This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
src/
8
cxa_demangle.cpp
-
test/
-
test_demangle.pass.cpp

Differential D33368

[libcxxabi][demangler] Fix a crash in the demangler
ClosedPublic

Authored by erik.pilkington on May 19 2017, 2:15 PM.

Download Raw Diff

Details

Reviewers

dexonsmith
compnerd
EricWF

Commits

rG17dfebcc3900: [demangler] Fix a crash in the demangler during parsing of a lamdba
rCXXA303718: [demangler] Fix a crash in the demangler during parsing of a lamdba
rL303718: [demangler] Fix a crash in the demangler during parsing of a lamdba

Summary

This patch fixes a bug in the demangler where a pack expansion template parameter substitution with more than one element in a lambda's parameter list resulted in either a misdemangle or a crash. I'll commit this change to ItaniumDemangle.cpp as well, as it has the same problem.

rdar://32098667

Thanks for taking a look,
Erik

Diff Detail

Event Timeline

erik.pilkington created this revision.May 19 2017, 2:15 PM

Herald added a reviewer: EricWF. · View Herald TranscriptMay 19 2017, 2:15 PM

compnerd requested changes to this revision.May 21 2017, 8:27 PM

compnerd added inline comments.

src/cxa_demangle.cpp
3036	I'm not sure how `k1` can be `<` than `k0`. Isn't this effectively always going down the `==` path? If I'm just mistaken, then I think that this needs a comment.
3042–3051	I think that using a bit of algorithm here might be nice. std::ostringstream oss(db.names[lambda_pos]); std::copy_if(db.names[k0], db.names[k1], std::ostream_iterator<std::string>(oss, ", "), [](const std::string &s) -> bool { return !s.empty(); });

This revision now requires changes to proceed.May 21 2017, 8:27 PM

dexonsmith added inline comments.May 21 2017, 10:43 PM

src/cxa_demangle.cpp
3042–3051	Introducing a dependency on `std::ostream` would be awkward. libc++abi.dylib cannot link against libc++.dylib, and it would bloat libc++abi.dylib to use custom traits to pull in a full copy.

erik.pilkington added inline comments.May 22 2017, 9:45 AM

src/cxa_demangle.cpp
3036	I agree that it should be impossible, but the previous version handled this case with the `if (db.names.size() < 2)` check, when really `db.names.size()` can only be 1 or greater. I think it makes more sense to be paranoid here, I trust this file about as far as I can throw it (And I can't throw it very far, its not a tangible object).

compnerd added inline comments.May 22 2017, 9:17 PM

src/cxa_demangle.cpp
3036	Hmm, how about being paranoid, and converting that to an assertion and then doing the `==` check? This code is already incredibly complicated, so adding additional things like this only makes it harder to understand whats going on.
3042–3051	Ugh, thats a good point. Very well. However, there doesnt seem to be any iterator invalidation here, so we can still just iterate over a slice here, which would be nicer.

In this new patch:

Add the testcase from https://reviews.llvm.org/D33393
Add an assert() that k0 <= k1
Use std::for_each instead of the for loop

Thanks for taking a look,
Erik

compnerd accepted this revision.May 23 2017, 5:45 PM

This revision is now accepted and ready to land.May 23 2017, 5:45 PM

dexonsmith added inline comments.May 23 2017, 7:08 PM

src/cxa_demangle.cpp
3036	There's no `#include <cassert>` in this file. Depending on the standard library you're building against, you made need that here.

erik.pilkington added inline comments.May 23 2017, 10:43 PM

src/cxa_demangle.cpp
3036	Sure, I'll commit this with that change.

Closed by commit rL303718: [demangler] Fix a crash in the demangler during parsing of a lamdba (authored by epilk). · Explain WhyMay 23 2017, 10:44 PM

This revision was automatically updated to reflect the committed changes.

oss-fuzz finds the assertion failure in this new code:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1834

r303806 removes the assertion (instead just returning first). I though this should never happen, I'm looking into this testcase to see if there is another bug here.
Thanks,
Erik

I also encourage you to run the fuzzer on every change in this code.

Also, are you now maintaining this code?
I am trying to find someone who wants to be CC-ed to other demangler bugs automatically reported by oss-fuzz.

Also, are you now maintaining this code?
I am trying to find someone who wants to be CC-ed to other demangler bugs automatically reported by oss-fuzz.

I don’t think I’ll accept the title of maintainer, (I only have one commit in this file!) but I have some plans to work on it and would be interested in hearing about any bugs found in the fuzzer.
Can you add erik.pilkington@gmail.com to your CC list?

Done (see https://github.com/google/oss-fuzz/blob/master/projects/llvm_libcxxabi/project.yaml)

Revision Contents

Path

Size

src/

cxa_demangle.cpp

51 lines

test/

test_demangle.pass.cpp

1 line

Diff 99625

src/cxa_demangle.cpp

	Show First 20 Lines • Show All 492 Lines • ▼ Show 20 Lines
	db.names.pop_back();			db.names.pop_back();
	return first;			return first;
	}			}
	first = t0 + 1;			first = t0 + 1;
	}			}
	break;			break;
	case 'l':			case 'l':
	{			{
				size_t lambda_pos = db.names.size();
	db.names.push_back(typename C::String("'lambda'("));			db.names.push_back(typename C::String("'lambda'("));
	const char* t0 = first+2;			const char* t0 = first+2;
	if (first[2] == 'v')			if (first[2] == 'v')
	{			{
	db.names.back().first += ')';			db.names.back().first += ')';
	++t0;			++t0;
	}			}
	else			else
	{			{
	const char* t1 = parse_type(t0, last, db);			bool is_first_it = true;
	if (t1 == t0)
	{
	if(!db.names.empty())
	db.names.pop_back();
	return first;
	}
	if (db.names.size() < 2)
	return first;
	auto tmp = db.names.back().move_full();
	db.names.pop_back();
	db.names.back().first.append(tmp);
	t0 = t1;
	while (true)			while (true)
	{			{
	t1 = parse_type(t0, last, db);			size_t k0 = db.names.size();
				const char* t1 = parse_type(t0, last, db);
				size_t k1 = db.names.size();
	if (t1 == t0)			if (t1 == t0)
	break;			break;
	if (db.names.size() < 2)			if (k1 <= k0)
				compnerdUnsubmitted Not Done Reply Inline Actions I'm not sure how `k1` can be `<` than `k0`. Isn't this effectively always going down the `==` path? If I'm just mistaken, then I think that this needs a comment. compnerd: I'm not sure how `k1` can be `<` than `k0`. Isn't this effectively always going down the `==`…
				erik.pilkingtonAuthorUnsubmitted Not Done Reply Inline Actions I agree that it should be impossible, but the previous version handled this case with the `if (db.names.size() < 2)` check, when really `db.names.size()` can only be 1 or greater. I think it makes more sense to be paranoid here, I trust this file about as far as I can throw it (And I can't throw it very far, its not a tangible object). erik.pilkington: I agree that it should be impossible, but the previous version handled this case with the `if…
				compnerdUnsubmitted Not Done Reply Inline Actions Hmm, how about being paranoid, and converting that to an assertion and then doing the `==` check? This code is already incredibly complicated, so adding additional things like this only makes it harder to understand whats going on. compnerd: Hmm, how about being paranoid, and converting that to an assertion and then doing the `==`…
				dexonsmithUnsubmitted Not Done Reply Inline Actions There's no `#include <cassert>` in this file. Depending on the standard library you're building against, you made need that here. dexonsmith: There's no `#include <cassert>` in this file. Depending on the standard library you're…
				erik.pilkingtonAuthorUnsubmitted Not Done Reply Inline Actions Sure, I'll commit this with that change. erik.pilkington: Sure, I'll commit this with that change.
	return first;			return first;
	tmp = db.names.back().move_full();			// If the call to parse_type above found a pack expansion
	db.names.pop_back();			// substitution, then multiple names could have been
	if (!tmp.empty())			// inserted into the name table. Walk through the names,
	{			// appending each onto the lambda's parameter list.
	db.names.back().first.append(", ");			for (size_t k = k0; k < k1; ++k) {
	db.names.back().first.append(tmp);			auto tmp = db.names[k].move_full();
				if (!tmp.empty())
				{
				if (!is_first_it)
				db.names[lambda_pos].first.append(", ");
				is_first_it = false;
				db.names[lambda_pos].first.append(tmp);
				}
	}			}
				compnerdUnsubmitted Not Done Reply Inline Actions I think that using a bit of algorithm here might be nice. std::ostringstream oss(db.names[lambda_pos]); std::copy_if(db.names[k0], db.names[k1], std::ostream_iterator<std::string>(oss, ", "), [](const std::string &s) -> bool { return !s.empty(); }); compnerd: I think that using a bit of algorithm here might be nice. std::ostringstream oss(db.names…
				dexonsmithUnsubmitted Not Done Reply Inline Actions Introducing a dependency on `std::ostream` would be awkward. libc++abi.dylib cannot link against libc++.dylib, and it would bloat libc++abi.dylib to use custom traits to pull in a full copy. dexonsmith: Introducing a dependency on `std::ostream` would be awkward. libc++abi.dylib cannot link…
				compnerdUnsubmitted Not Done Reply Inline Actions Ugh, thats a good point. Very well. However, there doesnt seem to be any iterator invalidation here, so we can still just iterate over a slice here, which would be nicer. compnerd: Ugh, thats a good point. Very well. However, there doesnt seem to be any iterator…
				db.names.erase(db.names.begin() +
				static_cast<long>(lambda_pos) + 1,
				db.names.end());
	t0 = t1;			t0 = t1;
	}			}
	if(db.names.empty())			if (is_first_it)
				{
				if (!db.names.empty())
				db.names.pop_back();
				return first;
				}
				if (db.names.empty() \|\| db.names.size() - 1 != lambda_pos)
	return first;			return first;
	db.names.back().first.append(")");			db.names.back().first.append(")");
	}			}
	if (t0 == last \|\| *t0 != 'E')			if (t0 == last \|\| *t0 != 'E')
	{			{
	if (!db.names.empty())			if (!db.names.empty())
	db.names.pop_back();			db.names.pop_back();
	return first;			return first;
	▲ Show 20 Lines • Show All 492 Lines • Show Last 20 Lines

test/test_demangle.pass.cpp

	Show First 20 Lines • Show All 492 Lines • ▼ Show 20 Lines
	{"i", "int"},			{"i", "int"},

	{"PKFvRiE", "void (*)(int&) const"},			{"PKFvRiE", "void (*)(int&) const"},
	// FIXME(compnerd) pretty print this as void (*)(unsigned long &) volatile &&			// FIXME(compnerd) pretty print this as void (*)(unsigned long &) volatile &&
	{"PVFvRmOE", "void (*)(unsigned long&) volatile&&"},			{"PVFvRmOE", "void (*)(unsigned long&) volatile&&"},
	{"PFvRmOE", "void (*)(unsigned long&) &&"},			{"PFvRmOE", "void (*)(unsigned long&) &&"},
	{"_ZTW1x", "thread-local wrapper routine for x"},			{"_ZTW1x", "thread-local wrapper routine for x"},
	{"_ZTHN3fooE", "thread-local initialization routine for foo"},			{"_ZTHN3fooE", "thread-local initialization routine for foo"},
				{"_Z4algoIJiiiEEvZ1gEUlT_E_", "void algo<int, int, int>(g::'lambda'(int, int, int))"},
	};			};

	const unsigned N = sizeof(cases) / sizeof(cases[0]);			const unsigned N = sizeof(cases) / sizeof(cases[0]);

	struct FPLiteralCase {			struct FPLiteralCase {
	const char *mangled;			const char *mangled;
	// There are four possible demanglings of a given float.			// There are four possible demanglings of a given float.
	std::string expecting[4];			std::string expecting[4];
	▲ Show 20 Lines • Show All 182 Lines • Show Last 20 Lines