This is an archive of the discontinued LLVM Phabricator instance.

Differential D103825

[clang] Do not crash when ArgTy is null in CheckArgAlignment
ClosedPublic

Authored by adamcz on Jun 7 2021, 9:27 AM.

Details

Reviewers
kadircet
hokein
Commits
rG49eba8bf1780: [clang] Do not crash when ArgTy is null in CheckArgAlignment
Summary

No repro case just yet. I only observed a crash like this and noticed
ArgTy-Value = 0 in coredump.

Diff Detail

Event Timeline

adamcz requested review of this revision.Jun 7 2021, 9:27 AM
adamcz created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptJun 7 2021, 9:27 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B108014: Diff 350330.Jun 7 2021, 11:48 AM
kadircet added a subscriber: kadircet.Jun 8 2021, 3:39 AM
kadircet added inline comments.
clang/lib/Sema/SemaChecking.cpp
4567

i think ArgTy becomes null after this operation. e.g. the function requires a pointer param, user provides a non-pointer arg in a context where recovery exprs would keep the ast call attached.

I've also spent quite some time trying to reproduce but no luck.

4657–4660

i think before diving in here we should ensure this Expr doesn't have type or error dependence.

adamcz updated this revision to Diff 350612.Jun 8 2021, 8:36 AM

added a test

adamcz updated this revision to Diff 350613.Jun 8 2021, 8:38 AM

update commit description

Harbormaster completed remote builds in B108219: Diff 350613.Jun 8 2021, 9:11 AM
adamcz updated this revision to Diff 350629.Jun 8 2021, 9:35 AM

Added some containsErrors() calls, not sure if that's the right thing to do

adamcz added reviewers: kadircet, hokein.Jun 8 2021, 9:40 AM

FYI The ArgTy.isNull() check is sufficient to fix this. The Arg->containsErrors() is not - it's false in this case, since it seems CXXDefaultArgExpr with RecoveryExpr inside seems to not contains errors, according to containsError(). I can't tell if that's by design, or a bug.

Haojian, please let me know if you think Arg->containsError() should be true or if we should be testing somewhere else, or just drop it and accept that CheckArgAlignment may be called with RecoveryExpr and have it check for ArgTy->isNull().

Basically, let me know what you think about this. Thanks!

kadircet accepted this revision.Jun 8 2021, 9:56 AM

as discussed offline LG from my side.

regarding the default arg of a parameter containing an error, it seems to be effecting type information of the parameter even though the type is explicitly specified. so it feels like either:

  • one cannot perform any semantic checks on a parmvardecl with an errornous default arg, hence error dependence bit should be propagated from default arg to the parameter, or
  • there's an issue with the type checking logic itself and it shouldn't be making type of the var decl depend on the default argument (when it is explicitly specified in the declaration).

but i am not an expert in either, so these are just feelings :). But it'd be great if we got rid of the additional default arg containing error check in here one way or the other.

This revision is now accepted and ready to land.Jun 8 2021, 9:56 AM
Harbormaster completed remote builds in B108231: Diff 350629.Jun 8 2021, 9:56 AM
hokein added a comment.Jun 8 2021, 11:24 PM
In D103825#2805760, @adamcz wrote:

FYI The ArgTy.isNull() check is sufficient to fix this. The Arg->containsErrors() is not - it's false in this case, since it seems CXXDefaultArgExpr with RecoveryExpr inside seems to not contains errors, according to containsError(). I can't tell if that's by design, or a bug.

Haojian, please let me know if you think Arg->containsError() should be true or if we should be testing somewhere else, or just drop it and accept that CheckArgAlignment may be called with RecoveryExpr and have it check for ArgTy->isNull().

Basically, let me know what you think about this. Thanks!

Thanks for the analysis.

Yeah, I think this is a bug in clang when computing the dependence of CXXDefaultArgExpr -- the CXXDefaultArgExpr should respect the dependence of its actual argument (getExpr()). I think we should fix it first.

Regarding to test it, the best way is to dump the AST node and verify the containsError is in the dump string.

adamcz added a comment.Jun 9 2021, 11:28 AM

Thanks Haojian!
I sent out https://reviews.llvm.org/D103982 for the CXXDefaultArgExpr. I'll update this change after I submit that one.

adamcz updated this revision to Diff 351155.Jun 10 2021, 6:28 AM

updated after the CXXDefaultArgExpr containsErrors() change.

hokein accepted this revision.Jun 10 2021, 7:04 AM

Thanks! Really hope this is the last time to fix this crash.

clang/lib/Sema/SemaChecking.cpp
4574–4576

looks like the isNull is not needed to fix the crash, but let's be more defensive this time.

Harbormaster completed remote builds in B108612: Diff 351155.Jun 10 2021, 7:36 AM
Closed by commit rG49eba8bf1780: [clang] Do not crash when ArgTy is null in CheckArgAlignment (authored by adamcz). · Explain WhyJun 10 2021, 7:59 AM
This revision was automatically updated to reflect the committed changes.
adamcz added a commit: rG49eba8bf1780: [clang] Do not crash when ArgTy is null in CheckArgAlignment.
ArcsinX mentioned this in D133886: [clang][RecoveryExpr] Don't perform alignment check if parameter type is dependent.Sep 14 2022, 12:17 PM

Revision Contents

PathSize
clang/
lib/
Sema/
8 lines
test/
SemaCXX/
6 lines

Diff 351177

clang/lib/Sema/SemaChecking.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 4,558 Lines▼ Show 20 Linesvoid Sema::CheckArgAlignment(SourceLocation Loc, NamedDecl *FDecl,
// If a function accepts a pointer or reference type // If a function accepts a pointer or reference type
if (!ParamTy->isPointerType() && !ParamTy->isReferenceType()) if (!ParamTy->isPointerType() && !ParamTy->isReferenceType())
return; return;
// If the parameter is a pointer type, get the pointee type for the // If the parameter is a pointer type, get the pointee type for the
// argument too. If the parameter is a reference type, don't try to get // argument too. If the parameter is a reference type, don't try to get
// the pointee type for the argument. // the pointee type for the argument.
if (ParamTy->isPointerType()) if (ParamTy->isPointerType())
ArgTy = ArgTy->getPointeeType(); ArgTy = ArgTy->getPointeeType();
kadircetUnsubmitted
Not Done
ReplyInline Actions

i think ArgTy becomes null after this operation. e.g. the function requires a pointer param, user provides a non-pointer arg in a context where recovery exprs would keep the ast call attached.

I've also spent quite some time trying to reproduce but no luck.

kadircet: i think ArgTy becomes null after this operation. e.g. the function requires a pointer param…
// Remove reference or pointer // Remove reference or pointer
ParamTy = ParamTy->getPointeeType(); ParamTy = ParamTy->getPointeeType();
// Find expected alignment, and the actual alignment of the passed object. // Find expected alignment, and the actual alignment of the passed object.
// getTypeAlignInChars requires complete types // getTypeAlignInChars requires complete types
if (ParamTy->isIncompleteType() || ArgTy->isIncompleteType() || if (ArgTy.isNull() || ParamTy->isIncompleteType() ||
ParamTy->isUndeducedType() || ArgTy->isUndeducedType()) ArgTy->isIncompleteType() || ParamTy->isUndeducedType() ||
ArgTy->isUndeducedType())
hokeinUnsubmitted
Not Done
ReplyInline Actions

looks like the isNull is not needed to fix the crash, but let's be more defensive this time.

hokein: looks like the `isNull` is not needed to fix the crash, but let's be more defensive this time.
return; return;
CharUnits ParamAlign = Context.getTypeAlignInChars(ParamTy); CharUnits ParamAlign = Context.getTypeAlignInChars(ParamTy);
CharUnits ArgAlign = Context.getTypeAlignInChars(ArgTy); CharUnits ArgAlign = Context.getTypeAlignInChars(ArgTy);
// If the argument is less aligned than the parameter, there is a // If the argument is less aligned than the parameter, there is a
// potential alignment issue. // potential alignment issue.
if (ArgAlign < ParamAlign) if (ArgAlign < ParamAlign)
▲ Show 20 LinesShow All 64 Lines▼ Show 20 Lines if (isa_and_nonnull<FunctionProtoType>(FT))
Proto = cast<FunctionProtoType>(FDecl->getFunctionType()); Proto = cast<FunctionProtoType>(FDecl->getFunctionType());
} }
if (Proto) { if (Proto) {
// For variadic functions, we may have more args than parameters. // For variadic functions, we may have more args than parameters.
// For some K&R functions, we may have less args than parameters. // For some K&R functions, we may have less args than parameters.
const auto N = std::min<unsigned>(Proto->getNumParams(), Args.size()); const auto N = std::min<unsigned>(Proto->getNumParams(), Args.size());
for (unsigned ArgIdx = 0; ArgIdx < N; ++ArgIdx) { for (unsigned ArgIdx = 0; ArgIdx < N; ++ArgIdx) {
// Args[ArgIdx] can be null in malformed code. // Args[ArgIdx] can be null in malformed code.
if (const Expr *Arg = Args[ArgIdx]) { if (const Expr *Arg = Args[ArgIdx]) {
if (Arg->containsErrors())
continue;
kadircetUnsubmitted
Not Done
ReplyInline Actions

i think before diving in here we should ensure this Expr doesn't have type or error dependence.

kadircet: i think before diving in here we should ensure this `Expr` doesn't have type or error…
QualType ParamTy = Proto->getParamType(ArgIdx); QualType ParamTy = Proto->getParamType(ArgIdx);
QualType ArgTy = Arg->getType(); QualType ArgTy = Arg->getType();
CheckArgAlignment(Arg->getExprLoc(), FDecl, std::to_string(ArgIdx + 1), CheckArgAlignment(Arg->getExprLoc(), FDecl, std::to_string(ArgIdx + 1),
ArgTy, ParamTy); ArgTy, ParamTy);
} }
} }
} }
▲ Show 20 LinesShow All 11,700 LinesShow Last 20 Lines

clang/test/SemaCXX/recovery-expr-type.cpp

Show First 20 LinesShow All 130 Lines▼ Show 20 Linesstruct S { // expected-note {{candidate}}
~S(); ~S();
}; };
template <typename T> S(T t) -> S<void *>; template <typename T> S(T t) -> S<void *>;
void baz() { void baz() {
bar(S(123)); // expected-error {{no matching conversion}} bar(S(123)); // expected-error {{no matching conversion}}
} }
} // namespace test11 } // namespace test11
namespace test12 {
// Verify we do not crash.
void fun(int *foo = no_such_function()); // expected-error {{undeclared identifier}}
void baz() { fun(); }
} // namespace test12