This is an archive of the discontinued LLVM Phabricator instance.

Differential D61608

YAML parser robustness improvements
ClosedPublic

Authored by thomasfinch on May 6 2019, 1:18 PM.

Details

Reviewers
chandlerc
Bigcheese
hintonda
Commits
rG092452d402d7: YAML parser robustness improvements
Summary

This patch fixes a number of bugs found in the YAML parser through fuzzing. In general, this makes the parser more robust against malformed inputs.

The fixes are mostly improved null checking and returning errors in more cases. In some cases, asserts were changed to regular errors, this provides the same robustness but also protects release builds from the triggering conditions. This also improves the fuzzability of the YAML parser since asserts can act as a roadblock to further fuzzing once they're hit.

Each fix has a corresponding test case:

  • TestAnchorMapError - Added proper null pointer handling in Stream::printError if N is null and KeyValueNode::getValue if getKey returns null, Input::createHNodes dyn_casts changed to dyn_cast_or_null so the null pointer checks are actually able to fail
  • TestFlowSequenceTokenErrors - Added case in Document::parseBlockNode for FlowMappingEnd, FlowSequenceEnd, or FlowEntry tokens outside of mappings or sequences
  • TestDirectiveMappingNoValue - Changed assert to regular error return in Scanner::scanValue
  • TestUnescapeInfiniteLoop - Fixed infinite loop in ScalarNode::unescapeDoubleQuoted by returning an error for unrecognized escape codes
  • TestScannerUnexpectedCharacter - Changed asserts to regular error returns in Scanner::consume
  • TestUnknownDirective - For both of the inputs the stream doesn't fail and correctly returns TK_Error, but there is no valid root node for the document. There's no reasonable way to make the scanner fail for unknown directives without breaking the YAML spec (see spec-07-01.test). I think the assert is unnecessary given that an error is still generated for this case.

The SimpleKeys.clear() line fixes a bug found by AddressSanitizer triggered by multiple test cases - when TokenQueue is cleared SimpleKeys is still holding dangling pointers into it, so SimpleKeys should be cleared as well.

Diff Detail

Event Timeline

thomasfinch created this revision.May 6 2019, 1:18 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 6 2019, 1:18 PM
Herald added subscribers: llvm-commits, hiraditya. · View Herald Transcript
Harbormaster completed remote builds in B31471: Diff 198328.May 6 2019, 1:18 PM
thomasfinch edited the summary of this revision. (Show Details)May 6 2019, 1:23 PM
thomasfinch added a reviewer: chandlerc.
thomasfinch added a reviewer: Bigcheese.May 6 2019, 2:48 PM
Herald added a subscriber: dexonsmith. · View Herald TranscriptMay 6 2019, 2:48 PM
beanz added a subscriber: beanz.May 21 2019, 9:53 AM

@Bigcheese, ping?

Bigcheese requested changes to this revision.May 29 2019, 3:36 PM

Thanks for finding this!

I don't think this is the correct fix though, as all of the provided inputs should emit an error. I believe the issue is that parseBlockNode is missing a case for unexpected tokens. Let me know if you need any more info or if you want me to take a look at fixing it.

This revision now requires changes to proceed.May 29 2019, 3:36 PM
thomasfinch updated this revision to Diff 203901.EditedJun 10 2019, 2:43 PM

Move error checking to Document::parseBlockNode, make sure Document::skip doesn't crash if getRoot returns null.

thomasfinch updated this revision to Diff 218944.Sep 5 2019, 10:27 AM
thomasfinch retitled this revision from Fix YAML parser's Document::skip for null nodes to YAML parser robustness improvements.
thomasfinch edited the summary of this revision. (Show Details)

Split test cases apart, added a few more bug fixes

Bigcheese added inline comments.Sep 5 2019, 2:28 PM
lib/Support/YAMLParser.cpp
937

This error and the one below should be something closer to: "Unable to parse non-ascii here".

1235–1238

I realize you changed this so fuzzing works, but this isn't how this case should be handled. setError should be for user error, this is a programming error as the situation should never happen.

1949

We shouldn't use ! in error messages.

Bigcheese added a comment.Sep 5 2019, 2:29 PM

Also, please use -U999999 for patches so there's full context.

thomasfinch updated this revision to Diff 219973.Sep 12 2019, 12:39 PM

Update diff based on feedback.

  • Update error message in Scanner::consume
  • Update error message in ScalarNode::unescapeDoubleQuoted
  • Remove setError call when failing to find a SimpleKey in the token queue
Herald added a subscriber: kristina. · View Herald TranscriptSep 12 2019, 12:40 PM
Harbormaster completed remote builds in B38067: Diff 219973.Sep 12 2019, 12:41 PM
thomasfinch updated this revision to Diff 219977.Sep 12 2019, 12:44 PM

Remove trailing spaces in KeyValueNode::getValue

Harbormaster completed remote builds in B38071: Diff 219977.Sep 12 2019, 12:45 PM
Bigcheese accepted this revision.Oct 30 2019, 2:18 PM

lgtm, sorry for the delay, I didn't see the updates for some reason.

This revision is now accepted and ready to land.Oct 30 2019, 2:18 PM
thomasfinch added a comment.Oct 30 2019, 2:48 PM

@Bigcheese Thanks! Could you please merge this, I don't have commit access.

llvm/lib/Support/YAMLParser.cpp
2401 ↗(On Diff #203901)

@Bigcheese should I be calling setError here as well?

hintonda added a subscriber: hintonda.Nov 1 2019, 10:34 AM
thomasfinch updated this revision to Diff 227744.Nov 4 2019, 11:02 AM

Rebasing on monorepo

Harbormaster completed remote builds in B40488: Diff 227744.Nov 4 2019, 11:07 AM
hintonda requested changes to this revision.Nov 4 2019, 4:14 PM
hintonda added inline comments.
llvm/lib/Support/YAMLTraits.cpp
373 ↗(On Diff #227744)

Since createHNodes is an internal function and only ever called 3 times within Input:: (and nowhere else), and N is already checked before each of those calls, there's no need add _of_null to these dyn_cast calls and check for null again each time.

To enforce this, I'd suggest you make createHNodes and setError private which will make the class more robust, e.g.:

index f365d60b3ff..fe2fe8c56da 100644
--- a/llvm/include/llvm/Support/YAMLTraits.h
+++ b/llvm/include/llvm/Support/YAMLTraits.h
@@ -1509,6 +1509,7 @@ private:
     std::vector<std::unique_ptr<HNode>> Entries;
   };

+private:
   std::unique_ptr<Input::HNode> createHNodes(Node *node);
   void setError(HNode *hnode, const Twine &message);
   void setError(Node *node, const Twine &message);

However, KeyNode on line 396 could be null, so either checking or adding _or_null to the call is definitely needed there.

This revision now requires changes to proceed.Nov 4 2019, 4:14 PM
thomasfinch updated this revision to Diff 227806.Nov 4 2019, 6:02 PM
  • Revert uses of dyn_cast_or_null
Harbormaster completed remote builds in B40501: Diff 227806.Nov 4 2019, 6:02 PM
hintonda accepted this revision.Nov 4 2019, 6:40 PM

Great, LGTM..

I'll go ahead and land this for you tomorrow unless @Bigcheese has any objections.

This revision is now accepted and ready to land.Nov 4 2019, 6:40 PM
Closed by commit rG092452d402d7: YAML parser robustness improvements (authored by thomasfinch, committed by hintonda). · Explain WhyNov 5 2019, 9:56 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
Support/
52 lines
11 lines
unittests/
Support/
52 lines

Diff 219973

lib/Support/YAMLParser.cpp

Show First 20 LinesShow All 783 Lines▼ Show 20 Lines
Token &Scanner::peekNext() { Token &Scanner::peekNext() {
// If the current token is a possible simple key, keep parsing until we // If the current token is a possible simple key, keep parsing until we
// can confirm. // can confirm.
bool NeedMore = false; bool NeedMore = false;
while (true) { while (true) {
if (TokenQueue.empty() || NeedMore) { if (TokenQueue.empty() || NeedMore) {
if (!fetchMoreTokens()) { if (!fetchMoreTokens()) {
TokenQueue.clear(); TokenQueue.clear();
SimpleKeys.clear();
TokenQueue.push_back(Token()); TokenQueue.push_back(Token());
return TokenQueue.front(); return TokenQueue.front();
} }
} }
assert(!TokenQueue.empty() && assert(!TokenQueue.empty() &&
"fetchMoreTokens lied about getting tokens!"); "fetchMoreTokens lied about getting tokens!");
removeStaleSimpleKeyCandidates(); removeStaleSimpleKeyCandidates();
▲ Show 20 LinesShow All 127 Lines▼ Show 20 Lines if (( *Current == '%'
++Current; ++Current;
++Column; ++Column;
} else } else
break; break;
} }
} }
bool Scanner::consume(uint32_t Expected) { bool Scanner::consume(uint32_t Expected) {
if (Expected >= 0x80) if (Expected >= 0x80) {
report_fatal_error("Not dealing with this yet"); setError("Cannot consume non-ascii characters");
BigcheeseUnsubmitted
Not Done
ReplyInline Actions

This error and the one below should be something closer to: "Unable to parse non-ascii here".

Bigcheese: This error and the one below should be something closer to: "Unable to parse non-ascii here".
return false;
}
if (Current == End) if (Current == End)
return false; return false;
if (uint8_t(*Current) >= 0x80) if (uint8_t(*Current) >= 0x80) {
report_fatal_error("Not dealing with this yet"); setError("Cannot consume non-ascii characters");
return false;
}
if (uint8_t(*Current) == Expected) { if (uint8_t(*Current) == Expected) {
++Current; ++Current;
++Column; ++Column;
return true; return true;
} }
return false; return false;
} }
▲ Show 20 LinesShow All 273 Lines▼ Show 20 Lines if (!SimpleKeys.empty()) {
Token T; Token T;
T.Kind = Token::TK_Key; T.Kind = Token::TK_Key;
T.Range = SK.Tok->Range; T.Range = SK.Tok->Range;
TokenQueueT::iterator i, e; TokenQueueT::iterator i, e;
for (i = TokenQueue.begin(), e = TokenQueue.end(); i != e; ++i) { for (i = TokenQueue.begin(), e = TokenQueue.end(); i != e; ++i) {
if (i == SK.Tok) if (i == SK.Tok)
break; break;
} }
assert(i != e && "SimpleKey not in token queue!"); if (i == e) {
Failed = true;
return false;
}
BigcheeseUnsubmitted
Not Done
ReplyInline Actions

I realize you changed this so fuzzing works, but this isn't how this case should be handled. setError should be for user error, this is a programming error as the situation should never happen.

Bigcheese: I realize you changed this so fuzzing works, but this isn't how this case should be handled.
i = TokenQueue.insert(i, T); i = TokenQueue.insert(i, T);
// We may also need to add a Block-Mapping-Start token. // We may also need to add a Block-Mapping-Start token.
rollIndent(SK.Column, Token::TK_BlockMappingStart, i); rollIndent(SK.Column, Token::TK_BlockMappingStart, i);
IsSimpleKeyAllowed = false; IsSimpleKeyAllowed = false;
} else { } else {
if (!FlowLevel) if (!FlowLevel)
▲ Show 20 LinesShow All 528 Lines▼ Show 20 LinesStream::Stream(MemoryBufferRef InputBuffer, SourceMgr &SM, bool ShowColors,
std::error_code *EC) std::error_code *EC)
: scanner(new Scanner(InputBuffer, SM, ShowColors, EC)), CurrentDoc() {} : scanner(new Scanner(InputBuffer, SM, ShowColors, EC)), CurrentDoc() {}
Stream::~Stream() = default; Stream::~Stream() = default;
bool Stream::failed() { return scanner->failed(); } bool Stream::failed() { return scanner->failed(); }
void Stream::printError(Node *N, const Twine &Msg) { void Stream::printError(Node *N, const Twine &Msg) {
scanner->printError( N->getSourceRange().Start SMRange Range = N ? N->getSourceRange() : SMRange();
scanner->printError( Range.Start
, SourceMgr::DK_Error , SourceMgr::DK_Error
, Msg , Msg
, N->getSourceRange()); , Range);
} }
document_iterator Stream::begin() { document_iterator Stream::begin() {
if (CurrentDoc) if (CurrentDoc)
report_fatal_error("Can only iterate over the stream once"); report_fatal_error("Can only iterate over the stream once");
// Skip Stream-Start. // Skip Stream-Start.
scanner->getNext(); scanner->getNext();
▲ Show 20 LinesShow All 142 Lines▼ Show 20 Lines for (; i != StringRef::npos; i = UnquotedValue.find_first_of("\\\r\n")) {
case '\n': case '\n':
Storage.push_back('\n'); Storage.push_back('\n');
if ( UnquotedValue.size() > 1 if ( UnquotedValue.size() > 1
&& (UnquotedValue[1] == '\r' || UnquotedValue[1] == '\n')) && (UnquotedValue[1] == '\r' || UnquotedValue[1] == '\n'))
UnquotedValue = UnquotedValue.substr(1); UnquotedValue = UnquotedValue.substr(1);
UnquotedValue = UnquotedValue.substr(1); UnquotedValue = UnquotedValue.substr(1);
break; break;
default: default:
if (UnquotedValue.size() == 1) if (UnquotedValue.size() == 1) {
// TODO: Report error. Token T;
break; T.Range = StringRef(UnquotedValue.begin(), 1);
setError("Unrecognized escape code", T);
BigcheeseUnsubmitted
Not Done
ReplyInline Actions

We shouldn't use ! in error messages.

Bigcheese: We shouldn't use ! in error messages.
return "";
}
UnquotedValue = UnquotedValue.substr(1); UnquotedValue = UnquotedValue.substr(1);
switch (UnquotedValue[0]) { switch (UnquotedValue[0]) {
default: { default: {
Token T; Token T;
T.Range = StringRef(UnquotedValue.begin(), 1); T.Range = StringRef(UnquotedValue.begin(), 1);
setError("Unrecognized escape code!", T); setError("Unrecognized escape code", T);
return ""; return "";
} }
case '\r': case '\r':
case '\n': case '\n':
// Remove the new line. // Remove the new line.
if ( UnquotedValue.size() > 1 if ( UnquotedValue.size() > 1
&& (UnquotedValue[1] == '\r' || UnquotedValue[1] == '\n')) && (UnquotedValue[1] == '\r' || UnquotedValue[1] == '\n'))
UnquotedValue = UnquotedValue.substr(1); UnquotedValue = UnquotedValue.substr(1);
▲ Show 20 LinesShow All 119 Lines▼ Show 20 LinesNode *KeyValueNode::getKey() {
// We've got a normal key. // We've got a normal key.
return Key = parseBlockNode(); return Key = parseBlockNode();
} }
Node *KeyValueNode::getValue() { Node *KeyValueNode::getValue() {
if (Value) if (Value)
return Value; return Value;
getKey()->skip();
if (Node* Key = getKey())
Key->skip();
else {
setError("Null key in Key Value.", peekNext());
return Value = new (getAllocator()) NullNode(Doc);
}
if (failed()) if (failed())
return Value = new (getAllocator()) NullNode(Doc); return Value = new (getAllocator()) NullNode(Doc);
// Handle implicit null values. // Handle implicit null values.
{ {
Token &t = peekNext(); Token &t = peekNext();
if ( t.Kind == Token::TK_BlockEnd if ( t.Kind == Token::TK_BlockEnd
|| t.Kind == Token::TK_FlowMappingEnd || t.Kind == Token::TK_FlowMappingEnd
▲ Show 20 LinesShow All 299 Lines▼ Show 20 Lines return new (NodeAllocator)
, MappingNode::MT_Inline); , MappingNode::MT_Inline);
case Token::TK_DocumentStart: case Token::TK_DocumentStart:
case Token::TK_DocumentEnd: case Token::TK_DocumentEnd:
case Token::TK_StreamEnd: case Token::TK_StreamEnd:
default: default:
// TODO: Properly handle tags. "[!!str ]" should resolve to !!str "", not // TODO: Properly handle tags. "[!!str ]" should resolve to !!str "", not
// !!null null. // !!null null.
return new (NodeAllocator) NullNode(stream.CurrentDoc); return new (NodeAllocator) NullNode(stream.CurrentDoc);
case Token::TK_FlowMappingEnd:
case Token::TK_FlowSequenceEnd:
case Token::TK_FlowEntry: {
if (Root && (isa<MappingNode>(Root) || isa<SequenceNode>(Root)))
return new (NodeAllocator) NullNode(stream.CurrentDoc);
setError("Unexpected token", T);
return nullptr;
}
case Token::TK_Error: case Token::TK_Error:
return nullptr; return nullptr;
} }
llvm_unreachable("Control flow shouldn't reach here."); llvm_unreachable("Control flow shouldn't reach here.");
return nullptr; return nullptr;
} }
bool Document::parseDirectives() { bool Document::parseDirectives() {
Show All 38 Lines

lib/Support/YAMLTraits.cpp

Show First 20 LinesShow All 81 Lines▼ Show 20 Lines
bool Input::outputting() const { bool Input::outputting() const {
return false; return false;
} }
bool Input::setCurrentDocument() { bool Input::setCurrentDocument() {
if (DocIterator != Strm->end()) { if (DocIterator != Strm->end()) {
Node *N = DocIterator->getRoot(); Node *N = DocIterator->getRoot();
if (!N) { if (!N) {
assert(Strm->failed() && "Root is NULL iff parsing failed");
EC = make_error_code(errc::invalid_argument); EC = make_error_code(errc::invalid_argument);
return false; return false;
} }
if (isa<NullNode>(N)) { if (isa<NullNode>(N)) {
// Empty files are allowed and ignored // Empty files are allowed and ignored
++DocIterator; ++DocIterator;
return setCurrentDocument(); return setCurrentDocument();
▲ Show 20 LinesShow All 267 Lines▼ Show 20 Lines
void Input::setError(Node *node, const Twine &message) { void Input::setError(Node *node, const Twine &message) {
Strm->printError(node, message); Strm->printError(node, message);
EC = make_error_code(errc::invalid_argument); EC = make_error_code(errc::invalid_argument);
} }
std::unique_ptr<Input::HNode> Input::createHNodes(Node *N) { std::unique_ptr<Input::HNode> Input::createHNodes(Node *N) {
SmallString<128> StringStorage; SmallString<128> StringStorage;
if (ScalarNode *SN = dyn_cast<ScalarNode>(N)) { if (ScalarNode *SN = dyn_cast_or_null<ScalarNode>(N)) {
StringRef KeyStr = SN->getValue(StringStorage); StringRef KeyStr = SN->getValue(StringStorage);
if (!StringStorage.empty()) { if (!StringStorage.empty()) {
// Copy string to permanent storage // Copy string to permanent storage
KeyStr = StringStorage.str().copy(StringAllocator); KeyStr = StringStorage.str().copy(StringAllocator);
} }
return std::make_unique<ScalarHNode>(N, KeyStr); return std::make_unique<ScalarHNode>(N, KeyStr);
} else if (BlockScalarNode *BSN = dyn_cast<BlockScalarNode>(N)) { } else if (BlockScalarNode *BSN = dyn_cast_or_null<BlockScalarNode>(N)) {
StringRef ValueCopy = BSN->getValue().copy(StringAllocator); StringRef ValueCopy = BSN->getValue().copy(StringAllocator);
return std::make_unique<ScalarHNode>(N, ValueCopy); return std::make_unique<ScalarHNode>(N, ValueCopy);
} else if (SequenceNode *SQ = dyn_cast<SequenceNode>(N)) { } else if (SequenceNode *SQ = dyn_cast_or_null<SequenceNode>(N)) {
auto SQHNode = std::make_unique<SequenceHNode>(N); auto SQHNode = std::make_unique<SequenceHNode>(N);
for (Node &SN : *SQ) { for (Node &SN : *SQ) {
auto Entry = createHNodes(&SN); auto Entry = createHNodes(&SN);
if (EC) if (EC)
break; break;
SQHNode->Entries.push_back(std::move(Entry)); SQHNode->Entries.push_back(std::move(Entry));
} }
return std::move(SQHNode); return std::move(SQHNode);
} else if (MappingNode *Map = dyn_cast<MappingNode>(N)) { } else if (MappingNode *Map = dyn_cast_or_null<MappingNode>(N)) {
auto mapHNode = std::make_unique<MapHNode>(N); auto mapHNode = std::make_unique<MapHNode>(N);
for (KeyValueNode &KVN : *Map) { for (KeyValueNode &KVN : *Map) {
Node *KeyNode = KVN.getKey(); Node *KeyNode = KVN.getKey();
ScalarNode *Key = dyn_cast<ScalarNode>(KeyNode); ScalarNode *Key = dyn_cast_or_null<ScalarNode>(KeyNode);
Node *Value = KVN.getValue(); Node *Value = KVN.getValue();
if (!Key || !Value) { if (!Key || !Value) {
if (!Key) if (!Key)
setError(KeyNode, "Map key must be a scalar"); setError(KeyNode, "Map key must be a scalar");
if (!Value) if (!Value)
setError(KeyNode, "Map value must not be empty"); setError(KeyNode, "Map value must not be empty");
break; break;
} }
▲ Show 20 LinesShow All 683 LinesShow Last 20 Lines

unittests/Support/YAMLIOTest.cpp

Show First 20 LinesShow All 2,999 Lines▼ Show 20 Lines std::string intermediate;
EXPECT_EQ(foo->SKind, Scalar::SK_Bool); EXPECT_EQ(foo->SKind, Scalar::SK_Bool);
EXPECT_FALSE(foo->BoolValue); EXPECT_FALSE(foo->BoolValue);
auto bar = llvm::dyn_cast<Scalar>((*map)["bar"].get()); auto bar = llvm::dyn_cast<Scalar>((*map)["bar"].get());
ASSERT_TRUE(bar); ASSERT_TRUE(bar);
EXPECT_EQ(bar->SKind, Scalar::SK_Double); EXPECT_EQ(bar->SKind, Scalar::SK_Double);
EXPECT_EQ(bar->DoubleValue, 2.0); EXPECT_EQ(bar->DoubleValue, 2.0);
} }
} }
TEST(YAMLIO, TestAnchorMapError) {
Input yin("& & &: ");
yin.setCurrentDocument();
EXPECT_TRUE(yin.error());
}
TEST(YAMLIO, TestFlowSequenceTokenErrors) {
Input yin(",");
EXPECT_FALSE(yin.setCurrentDocument());
EXPECT_TRUE(yin.error());
Input yin2("]");
EXPECT_FALSE(yin2.setCurrentDocument());
EXPECT_TRUE(yin2.error());
Input yin3("}");
EXPECT_FALSE(yin3.setCurrentDocument());
EXPECT_TRUE(yin3.error());
}
TEST(YAMLIO, TestDirectiveMappingNoValue) {
Input yin("%YAML\n{5:");
EXPECT_FALSE(yin.setCurrentDocument());
EXPECT_TRUE(yin.error());
Input yin2("%TAG\n'\x98!< :\n");
yin2.setCurrentDocument();
EXPECT_TRUE(yin2.error());
}
TEST(YAMLIO, TestUnescapeInfiniteLoop) {
Input yin("\"\\u\\^#\\\\\"");
yin.setCurrentDocument();
EXPECT_TRUE(yin.error());
}
TEST(YAMLIO, TestScannerUnexpectedCharacter) {
Input yin("!<$\x9F.");
EXPECT_FALSE(yin.setCurrentDocument());
EXPECT_TRUE(yin.error());
}
TEST(YAMLIO, TestUnknownDirective) {
Input yin("%");
EXPECT_FALSE(yin.setCurrentDocument());
EXPECT_TRUE(yin.error());
Input yin2("%)");
EXPECT_FALSE(yin2.setCurrentDocument());
EXPECT_TRUE(yin2.error());
}