This is an archive of the discontinued LLVM Phabricator instance.

Differential D140598

[Clang] Add sanity check in Sema::getDestructorName to prevent nullptr dereference
ClosedPublic

Authored by shafik on Dec 22 2022, 6:08 PM.

Details

Reviewers
rsmith
aaron.ballman
erichkeane
Commits
rG6ec446ddcee3: [Clang] Add sanity check in Sema::getDestructorName to prevent nullptr…
Summary

Currently in Sema::getDestructorName we call SS.getScopeRep()->getPrefix() but SS.getScopeRep() can return nullptr because LookupInNestedNameSpec(...) called a little before can invalidate SS.

This fixes: https://github.com/llvm/llvm-project/issues/59446

Diff Detail

Event Timeline

shafik created this revision.Dec 22 2022, 6:08 PM
Herald added a project: Restricted Project. · View Herald TranscriptDec 22 2022, 6:08 PM
shafik requested review of this revision.Dec 22 2022, 6:08 PM
Harbormaster completed remote builds in B204706: Diff 485009.Dec 22 2022, 7:04 PM
tahonermann added a subscriber: tahonermann.Jan 3 2023, 7:56 AM
tahonermann added inline comments.
clang/lib/Sema/SemaExprCXX.cpp
394

CXXScopeSpec::isSet() is apparently (intended to be) deprecated.

clang/include/clang/Sema/DeclSpec.h:
 209   /// Deprecated.  Some call sites intend isNotEmpty() while others intend
 210   /// isValid().
 211   bool isSet() const { return getScopeRep() != nullptr; }

It sounds like this should instead call .isValid() or .isNotEmpty(), but I'm not sure which.

aaron.ballman added inline comments.Jan 5 2023, 1:39 PM
clang/lib/Sema/SemaExprCXX.cpp
394

We want to use isValid() -- isNotEmpty() will return true when the scope spec is present but invalid, so the call to SS.getScopeRep()->getPrefix() would crash in that case.

aaron.ballman added a comment.Jan 5 2023, 1:39 PM

Also, don't forget to add a release note for the fix. :-)

shafik updated this revision to Diff 491554.Jan 23 2023, 4:43 PM
shafik marked 2 inline comments as done.
  • Switched to isValid() over isSet()
  • Added release note
Harbormaster completed remote builds in B209500: Diff 491554.Jan 23 2023, 5:38 PM
aaron.ballman accepted this revision.Jan 24 2023, 5:54 AM

LGTM!

This revision is now accepted and ready to land.Jan 24 2023, 5:54 AM
This revision was landed with ongoing or failed builds.Jan 25 2023, 10:49 AM
Closed by commit rG6ec446ddcee3: [Clang] Add sanity check in Sema::getDestructorName to prevent nullptr… (authored by shafik). · Explain Why
This revision was automatically updated to reflect the committed changes.
shafik added a commit: rG6ec446ddcee3: [Clang] Add sanity check in Sema::getDestructorName to prevent nullptr….
Herald added a project: Restricted Project. · View Herald TranscriptJan 25 2023, 10:49 AM

Revision Contents

PathSize
clang/
docs/
3 lines
lib/
Sema/
2 lines
test/
SemaCXX/
12 lines

Diff 492183

clang/docs/ReleaseNotes.rst

Show First 20 LinesShow All 48 Lines▼ Show 20 Lines
infrastructure are described first, followed by language-specific infrastructure are described first, followed by language-specific
sections with improvements to Clang's support for those languages. sections with improvements to Clang's support for those languages.
Major New Features Major New Features
------------------ ------------------
Bug Fixes Bug Fixes
--------- ---------
- Fix crash on invalid code when looking up a destructor in a templated class
inside a namespace. This fixes
`Issue 59446 <https://github.com/llvm/llvm-project/issues/59446>`_.
Improvements to Clang's diagnostics Improvements to Clang's diagnostics
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Non-comprehensive list of changes in this release Non-comprehensive list of changes in this release
------------------------------------------------- -------------------------------------------------
New Compiler Flags New Compiler Flags
▲ Show 20 LinesShow All 141 LinesShow Last 20 Lines

clang/lib/Sema/SemaExprCXX.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 385 Lines▼ Show 20 Lines if (SS.isSet()) {
} }
// For compatibility with other compilers and older versions of Clang, // For compatibility with other compilers and older versions of Clang,
// //
// nested-name-specifier type-name :: ~ type-name // nested-name-specifier type-name :: ~ type-name
// //
// also looks for type-name in the scope. Unfortunately, we can't // also looks for type-name in the scope. Unfortunately, we can't
// reasonably apply this fallback for dependent nested-name-specifiers. // reasonably apply this fallback for dependent nested-name-specifiers.
if (SS.getScopeRep()->getPrefix()) { if (SS.isValid() && SS.getScopeRep()->getPrefix()) {
tahonermannUnsubmitted
Done
ReplyInline Actions

CXXScopeSpec::isSet() is apparently (intended to be) deprecated.

clang/include/clang/Sema/DeclSpec.h:
 209   /// Deprecated.  Some call sites intend isNotEmpty() while others intend
 210   /// isValid().
 211   bool isSet() const { return getScopeRep() != nullptr; }

It sounds like this should instead call .isValid() or .isNotEmpty(), but I'm not sure which.

tahonermann: `CXXScopeSpec::isSet()` is apparently (intended to be) deprecated. ```…
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

We want to use isValid() -- isNotEmpty() will return true when the scope spec is present but invalid, so the call to SS.getScopeRep()->getPrefix() would crash in that case.

aaron.ballman: We want to use `isValid()` -- `isNotEmpty()` will return `true` when the scope spec is present…
if (ParsedType T = LookupInScope()) { if (ParsedType T = LookupInScope()) {
Diag(SS.getEndLoc(), diag::ext_qualified_dtor_named_in_lexical_scope) Diag(SS.getEndLoc(), diag::ext_qualified_dtor_named_in_lexical_scope)
<< FixItHint::CreateRemoval(SS.getRange()); << FixItHint::CreateRemoval(SS.getRange());
Diag(FoundDecls.back()->getLocation(), diag::note_destructor_type_here) Diag(FoundDecls.back()->getLocation(), diag::note_destructor_type_here)
<< GetTypeFromParser(T); << GetTypeFromParser(T);
return T; return T;
} }
} }
▲ Show 20 LinesShow All 8,739 LinesShow Last 20 Lines

clang/test/SemaCXX/GH59446.cpp

  • This file was added.
// RUN: %clang_cc1 -fsyntax-only -verify -std=c++11 %s
namespace GH59446 { // expected-note {{to match this '{'}}
namespace N {
template <typename T> struct X ; // expected-note 2 {{template is declared here}}
// expected-note@-1 {{'N::X' declared here}}
// expected-note@-2 {{non-type declaration found by destructor name lookup}}
}
void f(X<int> *x) { // expected-error {{no template named 'X'; did you mean 'N::X'}}
x->N::X<int>::~X(); // expected-error 2 {{implicit instantiation of undefined template 'GH59446::N::X<int>'}}
// expected-error@-1 {{identifier 'X' after '~' in destructor name does not name a type}}
} // expected-error {{expected '}'}}