This is an archive of the discontinued LLVM Phabricator instance.

Differential D16572

PR23057: fix use-after-free due to local token buffer in ParseCXXAmbiguousParenExpression
ClosedPublic

Authored by DmitryPolukhin on Jan 26 2016, 2:45 AM.

Details

Reviewers
rjmccall
majnemer
rsmith
Commits
rC259750: PR23057: fix use-after-free due to local token buffer in…
Summary

To completely eliminate use-after-free in this place I had to copy tokens into new array and pass ownership. As far as I understand the code it is not possible to guarantee that all inserted tokens are consumed before exiting from this function. Depending on how many tokens were consumed before SkipUntil is called, it may not happen due to unbalanced brackets, etc. Other places where EnterTokenStream is called usually pass vector that some class owns but here it is not possible because this place can be called recursively.

Diff Detail

Event Timeline

DmitryPolukhin updated this revision to Diff 45960.Jan 26 2016, 2:45 AM
DmitryPolukhin retitled this revision from to PR23057: fix use-after-free due to local token buffer in ParseCXXAmbiguousParenExpression.
DmitryPolukhin updated this object.
DmitryPolukhin added a reviewer: rjmccall.
DmitryPolukhin added a subscriber: cfe-commits.
dblaikie added a subscriber: dblaikie.Jan 26 2016, 8:47 AM

I don't fully understand your explanation. Is your change introducing a
memory leak? (or was the old code causing a double free (if
EnterTokenStream does take ownership of this argument)in addition to
use-after-free?)

DmitryPolukhin added a comment.Jan 26 2016, 10:01 AM

I didn't introduce a leak because I pass ownership of the Buffer to EnterTokenStream (i.e. pass true as the last argument OwnsTokens). ASan also doesn't report a leak with my patch. Original code didn't have double free because it used call EnterTokenStream with OwnsTokens == false.

DmitryPolukhin added a reviewer: rsmith.Jan 28 2016, 5:56 AM
DmitryPolukhin added a subscriber: kcc.
majnemer added a subscriber: majnemer.Feb 1 2016, 8:28 PM

I believe this change is correct but I believe we can handle this a little more efficiently.

I wonder if it would be better if we instead inserted a special EOF token at the end of Toks. If any errors occur, consume tokens until we hit our special EOF token. ParseLexedAttribute and ParseLexedMethodDeclaration follow this pattern. To make it a little more obvious that the lifetime of Toks is somehow tied to EnterTokenStream and the parsing code that follows, it might make sense to factor the code after EnterTokenStream into another function.

DmitryPolukhin updated this revision to Diff 46644.Feb 2 2016, 6:06 AM

Use EOF token instead of copy buffer. This approach looks a bit more fragile but definitely more efficient, PTAL.

majnemer accepted this revision.Feb 2 2016, 8:32 AM
majnemer added a reviewer: majnemer.

LGTM

This revision is now accepted and ready to land.Feb 2 2016, 8:32 AM
ABataev closed this revision.Feb 3 2016, 8:29 PM
ABataev added a subscriber: ABataev.

Committed in http://reviews.llvm.org/rL259750

Revision Contents

PathSize
lib/
Parse/
20 lines
test/
Parser/
9 lines

Diff 46644

lib/Parse/ParseExprCXX.cpp

Show First 20 LinesShow All 3,075 Lines▼ Show 20 Lines if (Tok.is(tok::l_paren) && NextToken().is(tok::r_paren)) {
IsTypeCast); IsTypeCast);
} }
// If we parsed a cast-expression, it's really a type-id, otherwise it's // If we parsed a cast-expression, it's really a type-id, otherwise it's
// an expression. // an expression.
ParseAs = NotCastExpr ? SimpleExpr : CastExpr; ParseAs = NotCastExpr ? SimpleExpr : CastExpr;
} }
// Create a fake EOF to mark end of Toks buffer.
Token AttrEnd;
AttrEnd.startToken();
AttrEnd.setKind(tok::eof);
AttrEnd.setLocation(Tok.getLocation());
AttrEnd.setEofData(Toks.data());
Toks.push_back(AttrEnd);
// The current token should go after the cached tokens. // The current token should go after the cached tokens.
Toks.push_back(Tok); Toks.push_back(Tok);
// Re-enter the stored parenthesized tokens into the token stream, so we may // Re-enter the stored parenthesized tokens into the token stream, so we may
// parse them now. // parse them now.
PP.EnterTokenStream(Toks.data(), Toks.size(), PP.EnterTokenStream(Toks.data(), Toks.size(),
true/*DisableMacroExpansion*/, false/*OwnsTokens*/); true/*DisableMacroExpansion*/, false/*OwnsTokens*/);
// Drop the current token and bring the first cached one. It's the same token // Drop the current token and bring the first cached one. It's the same token
// as when we entered this function. // as when we entered this function.
ConsumeAnyToken(); ConsumeAnyToken();
if (ParseAs >= CompoundLiteral) { if (ParseAs >= CompoundLiteral) {
// Parse the type declarator. // Parse the type declarator.
DeclSpec DS(AttrFactory); DeclSpec DS(AttrFactory);
Declarator DeclaratorInfo(DS, Declarator::TypeNameContext); Declarator DeclaratorInfo(DS, Declarator::TypeNameContext);
{ {
ColonProtectionRAIIObject InnerColonProtection(*this); ColonProtectionRAIIObject InnerColonProtection(*this);
ParseSpecifierQualifierList(DS); ParseSpecifierQualifierList(DS);
ParseDeclarator(DeclaratorInfo); ParseDeclarator(DeclaratorInfo);
} }
// Match the ')'. // Match the ')'.
Tracker.consumeClose(); Tracker.consumeClose();
ColonProt.restore(); ColonProt.restore();
// Consume EOF marker for Toks buffer.
assert(Tok.is(tok::eof) && Tok.getEofData() == AttrEnd.getEofData());
ConsumeAnyToken();
if (ParseAs == CompoundLiteral) { if (ParseAs == CompoundLiteral) {
ExprType = CompoundLiteral; ExprType = CompoundLiteral;
if (DeclaratorInfo.isInvalidType()) if (DeclaratorInfo.isInvalidType())
return ExprError(); return ExprError();
TypeResult Ty = Actions.ActOnTypeName(getCurScope(), DeclaratorInfo); TypeResult Ty = Actions.ActOnTypeName(getCurScope(), DeclaratorInfo);
return ParseCompoundLiteralExpression(Ty.get(), return ParseCompoundLiteralExpression(Ty.get(),
Tracker.getOpenLocation(), Tracker.getOpenLocation(),
Show All 20 LinesParser::ParseCXXAmbiguousParenExpression(ParenParseOption &ExprType,
ExprType = SimpleExpr; ExprType = SimpleExpr;
Result = ParseExpression(); Result = ParseExpression();
if (!Result.isInvalid() && Tok.is(tok::r_paren)) if (!Result.isInvalid() && Tok.is(tok::r_paren))
Result = Actions.ActOnParenExpr(Tracker.getOpenLocation(), Result = Actions.ActOnParenExpr(Tracker.getOpenLocation(),
Tok.getLocation(), Result.get()); Tok.getLocation(), Result.get());
// Match the ')'. // Match the ')'.
if (Result.isInvalid()) { if (Result.isInvalid()) {
SkipUntil(tok::r_paren, StopAtSemi); while (Tok.isNot(tok::eof))
ConsumeAnyToken();
assert(Tok.getEofData() == AttrEnd.getEofData());
ConsumeAnyToken();
return ExprError(); return ExprError();
} }
Tracker.consumeClose(); Tracker.consumeClose();
// Consume EOF marker for Toks buffer.
assert(Tok.is(tok::eof) && Tok.getEofData() == AttrEnd.getEofData());
ConsumeAnyToken();
return Result; return Result;
} }

test/Parser/cxx-ambig-paren-expr-asan.cpp

  • This file was added.
// RUN: %clang_cc1 -fsyntax-only -pedantic -verify %s
// This syntax error used to cause use-after free due to token local buffer
// in ParseCXXAmbiguousParenExpression.
int H((int()[)]);
// expected-error@-1 {{expected expression}}
// expected-error@-2 {{expected ']'}}
// expected-note@-3 {{to match this '['}}
// expected-error@-4 {{expected ';' after top level declarator}}