function is boolean. In that case, the value is clear from the direction that the if-statement takes 😄

[jonahtomrobinson]

Yeah I get it will be optimized away. If you're at the point of step-through debugging it is easy enough to break out the information you want if needed. To me defining a variable for it it to be basically unused seems verbose.

Certainly not a deal breaker either way.

[jonahtomrobinson]

Empty file, should be removed

[jonahtomrobinson]

Defining a CMakePresets.txt could potentially simplify these steps.

[davemcincork]

One other major comment I have relates to const correctness. But let's discuss offline so that I'm clearer about the intention behind this code.

[davemcincork]

I actually think they have a usefulness. The MACOS_EXPECTED_DIGEST_INPUT_CONTENT_SIZE macro is mysteriously set to 88 and having field sizes in trailing comments like this helps explain where that value comes from. I'd actually be inclined to add a similar trailing comment to the other fields in this struct, e.g.

typedef struct {
    char serial_number[MACOS_SERIAL_NUMBER_BUFFER_SIZE]; //   16 bytes
    uuid_t hardware_uuid;                                // + 16 bytes
    process_creation_time_t kernel_task_creation_time;   // + 16 bytes
    process_creation_time_t launchd_creation_time;       // + 16 bytes
    process_creation_time_t process_creation_time;       // + 16 bytes
    uint64_t pid;                                        // +  8 bytes
} digest_input_content_t;                                // = 88 bytes

[davemcincork]

The reason people traditionally do things like that is that it makes debugging easier because the value returned by the function call isn't lost. In a release build, the temporary variable will be optimised away anyway.

An obvious exception is where the return type of the called function is boolean. In that case, the value is clear from the direction that the if-statement takes 😄

[davemcincork]

But then you'd have to pass the address of that pointer, and that would potentially complicate calling this function from elsewhere. Consider, for example, that in other context where it is called the variable might be const.

[davemcincork]

I think cpid_handle_t should be an opaque void* as it is in the Windows implementation.

[davemcincork]

Don't you need to include <stdint.h> to get the fixed width integer types? If it's working now, it's most likely just a happy side-effect of including another header.

[davemcincork]

As noted above, I don't think you should declaratively associate cpid_handle_t and cpid_struct.

[davemcincork]

I agree. A NULL == foo or foo == NULL test always makes me feel like I'm reading Java or C# 😄

Note that this practice is throughout this code.

[davemcincork]

Dunno about that tbh...we're not writing K&R C here.

[davemcincork]

My biggest concern about this implementation is that every function returns only success or failure. If it's a failure, the caller has no way to determine why it has failed. Given that this is a "UNIXy" implementation, I'd have thought that either:

1. Each function would directly return 0 on success or else an error code from errno.h.
2. Each function would return success/failure and set errno to an error code from errno.h.

By way of comparison, each function in the Windows implementation returns a standard winerror.h code.