This is an archive of the discontinued LLVM Phabricator instance.

Differential D124524

[demangler] Avoid nullptr UB
AbandonedPublic

Authored by urnathan on Apr 27 2022, 5:59 AM.

Details

Reviewers
dblaikie
kstoimenov
Summary

this resolves a UB introduced by D122604

The microsoft demangler demangles string literal contents (sans
quotes), and can therefore demangle the empty string to nothing. With
lazy buffer allocation, this results in a null buffer and consequent
detected UB with a memcpy. However, the fault is earlier, with taking
a StringView of that null buffer. This adds an allocateBuffer member,
to ensure that there is a non-null buffer, even when it is not needed.

A unit test also requires this, as it commences by inserting
no-characters and then checking for an empty string.

An assert is added on theOutputBuffer's conversion to StringView, to
catch future cases.

(My assumption that demangling either failed or always produced at
least one character turned out to be false in this one cases. I do
not know why the Microsoft demangler behaves this way, as it appears
to decorate the demangled strings with quotes before presentation to
the user.)

Diff Detail

Unit TestsFailed

TimeTest
21,160 msx64 debian > libFuzzer.libFuzzer::fork.test
60,030 msx64 debian > libFuzzer.libFuzzer::fuzzer-leak.test
60,140 msx64 debian > libFuzzer.libFuzzer::large.test
60,020 msx64 debian > libFuzzer.libFuzzer::out-of-process-fuzz.test
60,020 msx64 debian > libFuzzer.libFuzzer::value-profile-load.test

Event Timeline

urnathan created this revision.Apr 27 2022, 5:59 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 27 2022, 5:59 AM
Herald added a subscriber: hiraditya. · View Herald Transcript
urnathan requested review of this revision.Apr 27 2022, 5:59 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 27 2022, 5:59 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
urnathan added a child revision: D122604: [demangler] Simplify OutputBuffer initialization.Apr 27 2022, 6:00 AM
Harbormaster completed remote builds in B161585: Diff 425493.Apr 27 2022, 7:52 AM
dblaikie added a comment.Apr 27 2022, 9:18 AM

Hmm - why does this need an allocation, though? A StringPiece(nullptr, nullptr) sounds valid to me? Is something using a distinction between StringPiece that's zero-length but non-null and StringPiece that's null?

urnathan added a comment.Apr 27 2022, 12:51 PM
In D124524#3477537, @dblaikie wrote:

Hmm - why does this need an allocation, though? A StringPiece(nullptr, nullptr) sounds valid to me? Is something using a distinction between StringPiece that's zero-length but non-null and StringPiece that's null?

The UB is that we end up at memcpy (dst, SV.begin(), SV.size()), even though that's copying zero bytes, we have a null SV.begin(). C++20's string_view cannot be over a null pointer, and ISTM that the demangler's StringView (should) have the same restriction. StringView is a pair of pointers, along with a FIXME to move to std::string_view when C++17 is the implementation language. Hm, perhaps the assert belongs inside StringView?

This seemed the least-worst way of addressing it. Alternatively I guess we could unconditionally allocate in OutputBuffer's ctor, but that seemed less pleasant.

h-vetinari added a subscriber: h-vetinari.Apr 27 2022, 9:03 PM

2x "Buffer cannot by nullptr" -> "Buffer cannot be nullptr"

urnathan added a comment.Apr 28 2022, 4:19 AM

alternatively could punt on the whole nullptr thing and just special case the zero-length memcpy and test comparison. thoughts?
(For amusement value, I do know MIPS' memcpy routines segfault on memcpy (dst, nullptr, 0))

xbolva00 added subscribers: rjmccall, xbolva00.Apr 28 2022, 5:28 AM

Can you show some C++ rule why you think that

memcpy(nullptr, nullptr, 0) is UB?

cc @rjmccall

Some time ago I was told this usage is perfectly fine and LLVM cannot assume that dst and src are nonnull pointers.

urnathan added a comment.Apr 28 2022, 5:37 AM
In D124524#3479799, @xbolva00 wrote:

Can you show some C++ rule why you think that

memcpy(nullptr, nullptr, 0) is UB?

cc @rjmccall

Some time ago I was told this usage is perfectly fine and LLVM cannot assume that dst and src are nonnull pointers.

llvm's sanitizer barfs on such uses.

glibc's header files mark the pointer as non-null:
extern void *memcpy (void *restrict dest, const void *restrict src,

size_t __n) throw () __attribute__ ((__nonnull__ (1, 2)));

c99: 7.21.2.1 "The memcpy function copies n characters from the object pointed to by s2 into the
object pointed to by s1. If copying takes place between objects that overlap, the behavior
is undefined."

null is not a pointer to an object

It is an unfortunate edge case, but it is what it is.

xbolva00 added a comment.Apr 28 2022, 6:39 AM
In D124524#3479827, @urnathan wrote:
In D124524#3479799, @xbolva00 wrote:

Can you show some C++ rule why you think that

memcpy(nullptr, nullptr, 0) is UB?

cc @rjmccall

Some time ago I was told this usage is perfectly fine and LLVM cannot assume that dst and src are nonnull pointers.

llvm's sanitizer barfs on such uses.

glibc's header files mark the pointer as non-null:
extern void *memcpy (void *restrict dest, const void *restrict src,

size_t __n) throw () __attribute__ ((__nonnull__ (1, 2)));

c99: 7.21.2.1 "The memcpy function copies n characters from the object pointed to by s2 into the
object pointed to by s1. If copying takes place between objects that overlap, the behavior
is undefined."

null is not a pointer to an object

It is an unfortunate edge case, but it is what it is.

Yeah, so SImplifyLibCalls can just drop this restriction and be more aggresive.

dblaikie added a comment.Apr 28 2022, 9:55 AM
In D124524#3478021, @urnathan wrote:
In D124524#3477537, @dblaikie wrote:

Hmm - why does this need an allocation, though? A StringPiece(nullptr, nullptr) sounds valid to me? Is something using a distinction between StringPiece that's zero-length but non-null and StringPiece that's null?

The UB is that we end up at memcpy (dst, SV.begin(), SV.size()), even though that's copying zero bytes, we have a null SV.begin(). C++20's string_view cannot be over a null pointer, and ISTM that the demangler's StringView (should) have the same restriction. StringView is a pair of pointers, along with a FIXME to move to std::string_view when C++17 is the implementation language. Hm, perhaps the assert belongs inside StringView?

This seemed the least-worst way of addressing it. Alternatively I guess we could unconditionally allocate in OutputBuffer's ctor, but that seemed less pleasant.

Ah, OK - thanks for walking me through it. The other alternative could be to wrap the memcpy in "if (SV.data() != nullptr)"? That feels more direct/explicit/intentional about the issue, to me at least.

xbolva00 mentioned this in D124633: [SimplifyLibCalls] Pointers passed to libcalls must point to valid objects.Apr 28 2022, 12:39 PM
urnathan mentioned this in D122604: [demangler] Simplify OutputBuffer initialization.May 2 2022, 6:22 AM
dblaikie added a comment.May 2 2022, 11:09 AM

Yeah, I'd go with the fix at memcpy in D122604 instead.

I appreciate the argument from string_view's API design - though even string_view can be over nullptr, but can't be constructed with a null pointer (its default constructor creates a {nullptr, 0} string_view) so arguably the caller should be able to handle a null string_view.

urnathan added a comment.May 3 2022, 4:39 AM
In D124524#3486242, @dblaikie wrote:

Yeah, I'd go with the fix at memcpy in D122604 instead.

I appreciate the argument from string_view's API design - though even string_view can be over nullptr, but can't be constructed with a null pointer (its default constructor creates a {nullptr, 0} string_view) so arguably the caller should be able to handle a null string_view.

Oh, I'd not noticed that default ctor behavior. I've also looked up to make sure that C++ makes well defined subtracting nullptrs and adding/subbing zero to/from a nullptr. It's just the memcpy issue.

urnathan abandoned this revision.May 3 2022, 4:39 AM
urnathan removed a child revision: D122604: [demangler] Simplify OutputBuffer initialization.May 13 2022, 9:38 AM

Revision Contents

PathSize
libcxxabi/
src/
demangle/
7 lines
llvm/
include/
llvm/
Demangle/
7 lines
lib/
Demangle/
4 lines
unittests/
Demangle/
2 lines

Diff 425493

libcxxabi/src/demangle/Utility.h

Show First 20 LinesShow All 69 Lines▼ Show 20 Lines
public: public:
OutputBuffer(char *StartBuf, size_t Size) OutputBuffer(char *StartBuf, size_t Size)
: Buffer(StartBuf), CurrentPosition(0), BufferCapacity(Size) {} : Buffer(StartBuf), CurrentPosition(0), BufferCapacity(Size) {}
OutputBuffer() = default; OutputBuffer() = default;
// Non-copyable // Non-copyable
OutputBuffer(const OutputBuffer &) = delete; OutputBuffer(const OutputBuffer &) = delete;
OutputBuffer &operator=(const OutputBuffer &) = delete; OutputBuffer &operator=(const OutputBuffer &) = delete;
operator StringView() const { return StringView(Buffer, CurrentPosition); } operator StringView() const {
assert(Buffer && "Buffer cannot by nullptr");
return StringView(Buffer, CurrentPosition);
}
void reset(char *Buffer_, size_t BufferCapacity_) { void reset(char *Buffer_, size_t BufferCapacity_) {
CurrentPosition = 0; CurrentPosition = 0;
Buffer = Buffer_; Buffer = Buffer_;
BufferCapacity = BufferCapacity_; BufferCapacity = BufferCapacity_;
} }
/// If a ParameterPackExpansion (or similar type) is encountered, the offset /// If a ParameterPackExpansion (or similar type) is encountered, the offset
▲ Show 20 LinesShow All 82 Lines▼ Show 20 Linespublic:
size_t getCurrentPosition() const { return CurrentPosition; } size_t getCurrentPosition() const { return CurrentPosition; }
void setCurrentPosition(size_t NewPos) { CurrentPosition = NewPos; } void setCurrentPosition(size_t NewPos) { CurrentPosition = NewPos; }
char back() const { char back() const {
return CurrentPosition ? Buffer[CurrentPosition - 1] : '\0'; return CurrentPosition ? Buffer[CurrentPosition - 1] : '\0';
} }
// Some uses require a buffer even when they write nothing.
void allocateBuffer() { grow(1); }
bool empty() const { return CurrentPosition == 0; } bool empty() const { return CurrentPosition == 0; }
char *getBuffer() { return Buffer; } char *getBuffer() { return Buffer; }
char *getBufferEnd() { return Buffer + CurrentPosition - 1; } char *getBufferEnd() { return Buffer + CurrentPosition - 1; }
size_t getBufferCapacity() const { return BufferCapacity; } size_t getBufferCapacity() const { return BufferCapacity; }
}; };
template <class T> class ScopedOverride { template <class T> class ScopedOverride {
Show All 33 Lines

llvm/include/llvm/Demangle/Utility.h

Show First 20 LinesShow All 69 Lines▼ Show 20 Lines
public: public:
OutputBuffer(char *StartBuf, size_t Size) OutputBuffer(char *StartBuf, size_t Size)
: Buffer(StartBuf), CurrentPosition(0), BufferCapacity(Size) {} : Buffer(StartBuf), CurrentPosition(0), BufferCapacity(Size) {}
OutputBuffer() = default; OutputBuffer() = default;
// Non-copyable // Non-copyable
OutputBuffer(const OutputBuffer &) = delete; OutputBuffer(const OutputBuffer &) = delete;
OutputBuffer &operator=(const OutputBuffer &) = delete; OutputBuffer &operator=(const OutputBuffer &) = delete;
operator StringView() const { return StringView(Buffer, CurrentPosition); } operator StringView() const {
assert(Buffer && "Buffer cannot by nullptr");
return StringView(Buffer, CurrentPosition);
}
void reset(char *Buffer_, size_t BufferCapacity_) { void reset(char *Buffer_, size_t BufferCapacity_) {
CurrentPosition = 0; CurrentPosition = 0;
Buffer = Buffer_; Buffer = Buffer_;
BufferCapacity = BufferCapacity_; BufferCapacity = BufferCapacity_;
} }
/// If a ParameterPackExpansion (or similar type) is encountered, the offset /// If a ParameterPackExpansion (or similar type) is encountered, the offset
▲ Show 20 LinesShow All 82 Lines▼ Show 20 Linespublic:
size_t getCurrentPosition() const { return CurrentPosition; } size_t getCurrentPosition() const { return CurrentPosition; }
void setCurrentPosition(size_t NewPos) { CurrentPosition = NewPos; } void setCurrentPosition(size_t NewPos) { CurrentPosition = NewPos; }
char back() const { char back() const {
return CurrentPosition ? Buffer[CurrentPosition - 1] : '\0'; return CurrentPosition ? Buffer[CurrentPosition - 1] : '\0';
} }
// Some uses require a buffer even when they write nothing.
void allocateBuffer() { grow(1); }
bool empty() const { return CurrentPosition == 0; } bool empty() const { return CurrentPosition == 0; }
char *getBuffer() { return Buffer; } char *getBuffer() { return Buffer; }
char *getBufferEnd() { return Buffer + CurrentPosition - 1; } char *getBufferEnd() { return Buffer + CurrentPosition - 1; }
size_t getBufferCapacity() const { return BufferCapacity; } size_t getBufferCapacity() const { return BufferCapacity; }
}; };
template <class T> class ScopedOverride { template <class T> class ScopedOverride {
Show All 33 Lines

llvm/lib/Demangle/MicrosoftDemangle.cpp

Show First 20 LinesShow All 1,295 Lines▼ Show 20 Lines case '1':
IsWcharT = true; IsWcharT = true;
DEMANGLE_FALLTHROUGH; DEMANGLE_FALLTHROUGH;
case '0': case '0':
break; break;
default: default:
goto StringLiteralError; goto StringLiteralError;
} }
// We can demangle to an empty string, and need to avoid a null buffer in that
// case.
OB.allocateBuffer();
// Encoded Length // Encoded Length
std::tie(StringByteSize, IsNegative) = demangleNumber(MangledName); std::tie(StringByteSize, IsNegative) = demangleNumber(MangledName);
if (Error || IsNegative || StringByteSize < (IsWcharT ? 2 : 1)) if (Error || IsNegative || StringByteSize < (IsWcharT ? 2 : 1))
goto StringLiteralError; goto StringLiteralError;
// CRC 32 (always 8 characters plus a terminator) // CRC 32 (always 8 characters plus a terminator)
CrcEndPos = MangledName.find('@'); CrcEndPos = MangledName.find('@');
if (CrcEndPos == StringView::npos) if (CrcEndPos == StringView::npos)
▲ Show 20 LinesShow All 1,065 LinesShow Last 20 Lines

llvm/unittests/Demangle/OutputBufferTest.cpp

Show All 38 LinesTEST(OutputBufferTest, Format) {
EXPECT_EQ("?", printToString('?')); EXPECT_EQ("?", printToString('?'));
EXPECT_EQ("abc", printToString("abc")); EXPECT_EQ("abc", printToString("abc"));
} }
TEST(OutputBufferTest, Insert) { TEST(OutputBufferTest, Insert) {
OutputBuffer OB; OutputBuffer OB;
OB.allocateBuffer();
OB.insert(0, "", 0); OB.insert(0, "", 0);
EXPECT_EQ("", toString(OB)); EXPECT_EQ("", toString(OB));
OB.insert(0, "abcd", 4); OB.insert(0, "abcd", 4);
EXPECT_EQ("abcd", toString(OB)); EXPECT_EQ("abcd", toString(OB));
OB.insert(0, "x", 1); OB.insert(0, "x", 1);
EXPECT_EQ("xabcd", toString(OB)); EXPECT_EQ("xabcd", toString(OB));
Show All 40 Lines