This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
llvm/include/llvm/Demangle/
-
include/
-
llvm/
-
Demangle/
1
ItaniumDemangle.h

Differential D149061

[clang] remove dereferencing of invalid pointer
ClosedPublic

Authored by ashay-github on Apr 24 2023, 6:37 AM.

Download Raw Diff

Details

Reviewers

nickdesaulniers
DavidSpickett
MaskRay
ayzhao

Commits

rGff2e6199b235: [clang] remove dereferencing of invalid pointer

Summary

A line in the demangling code for float literals dereferences the
.end() iterator, which causes the Windows debug build of llvm-cxxfilt
to crash. The failure can be reproduced by passing the string
_Z5dummyIXtl8wrapper1IdEtlNS1_Ut_Edi9RightNametlNS2_Ut_ELd405ec00000000000EEEEEEvv
to llvm-cxxfilt -n.

This patch rewrites the code to use the .size() member of the
string_view type to avoid dereferencing past the buffer.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

ashay-github created this revision.Apr 24 2023, 6:37 AM

Herald added a project: Restricted Project. · View Herald TranscriptApr 24 2023, 6:37 AM

ashay-github requested review of this revision.Apr 24 2023, 6:37 AM

Herald added a project: Restricted Project. · View Herald TranscriptApr 24 2023, 6:37 AM

Herald added a subscriber: llvm-commits. · View Herald Transcript

Seems fine to me, that is what size is for after all :). Just one comment.

llvm/include/llvm/Demangle/ItaniumDemangle.h
2332–2333	Might as well merge this into the `const char* t =` line below.

Harbormaster completed remote builds in B227711: Diff 516385.Apr 24 2023, 7:15 AM

inlined the definition of first into its two uses

LGTM, thanks.

This revision is now accepted and ready to land.Apr 24 2023, 7:41 AM

Harbormaster completed remote builds in B227727: Diff 516407.Apr 24 2023, 8:21 AM

Closed by commit rGff2e6199b235: [clang] remove dereferencing of invalid pointer (authored by • ashay). · Explain WhyApr 24 2023, 8:37 AM

This revision was automatically updated to reflect the committed changes.

• ashay added a commit: rGff2e6199b235: [clang] remove dereferencing of invalid pointer.

nickdesaulniers mentioned this in D148566: [libcxxabi] copy back std::string_view patches from LLVM.Apr 24 2023, 10:30 AM

Thanks for the patch! It would have been good to include your test case though.

In D149061#4292974, @nickdesaulniers wrote:

It would have been good to include your test case though.

Ah, I forgot to mention that the error was also reproducible using an existing test (the one in clang/test/CodeGenCXX/mangle-nttp-anon-union.cpp). The specific case that I mentioned ("_Z5dummyIXtl8wrapper1IdEtlNS1_Ut_Edi9RightNametlNS2_Ut_ELd405ec00000000000EEEEEEvv") is just a subset of the mangle-nttp-anon-union.cpp test, specifically the lines below:

dummy<wrapper1<double>{123.0}>();
// CHECK: call void @_Z5dummyIXtl8wrapper1IdEtlNS1_Ut_Edi9RightNametlNS2_Ut_ELd405ec00000000000EEEEEEvv
// DEMANGLED: call void @void dummy<wrapper1<double>{wrapper1<double>::'unnamed'{.RightName = wrapper1<double>::'unnamed'::'unnamed'{0x1.ec{{.*}}p+6}}}>()()

In D149061#4297011, @ashay-github wrote:
In D149061#4292974, @nickdesaulniers wrote:

It would have been good to include your test case though.

Ah, I forgot to mention that the error was also reproducible using an existing test (the one in clang/test/CodeGenCXX/mangle-nttp-anon-union.cpp). The specific case that I mentioned ("_Z5dummyIXtl8wrapper1IdEtlNS1_Ut_Edi9RightNametlNS2_Ut_ELd405ec00000000000EEEEEEvv") is just a subset of the mangle-nttp-anon-union.cpp test, specifically the lines below:
dummy<wrapper1<double>{123.0}>();
// CHECK: call void @_Z5dummyIXtl8wrapper1IdEtlNS1_Ut_Edi9RightNametlNS2_Ut_ELd405ec00000000000EEEEEEvv
// DEMANGLED: call void @void dummy<wrapper1<double>{wrapper1<double>::'unnamed'{.RightName = wrapper1<double>::'unnamed'::'unnamed'{0x1.ec{{.*}}p+6}}}>()()

Got it. Any ideas why I'm not able to reproduce on a non-windows host (and AFAIK that specific test case hasn't been flagged by any build bots)? I would think we should still be able to test the windows demangling scheme on any host.

Also, llvm/include/llvm/Demangle/ is the downstream copy from libcxxabi/. I'll have to copy it back in https://reviews.llvm.org/D148566.

nickdesaulniers mentioned this in D151760: [Demangle] fix deref of std::string_view::end().May 30 2023, 3:38 PM

Any ideas why I'm not able to reproduce on a non-windows host (and AFAIK that specific test case hasn't been flagged by any build bots)? I would think we should still be able to test the windows demangling scheme on any host.

My apologies for dropping this. I was out of town when your message arrived.

My hypothesis is that you may have build LLVM in Release configuration (and perhaps the bots build in Release configuration as well). Our Windows Release builds were passing but the Debug builds failed. When I looked through the standard library functions in MSVC header files, I found that a vast number of them contained #ifdef statements that were predicated on whether the compiler is called with debug flags, with the debug builds containing far more conservative checks.

nickdesaulniers mentioned this in rG54a2994fa8be: [Demangle] fix deref of std::string_view::end().May 31 2023, 9:49 AM

nickdesaulniers mentioned this in rG728a45181d7e: [libcxxabi] copy back std::string_view patches from LLVM.May 31 2023, 11:07 AM

Revision Contents

Path

Size

llvm/

include/

llvm/

Demangle/

ItaniumDemangle.h

9 lines

Diff 516420

llvm/include/llvm/Demangle/ItaniumDemangle.h

Show First 20 Lines • Show All 2,323 Lines • ▼ Show 20 Lines	static constexpr Kind KindForClass =
float_literal_impl::getFloatLiteralKind((Float *)nullptr);		float_literal_impl::getFloatLiteralKind((Float *)nullptr);

public:		public:
FloatLiteralImpl(std::string_view Contents_)		FloatLiteralImpl(std::string_view Contents_)
: Node(KindForClass), Contents(Contents_) {}		: Node(KindForClass), Contents(Contents_) {}

template<typename Fn> void match(Fn F) const { F(Contents); }		template<typename Fn> void match(Fn F) const { F(Contents); }

void printLeft(OutputBuffer &OB) const override {		void printLeft(OutputBuffer &OB) const override {
const char first = &Contents.begin();
const char last = &Contents.end() + 1;

const size_t N = FloatData<Float>::mangled_size;		const size_t N = FloatData<Float>::mangled_size;
		DavidSpickettUnsubmitted Not Done Reply Inline Actions Might as well merge this into the `const char* t =` line below. DavidSpickett: Might as well merge this into the `const char* t = ` line below.
if (static_cast<std::size_t>(last - first) > N) {		if (Contents.size() >= N) {
last = first + N;
union {		union {
Float value;		Float value;
char buf[sizeof(Float)];		char buf[sizeof(Float)];
};		};
const char *t = first;		const char t = &Contents.begin();
		const char *last = t + N;
char *e = buf;		char *e = buf;
for (; t != last; ++t, ++e) {		for (; t != last; ++t, ++e) {
unsigned d1 = isdigit(t) ? static_cast<unsigned>(t - '0')		unsigned d1 = isdigit(t) ? static_cast<unsigned>(t - '0')
: static_cast<unsigned>(*t - 'a' + 10);		: static_cast<unsigned>(*t - 'a' + 10);
++t;		++t;
unsigned d0 = isdigit(t) ? static_cast<unsigned>(t - '0')		unsigned d0 = isdigit(t) ? static_cast<unsigned>(t - '0')
: static_cast<unsigned>(*t - 'a' + 10);		: static_cast<unsigned>(*t - 'a' + 10);
*e = static_cast<char>((d1 << 4) + d0);		*e = static_cast<char>((d1 << 4) + d0);
▲ Show 20 Lines • Show All 3,163 Lines • Show Last 20 Lines