This is an archive of the discontinued LLVM Phabricator instance.

Differential D144054

[Lex] Fix a crash in updateConsecutiveMacroArgTokens.
ClosedPublic

Authored by hokein on Feb 14 2023, 3:41 PM.

Details

Reviewers
sammccall
Commits
rG341dd6076b12: [Lex] Fix a crash in updateConsecutiveMacroArgTokens.
Summary

Fixes https://github.com/llvm/llvm-project/issues/60722.

Diff Detail

Event Timeline

hokein created this revision.Feb 14 2023, 3:41 PM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 14 2023, 3:41 PM
hokein requested review of this revision.Feb 14 2023, 3:41 PM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 14 2023, 3:41 PM
hokein added inline comments.Feb 14 2023, 3:48 PM
clang/test/Lexer/update_consecutive_macro_crash.cpp
8

More details about the issue :

  • due to the error recovery, the clang lexer inserts a pair of () around the macro argument int{,}, so we will see [(, int, {, ,, }, )] tokens
  • however, the size of file id for the macro argument only take account the written tokens which are [int, {, ,, }], and the extra inserted ) token is at the Limit source location which triggers an empty Partition.
shafik added a subscriber: shafik.Feb 14 2023, 4:21 PM
shafik added inline comments.
clang/lib/Lex/TokenLexer.cpp
1023

You had refactored the previous version, was this the way it was handled before? Do we need to add more test to ensure that we don't have any other unintended issues?

1031

I don't believe we include links to issues in comments but you should definitely add the information to the commit message and when folks look at the commit they can get the that context there.

Harbormaster completed remote builds in B213751: Diff 497463.Feb 14 2023, 4:49 PM
hokein added inline comments.Feb 15 2023, 1:14 AM
clang/lib/Lex/TokenLexer.cpp
1023

was this the way it was handled before?

Yeah, the previous implementation literally checked whether every token is from the same file id by calling getFileID.

Do we need to add more test to ensure that we don't have any other unintended issues?

I'd like to add more, but it is hard to foresee all invalid cases (clang has different error-recovery strategies that might have different side effects).

1031

I'm happy to remove it. But is there any guideline discouraging this practise? I have already seen this pattern in LLVM project. I think this is based on the author's judgement (IMO, it seems better to keep it for this case).

sammccall accepted this revision.Feb 22 2023, 12:50 AM
sammccall added inline comments.
clang/lib/Lex/TokenLexer.cpp
1029

Naively, it seems like if recovery tokens could lead us to read one-past-the-end, it could also cause us to read two-past-the-end in which case this check would fail.

We're relying on this never happening, so I think the comment should refer more specifically to the tokens that get inserted.

Maybe "recovery only ever inserts a single token past the end of the FileID, specifically the ) when a macro-arg containing a comma should be guarded by parentheses"?

1031

I see 50+ refs to github issues, 70+ links to bugs.llvm.org, 1K+ references to PRNNNNN.
The reference seems useful when it's a strange workaround like this.

clang/test/Lexer/update_consecutive_macro_crash.cpp
8

can you add these as comments to the test?

This revision is now accepted and ready to land.Feb 22 2023, 12:50 AM
hokein updated this revision to Diff 499405.Feb 22 2023, 1:15 AM
hokein marked 2 inline comments as done.

address comments.

This revision was landed with ongoing or failed builds.Feb 22 2023, 1:16 AM
Closed by commit rG341dd6076b12: [Lex] Fix a crash in updateConsecutiveMacroArgTokens. (authored by hokein). · Explain Why
This revision was automatically updated to reflect the committed changes.
hokein added a commit: rG341dd6076b12: [Lex] Fix a crash in updateConsecutiveMacroArgTokens..
Harbormaster completed remote builds in B215189: Diff 499405.Feb 22 2023, 2:54 AM

Revision Contents

PathSize
clang/
lib/
Lex/
13 lines
test/
Lexer/
11 lines

Diff 497463

clang/lib/Lex/TokenLexer.cpp

Show First 20 LinesShow All 1,014 Lines▼ Show 20 Lines if (BeginLoc.isFileID()) {
}); });
} else { } else {
// Call getFileID once to calculate the bounds, and use the cheaper // Call getFileID once to calculate the bounds, and use the cheaper
// sourcelocation-against-bounds comparison. // sourcelocation-against-bounds comparison.
FileID BeginFID = SM.getFileID(BeginLoc); FileID BeginFID = SM.getFileID(BeginLoc);
SourceLocation Limit = SourceLocation Limit =
SM.getComposedLoc(BeginFID, SM.getFileIDSize(BeginFID)); SM.getComposedLoc(BeginFID, SM.getFileIDSize(BeginFID));
Partition = All.take_while([&](const Token &T) { Partition = All.take_while([&](const Token &T) {
return T.getLocation() >= BeginLoc && T.getLocation() < Limit && // NOTE: the Limit is included! In general, all token locations
shafikUnsubmitted
Not Done
ReplyInline Actions

You had refactored the previous version, was this the way it was handled before? Do we need to add more test to ensure that we don't have any other unintended issues?

shafik: You had refactored the previous version, was this the way it was handled before? Do we need to…
hokeinAuthorUnsubmitted
Done
ReplyInline Actions

was this the way it was handled before?

Yeah, the previous implementation literally checked whether every token is from the same file id by calling getFileID.

Do we need to add more test to ensure that we don't have any other unintended issues?

I'd like to add more, but it is hard to foresee all invalid cases (clang has different error-recovery strategies that might have different side effects).

hokein: > was this the way it was handled before? Yeah, the previous implementation literally checked…
NearLast(T.getLocation()); // should be within [BeginLoc, Limit) range. However, the clang
// lexer might inject extra tokens for error-recovery, and these extra
// tokens are not taken account in the expansion FileID size!
//
// Including Limit will not mischeck for across-file-id tokens
// because SourceManager allocates FileSize + 1 for each SLocEntry.
sammccallUnsubmitted
Done
ReplyInline Actions

Naively, it seems like if recovery tokens could lead us to read one-past-the-end, it could also cause us to read two-past-the-end in which case this check would fail.

We're relying on this never happening, so I think the comment should refer more specifically to the tokens that get inserted.

Maybe "recovery only ever inserts a single token past the end of the FileID, specifically the ) when a macro-arg containing a comma should be guarded by parentheses"?

sammccall: Naively, it seems like if recovery tokens could lead us to read one-past-the-end, it could also…
//
// See https://github.com/llvm/llvm-project/issues/60722.
shafikUnsubmitted
Not Done
ReplyInline Actions

I don't believe we include links to issues in comments but you should definitely add the information to the commit message and when folks look at the commit they can get the that context there.

shafik: I don't believe we include links to issues in comments but you should definitely add the…
hokeinAuthorUnsubmitted
Done
ReplyInline Actions

I'm happy to remove it. But is there any guideline discouraging this practise? I have already seen this pattern in LLVM project. I think this is based on the author's judgement (IMO, it seems better to keep it for this case).

hokein: I'm happy to remove it. But is there any guideline discouraging this practise? I have already…
sammccallUnsubmitted
Done
ReplyInline Actions

I see 50+ refs to github issues, 70+ links to bugs.llvm.org, 1K+ references to PRNNNNN.
The reference seems useful when it's a strange workaround like this.

sammccall: I see 50+ refs to github issues, 70+ links to bugs.llvm.org, 1K+ references to PRNNNNN. The…
return T.getLocation() >= BeginLoc && T.getLocation() <= Limit
&& NearLast(T.getLocation());
}); });
} }
assert(!Partition.empty()); assert(!Partition.empty());
// For the consecutive tokens, find the length of the SLocEntry to contain // For the consecutive tokens, find the length of the SLocEntry to contain
// all of them. // all of them.
SourceLocation::UIntTy FullLength = SourceLocation::UIntTy FullLength =
Partition.back().getEndLoc().getRawEncoding() - Partition.back().getEndLoc().getRawEncoding() -
▲ Show 20 LinesShow All 54 LinesShow Last 20 Lines

clang/test/Lexer/update_consecutive_macro_crash.cpp

  • This file was added.
// RUN: %clang -cc1 -fsyntax-only -verify %s 2>&1
// https://github.com/llvm/llvm-project/issues/60722
#define X(val2) Y(val2++) // expected-note {{macro 'X' defined here}}
#define Y(expression) expression ;
void foo() {
X(int{,}); // expected-error {{too many arguments provided to function-like macro invocation}} \
hokeinAuthorUnsubmitted
Done
ReplyInline Actions

More details about the issue :

  • due to the error recovery, the clang lexer inserts a pair of () around the macro argument int{,}, so we will see [(, int, {, ,, }, )] tokens
  • however, the size of file id for the macro argument only take account the written tokens which are [int, {, ,, }], and the extra inserted ) token is at the Limit source location which triggers an empty Partition.
hokein: More details about the issue : - due to the error recovery, the clang lexer inserts a pair of…
sammccallUnsubmitted
Done
ReplyInline Actions

can you add these as comments to the test?

sammccall: can you add these as comments to the test?
expected-error {{expected expression}} \
expected-note {{parentheses are required around macro argument containing braced initializer list}}
}