This is an archive of the discontinued LLVM Phabricator instance.

Differential D23852

[SemaObjC] Fix crash while parsing type arguments and protocols
ClosedPublic

Authored by bruno on Aug 24 2016, 1:56 PM.

Details

Reviewers
doug.gregor
Commits
rG218c8743c8d5: [SemaObjC] Be more strict while parsing type arguments and protocols
rC281383: [SemaObjC] Be more strict while parsing type arguments and protocols
Summary

Fix a crash-on-invalid.

When parsing type arguments and protocols, ParseTypeName() tries to find
matching tokens for '[', '(', etc whenever they appear among potential
type names. If unmatched, ParseTypeName() yields a tok::eof token
stream. This leads to crashes since the parsing at this point is not
expected to go beyond the param list closing '>'.

rdar://problem/25063557

Diff Detail

Event Timeline

bruno updated this revision to Diff 69166.Aug 24 2016, 1:56 PM
bruno retitled this revision from to [SemaObjC] Fix crash while parsing type arguments and protocols.
bruno updated this object.
bruno added a reviewer: doug.gregor.
bruno added subscribers: cfe-commits, manmanren.
doug.gregor edited edge metadata.Aug 25 2016, 9:16 AM

This will work, but it's *really* unfortunate to put tentative parsing into this code path because tentative parsing is far from free, and specialized Objective-C types are getting pretty common in Objective-C headers. Why can't the callers be taught to handle EOF and bail out?

bruno updated this revision to Diff 69456.Aug 26 2016, 6:39 PM
bruno updated this object.
bruno edited edge metadata.

Updated patch and changed approach after Doug's comment.

bruno added a comment.Aug 30 2016, 11:37 AM

Ping!

aaron.ballman added a subscriber: aaron.ballman.Aug 30 2016, 11:45 AM
In D23852#525291, @doug.gregor wrote:

This will work, but it's *really* unfortunate to put tentative parsing into this code path because tentative parsing is far from free, and specialized Objective-C types are getting pretty common in Objective-C headers. Why can't the callers be taught to handle EOF and bail out?

The unfortunate part of that is it makes all of the callers fragile -- we have to sprinkle "are we at EOF now" checks all over, or risk running into the same problem later. We don't typically do that (there are only 7 eof checks in the parser currently, this adds 6 more). I don't know which option is worse.

bruno added a comment.Sep 6 2016, 12:00 PM

Ping!

In D23852#529308, @aaron.ballman wrote:
In D23852#525291, @doug.gregor wrote:

This will work, but it's *really* unfortunate to put tentative parsing into this code path because tentative parsing is far from free, and specialized Objective-C types are getting pretty common in Objective-C headers. Why can't the callers be taught to handle EOF and bail out?

The unfortunate part of that is it makes all of the callers fragile -- we have to sprinkle "are we at EOF now" checks all over, or risk running into the same problem later. We don't typically do that (there are only 7 eof checks in the parser currently, this adds 6 more). I don't know which option is worse.

Likewise, I'm not sure what's the best tradeoff. And there's probably more to come: some part of PR23057 is likely the need to properly handle EOFs.

bruno added a comment.Sep 12 2016, 10:45 AM

Ping!

doug.gregor accepted this revision.Sep 12 2016, 3:49 PM
doug.gregor edited edge metadata.

I don't love the fact that it makes callers fragile, but having to do tentative parsing for these otherwise-unambiguous cases is expensive (in compile time). We should only use tentative parsing when we have an actual ambiguity to resolve.

This revision is now accepted and ready to land.Sep 12 2016, 3:49 PM
bruno closed this revision.Sep 13 2016, 1:14 PM

Thanks Doug!

Committed r281383

Revision Contents

PathSize
lib/
Parse/
3 lines
9 lines
4 lines
test/
SemaObjC/
40 lines

Diff 69456

lib/Parse/ParseDecl.cpp

Show First 20 LinesShow All 5,855 Lines▼ Show 20 Lines return !getLangOpts().CPlusPlus
// list. If we are presented with something like: "void foo(intptr x, // list. If we are presented with something like: "void foo(intptr x,
// float y)", we don't want to start parsing the function declarator as // float y)", we don't want to start parsing the function declarator as
// though it is a K&R style declarator just because intptr is an // though it is a K&R style declarator just because intptr is an
// invalid type. // invalid type.
// //
// To handle this, we check to see if the token after the first // To handle this, we check to see if the token after the first
// identifier is a "," or ")". Only then do we parse it as an // identifier is a "," or ")". Only then do we parse it as an
// identifier list. // identifier list.
&& (NextToken().is(tok::comma) || NextToken().is(tok::r_paren)); && (!Tok.is(tok::eof) &&
(NextToken().is(tok::comma) || NextToken().is(tok::r_paren)));
} }
/// ParseFunctionDeclaratorIdentifierList - While parsing a function declarator /// ParseFunctionDeclaratorIdentifierList - While parsing a function declarator
/// we found a K&R-style identifier list instead of a typed parameter list. /// we found a K&R-style identifier list instead of a typed parameter list.
/// ///
/// After returning, ParamInfo will hold the parsed parameters. /// After returning, ParamInfo will hold the parsed parameters.
/// ///
/// identifier-list: [C99 6.7.5] /// identifier-list: [C99 6.7.5]
▲ Show 20 LinesShow All 640 LinesShow Last 20 Lines

lib/Parse/ParseObjc.cpp

Show First 20 LinesShow All 338 Lines▼ Show 20 Lines if (Tok.is(tok::colon)) { // a super class is specified.
// Type arguments for the superclass or protocol conformances. // Type arguments for the superclass or protocol conformances.
if (Tok.is(tok::less)) { if (Tok.is(tok::less)) {
parseObjCTypeArgsOrProtocolQualifiers( parseObjCTypeArgsOrProtocolQualifiers(
nullptr, typeArgsLAngleLoc, typeArgs, typeArgsRAngleLoc, LAngleLoc, nullptr, typeArgsLAngleLoc, typeArgs, typeArgsRAngleLoc, LAngleLoc,
protocols, protocolLocs, EndProtoLoc, protocols, protocolLocs, EndProtoLoc,
/*consumeLastToken=*/true, /*consumeLastToken=*/true,
/*warnOnIncompleteProtocols=*/true); /*warnOnIncompleteProtocols=*/true);
if (Tok.is(tok::eof))
return nullptr;
} }
} }
// Next, we need to check for any protocol references. // Next, we need to check for any protocol references.
if (LAngleLoc.isValid()) { if (LAngleLoc.isValid()) {
if (!ProtocolIdents.empty()) { if (!ProtocolIdents.empty()) {
// We already parsed the protocols named when we thought we had a // We already parsed the protocols named when we thought we had a
// type parameter list. Translate them into actual protocol references. // type parameter list. Translate them into actual protocol references.
for (const auto &pair : ProtocolIdents) { for (const auto &pair : ProtocolIdents) {
protocolLocs.push_back(pair.second); protocolLocs.push_back(pair.second);
} }
▲ Show 20 LinesShow All 1,451 Lines▼ Show 20 Lines parseObjCTypeArgsOrProtocolQualifiers(baseType,
typeArgs, typeArgs,
typeArgsRAngleLoc, typeArgsRAngleLoc,
protocolLAngleLoc, protocolLAngleLoc,
protocols, protocols,
protocolLocs, protocolLocs,
protocolRAngleLoc, protocolRAngleLoc,
consumeLastToken, consumeLastToken,
/*warnOnIncompleteProtocols=*/false); /*warnOnIncompleteProtocols=*/false);
if (Tok.is(tok::eof)) // Nothing else to do here...
return;
// An Objective-C object pointer followed by type arguments // An Objective-C object pointer followed by type arguments
// can then be followed again by a set of protocol references, e.g., // can then be followed again by a set of protocol references, e.g.,
// \c NSArray<NSView><NSTextDelegate> // \c NSArray<NSView><NSTextDelegate>
if ((consumeLastToken && Tok.is(tok::less)) || if ((consumeLastToken && Tok.is(tok::less)) ||
(!consumeLastToken && NextToken().is(tok::less))) { (!consumeLastToken && NextToken().is(tok::less))) {
// If we aren't consuming the last token, the prior '>' is still hanging // If we aren't consuming the last token, the prior '>' is still hanging
// there. Consume it before we parse the protocol qualifiers. // there. Consume it before we parse the protocol qualifiers.
Show All 32 LinesTypeResult Parser::parseObjCTypeArgsAndProtocolQualifiers(
SourceLocation protocolRAngleLoc; SourceLocation protocolRAngleLoc;
// Parse type arguments and protocol qualifiers. // Parse type arguments and protocol qualifiers.
parseObjCTypeArgsAndProtocolQualifiers(type, typeArgsLAngleLoc, typeArgs, parseObjCTypeArgsAndProtocolQualifiers(type, typeArgsLAngleLoc, typeArgs,
typeArgsRAngleLoc, protocolLAngleLoc, typeArgsRAngleLoc, protocolLAngleLoc,
protocols, protocolLocs, protocols, protocolLocs,
protocolRAngleLoc, consumeLastToken); protocolRAngleLoc, consumeLastToken);
if (Tok.is(tok::eof))
return true; // Invalid type result.
// Compute the location of the last token. // Compute the location of the last token.
if (consumeLastToken) if (consumeLastToken)
endLoc = PrevTokLocation; endLoc = PrevTokLocation;
else else
endLoc = Tok.getLocation(); endLoc = Tok.getLocation();
return Actions.actOnObjCTypeArgsAndProtocolQualifiers( return Actions.actOnObjCTypeArgsAndProtocolQualifiers(
getCurScope(), getCurScope(),
▲ Show 20 LinesShow All 1,826 LinesShow Last 20 Lines

lib/Parse/Parser.cpp

Show First 20 LinesShow All 1,507 Lines▼ Show 20 Lines if (getLangOpts().ObjC1 && NextToken().is(tok::less) &&
SourceLocation IdentifierLoc = ConsumeToken(); SourceLocation IdentifierLoc = ConsumeToken();
SourceLocation NewEndLoc; SourceLocation NewEndLoc;
TypeResult NewType TypeResult NewType
= parseObjCTypeArgsAndProtocolQualifiers(IdentifierLoc, Ty, = parseObjCTypeArgsAndProtocolQualifiers(IdentifierLoc, Ty,
/*consumeLastToken=*/false, /*consumeLastToken=*/false,
NewEndLoc); NewEndLoc);
if (NewType.isUsable()) if (NewType.isUsable())
Ty = NewType.get(); Ty = NewType.get();
else if (Tok.is(tok::eof)) // Nothing to do here, bail out...
return ANK_Error;
} }
Tok.setKind(tok::annot_typename); Tok.setKind(tok::annot_typename);
setTypeAnnotation(Tok, Ty); setTypeAnnotation(Tok, Ty);
Tok.setAnnotationEndLoc(Tok.getLocation()); Tok.setAnnotationEndLoc(Tok.getLocation());
Tok.setLocation(BeginLoc); Tok.setLocation(BeginLoc);
PP.AnnotateCachedTokens(Tok); PP.AnnotateCachedTokens(Tok);
return ANK_Success; return ANK_Success;
▲ Show 20 LinesShow All 215 Lines▼ Show 20 Lines if (ParsedType Ty = Actions.getTypeName(
SourceLocation IdentifierLoc = ConsumeToken(); SourceLocation IdentifierLoc = ConsumeToken();
SourceLocation NewEndLoc; SourceLocation NewEndLoc;
TypeResult NewType TypeResult NewType
= parseObjCTypeArgsAndProtocolQualifiers(IdentifierLoc, Ty, = parseObjCTypeArgsAndProtocolQualifiers(IdentifierLoc, Ty,
/*consumeLastToken=*/false, /*consumeLastToken=*/false,
NewEndLoc); NewEndLoc);
if (NewType.isUsable()) if (NewType.isUsable())
Ty = NewType.get(); Ty = NewType.get();
else if (Tok.is(tok::eof)) // Nothing to do here, bail out...
return false;
} }
// This is a typename. Replace the current token in-place with an // This is a typename. Replace the current token in-place with an
// annotation type token. // annotation type token.
Tok.setKind(tok::annot_typename); Tok.setKind(tok::annot_typename);
setTypeAnnotation(Tok, Ty); setTypeAnnotation(Tok, Ty);
Tok.setAnnotationEndLoc(Tok.getLocation()); Tok.setAnnotationEndLoc(Tok.getLocation());
Tok.setLocation(BeginLoc); Tok.setLocation(BeginLoc);
▲ Show 20 LinesShow All 459 LinesShow Last 20 Lines

test/SemaObjC/crash-on-type-args-protocols.m

  • This file was added.
// RUN: %clang_cc1 -DFIRST -fsyntax-only -verify %s
// RUN: %clang_cc1 -DSECOND -fsyntax-only -verify %s
// RUN: %clang_cc1 -DTHIRD -fsyntax-only -verify %s
// RUN: %clang_cc1 -DFOURTH -fsyntax-only -verify %s
@protocol P;
@interface NSObject
@end
@protocol X
@end
@interface X : NSObject <X>
@end
@class A;
#ifdef FIRST
id<X> F1(id<[P> v) { // expected-error {{expected a type}} // expected-error {{use of undeclared identifier 'P'}} // expected-error {{use of undeclared identifier 'v'}} // expected-note {{to match this '('}}
return 0;
}
#endif
#ifdef SECOND
id<X> F2(id<P[X> v) { // expected-error {{unknown type name 'P'}} // expected-error {{unexpected interface name 'X': expected expression}} // expected-error {{use of undeclared identifier 'v'}} // expected-note {{to match this '('}}
return 0;
}
#endif
#ifdef THIRD
id<X> F3(id<P, P *[> v) { // expected-error {{unknown type name 'P'}} // expected-error {{expected expression}} // expected-error {{use of undeclared identifier 'v'}} // expected-note {{to match this '('}}
return 0;
}
#endif
#ifdef FOURTH
id<X> F4(id<P, P *(> v { // expected-error {{unknown type name 'P'}} // expected-error {{expected ')'}} // expected-note {{to match this '('}} // expected-note {{to match this '('}}
return 0;
}
#endif
// expected-error {{expected '>'}} // expected-error {{expected parameter declarator}} // expected-error {{expected ')'}} // expected-error {{expected function body after function declarator}}