This is an archive of the discontinued LLVM Phabricator instance.

Differential D119525

[clang] Fix crash when array size is missing in initializer
ClosedPublic

Authored by tbaeder on Feb 10 2022, 11:38 PM.

Details

Reviewers
aaron.ballman
rsmith
Commits
rGf8cedc642d9b: [clang] Never wrap a nullptr in CXXNewExpr::getArraySize()
Summary

This fixes the crash from https://github.com/llvm/llvm-project/issues/53742

CXXNewExpr::getArraySize() may return a llvm::Optional<> pointing to a nullptr.

Diff Detail

Event Timeline

tbaeder requested review of this revision.Feb 10 2022, 11:38 PM
tbaeder created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptFeb 10 2022, 11:38 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
tbaeder updated this revision to Diff 407785.Feb 10 2022, 11:47 PM

This is a pretty big gotcha at best and I feel like getArraySize() should return None in that case instead... thoughts?

Harbormaster completed remote builds in B148925: Diff 407785.Feb 11 2022, 12:25 AM
aaron.ballman added a comment.Feb 11 2022, 5:55 AM
In D119525#3313554, @tbaeder wrote:

This is a pretty big gotcha at best and I feel like getArraySize() should return None in that case instead... thoughts?

I think it is a gotcha -- some places protect against a null pointer (https://github.com/llvm/llvm-project/blob/main/clang/lib/Sema/TreeTransform.h#L11923 and https://github.com/llvm/llvm-project/blob/main/clang/lib/AST/StmtPrinter.cpp#L2138) while other places assume the pointer isn't null (https://github.com/llvm/llvm-project/blob/main/clang/lib/CodeGen/CGExprCXX.cpp#L731 and https://github.com/llvm/llvm-project/blob/main/clang/lib/AST/ExprConstant.cpp#L9431). So I think a better approach is to fix up the interface so it doesn't return nullptr rather than play whack-a-mole forever with the API (and fix up the places currently checking for nullptr explicitly).

tbaeder updated this revision to Diff 407885.Feb 11 2022, 8:12 AM
tbaeder added inline comments.
clang/lib/AST/StmtPrinter.cpp
2135

I changed this just for clarity, not doing it did not cause any tests to fail. Not sure if this is tested at all.

aaron.ballman accepted this revision.Feb 11 2022, 8:41 AM

LGTM aside from some minor nits. Can you also add a release note for the change?

clang/include/clang/AST/ExprCXX.h
2271
2285
clang/lib/AST/StmtPrinter.cpp
2135

-ast-print is... pretty terrible (I've had half a mind to put up an RFC asking if we should remove it entirely, that's how unmaintained it is), so I suspect it's not tested.

This revision is now accepted and ready to land.Feb 11 2022, 8:41 AM
Harbormaster completed remote builds in B148989: Diff 407885.Feb 11 2022, 8:53 AM
tbaeder updated this revision to Diff 407912.Feb 11 2022, 9:26 AM
tbaeder marked 3 inline comments as done.
tbaeder added inline comments.
clang/lib/AST/StmtPrinter.cpp
2135

Alright, I'll leave it at that then. I briefly tried to test the code but didn't succeed.

Harbormaster completed remote builds in B149006: Diff 407912.Feb 11 2022, 10:18 AM
tbaeder marked an inline comment as done.Feb 13 2022, 6:13 AM
In D119525#3314383, @aaron.ballman wrote:

Can you also add a release note for the change?

Would this go in the "libclang" section in clang/docs/ReleaseNotes.rst? Or somewhere else?

aaron.ballman added a comment.Feb 14 2022, 11:00 AM
In D119525#3317623, @tbaeder wrote:
In D119525#3314383, @aaron.ballman wrote:

Can you also add a release note for the change?

Would this go in the "libclang" section in clang/docs/ReleaseNotes.rst? Or somewhere else?

Nope, I'd add a new section titled "Bug Fixes" after "Major New Features" and then add it there.

tbaeder updated this revision to Diff 409173.Feb 16 2022, 1:23 AM
Harbormaster completed remote builds in B149907: Diff 409173.Feb 16 2022, 1:24 AM
aaron.ballman added a comment.Feb 16 2022, 5:09 AM

Continues to LGTM, though I had a recommendation for the release note. Feel free to land when you'd like.

clang/docs/ReleaseNotes.rst
59

Just added a reference to the bug that was fixed.

tbaeder added inline comments.Feb 16 2022, 7:07 AM
clang/docs/ReleaseNotes.rst
59

I was wondering about this. Where does the "PRXXXXXX" syntax come from? Since the repo and issues are on github now, I don't see how it makes sense to call it a PR (it's an issue, not a pull request) and github doesn't linkify those, while it does when using the #xxxxxx syntax (which isn't relevant in this case, but it is when using it in git commit messages). I have seen other people use the same syntax to refer to issues. I'd probably just add an actual link to the github issue here if that's permitted. Thanks for the suggestion though, I'm on PTO this week so don't land this until Monday :)

aaron.ballman added inline comments.Feb 17 2022, 6:15 AM
clang/docs/ReleaseNotes.rst
59

I was wondering about this. Where does the "PRXXXXXX" syntax come from?

"Problem Report" -- ancient terminology.

I have seen other people use the same syntax to refer to issues. I'd probably just add an actual link to the github issue here if that's permitted.

TBH, I think that's an even better suggestion (linking to the issue). One concern I have is that it's really hard to tell whether the number is a bugzilla issue number or a GitHub issue number (I suppose we should all assume they're always github issue numbers these days though), so I wasn't keen on having a number with no prefix to it. But if we're linking to what's been fixed, then there's never a chance for confusion.

Thanks for the suggestion though, I'm on PTO this week so don't land this until Monday :)

Sounds good to me, enjoy your PTO!

tbaeder updated this revision to Diff 410233.Feb 20 2022, 11:58 PM
tbaeder marked an inline comment as done.
tbaeder added inline comments.
clang/docs/ReleaseNotes.rst
59

I added a link for the new entry and replaced the old PR mention with a link as well, so it's consistent at least.

Harbormaster completed remote builds in B150645: Diff 410233.Feb 21 2022, 12:53 AM
This revision was landed with ongoing or failed builds.Feb 22 2022, 7:28 AM
Closed by commit rGf8cedc642d9b: [clang] Never wrap a nullptr in CXXNewExpr::getArraySize() (authored by tbaeder). · Explain Why
This revision was automatically updated to reflect the committed changes.
tbaeder marked an inline comment as done.
tbaeder added a commit: rGf8cedc642d9b: [clang] Never wrap a nullptr in CXXNewExpr::getArraySize().

Revision Contents

PathSize
clang/
docs/
11 lines
include/
clang/
AST/
21 lines
lib/
AST/
2 lines
4 lines
Sema/
4 lines
test/
AST/
14 lines

Diff 410533

clang/docs/ReleaseNotes.rst

Show First 20 LinesShow All 48 Lines▼ Show 20 Lines
- Clang now supports the ``-fzero-call-used-regs`` feature for x86. The purpose - Clang now supports the ``-fzero-call-used-regs`` feature for x86. The purpose
of this feature is to limit Return-Oriented Programming (ROP) exploits and of this feature is to limit Return-Oriented Programming (ROP) exploits and
information leakage. It works by zeroing out a selected class of registers information leakage. It works by zeroing out a selected class of registers
before function return --- e.g., all GPRs that are used within the function. before function return --- e.g., all GPRs that are used within the function.
There is an analogous ``zero_call_used_regs`` attribute to allow for finer There is an analogous ``zero_call_used_regs`` attribute to allow for finer
control of this feature. control of this feature.
Bug Fixes
------------------
- ``CXXNewExpr::getArraySize()`` previously returned a ``llvm::Optional``
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions
------------------
- - ``CXXNewExpr::getArraySize()`` previously returned a ``llvm::Optional``
+ - Fixes PR53742. ``CXXNewExpr::getArraySize()`` previously returned a ``llvm::Optional``
wrapping a ``nullptr`` when the ``CXXNewExpr`` did not have an array

Just added a reference to the bug that was fixed.

aaron.ballman: Just added a reference to the bug that was fixed.
tbaederAuthorUnsubmitted
Done
ReplyInline Actions

I was wondering about this. Where does the "PRXXXXXX" syntax come from? Since the repo and issues are on github now, I don't see how it makes sense to call it a PR (it's an issue, not a pull request) and github doesn't linkify those, while it does when using the #xxxxxx syntax (which isn't relevant in this case, but it is when using it in git commit messages). I have seen other people use the same syntax to refer to issues. I'd probably just add an actual link to the github issue here if that's permitted. Thanks for the suggestion though, I'm on PTO this week so don't land this until Monday :)

tbaeder: I was wondering about this. Where does the "PRXXXXXX" syntax come from? Since the repo and…
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

I was wondering about this. Where does the "PRXXXXXX" syntax come from?

"Problem Report" -- ancient terminology.

I have seen other people use the same syntax to refer to issues. I'd probably just add an actual link to the github issue here if that's permitted.

TBH, I think that's an even better suggestion (linking to the issue). One concern I have is that it's really hard to tell whether the number is a bugzilla issue number or a GitHub issue number (I suppose we should all assume they're always github issue numbers these days though), so I wasn't keen on having a number with no prefix to it. But if we're linking to what's been fixed, then there's never a chance for confusion.

Thanks for the suggestion though, I'm on PTO this week so don't land this until Monday :)

Sounds good to me, enjoy your PTO!

aaron.ballman: > I was wondering about this. Where does the "PRXXXXXX" syntax come from? "Problem Report"…
tbaederAuthorUnsubmitted
Done
ReplyInline Actions

I added a link for the new entry and replaced the old PR mention with a link as well, so it's consistent at least.

tbaeder: I added a link for the new entry and replaced the old PR mention with a link as well, so it's…
wrapping a ``nullptr`` when the ``CXXNewExpr`` did not have an array
size expression. This was fixed and ``::getArraySize()`` will now always
either return ``None`` or a ``llvm::Optional`` wrapping a valid ``Expr*``.
This fixes `Issue #53742<https://github.com/llvm/llvm-project/issues/53742>`_.
Improvements to Clang's diagnostics Improvements to Clang's diagnostics
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Non-comprehensive list of changes in this release Non-comprehensive list of changes in this release
------------------------------------------------- -------------------------------------------------
New Compiler Flags New Compiler Flags
------------------ ------------------
Show All 13 Lines
- ... - ...
Attribute Changes in Clang Attribute Changes in Clang
-------------------------- --------------------------
- Added support for parameter pack expansion in `clang::annotate`. - Added support for parameter pack expansion in `clang::annotate`.
- The ``overloadable`` attribute can now be written in all of the syntactic - The ``overloadable`` attribute can now be written in all of the syntactic
locations a declaration attribute may appear. Fixes PR53805. locations a declaration attribute may appear.
This fixes `Issue #53805<https://github.com/llvm/llvm-project/issues/53805>`_.
Windows Support Windows Support
--------------- ---------------
- Add support for MSVC-compatible ``/JMC``/``/JMC-`` flag in clang-cl (supports - Add support for MSVC-compatible ``/JMC``/``/JMC-`` flag in clang-cl (supports
X86/X64/ARM/ARM64). ``/JMC`` could only be used when ``/Zi`` or ``/Z7`` is X86/X64/ARM/ARM64). ``/JMC`` could only be used when ``/Zi`` or ``/Z7`` is
turned on. With this addition, clang-cl can be used in Visual Studio for the turned on. With this addition, clang-cl can be used in Visual Studio for the
JustMyCode feature. Note, you may need to manually add ``/JMC`` as additional JustMyCode feature. Note, you may need to manually add ``/JMC`` as additional
▲ Show 20 LinesShow All 147 LinesShow Last 20 Lines

clang/include/clang/AST/ExprCXX.h

Show First 20 LinesShow All 2,255 Lines▼ Show 20 Linespublic:
FunctionDecl *getOperatorNew() const { return OperatorNew; } FunctionDecl *getOperatorNew() const { return OperatorNew; }
void setOperatorNew(FunctionDecl *D) { OperatorNew = D; } void setOperatorNew(FunctionDecl *D) { OperatorNew = D; }
FunctionDecl *getOperatorDelete() const { return OperatorDelete; } FunctionDecl *getOperatorDelete() const { return OperatorDelete; }
void setOperatorDelete(FunctionDecl *D) { OperatorDelete = D; } void setOperatorDelete(FunctionDecl *D) { OperatorDelete = D; }
bool isArray() const { return CXXNewExprBits.IsArray; } bool isArray() const { return CXXNewExprBits.IsArray; }
/// This might return None even if isArray() returns true,
/// since there might not be an array size expression.
/// If the result is not-None, it will never wrap a nullptr.
Optional<Expr *> getArraySize() { Optional<Expr *> getArraySize() {
if (!isArray()) if (!isArray())
return None; return None;
return cast_or_null<Expr>(getTrailingObjects<Stmt *>()[arraySizeOffset()]);
if (auto *Result =
aaron.ballmanUnsubmitted
Done
ReplyInline Actions
return None;
- if (auto Result =
+ if (auto *Result =
cast_or_null<Expr>(getTrailingObjects<Stmt *>()[arraySizeOffset()]))
aaron.ballman:
cast_or_null<Expr>(getTrailingObjects<Stmt *>()[arraySizeOffset()]))
return Result;
return None;
} }
/// This might return None even if isArray() returns true,
/// since there might not be an array size expression.
/// If the result is not-None, it will never wrap a nullptr.
Optional<const Expr *> getArraySize() const { Optional<const Expr *> getArraySize() const {
if (!isArray()) if (!isArray())
return None; return None;
return cast_or_null<Expr>(getTrailingObjects<Stmt *>()[arraySizeOffset()]);
if (auto *Result =
aaron.ballmanUnsubmitted
Done
ReplyInline Actions
return None;
- if (auto Result =
+ if (auto *Result =
cast_or_null<Expr>(getTrailingObjects<Stmt *>()[arraySizeOffset()]))
aaron.ballman:
cast_or_null<Expr>(getTrailingObjects<Stmt *>()[arraySizeOffset()]))
return Result;
return None;
} }
unsigned getNumPlacementArgs() const { unsigned getNumPlacementArgs() const {
return CXXNewExprBits.NumPlacementArgs; return CXXNewExprBits.NumPlacementArgs;
} }
Expr **getPlacementArgs() { Expr **getPlacementArgs() {
return reinterpret_cast<Expr **>(getTrailingObjects<Stmt *>() + return reinterpret_cast<Expr **>(getTrailingObjects<Stmt *>() +
▲ Show 20 LinesShow All 2,625 LinesShow Last 20 Lines

clang/lib/AST/ExprConstant.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 9,421 Lines▼ Show 20 Linesbool PointerExprEvaluator::VisitCXXNewExpr(const CXXNewExpr *E) {
} }
const Expr *Init = E->getInitializer(); const Expr *Init = E->getInitializer();
const InitListExpr *ResizedArrayILE = nullptr; const InitListExpr *ResizedArrayILE = nullptr;
const CXXConstructExpr *ResizedArrayCCE = nullptr; const CXXConstructExpr *ResizedArrayCCE = nullptr;
bool ValueInit = false; bool ValueInit = false;
QualType AllocType = E->getAllocatedType(); QualType AllocType = E->getAllocatedType();
if (Optional<const Expr*> ArraySize = E->getArraySize()) { if (Optional<const Expr *> ArraySize = E->getArraySize()) {
const Expr *Stripped = *ArraySize; const Expr *Stripped = *ArraySize;
for (; auto *ICE = dyn_cast<ImplicitCastExpr>(Stripped); for (; auto *ICE = dyn_cast<ImplicitCastExpr>(Stripped);
Stripped = ICE->getSubExpr()) Stripped = ICE->getSubExpr())
if (ICE->getCastKind() != CK_NoOp && if (ICE->getCastKind() != CK_NoOp &&
ICE->getCastKind() != CK_IntegralCast) ICE->getCastKind() != CK_IntegralCast)
break; break;
llvm::APSInt ArrayBound; llvm::APSInt ArrayBound;
▲ Show 20 LinesShow All 6,482 LinesShow Last 20 Lines

clang/lib/AST/StmtPrinter.cpp

Show First 20 LinesShow All 2,126 Lines▼ Show 20 Lines for (unsigned i = 1; i < NumPlace; ++i) {
OS << ", "; OS << ", ";
PrintExpr(E->getPlacementArg(i)); PrintExpr(E->getPlacementArg(i));
} }
OS << ") "; OS << ") ";
} }
if (E->isParenTypeId()) if (E->isParenTypeId())
OS << "("; OS << "(";
std::string TypeS; std::string TypeS;
if (Optional<Expr *> Size = E->getArraySize()) { if (E->isArray()) {
tbaederAuthorUnsubmitted
Done
ReplyInline Actions

I changed this just for clarity, not doing it did not cause any tests to fail. Not sure if this is tested at all.

tbaeder: I changed this just for clarity, not doing it did not cause any tests to fail. Not sure if this…
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

-ast-print is... pretty terrible (I've had half a mind to put up an RFC asking if we should remove it entirely, that's how unmaintained it is), so I suspect it's not tested.

aaron.ballman: -ast-print is... pretty terrible (I've had half a mind to put up an RFC asking if we should…
tbaederAuthorUnsubmitted
Done
ReplyInline Actions

Alright, I'll leave it at that then. I briefly tried to test the code but didn't succeed.

tbaeder: Alright, I'll leave it at that then. I briefly tried to test the code but didn't succeed.
llvm::raw_string_ostream s(TypeS); llvm::raw_string_ostream s(TypeS);
s << '['; s << '[';
if (*Size) if (Optional<Expr *> Size = E->getArraySize())
(*Size)->printPretty(s, Helper, Policy); (*Size)->printPretty(s, Helper, Policy);
s << ']'; s << ']';
} }
E->getAllocatedType().print(OS, Policy, TypeS); E->getAllocatedType().print(OS, Policy, TypeS);
if (E->isParenTypeId()) if (E->isParenTypeId())
OS << ")"; OS << ")";
CXXNewExpr::InitializationStyle InitStyle = E->getInitializationStyle(); CXXNewExpr::InitializationStyle InitStyle = E->getInitializationStyle();
▲ Show 20 LinesShow All 479 LinesShow Last 20 Lines

clang/lib/Sema/TreeTransform.h

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 11,906 Lines▼ Show 20 LinesTreeTransform<Derived>::TransformCXXNewExpr(CXXNewExpr *E) {
// Transform the type that we're allocating // Transform the type that we're allocating
TypeSourceInfo *AllocTypeInfo = TypeSourceInfo *AllocTypeInfo =
getDerived().TransformTypeWithDeducedTST(E->getAllocatedTypeSourceInfo()); getDerived().TransformTypeWithDeducedTST(E->getAllocatedTypeSourceInfo());
if (!AllocTypeInfo) if (!AllocTypeInfo)
return ExprError(); return ExprError();
// Transform the size of the array we're allocating (if any). // Transform the size of the array we're allocating (if any).
Optional<Expr *> ArraySize; Optional<Expr *> ArraySize;
if (Optional<Expr *> OldArraySize = E->getArraySize()) { if (E->isArray()) {
ExprResult NewArraySize; ExprResult NewArraySize;
if (*OldArraySize) { if (Optional<Expr *> OldArraySize = E->getArraySize()) {
NewArraySize = getDerived().TransformExpr(*OldArraySize); NewArraySize = getDerived().TransformExpr(*OldArraySize);
if (NewArraySize.isInvalid()) if (NewArraySize.isInvalid())
return ExprError(); return ExprError();
} }
ArraySize = NewArraySize.get(); ArraySize = NewArraySize.get();
} }
// Transform the placement arguments (if any). // Transform the placement arguments (if any).
▲ Show 20 LinesShow All 2,955 LinesShow Last 20 Lines

clang/test/AST/issue53742.cpp

  • This file was added.
// RUN: %clang_cc1 -fsyntax-only %s -verify
struct Data {
char *a;
char *b;
bool *c;
};
int main() {
Data in;
in.a = new char[](); // expected-error {{cannot determine allocated array size from initializer}}
in.c = new bool[100]();
in.b = new char[100]();
}