This is an archive of the discontinued LLVM Phabricator instance.

Differential D55765

Fix use-after-free bug in Tooling.
ClosedPublic

Authored by ymandel on Dec 17 2018, 7:31 AM.

Details

Reviewers
alexfh
Commits
rG973fcc25fb19: Fix use-after-free bug in Tooling.
rC350638: Fix use-after-free bug in Tooling.
rL350638: Fix use-after-free bug in Tooling.
Summary

buildASTFromCodeWithArgs() was creating a memory buffer referencing a
stack-allocated string. This diff changes the implementation to copy the code
string into the memory buffer so that said buffer owns the memory.

Diff Detail

Repository
rL LLVM

Event Timeline

ymandel created this revision.Dec 17 2018, 7:31 AM
Herald added a subscriber: cfe-commits. · View Herald TranscriptDec 17 2018, 7:31 AM
Harbormaster completed remote builds in B26065: Diff 178464.Dec 17 2018, 7:31 AM
ymandel updated this revision to Diff 178468.Dec 17 2018, 8:03 AM

Change buildAST functions to take a StringRef instead of a Twine.

In practice, code is almost never constructed on the fly using a Twine, so StringRef is simpler and avoids needing a copy when constructing the MemBuffer.

Harbormaster completed remote builds in B26067: Diff 178468.Dec 17 2018, 8:03 AM
ymandel updated this revision to Diff 178470.Dec 17 2018, 8:05 AM

Change header correspondingly.

Harbormaster completed remote builds in B26068: Diff 178470.Dec 17 2018, 8:05 AM
ymandel updated this revision to Diff 178507.Dec 17 2018, 11:48 AM

Update test that was calling builAST with an actual Twine.

Harbormaster completed remote builds in B26075: Diff 178507.Dec 17 2018, 11:48 AM
alexfh added inline comments.Dec 17 2018, 6:06 PM
include/clang/Tooling/Tooling.h
208 ↗(On Diff #178507)

While we're here, can we change FileName and ToolName to StringRef too?

ymandel updated this revision to Diff 178651.Dec 18 2018, 6:10 AM

Convert other Twine-typed args to StringRef.

Harbormaster completed remote builds in B26102: Diff 178651.Dec 18 2018, 6:10 AM
ymandel updated this revision to Diff 178653.Dec 18 2018, 6:11 AM

Adjust comments.

Harbormaster completed remote builds in B26103: Diff 178653.Dec 18 2018, 6:11 AM
ymandel marked an inline comment as done.Dec 18 2018, 6:13 AM
alexfh accepted this revision.Dec 18 2018, 6:58 AM

LG

This revision is now accepted and ready to land.Dec 18 2018, 6:58 AM
ymandel added a comment.Dec 18 2018, 1:23 PM

Alex, would you mind submitting this since I don't yet have submit privileges? I'll request them shortly, but I'd rather this go one in the meantime.

Closed by commit rL350638: Fix use-after-free bug in Tooling. (authored by alexfh). · Explain WhyJan 8 2019, 8:59 AM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptJan 8 2019, 8:59 AM

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
Tooling/
8 lines
lib/
Tooling/
18 lines
unittests/
Analysis/
5 lines

Diff 180685

cfe/trunk/include/clang/Tooling/Tooling.h

Show First 20 LinesShow All 199 Lines▼ Show 20 Lines
/// ///
/// \param Code C++ code. /// \param Code C++ code.
/// \param FileName The file name which 'Code' will be mapped as. /// \param FileName The file name which 'Code' will be mapped as.
/// \param PCHContainerOps The PCHContainerOperations for loading and creating /// \param PCHContainerOps The PCHContainerOperations for loading and creating
/// clang modules. /// clang modules.
/// ///
/// \return The resulting AST or null if an error occurred. /// \return The resulting AST or null if an error occurred.
std::unique_ptr<ASTUnit> std::unique_ptr<ASTUnit>
buildASTFromCode(const Twine &Code, const Twine &FileName = "input.cc", buildASTFromCode(StringRef Code, StringRef FileName = "input.cc",
std::shared_ptr<PCHContainerOperations> PCHContainerOps = std::shared_ptr<PCHContainerOperations> PCHContainerOps =
std::make_shared<PCHContainerOperations>()); std::make_shared<PCHContainerOperations>());
/// Builds an AST for 'Code' with additional flags. /// Builds an AST for 'Code' with additional flags.
/// ///
/// \param Code C++ code. /// \param Code C++ code.
/// \param Args Additional flags to pass on. /// \param Args Additional flags to pass on.
/// \param FileName The file name which 'Code' will be mapped as. /// \param FileName The file name which 'Code' will be mapped as.
/// \param ToolName The name of the binary running the tool. Standard library /// \param ToolName The name of the binary running the tool. Standard library
/// header paths will be resolved relative to this. /// header paths will be resolved relative to this.
/// \param PCHContainerOps The PCHContainerOperations for loading and creating /// \param PCHContainerOps The PCHContainerOperations for loading and creating
/// clang modules. /// clang modules.
/// ///
/// \param Adjuster A function to filter the command line arguments as specified. /// \param Adjuster A function to filter the command line arguments as specified.
/// ///
/// \return The resulting AST or null if an error occurred. /// \return The resulting AST or null if an error occurred.
std::unique_ptr<ASTUnit> buildASTFromCodeWithArgs( std::unique_ptr<ASTUnit> buildASTFromCodeWithArgs(
const Twine &Code, const std::vector<std::string> &Args, StringRef Code, const std::vector<std::string> &Args,
const Twine &FileName = "input.cc", const Twine &ToolName = "clang-tool", StringRef FileName = "input.cc", StringRef ToolName = "clang-tool",
std::shared_ptr<PCHContainerOperations> PCHContainerOps = std::shared_ptr<PCHContainerOperations> PCHContainerOps =
std::make_shared<PCHContainerOperations>(), std::make_shared<PCHContainerOperations>(),
ArgumentsAdjuster Adjuster = getClangStripDependencyFileAdjuster()); ArgumentsAdjuster Adjuster = getClangStripDependencyFileAdjuster());
/// Utility to run a FrontendAction in a single clang invocation. /// Utility to run a FrontendAction in a single clang invocation.
class ToolInvocation { class ToolInvocation {
public: public:
/// Create a tool invocation. /// Create a tool invocation.
/// ///
/// \param CommandLine The command line arguments to clang. Note that clang /// \param CommandLine The command line arguments to clang. Note that clang
▲ Show 20 LinesShow All 267 LinesShow Last 20 Lines

cfe/trunk/lib/Tooling/Tooling.cpp

Show First 20 LinesShow All 568 Lines▼ Show 20 Lines
void ClangTool::setRestoreWorkingDir(bool RestoreCWD) { void ClangTool::setRestoreWorkingDir(bool RestoreCWD) {
this->RestoreCWD = RestoreCWD; this->RestoreCWD = RestoreCWD;
} }
namespace clang { namespace clang {
namespace tooling { namespace tooling {
std::unique_ptr<ASTUnit> std::unique_ptr<ASTUnit>
buildASTFromCode(const Twine &Code, const Twine &FileName, buildASTFromCode(StringRef Code, StringRef FileName,
std::shared_ptr<PCHContainerOperations> PCHContainerOps) { std::shared_ptr<PCHContainerOperations> PCHContainerOps) {
return buildASTFromCodeWithArgs(Code, std::vector<std::string>(), FileName, return buildASTFromCodeWithArgs(Code, std::vector<std::string>(), FileName,
"clang-tool", std::move(PCHContainerOps)); "clang-tool", std::move(PCHContainerOps));
} }
std::unique_ptr<ASTUnit> buildASTFromCodeWithArgs( std::unique_ptr<ASTUnit> buildASTFromCodeWithArgs(
const Twine &Code, const std::vector<std::string> &Args, StringRef Code, const std::vector<std::string> &Args, StringRef FileName,
const Twine &FileName, const Twine &ToolName, StringRef ToolName, std::shared_ptr<PCHContainerOperations> PCHContainerOps,
std::shared_ptr<PCHContainerOperations> PCHContainerOps,
ArgumentsAdjuster Adjuster) { ArgumentsAdjuster Adjuster) {
SmallString<16> FileNameStorage;
StringRef FileNameRef = FileName.toNullTerminatedStringRef(FileNameStorage);
std::vector<std::unique_ptr<ASTUnit>> ASTs; std::vector<std::unique_ptr<ASTUnit>> ASTs;
ASTBuilderAction Action(ASTs); ASTBuilderAction Action(ASTs);
llvm::IntrusiveRefCntPtr<llvm::vfs::OverlayFileSystem> OverlayFileSystem( llvm::IntrusiveRefCntPtr<llvm::vfs::OverlayFileSystem> OverlayFileSystem(
new llvm::vfs::OverlayFileSystem(llvm::vfs::getRealFileSystem())); new llvm::vfs::OverlayFileSystem(llvm::vfs::getRealFileSystem()));
llvm::IntrusiveRefCntPtr<llvm::vfs::InMemoryFileSystem> InMemoryFileSystem( llvm::IntrusiveRefCntPtr<llvm::vfs::InMemoryFileSystem> InMemoryFileSystem(
new llvm::vfs::InMemoryFileSystem); new llvm::vfs::InMemoryFileSystem);
OverlayFileSystem->pushOverlay(InMemoryFileSystem); OverlayFileSystem->pushOverlay(InMemoryFileSystem);
llvm::IntrusiveRefCntPtr<FileManager> Files( llvm::IntrusiveRefCntPtr<FileManager> Files(
new FileManager(FileSystemOptions(), OverlayFileSystem)); new FileManager(FileSystemOptions(), OverlayFileSystem));
ToolInvocation Invocation( ToolInvocation Invocation(
getSyntaxOnlyToolArgs(ToolName, Adjuster(Args, FileNameRef), FileNameRef), getSyntaxOnlyToolArgs(ToolName, Adjuster(Args, FileName), FileName),
&Action, Files.get(), std::move(PCHContainerOps)); &Action, Files.get(), std::move(PCHContainerOps));
SmallString<1024> CodeStorage; InMemoryFileSystem->addFile(FileName, 0,
InMemoryFileSystem->addFile(FileNameRef, 0, llvm::MemoryBuffer::getMemBufferCopy(Code));
llvm::MemoryBuffer::getMemBuffer(
Code.toNullTerminatedStringRef(CodeStorage)));
if (!Invocation.run()) if (!Invocation.run())
return nullptr; return nullptr;
assert(ASTs.size() == 1); assert(ASTs.size() == 1);
return std::move(ASTs[0]); return std::move(ASTs[0]);
} }
} // namespace tooling } // namespace tooling
} // namespace clang } // namespace clang

cfe/trunk/unittests/Analysis/ExprMutationAnalyzerTest.cpp

//===---------- ExprMutationAnalyzerTest.cpp ------------------------------===// //===---------- ExprMutationAnalyzerTest.cpp ------------------------------===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/Analysis/Analyses/ExprMutationAnalyzer.h" #include "clang/Analysis/Analyses/ExprMutationAnalyzer.h"
#include "clang/ASTMatchers/ASTMatchFinder.h" #include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/ASTMatchers/ASTMatchers.h" #include "clang/ASTMatchers/ASTMatchers.h"
#include "clang/Tooling/Tooling.h" #include "clang/Tooling/Tooling.h"
#include "llvm/ADT/SmallString.h"
#include "gmock/gmock.h" #include "gmock/gmock.h"
#include "gtest/gtest.h" #include "gtest/gtest.h"
#include <cctype> #include <cctype>
namespace clang { namespace clang {
using namespace clang::ast_matchers; using namespace clang::ast_matchers;
using ::testing::ElementsAre; using ::testing::ElementsAre;
using ::testing::IsEmpty; using ::testing::IsEmpty;
using ::testing::ResultOf; using ::testing::ResultOf;
using ::testing::StartsWith; using ::testing::StartsWith;
using ::testing::Values; using ::testing::Values;
namespace { namespace {
using ExprMatcher = internal::Matcher<Expr>; using ExprMatcher = internal::Matcher<Expr>;
using StmtMatcher = internal::Matcher<Stmt>; using StmtMatcher = internal::Matcher<Stmt>;
std::unique_ptr<ASTUnit> std::unique_ptr<ASTUnit>
buildASTFromCodeWithArgs(const Twine &Code, buildASTFromCodeWithArgs(const Twine &Code,
const std::vector<std::string> &Args) { const std::vector<std::string> &Args) {
auto AST = tooling::buildASTFromCodeWithArgs(Code, Args); SmallString<1024> CodeStorage;
auto AST =
tooling::buildASTFromCodeWithArgs(Code.toStringRef(CodeStorage), Args);
EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred()); EXPECT_FALSE(AST->getDiagnostics().hasErrorOccurred());
return AST; return AST;
} }
std::unique_ptr<ASTUnit> buildASTFromCode(const Twine &Code) { std::unique_ptr<ASTUnit> buildASTFromCode(const Twine &Code) {
return buildASTFromCodeWithArgs(Code, {}); return buildASTFromCodeWithArgs(Code, {});
} }
▲ Show 20 LinesShow All 1,066 LinesShow Last 20 Lines