This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/ASTMatchers/
-
ASTMatchers/
-
ASTMatchFinder.cpp
-
unittests/ASTMatchers/
-
ASTMatchers/
-
ASTMatchersTraversalTest.cpp

Differential D126077

Fix stack crash in classIsDerivedFrom triggered by clang-tidy
Needs ReviewPublic

Authored by datacompboy on May 20 2022, 10:04 AM.

Download Raw Diff

Details

Reviewers

aaron.ballman
njames93
alexfh
LegalizeAdulthood

Summary

Protect classIsDerivedFrom from run-out-of-stack crash and infinity loop.

Rewrite recursion to loop-over-stack and add checks for complexity to avoid crash on deep definition or infinify recursion.

This fixes https://github.com/llvm/llvm-project/issues/55614

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

datacompboy created this revision.May 20 2022, 10:04 AM

Herald added a project: Restricted Project. · View Herald TranscriptMay 20 2022, 10:04 AM

datacompboy requested review of this revision.May 20 2022, 10:04 AM

Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptMay 20 2022, 10:04 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Harbormaster completed remote builds in B165544: Diff 431003.May 20 2022, 10:44 AM

Do you know of any other instances where this issue could surface?

Please can you add a line to the Improved Checks section in clang-tools-extra/docs/ReleaseNotes.rst about this fix. Make sure it is in alphabetical order.

clang-tools-extra/test/clang-tidy/infrastructure/recursive-templates.cpp
2 ↗	(On Diff #431003)	Can you narrow down the check list to just include a check is causing the crash. Also given we are only ensuring there is no crash, we don't need to invoke FileCheck. clang-tidy will return non-zero if it crashes, causing the whole test to fail.
8 ↗	(On Diff #431003)	This is different to the reproducer in the bug report as it doesn't have an instantiation of the struct in this test, unlike the bug report.
11–13 ↗	(On Diff #431003)	Definitely unrelated to this check and could safely be removed.

datacompboy updated this revision to Diff 431339.May 23 2022, 5:05 AM

Harbormaster completed remote builds in B165816: Diff 431339.May 23 2022, 5:50 AM

In D126077#3530189, @njames93 wrote:

Do you know of any other instances where this issue could surface?

I didn't found any other cases where isDerivedFrom used directly, only in couple of internal checks, none of which are part of clang distribution.

Please can you add a line to the Improved Checks section in clang-tools-extra/docs/ReleaseNotes.rst about this fix. Make sure it is in alphabetical order.

I removed test case from the clang-tidy and made a unit-test instead, so it's not affecting this section.
Do you think it worth to include in any other release notes sections?

LegalizeAdulthood resigned from this revision.Mar 29 2023, 8:57 AM

Revision Contents

Path

Size

clang/

lib/

ASTMatchers/

ASTMatchFinder.cpp

64 lines

unittests/

ASTMatchers/

ASTMatchersTraversalTest.cpp

8 lines

Diff 431339

clang/lib/ASTMatchers/ASTMatchFinder.cpp

Show All 38 Lines
// of performance vs. memory consumption by running matcher		// of performance vs. memory consumption by running matcher
// that match on every statement over a very large codebase.		// that match on every statement over a very large codebase.
//		//
// FIXME: Do some performance optimization in general and		// FIXME: Do some performance optimization in general and
// revisit this number; also, put up micro-benchmarks that we can		// revisit this number; also, put up micro-benchmarks that we can
// optimize this on.		// optimize this on.
static const unsigned MaxMemoizationEntries = 10000;		static const unsigned MaxMemoizationEntries = 10000;

		// The maximum number of steps thru ancestors allowed to run before
		// give up. The limit could only be hit by infinity / too deep
		// recursion or very complicated automatically generated types
		// inheritance.
		static const unsigned MaxDerivationComplexity = 10000;

enum class MatchType {		enum class MatchType {
Ancestors,		Ancestors,

Descendants,		Descendants,
Child,		Child,
};		};

// We use memoization to avoid running the same matcher on the same		// We use memoization to avoid running the same matcher on the same
▲ Show 20 Lines • Show All 1,297 Lines • ▼ Show 20 Lines	if (auto *ClassTemplate = dyn_cast_or_null<ClassTemplateDecl>(
return ClassTemplate->getTemplatedDecl();		return ClassTemplate->getTemplatedDecl();

return nullptr;		return nullptr;
}		}

// Returns true if the given C++ class is directly or indirectly derived		// Returns true if the given C++ class is directly or indirectly derived
// from a base type with the given name. A class is not considered to be		// from a base type with the given name. A class is not considered to be
// derived from itself.		// derived from itself.
bool MatchASTVisitor::classIsDerivedFrom(const CXXRecordDecl *Declaration,		bool MatchASTVisitor::classIsDerivedFrom(const CXXRecordDecl *DeclarationIn,
const Matcher<NamedDecl> &Base,		const Matcher<NamedDecl> &Base,
BoundNodesTreeBuilder *Builder,		BoundNodesTreeBuilder *Builder,
bool Directly) {		bool Directly) {
		SmallVector<const CXXRecordDecl *> DeclarationsStack;
		int iterations = 0;
		DeclarationsStack.push_back(DeclarationIn);
		while (!DeclarationsStack.empty()) {
		const CXXRecordDecl *Declaration = DeclarationsStack.pop_back_val();
		if (++iterations > MaxDerivationComplexity \|\|
		DeclarationsStack.size() > MaxDerivationComplexity) {
		// This can happen in case of too deep derivation chain or recursion.
		return false;
		}
if (!Declaration->hasDefinition())		if (!Declaration->hasDefinition())
return false;		return false;
for (const auto &It : Declaration->bases()) {		for (const auto &It : Declaration->bases()) {
const Type *TypeNode = It.getType().getTypePtr();		const Type *TypeNode = It.getType().getTypePtr();

if (typeHasMatchingAlias(TypeNode, Base, Builder))		if (typeHasMatchingAlias(TypeNode, Base, Builder))
return true;		return true;

// FIXME: Going to the primary template here isn't really correct, but		// FIXME: Going to the primary template here isn't really correct, but
// unfortunately we accept a Decl matcher for the base class not a Type		// unfortunately we accept a Decl matcher for the base class not a Type
// matcher, so it's the best thing we can do with our current interface.		// matcher, so it's the best thing we can do with our current interface.
CXXRecordDecl *ClassDecl = getAsCXXRecordDeclOrPrimaryTemplate(TypeNode);		CXXRecordDecl *ClassDecl = getAsCXXRecordDeclOrPrimaryTemplate(TypeNode);
if (!ClassDecl)		if (!ClassDecl)
continue;		continue;
if (ClassDecl == Declaration) {		if (ClassDecl == Declaration) {
// This can happen for recursive template definitions.		// This can happen for recursive template definitions.
continue;		continue;
}		}
BoundNodesTreeBuilder Result(*Builder);		BoundNodesTreeBuilder Result(*Builder);
if (Base.matches(*ClassDecl, this, &Result)) {		if (Base.matches(*ClassDecl, this, &Result)) {
*Builder = std::move(Result);		*Builder = std::move(Result);
return true;		return true;
}		}
if (!Directly && classIsDerivedFrom(ClassDecl, Base, Builder, Directly))		if (!Directly) {
return true;		DeclarationsStack.push_back(ClassDecl);
		}
		}
}		}
return false;		return false;
}		}

// Returns true if the given Objective-C class is directly or indirectly		// Returns true if the given Objective-C class is directly or indirectly
// derived from a matching base class. A class is not considered to be derived		// derived from a matching base class. A class is not considered to be derived
// from itself.		// from itself.
bool MatchASTVisitor::objcClassIsDerivedFrom(		bool MatchASTVisitor::objcClassIsDerivedFrom(
▲ Show 20 Lines • Show All 298 Lines • Show Last 20 Lines

clang/unittests/ASTMatchers/ASTMatchersTraversalTest.cpp

Show First 20 Lines • Show All 162 Lines • ▼ Show 20 Lines	TEST(TypeMatcher, MatchesClassType) {

EXPECT_TRUE(		EXPECT_TRUE(
matches("class A { public: A *a; class B {}; };", TypeAHasClassB));		matches("class A { public: A *a; class B {}; };", TypeAHasClassB));

EXPECT_TRUE(matchesC("struct S {}; void f(void) { struct S s; }",		EXPECT_TRUE(matchesC("struct S {}; void f(void) { struct S s; }",
varDecl(hasType(namedDecl(hasName("S"))))));		varDecl(hasType(namedDecl(hasName("S"))))));
}		}

		TEST(TypeMatcherDeathTest, isDerivedRecursion) {
		EXPECT_TRUE(notMatches(
		"template<typename T> struct t1;"
		"template<typename T> struct t2: t1< T > {};"
		"template<typename T> struct t1: t2< T > {};",
		cxxRecordDecl(isDerivedFrom("::T"))));
		}

TEST(TypeMatcher, MatchesDeclTypes) {		TEST(TypeMatcher, MatchesDeclTypes) {
// TypedefType -> TypedefNameDecl		// TypedefType -> TypedefNameDecl
EXPECT_TRUE(matches("typedef int I; void f(I i);",		EXPECT_TRUE(matches("typedef int I; void f(I i);",
parmVarDecl(hasType(namedDecl(hasName("I"))))));		parmVarDecl(hasType(namedDecl(hasName("I"))))));
// ObjCObjectPointerType		// ObjCObjectPointerType
EXPECT_TRUE(matchesObjC("@interface Foo @end void f(Foo *f);",		EXPECT_TRUE(matchesObjC("@interface Foo @end void f(Foo *f);",
parmVarDecl(hasType(objcObjectPointerType()))));		parmVarDecl(hasType(objcObjectPointerType()))));
// ObjCObjectPointerType -> ObjCInterfaceType -> ObjCInterfaceDecl		// ObjCObjectPointerType -> ObjCInterfaceType -> ObjCInterfaceDecl
▲ Show 20 Lines • Show All 6,158 Lines • Show Last 20 Lines