This is an archive of the discontinued LLVM Phabricator instance.

Differential D126077

Fix stack crash in classIsDerivedFrom triggered by clang-tidy
Needs ReviewPublic

Authored by datacompboy on May 20 2022, 10:04 AM.

Details

Reviewers
aaron.ballman
njames93
alexfh
LegalizeAdulthood
Summary

Protect classIsDerivedFrom from run-out-of-stack crash and infinity loop.




Rewrite recursion to loop-over-stack and add checks for complexity to avoid crash on deep definition or infinify recursion.



This fixes https://github.com/llvm/llvm-project/issues/55614
Diff Detail
Unit TestsFailed
TimeTest
2,230 msx64 debian > libFuzzer.libFuzzer::merge_two_step.test
Event Timeline
datacompboy created this revision.May 20 2022, 10:04 AM
Herald added a project: Restricted Project.  ·  View Herald TranscriptMay 20 2022, 10:04 AM
datacompboy requested review of this revision.May 20 2022, 10:04 AM
Herald added projects: Restricted Project, Restricted Project.  ·  View Herald TranscriptMay 20 2022, 10:04 AM
Herald added a subscriber: cfe-commits.  ·  View Herald Transcript
Harbormaster completed remote builds in B165544: Diff 431003.May 20 2022, 10:44 AM
njames93 edited reviewers, added: aaron.ballman, njames93, alexfh, LegalizeAdulthood; removed: bixia, aartbik.May 22 2022, 4:00 AM
njames93 added a subscriber: njames93.
Do you know of any other instances where this issue could surface?



Please can you add a line to the Improved Checks section in clang-tools-extra/docs/ReleaseNotes.rst about this fix. Make sure it is in alphabetical order.
clang-tools-extra/test/clang-tidy/infrastructure/recursive-templates.cpp


2
Can you narrow down the check list to just include a check is causing the crash.

Also given we are only ensuring there is no crash, we don't need to invoke FileCheck. clang-tidy will return non-zero if it crashes, causing the whole test to fail.


8
This is different to the reproducer in the bug report as it doesn't have an instantiation of the struct in this test, unlike the bug report.


11–13
Definitely unrelated to this check and could safely be removed.
datacompboy updated this revision to Diff 431339.May 23 2022, 5:05 AM
Harbormaster completed remote builds in B165816: Diff 431339.May 23 2022, 5:50 AM
datacompboy added a comment.May 24 2022, 4:45 AM


In D126077#3530189, @njames93 wrote:


Do you know of any other instances where this issue could surface?





I didn't found any other cases where isDerivedFrom used directly, only in couple of internal checks, none of which are part of clang distribution.



Please can you add a line to the Improved Checks section in clang-tools-extra/docs/ReleaseNotes.rst about this fix. Make sure it is in alphabetical order.



I removed test case from the clang-tidy and made a unit-test instead, so it's not affecting this section.

Do you think it worth to include in any other release notes sections?
LegalizeAdulthood resigned from this revision.Mar 29 2023, 8:57 AM
Revision Contents
PathSize
clang-tools-extra/
test/
clang-tidy/
infrastructure/
14 lines
clang/
lib/
ASTMatchers/
64 lines
Diff 431003
clang-tools-extra/test/clang-tidy/infrastructure/recursive-templates.cpp
  • This file was added.
// Regression test: shouldn't crash.

// RUN: clang-tidy %s -checks='*' -- | FileCheck %s

njames93Unsubmitted
Not Done
ReplyInline Actions
Can you narrow down the check list to just include a check is causing the crash.

Also given we are only ensuring there is no crash, we don't need to invoke FileCheck. clang-tidy will return non-zero if it crashes, causing the whole test to fail.
njames93: Can you narrow down the check list to just include a check is causing the crash.
Also given we…
template<typename T> struct t1;

template<typename T> struct t2: t1< T > {};

template<typename T> struct t1: t2< T > {};



int main() {

  return 0;

njames93Unsubmitted
Not Done
ReplyInline Actions
This is different to the reproducer in the bug report as it doesn't have an instantiation of the struct in this test, unlike the bug report.
njames93: This is different to the reproducer in the bug report as it doesn't have an instantiation of…
}



namespace i {

}

// CHECK: warning: namespace 'i' not terminated with a closing comment [llvm-namespace-comment]

njames93Unsubmitted
Not Done
ReplyInline Actions
Definitely unrelated to this check and could safely be removed.
njames93: Definitely unrelated to this check and could safely be removed.


clang/lib/ASTMatchers/ASTMatchFinder.cpp
Show All 38 Lines
// of performance vs. memory consumption by running matcher
// of performance vs. memory consumption by running matcher

// that match on every statement over a very large codebase.
// that match on every statement over a very large codebase.

//
//

// FIXME: Do some performance optimization in general and
// FIXME: Do some performance optimization in general and

// revisit this number; also, put up micro-benchmarks that we can
// revisit this number; also, put up micro-benchmarks that we can

// optimize this on.
// optimize this on.

static const unsigned MaxMemoizationEntries = 10000;
static const unsigned MaxMemoizationEntries = 10000;




// The maximum number of steps thru ancestors allowed to run before

// give up. The limit could only be hit by infinity / too deep

// recursion or very complicated automatically generated types

// inheritance.

static const unsigned MaxDerivationComplexity = 10000;



enum class MatchType {
enum class MatchType {

  Ancestors,
  Ancestors,




  Descendants,
  Descendants,

  Child,
  Child,

};
};




// We use memoization to avoid running the same matcher on the same
// We use memoization to avoid running the same matcher on the same

▲ Show 20 LinesShow All 1,297 Lines▼ Show 20 Lines    if (auto *ClassTemplate = dyn_cast_or_null<ClassTemplateDecl>(

      return ClassTemplate->getTemplatedDecl();
      return ClassTemplate->getTemplatedDecl();




  return nullptr;
  return nullptr;

}
}




// Returns true if the given C++ class is directly or indirectly derived
// Returns true if the given C++ class is directly or indirectly derived

// from a base type with the given name.  A class is not considered to be
// from a base type with the given name.  A class is not considered to be

// derived from itself.
// derived from itself.

bool MatchASTVisitor::classIsDerivedFrom(const CXXRecordDecl *Declaration,
bool MatchASTVisitor::classIsDerivedFrom(const CXXRecordDecl *DeclarationIn,

                                         const Matcher<NamedDecl> &Base,
                                         const Matcher<NamedDecl> &Base,

                                         BoundNodesTreeBuilder *Builder,
                                         BoundNodesTreeBuilder *Builder,

                                         bool Directly) {
                                         bool Directly) {

  SmallVector<const CXXRecordDecl *> DeclarationsStack;

  int iterations = 0;

  DeclarationsStack.push_back(DeclarationIn);

  while (!DeclarationsStack.empty()) {

    const CXXRecordDecl *Declaration = DeclarationsStack.pop_back_val();

    if (++iterations > MaxDerivationComplexity ||

        DeclarationsStack.size() > MaxDerivationComplexity) {

      // This can happen in case of too deep derivation chain or recursion.

      return false;

    }

  if (!Declaration->hasDefinition())
    if (!Declaration->hasDefinition())

    return false;
      return false;

  for (const auto &It : Declaration->bases()) {
    for (const auto &It : Declaration->bases()) {

    const Type *TypeNode = It.getType().getTypePtr();
      const Type *TypeNode = It.getType().getTypePtr();




    if (typeHasMatchingAlias(TypeNode, Base, Builder))
      if (typeHasMatchingAlias(TypeNode, Base, Builder))

      return true;
        return true;




    // FIXME: Going to the primary template here isn't really correct, but
      // FIXME: Going to the primary template here isn't really correct, but

    // unfortunately we accept a Decl matcher for the base class not a Type
      // unfortunately we accept a Decl matcher for the base class not a Type

    // matcher, so it's the best thing we can do with our current interface.
      // matcher, so it's the best thing we can do with our current interface.

    CXXRecordDecl *ClassDecl = getAsCXXRecordDeclOrPrimaryTemplate(TypeNode);
      CXXRecordDecl *ClassDecl = getAsCXXRecordDeclOrPrimaryTemplate(TypeNode);

    if (!ClassDecl)
      if (!ClassDecl)

      continue;
        continue;

    if (ClassDecl == Declaration) {
      if (ClassDecl == Declaration) {

      // This can happen for recursive template definitions.
        // This can happen for recursive template definitions.

      continue;
        continue;

    }
      }

    BoundNodesTreeBuilder Result(*Builder);
      BoundNodesTreeBuilder Result(*Builder);

    if (Base.matches(*ClassDecl, this, &Result)) {
      if (Base.matches(*ClassDecl, this, &Result)) {

      *Builder = std::move(Result);
        *Builder = std::move(Result);

      return true;
        return true;

    }
      }

    if (!Directly && classIsDerivedFrom(ClassDecl, Base, Builder, Directly))
      if (!Directly) {

      return true;
        DeclarationsStack.push_back(ClassDecl);

      }

    }

  }
  }

  return false;
  return false;

}
}




// Returns true if the given Objective-C class is directly or indirectly
// Returns true if the given Objective-C class is directly or indirectly

// derived from a matching base class. A class is not considered to be derived
// derived from a matching base class. A class is not considered to be derived

// from itself.
// from itself.

bool MatchASTVisitor::objcClassIsDerivedFrom(
bool MatchASTVisitor::objcClassIsDerivedFrom(

▲ Show 20 LinesShow All 298 LinesShow Last 20 Lines