This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/Format/
-
Format/
2/3
FormatTokenLexer.cpp
-
unittests/Format/
-
Format/
-
FormatTestJS.cpp

Differential D135356

[Format] Fix crash when hitting eof while lexing JS template string
ClosedPublic

Authored by sammccall on Oct 6 2022, 4:12 AM.

Download Raw Diff

Details

Reviewers

kadircet

Commits

rG882a05afa17f: [Format] Fix crash when hitting eof while lexing JS template string

Summary

Different loop termination conditions resulted in confusion of whether
*Offset was intended to be inside or outside the token.
This ultimately led to constructing an out-of-range SourceLocation.

Fix by making Offset consistently point *after* the token.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

sammccall created this revision.Oct 6 2022, 4:12 AM

Herald added a project: Restricted Project. · View Herald TranscriptOct 6 2022, 4:12 AM

sammccall requested review of this revision.Oct 6 2022, 4:12 AM

Herald added a project: Restricted Project. · View Herald TranscriptOct 6 2022, 4:12 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

thanks!

clang/lib/Format/FormatTokenLexer.cpp
767	it's a separate concern, but feels like this could also trigger some crashes (e.g. an input like "`\")
772	nit: `Offset += 2;` instead?

This revision is now accepted and ready to land.Oct 6 2022, 4:25 AM

Harbormaster completed remote builds in B190706: Diff 465699.Oct 6 2022, 5:13 AM

sammccall marked an inline comment as done.Oct 6 2022, 8:00 AM

sammccall added inline comments.

clang/lib/Format/FormatTokenLexer.cpp
767	Good catch. I think you're right, but: I'm not sure that example doesn't crash under asan, and I didn't find a crashing one that pattern occurs a bunch more times in this file I really want to have an isolated minimal fix + test as this bug is causing an outage I don't really have spare time now to dive deeper into this

This revision was landed with ongoing or failed builds.Oct 6 2022, 8:01 AM

Closed by commit rG882a05afa17f: [Format] Fix crash when hitting eof while lexing JS template string (authored by sammccall). · Explain Why

This revision was automatically updated to reflect the committed changes.

sammccall added a commit: rG882a05afa17f: [Format] Fix crash when hitting eof while lexing JS template string.

This breaks tests: http://45.33.8.238/linux/88341/step_7.txt

Please take a look and revert for now if it takes a while to fix.

We are seeing the same error reported above:

FormatTests: clang/lib/Lex/Lexer.cpp:1151: SourceLocation clang::Lexer::getSourceLocation(const char *, unsigned int) const: Assertion `Loc >= BufferStart && Loc <= BufferEnd && "Location out of range for this buffer!"' failed.

https://luci-milo.appspot.com/ui/p/fuchsia/builders/toolchain.ci/clang-linux-x64/b8801040768684259873/overview

Fixed by 4b53c00173163774d32125fbcae283a46a9a4b19 I think.

(@kadircet suggested a possible second crash, I couldn't get it to crash so included the testcase with this patch. Turns out it does crash...)

In D135356#3840428, @sammccall wrote:

Fixed by 4b53c00173163774d32125fbcae283a46a9a4b19 I think.

It fixed the test error that we are seeing, thanks!

rymiel mentioned this in D147176: [clang-format] NFC ensure Style operator== remains sorted for ease of editing.Mar 29 2023, 2:05 PM

owenpan added a project: Restricted Project.Mar 29 2023, 5:35 PM

Revision Contents

Path

Size

clang/

lib/

Format/

FormatTokenLexer.cpp

9 lines

unittests/

Format/

FormatTestJS.cpp

2 lines

Diff 465742

clang/lib/Format/FormatTokenLexer.cpp

Show First 20 Lines • Show All 754 Lines • ▼ Show 20 Lines	void FormatTokenLexer::handleTemplateStrings() {
}		}

// 'Manually' lex ahead in the current file buffer.		// 'Manually' lex ahead in the current file buffer.
const char *Offset = Lex->getBufferLocation();		const char *Offset = Lex->getBufferLocation();
const char *TmplBegin = Offset - BacktickToken->TokenText.size(); // at "`"		const char *TmplBegin = Offset - BacktickToken->TokenText.size(); // at "`"
for (; Offset != Lex->getBuffer().end(); ++Offset) {		for (; Offset != Lex->getBuffer().end(); ++Offset) {
if (Offset[0] == '`') {		if (Offset[0] == '`') {
StateStack.pop();		StateStack.pop();
		++Offset;
break;		break;
}		}
if (Offset[0] == '\\') {		if (Offset[0] == '\\') {
++Offset; // Skip the escaped character.		++Offset; // Skip the escaped character.
		kadircetUnsubmitted Not Done Reply Inline Actions it's a separate concern, but feels like this could also trigger some crashes (e.g. an input like "`\") kadircet: it's a separate concern, but feels like this could also trigger some crashes (e.g. an input…
		sammccallAuthorUnsubmitted Done Reply Inline Actions Good catch. I think you're right, but: I'm not sure that example doesn't crash under asan, and I didn't find a crashing one that pattern occurs a bunch more times in this file I really want to have an isolated minimal fix + test as this bug is causing an outage I don't really have spare time now to dive deeper into this sammccall: Good catch. I think you're right, but: - I'm not sure - that example doesn't crash under asan…
} else if (Offset + 1 < Lex->getBuffer().end() && Offset[0] == '$' &&		} else if (Offset + 1 < Lex->getBuffer().end() && Offset[0] == '$' &&
Offset[1] == '{') {		Offset[1] == '{') {
// '${' introduces an expression interpolation in the template string.		// '${' introduces an expression interpolation in the template string.
StateStack.push(LexerState::NORMAL);		StateStack.push(LexerState::NORMAL);
++Offset;		Offset += 2;
		kadircetUnsubmitted Done Reply Inline Actions nit: `Offset += 2;` instead? kadircet: nit: `Offset += 2;` instead?
break;		break;
}		}
}		}

StringRef LiteralText(TmplBegin, Offset - TmplBegin + 1);		StringRef LiteralText(TmplBegin, Offset - TmplBegin);
BacktickToken->setType(TT_TemplateString);		BacktickToken->setType(TT_TemplateString);
BacktickToken->Tok.setKind(tok::string_literal);		BacktickToken->Tok.setKind(tok::string_literal);
BacktickToken->TokenText = LiteralText;		BacktickToken->TokenText = LiteralText;

// Adjust width for potentially multiline string literals.		// Adjust width for potentially multiline string literals.
size_t FirstBreak = LiteralText.find('\n');		size_t FirstBreak = LiteralText.find('\n');
StringRef FirstLineText = FirstBreak == StringRef::npos		StringRef FirstLineText = FirstBreak == StringRef::npos
? LiteralText		? LiteralText
: LiteralText.substr(0, FirstBreak);		: LiteralText.substr(0, FirstBreak);
BacktickToken->ColumnWidth = encoding::columnWidthWithTabs(		BacktickToken->ColumnWidth = encoding::columnWidthWithTabs(
FirstLineText, BacktickToken->OriginalColumn, Style.TabWidth, Encoding);		FirstLineText, BacktickToken->OriginalColumn, Style.TabWidth, Encoding);
size_t LastBreak = LiteralText.rfind('\n');		size_t LastBreak = LiteralText.rfind('\n');
if (LastBreak != StringRef::npos) {		if (LastBreak != StringRef::npos) {
BacktickToken->IsMultiline = true;		BacktickToken->IsMultiline = true;
unsigned StartColumn = 0; // The template tail spans the entire line.		unsigned StartColumn = 0; // The template tail spans the entire line.
BacktickToken->LastLineColumnWidth =		BacktickToken->LastLineColumnWidth =
encoding::columnWidthWithTabs(LiteralText.substr(LastBreak + 1),		encoding::columnWidthWithTabs(LiteralText.substr(LastBreak + 1),
StartColumn, Style.TabWidth, Encoding);		StartColumn, Style.TabWidth, Encoding);
}		}

SourceLocation loc = Offset < Lex->getBuffer().end()		SourceLocation loc = Lex->getSourceLocation(Offset);
? Lex->getSourceLocation(Offset + 1)
: SourceMgr.getLocForEndOfFile(ID);
resetLexer(SourceMgr.getFileOffset(loc));		resetLexer(SourceMgr.getFileOffset(loc));
}		}

void FormatTokenLexer::tryParsePythonComment() {		void FormatTokenLexer::tryParsePythonComment() {
FormatToken *HashToken = Tokens.back();		FormatToken *HashToken = Tokens.back();
if (!HashToken->isOneOf(tok::hash, tok::hashhash))		if (!HashToken->isOneOf(tok::hash, tok::hashhash))
return;		return;
// Turn the remainder of this line into a comment.		// Turn the remainder of this line into a comment.
▲ Show 20 Lines • Show All 506 Lines • Show Last 20 Lines

clang/unittests/Format/FormatTestJS.cpp

	Show First 20 Lines • Show All 2,139 Lines • ▼ Show 20 Lines

	TEST_F(FormatTestJS, NestedTemplateStrings) {			TEST_F(FormatTestJS, NestedTemplateStrings) {
	verifyFormat(			verifyFormat(
	"var x = `<ul>${xs.map(x => `<li>${x}</li>`).join('\\n')}</ul>`;");			"var x = `<ul>${xs.map(x => `<li>${x}</li>`).join('\\n')}</ul>`;");
	verifyFormat("var x = `he${({text: 'll'}.text)}o`;");			verifyFormat("var x = `he${({text: 'll'}.text)}o`;");

	// Crashed at some point.			// Crashed at some point.
	verifyFormat("}");			verifyFormat("}");
				verifyFormat("`");
				verifyFormat("`\\");
	}			}

	TEST_F(FormatTestJS, TaggedTemplateStrings) {			TEST_F(FormatTestJS, TaggedTemplateStrings) {
	verifyFormat("var x = html`<ul>`;");			verifyFormat("var x = html`<ul>`;");
	verifyFormat("yield `hello`;");			verifyFormat("yield `hello`;");
	verifyFormat("var f = {\n"			verifyFormat("var f = {\n"
	" param: longTagName`This is a ${\n"			" param: longTagName`This is a ${\n"
	" 'really'} long line`\n"			" 'really'} long line`\n"
	▲ Show 20 Lines • Show All 668 Lines • Show Last 20 Lines