This is an archive of the discontinued LLVM Phabricator instance.

Differential D124915

Check for resource exhaustion when recursively parsing declarators
ClosedPublic

Authored by aaron.ballman on May 4 2022, 5:02 AM.

Details

Reviewers
erichkeane
rsmith
rjmccall
Commits
rGc67104172034: Check for resource exhaustion when recursively parsing declarators
Summary

With sufficiently tortured code, it's possible to cause a stack overflow when parsing declarators. Thus, we now check for resource exhaustion when recursively parsing declarators so that we can at least warn the user we're about to crash before we actually crash.

This fixes https://github.com/llvm/llvm-project/issues/51642.

Diff Detail

Event Timeline

aaron.ballman created this revision.May 4 2022, 5:02 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 4 2022, 5:02 AM
aaron.ballman requested review of this revision.May 4 2022, 5:02 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 4 2022, 5:02 AM
arsenm added a subscriber: arsenm.May 4 2022, 5:03 AM

I think I've seen this one before

aaron.ballman added a comment.May 4 2022, 5:05 AM

Two things to note:

  1. I'm not convinced that adding a test case is the right thing to do here. On the one hand, we want to verify that we now emit the diagnostic before crashing. But on the other hand, this test is extremely expensive to run (because it exhausts the stack) and its behavior is highly specific to the test platform its being run on. If someone asked me to remove the test coverage here, I would not be sad.
  2. The runWithSufficientStackSpace() implementation is a copy of what's already in Sema. I investigated lifting this interface to something more common, but the issue is with generating a diagnostic (there's no common diagnostic engine between Sema and Parser that I could find). Given the simplicity of the implementation, I figured it's reasonably defensible to duplicate the code.
yihanaa added a subscriber: yihanaa.May 4 2022, 5:18 AM
Harbormaster completed remote builds in B162652: Diff 426964.May 4 2022, 5:35 AM
aaron.ballman updated this revision to Diff 428969.May 12 2022, 9:28 AM

Rebased.

I removed the test coverage because it turned out to not be testing anything. If we exhaust resources, then we don't run the -verify to test the diagnostic behavior, and we're relying on the crash being the test condition, but any crash will suffice.

erichkeane added a comment.May 12 2022, 9:55 AM

I don't see how you can test this behavior without figuring out how to get a 'perfect' number to warn but not crash... The only way to validate that I would expect would be to do some bizarre flag that has us just 'don't run' in the case where the warning is emitted, but that would be strange/only used for the test.

Note that I think you might have an improper comment on the Parser::runWithSufficientStackSpace, else we perhaps wish to combine the Sema.cpp and Parser.cpp implementations in some way.

clang/include/clang/Parse/Parser.h
802 ↗(On Diff #428969)

Hmm... The Parser version of this might be used for Template Instantiation? Should we remove the SEMA one and move all uses to the Parser then?

erichkeane added inline comments.May 12 2022, 9:59 AM
clang/lib/Parse/Parser.cpp
2618 ↗(On Diff #428969)

Another concern here: Do we properly initialize "Actions" in the case where we don't have a semantic Action? That is, if we are just preprocessing?

aaron.ballman marked an inline comment as done.May 12 2022, 10:08 AM
aaron.ballman added inline comments.
clang/include/clang/Parse/Parser.h
802 ↗(On Diff #428969)

Nope, but I could be less silly and just... use the one from Sema... instead of moving it to Parser. Derp!

aaron.ballman updated this revision to Diff 428987.May 12 2022, 10:11 AM
aaron.ballman marked an inline comment as done.

Simplify the implementation by using the facilities Sema already exposes. The behavior remains the same:

F:\source\llvm-project>llvm\out\build\x64-Debug\bin\clang.exe -cc1 -fsyntax-only "C:\Users\aballman\OneDrive - Intel Corporation\Desktop\test.c"
C:\Users\aballman\OneDrive - Intel Corporation\Desktop\test.c:8:1: warning: stack nearly exhausted; compilation time may suffer, and crashes due to stack overflow are likely [-Wstack-exhausted]
int PTR6 q3_var = 0;
^
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
erichkeane accepted this revision.May 12 2022, 10:15 AM

Another concern here: Do we properly initialize "Actions" in the case where we don't have a semantic Action? That is, if we are just preprocessing?

Doh! Forgot we don't do 'Parser' in preprocessor mode. LGTM!

This revision is now accepted and ready to land.May 12 2022, 10:15 AM
This revision was landed with ongoing or failed builds.May 12 2022, 10:20 AM
Closed by commit rGc67104172034: Check for resource exhaustion when recursively parsing declarators (authored by aaron.ballman). · Explain Why
This revision was automatically updated to reflect the committed changes.
aaron.ballman added a commit: rGc67104172034: Check for resource exhaustion when recursively parsing declarators.
Harbormaster completed remote builds in B164132: Diff 428987.May 12 2022, 11:28 AM

Revision Contents

PathSize
clang/
docs/
4 lines
lib/
Parse/
15 lines

Diff 428994

clang/docs/ReleaseNotes.rst

Show First 20 LinesShow All 216 Lines▼ Show 20 Lines
- Added the ``-Wgnu-line-marker`` diagnostic flag (grouped under the ``-Wgnu`` - Added the ``-Wgnu-line-marker`` diagnostic flag (grouped under the ``-Wgnu``
flag) which is a portability warning about use of GNU linemarker preprocessor flag) which is a portability warning about use of GNU linemarker preprocessor
directives. Fixes `Issue 55067 <https://github.com/llvm/llvm-project/issues/55067>`_. directives. Fixes `Issue 55067 <https://github.com/llvm/llvm-project/issues/55067>`_.
- Using ``#elifdef`` and ``#elifndef`` that are incompatible with C/C++ - Using ``#elifdef`` and ``#elifndef`` that are incompatible with C/C++
standards before C2x/C++2b are now warned via ``-pedantic``. Additionally, standards before C2x/C++2b are now warned via ``-pedantic``. Additionally,
on such language mode, ``-Wpre-c2x-compat`` and ``-Wpre-c++2b-compat`` on such language mode, ``-Wpre-c2x-compat`` and ``-Wpre-c++2b-compat``
diagnostic flags report a compatibility issue. diagnostic flags report a compatibility issue.
Fixes `Issue 55306 <https://github.com/llvm/llvm-project/issues/55306>`_. Fixes `Issue 55306 <https://github.com/llvm/llvm-project/issues/55306>`_.
- Clang now checks for stack resource exhaustion when recursively parsing
declarators in order to give a diagnostic before we run out of stack space.
This fixes `Issue 51642 <https://github.com/llvm/llvm-project/issues/51642>`_.
Non-comprehensive list of changes in this release Non-comprehensive list of changes in this release
------------------------------------------------- -------------------------------------------------
- Improve __builtin_dump_struct: - Improve __builtin_dump_struct:
- Support bitfields in struct and union. - Support bitfields in struct and union.
- Improve the dump format, dump both bitwidth(if its a bitfield) and field - Improve the dump format, dump both bitwidth(if its a bitfield) and field
▲ Show 20 LinesShow All 267 LinesShow Last 20 Lines

clang/lib/Parse/ParseDecl.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 5,759 Lines▼ Show 20 Lines if (isInvalid) {
assert(PrevSpec && "Method did not return previous specifier!"); assert(PrevSpec && "Method did not return previous specifier!");
Diag(Tok, DiagID) << PrevSpec; Diag(Tok, DiagID) << PrevSpec;
} }
EndLoc = ConsumeToken(); EndLoc = ConsumeToken();
} }
} }
/// ParseDeclarator - Parse and verify a newly-initialized declarator. /// ParseDeclarator - Parse and verify a newly-initialized declarator.
///
void Parser::ParseDeclarator(Declarator &D) { void Parser::ParseDeclarator(Declarator &D) {
/// This implements the 'declarator' production in the C grammar, then checks /// This implements the 'declarator' production in the C grammar, then checks
/// for well-formedness and issues diagnostics. /// for well-formedness and issues diagnostics.
Actions.runWithSufficientStackSpace(D.getBeginLoc(), [&] {
ParseDeclaratorInternal(D, &Parser::ParseDirectDeclarator); ParseDeclaratorInternal(D, &Parser::ParseDirectDeclarator);
});
} }
static bool isPtrOperatorToken(tok::TokenKind Kind, const LangOptions &Lang, static bool isPtrOperatorToken(tok::TokenKind Kind, const LangOptions &Lang,
DeclaratorContext TheContext) { DeclaratorContext TheContext) {
if (Kind == tok::star || Kind == tok::caret) if (Kind == tok::star || Kind == tok::caret)
return true; return true;
// OpenCL 2.0 and later define this keyword. // OpenCL 2.0 and later define this keyword.
▲ Show 20 LinesShow All 94 Lines▼ Show 20 Lines if (SS.isNotEmpty()) {
SourceLocation StarLoc = ConsumeToken(); SourceLocation StarLoc = ConsumeToken();
D.SetRangeEnd(StarLoc); D.SetRangeEnd(StarLoc);
DeclSpec DS(AttrFactory); DeclSpec DS(AttrFactory);
ParseTypeQualifierListOpt(DS); ParseTypeQualifierListOpt(DS);
D.ExtendWithDeclSpec(DS); D.ExtendWithDeclSpec(DS);
// Recurse to parse whatever is left. // Recurse to parse whatever is left.
Actions.runWithSufficientStackSpace(D.getBeginLoc(), [&] {
ParseDeclaratorInternal(D, DirectDeclParser); ParseDeclaratorInternal(D, DirectDeclParser);
});
// Sema will have to catch (syntactically invalid) pointers into global // Sema will have to catch (syntactically invalid) pointers into global
// scope. It has to catch pointers into namespace scope anyway. // scope. It has to catch pointers into namespace scope anyway.
D.AddTypeInfo(DeclaratorChunk::getMemberPointer( D.AddTypeInfo(DeclaratorChunk::getMemberPointer(
SS, DS.getTypeQualifiers(), StarLoc, DS.getEndLoc()), SS, DS.getTypeQualifiers(), StarLoc, DS.getEndLoc()),
std::move(DS.getAttributes()), std::move(DS.getAttributes()),
/* Don't replace range end. */ SourceLocation()); /* Don't replace range end. */ SourceLocation());
return; return;
Show All 32 Lines if (Kind == tok::star || Kind == tok::caret) {
unsigned Reqs = AR_CXX11AttributesParsed | AR_DeclspecAttributesParsed | unsigned Reqs = AR_CXX11AttributesParsed | AR_DeclspecAttributesParsed |
((D.getContext() != DeclaratorContext::CXXNew) ((D.getContext() != DeclaratorContext::CXXNew)
? AR_GNUAttributesParsed ? AR_GNUAttributesParsed
: AR_GNUAttributesParsedAndRejected); : AR_GNUAttributesParsedAndRejected);
ParseTypeQualifierListOpt(DS, Reqs, true, !D.mayOmitIdentifier()); ParseTypeQualifierListOpt(DS, Reqs, true, !D.mayOmitIdentifier());
D.ExtendWithDeclSpec(DS); D.ExtendWithDeclSpec(DS);
// Recursively parse the declarator. // Recursively parse the declarator.
ParseDeclaratorInternal(D, DirectDeclParser); Actions.runWithSufficientStackSpace(
D.getBeginLoc(), [&] { ParseDeclaratorInternal(D, DirectDeclParser); });
if (Kind == tok::star) if (Kind == tok::star)
// Remember that we parsed a pointer type, and remember the type-quals. // Remember that we parsed a pointer type, and remember the type-quals.
D.AddTypeInfo(DeclaratorChunk::getPointer( D.AddTypeInfo(DeclaratorChunk::getPointer(
DS.getTypeQualifiers(), Loc, DS.getConstSpecLoc(), DS.getTypeQualifiers(), Loc, DS.getConstSpecLoc(),
DS.getVolatileSpecLoc(), DS.getRestrictSpecLoc(), DS.getVolatileSpecLoc(), DS.getRestrictSpecLoc(),
DS.getAtomicSpecLoc(), DS.getUnalignedSpecLoc()), DS.getAtomicSpecLoc(), DS.getUnalignedSpecLoc()),
std::move(DS.getAttributes()), SourceLocation()); std::move(DS.getAttributes()), SourceLocation());
else else
Show All 28 Lines if (DS.getTypeQualifiers() != DeclSpec::TQ_unspecified) {
diag::err_invalid_reference_qualifier_application) << "volatile"; diag::err_invalid_reference_qualifier_application) << "volatile";
// 'restrict' is permitted as an extension. // 'restrict' is permitted as an extension.
if (DS.getTypeQualifiers() & DeclSpec::TQ_atomic) if (DS.getTypeQualifiers() & DeclSpec::TQ_atomic)
Diag(DS.getAtomicSpecLoc(), Diag(DS.getAtomicSpecLoc(),
diag::err_invalid_reference_qualifier_application) << "_Atomic"; diag::err_invalid_reference_qualifier_application) << "_Atomic";
} }
// Recursively parse the declarator. // Recursively parse the declarator.
ParseDeclaratorInternal(D, DirectDeclParser); Actions.runWithSufficientStackSpace(
D.getBeginLoc(), [&] { ParseDeclaratorInternal(D, DirectDeclParser); });
if (D.getNumTypeObjects() > 0) { if (D.getNumTypeObjects() > 0) {
// C++ [dcl.ref]p4: There shall be no references to references. // C++ [dcl.ref]p4: There shall be no references to references.
DeclaratorChunk& InnerChunk = D.getTypeObject(D.getNumTypeObjects() - 1); DeclaratorChunk& InnerChunk = D.getTypeObject(D.getNumTypeObjects() - 1);
if (InnerChunk.Kind == DeclaratorChunk::Reference) { if (InnerChunk.Kind == DeclaratorChunk::Reference) {
if (const IdentifierInfo *II = D.getIdentifier()) if (const IdentifierInfo *II = D.getIdentifier())
Diag(InnerChunk.Loc, diag::err_illegal_decl_reference_to_reference) Diag(InnerChunk.Loc, diag::err_illegal_decl_reference_to_reference)
<< II; << II;
▲ Show 20 LinesShow All 1,585 LinesShow Last 20 Lines