This is an archive of the discontinued LLVM Phabricator instance.

[clang] Fix a nullptr-access crash in CheckTemplateArgument.
ClosedPublic

Authored by hokein on Sep 19 2022, 6:13 AM.

Download Raw Diff

Details

Reviewers

kadircet
adamcz

Commits

rGe782d9a4a49c: [clang] Fix a nullptr-access crash in CheckTemplateArgument.

Summary

It is possible that we can pass a null ParamType to
CheckNonTypeTemplateParameter -- the ParamType var can be reset to a null
type on Line 6940, and the followed bailout if is not entered.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

hokein created this revision.Sep 19 2022, 6:13 AM

Herald added a project: Restricted Project. · View Herald TranscriptSep 19 2022, 6:13 AM

hokein requested review of this revision.Sep 19 2022, 6:13 AM

Herald added a project: Restricted Project. · View Herald TranscriptSep 19 2022, 6:13 AM

adamcz accepted this revision.Sep 19 2022, 6:32 AM

adamcz added inline comments.

clang/lib/Sema/SemaTemplate.cpp
6965	So this can only happen when Result is TDK_AlreadyDiagnosed above, right? In that case, I would handle such case explicitly in the code above, like: if (Result == TDK_AlreadyDiagnosed) return ExprError(); else if (Result != TDK_Success) { ... } Seems like it would be more readable. However, I am definitely not opposed to keeping this check here as well, in case there are other ways to get into this situation.

This revision is now accepted and ready to land.Sep 19 2022, 6:32 AM

Harbormaster completed remote builds in B187481: Diff 461195.Sep 19 2022, 6:43 AM

address review comment.

clang/lib/Sema/SemaTemplate.cpp
6965	right. I think either of them works, switched to your version.

This revision was landed with ongoing or failed builds.Sep 19 2022, 10:21 AM

Closed by commit rGe782d9a4a49c: [clang] Fix a nullptr-access crash in CheckTemplateArgument. (authored by hokein). · Explain Why

This revision was automatically updated to reflect the committed changes.

hokein added a commit: rGe782d9a4a49c: [clang] Fix a nullptr-access crash in CheckTemplateArgument..

Harbormaster completed remote builds in B187522: Diff 461260.Sep 19 2022, 11:23 AM

Revision Contents

Path

Size

clang/

lib/

Sema/

SemaTemplate.cpp

5 lines

test/

SemaTemplate/

temp_arg_nontype_cxx1z.cpp

21 lines

Diff 461261

clang/lib/Sema/SemaTemplate.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 6,943 Lines • ▼ Show 20 Lines	if (isa<DeducedTemplateSpecializationType>(DeducedT)) {
DeduceAutoType(TSI->getTypeLoc(), DeductionArg, ParamType, Info,		DeduceAutoType(TSI->getTypeLoc(), DeductionArg, ParamType, Info,
/DependentDeduction=/true,		/DependentDeduction=/true,
// We do not check constraints right now because the		// We do not check constraints right now because the
// immediately-declared constraint of the auto type is		// immediately-declared constraint of the auto type is
// also an associated constraint, and will be checked		// also an associated constraint, and will be checked
// along with the other associated constraints after		// along with the other associated constraints after
// checking the template argument list.		// checking the template argument list.
/IgnoreConstraints=/true);		/IgnoreConstraints=/true);
if (Result != TDK_Success && Result != TDK_AlreadyDiagnosed) {		if (Result == TDK_AlreadyDiagnosed) {
		if (ParamType.isNull())
		return ExprError();
		} else if (Result != TDK_Success) {
Diag(Arg->getExprLoc(),		Diag(Arg->getExprLoc(),
diag::err_non_type_template_parm_type_deduction_failure)		diag::err_non_type_template_parm_type_deduction_failure)
<< Param->getDeclName() << Param->getType() << Arg->getType()		<< Param->getDeclName() << Param->getType() << Arg->getType()
<< Arg->getSourceRange();		<< Arg->getSourceRange();
Diag(Param->getLocation(), diag::note_template_param_here);		Diag(Param->getLocation(), diag::note_template_param_here);
return ExprError();		return ExprError();
}		}
}		}
// CheckNonTypeTemplateParameterType will produce a diagnostic if there's		// CheckNonTypeTemplateParameterType will produce a diagnostic if there's
// an error. The error message normally references the parameter		// an error. The error message normally references the parameter
		adamczUnsubmitted Done Reply Inline Actions So this can only happen when Result is TDK_AlreadyDiagnosed above, right? In that case, I would handle such case explicitly in the code above, like: if (Result == TDK_AlreadyDiagnosed) return ExprError(); else if (Result != TDK_Success) { ... } Seems like it would be more readable. However, I am definitely not opposed to keeping this check here as well, in case there are other ways to get into this situation. adamcz: So this can only happen when Result is TDK_AlreadyDiagnosed above, right? In that case, I would…
		hokeinAuthorUnsubmitted Done Reply Inline Actions right. I think either of them works, switched to your version. hokein: right. I think either of them works, switched to your version.
// declaration, but here we'll pass the argument location because that's		// declaration, but here we'll pass the argument location because that's
// where the parameter type is deduced.		// where the parameter type is deduced.
ParamType = CheckNonTypeTemplateParameterType(ParamType, Arg->getExprLoc());		ParamType = CheckNonTypeTemplateParameterType(ParamType, Arg->getExprLoc());
if (ParamType.isNull()) {		if (ParamType.isNull()) {
Diag(Param->getLocation(), diag::note_template_param_here);		Diag(Param->getLocation(), diag::note_template_param_here);
return ExprError();		return ExprError();
}		}
}		}
▲ Show 20 Lines • Show All 4,323 Lines • Show Last 20 Lines

clang/test/SemaTemplate/temp_arg_nontype_cxx1z.cpp

Show First 20 Lines • Show All 552 Lines • ▼ Show 20 Lines	namespace TypeSuffix {
template <auto N> struct F {};		template <auto N> struct F {};
template <> struct F<'a'> { using type = unsigned char; }; // expected-note {{'F<'a'>::type' declared here}}		template <> struct F<'a'> { using type = unsigned char; }; // expected-note {{'F<'a'>::type' declared here}}
F<'b'>::type f; // expected-error {{no type named 'type' in 'TypeSuffix::F<'b'>'; did you mean 'F<'a'>::type'?}}		F<'b'>::type f; // expected-error {{no type named 'type' in 'TypeSuffix::F<'b'>'; did you mean 'F<'a'>::type'?}}

template <auto... N> struct X {};		template <auto... N> struct X {};
X<1, 1u>::type y; // expected-error {{no type named 'type' in 'TypeSuffix::X<1, 1U>'}}		X<1, 1u>::type y; // expected-error {{no type named 'type' in 'TypeSuffix::X<1, 1U>'}}
X<1, 1>::type z; // expected-error {{no type named 'type' in 'TypeSuffix::X<1, 1>'}}		X<1, 1>::type z; // expected-error {{no type named 'type' in 'TypeSuffix::X<1, 1>'}}
}		}

		namespace no_crash {
		template <class T>
		class Base {
		public:
		template <class> class EntryPointSpec {};
		template <auto Method>
		using EntryPoint = EntryPointSpec<T>;
		};

		class Derived : Base<Derived>{
		template <class...> class Spec {};

		void Invalid(Undefined) const; // expected-error {{unknown type name 'Undefined'}}
		void crash() {
		return Spec{
		EntryPoint<&Invalid>()
		};
		}
		};
		} // no_crash