This is an archive of the discontinued LLVM Phabricator instance.

Differential D85601

Fixes an assertion when IntRange processes a throw expression
ClosedPublic

Authored by Mordante on Aug 9 2020, 4:58 AM.

Details

Reviewers
rsmith
rjmccall
Commits
rG827ba67e3833: [Sema] Validate calls to GetExprRange.
Summary

Fixes PR46484: Clang crash in clang/lib/Sema/SemaChecking.cpp:10028

Diff Detail

Event Timeline

Mordante requested review of this revision.Aug 9 2020, 4:58 AM
Mordante created this revision.
Harbormaster completed remote builds in B67622: Diff 284187.Aug 9 2020, 5:26 AM
rsmith added a comment.Aug 9 2020, 1:11 PM

Did this only crash during error recovery before, or also for your void g() example? If we were only crashing in error recovery, that would suggest that error recovery was producing a bad AST, and perhaps we should be fixing this elsewhere.

clang/lib/Sema/SemaChecking.cpp
10164

Can we handle this in code that's specific to conditional expressions instead? Presumably somewhere higher up in the call graph, some code is assuming that it can recurse from a conditional expression to its subexpressions, and that assumption is wrong.

Mordante marked an inline comment as done.Aug 10 2020, 12:54 PM

I added void g() since that's valid code which also caused an assertion failure. So the issue isn't in the error recovery but in determining the required IntRange. It seems the code doesn't take http://eel.is/c++draft/expr.cond#2.1 into account.

clang/lib/Sema/SemaChecking.cpp
10164

I can take a look at it if you want. However I feel this fix is better. If the conditional doesn't throw it can properly evaluate the required IntRange. If it throws the range doesn't matter, therefore I didn't want to increment the required range.
Do you agree?
Should I add more comment to clarify the design decission?

rsmith added inline comments.Aug 10 2020, 6:09 PM
clang/lib/Sema/SemaChecking.cpp
10164

In order to get here, we need to have called functions that are documented as taking only integer types but passing them a void type. So the bug has already occurred before we got here.

10310–10320

It seems to me that the bug is here. GetExprRange is documented as "Pseudo-evaluate the given integer expression", but the true and false expressions here might not be integer expressions -- specifically, one of them could be of type void if it's a throw-expression. In that case, we should only call GetExprRange on the other expression. The expression range of the void-typed expression is irrelevant in this case, because that expression never returns.

Mordante marked 3 inline comments as done.Aug 14 2020, 10:28 AM
Mordante added inline comments.
clang/lib/Sema/SemaChecking.cpp
10310–10320

Thanks for the hint I'll look into this solution.

Mordante updated this revision to Diff 285704.Aug 14 2020, 11:32 AM
Mordante marked an inline comment as done.

Addresses review comments.

rsmith accepted this revision.Aug 14 2020, 12:02 PM

Thanks!

This revision is now accepted and ready to land.Aug 14 2020, 12:02 PM
Closed by commit rG827ba67e3833: [Sema] Validate calls to GetExprRange. (authored by Mordante). · Explain WhyAug 16 2020, 9:36 AM
This revision was automatically updated to reflect the committed changes.
Mordante added a commit: rG827ba67e3833: [Sema] Validate calls to GetExprRange..

Revision Contents

PathSize
clang/
lib/
Sema/
14 lines
test/
SemaCXX/
17 lines

Diff 285704

clang/lib/Sema/SemaChecking.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 10,155 Lines▼ Show 20 Lines if (!C.getLangOpts().CPlusPlus) {
return IntRange(std::max(NumPositive + 1, NumNegative), return IntRange(std::max(NumPositive + 1, NumNegative),
false/*NonNegative*/); false/*NonNegative*/);
} }
if (const auto *EIT = dyn_cast<ExtIntType>(T)) if (const auto *EIT = dyn_cast<ExtIntType>(T))
return IntRange(EIT->getNumBits(), EIT->isUnsigned()); return IntRange(EIT->getNumBits(), EIT->isUnsigned());
const BuiltinType *BT = cast<BuiltinType>(T); const BuiltinType *BT = cast<BuiltinType>(T);
assert(BT->isInteger()); assert(BT->isInteger());
rsmithUnsubmitted
Done
ReplyInline Actions

Can we handle this in code that's specific to conditional expressions instead? Presumably somewhere higher up in the call graph, some code is assuming that it can recurse from a conditional expression to its subexpressions, and that assumption is wrong.

rsmith: Can we handle this in code that's specific to conditional expressions instead? Presumably…
MordanteAuthorUnsubmitted
Done
ReplyInline Actions

I can take a look at it if you want. However I feel this fix is better. If the conditional doesn't throw it can properly evaluate the required IntRange. If it throws the range doesn't matter, therefore I didn't want to increment the required range.
Do you agree?
Should I add more comment to clarify the design decission?

Mordante: I can take a look at it if you want. However I feel this fix is better. If the conditional…
rsmithUnsubmitted
Done
ReplyInline Actions

In order to get here, we need to have called functions that are documented as taking only integer types but passing them a void type. So the bug has already occurred before we got here.

rsmith: In order to get here, we need to have called functions that are documented as taking only…
return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger()); return IntRange(C.getIntWidth(QualType(T, 0)), BT->isUnsignedInteger());
} }
/// Returns the "target" range of a canonical integral type, i.e. /// Returns the "target" range of a canonical integral type, i.e.
/// the range of values expressible in the type. /// the range of values expressible in the type.
/// ///
/// This matches forValueOfCanonicalType except that enums have the /// This matches forValueOfCanonicalType except that enums have the
▲ Show 20 LinesShow All 129 Lines▼ Show 20 Linesstatic IntRange GetExprRange(ASTContext &C, const Expr *E, unsigned MaxWidth,
if (const auto *CO = dyn_cast<ConditionalOperator>(E)) { if (const auto *CO = dyn_cast<ConditionalOperator>(E)) {
// If we can fold the condition, just take that operand. // If we can fold the condition, just take that operand.
bool CondResult; bool CondResult;
if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C)) if (CO->getCond()->EvaluateAsBooleanCondition(CondResult, C))
return GetExprRange(C, return GetExprRange(C,
CondResult ? CO->getTrueExpr() : CO->getFalseExpr(), CondResult ? CO->getTrueExpr() : CO->getFalseExpr(),
MaxWidth, InConstantContext); MaxWidth, InConstantContext);
// Otherwise, conservatively merge. // Otherwise, conservatively merge.
IntRange L = // GetExprRange requires an integer expression, but a throw expression
GetExprRange(C, CO->getTrueExpr(), MaxWidth, InConstantContext); // results in a void type.
IntRange R = Expr *E = CO->getTrueExpr();
GetExprRange(C, CO->getFalseExpr(), MaxWidth, InConstantContext); IntRange L = E->getType()->isVoidType()
? IntRange{0, true}
: GetExprRange(C, E, MaxWidth, InConstantContext);
E = CO->getFalseExpr();
IntRange R = E->getType()->isVoidType()
? IntRange{0, true}
: GetExprRange(C, E, MaxWidth, InConstantContext);
rsmithUnsubmitted
Done
ReplyInline Actions

It seems to me that the bug is here. GetExprRange is documented as "Pseudo-evaluate the given integer expression", but the true and false expressions here might not be integer expressions -- specifically, one of them could be of type void if it's a throw-expression. In that case, we should only call GetExprRange on the other expression. The expression range of the void-typed expression is irrelevant in this case, because that expression never returns.

rsmith: It seems to me that the bug is here. `GetExprRange` is documented as "Pseudo-evaluate the given…
MordanteAuthorUnsubmitted
Done
ReplyInline Actions

Thanks for the hint I'll look into this solution.

Mordante: Thanks for the hint I'll look into this solution.
return IntRange::join(L, R); return IntRange::join(L, R);
} }
if (const auto *BO = dyn_cast<BinaryOperator>(E)) { if (const auto *BO = dyn_cast<BinaryOperator>(E)) {
switch (BO->getOpcode()) { switch (BO->getOpcode()) {
case BO_Cmp: case BO_Cmp:
llvm_unreachable("builtin <=> should have class type"); llvm_unreachable("builtin <=> should have class type");
▲ Show 20 LinesShow All 5,322 LinesShow Last 20 Lines

clang/test/SemaCXX/conditional-expr.cpp

Show First 20 LinesShow All 403 Lines▼ Show 20 Lines void f(bool b) {
A &&r = b ? static_cast<A&&>(B()) : static_cast<A&&>(C()); A &&r = b ? static_cast<A&&>(B()) : static_cast<A&&>(C());
} }
struct D { A &&a; }; struct D { A &&a; };
void f_indirect(bool b) { void f_indirect(bool b) {
D d = b ? D{B()} : D{C()}; D d = b ? D{B()} : D{C()};
} }
} }
namespace PR46484 {
// expected-error@+4{{expected ':'}}
// expected-note@+3{{to match this '?'}}
// expected-warning@+2{{variable 'b' is uninitialized}}
// expected-error@+1 2 {{expected ';' after top level declarator}}
int a long b = a = b ? throw 0 1
void g() {
extern int a;
extern long b;
long c = a = b ? throw 0 : 1;
long d = a = b ? 1 : throw 0;
// expected-error@+1 {{assigning to 'int' from incompatible type 'void'}}
long e = a = b ? throw 0 : throw 1;
}
} // namespace PR46484