This is an archive of the discontinued LLVM Phabricator instance.

clang/lib/Sema/SemaTemplate.cpp
4866	two concerns here: it's not clear to me whether it's best to recover from this failed invariant or make a change elsewhere to ensure it holds IIUC we should only return true if an error has been emitted. We've got some suggestion that it already has, but no smoking gun - maybe there are cases we've missed. (The failure mode here is clang exits with an error status but prints no errors)
clang/test/Parser/cxx-template-decl.cpp
296	If I understand right, AddObservationFn gets typo-corrected to AddObservation (the function). When we go to check whether it's valid, we look up the name and get the type instead (injected-class-name). so we figure "missing typename" but actually everything's just totally confused. The "best" solution I guess would be not allowing typo-correction to the shadowed name. But I think the next best thing is just not to allow "insert typename and recover" if the expression we're inserting around already has errors - this seems like we have low confidence at this point. So does requiring !Arg.getAsExpr().containsErrors() in the check for inserting typename work? My hope is this would result in "undeclared identifier AddObservationFn, did you mean AddObservation" ... "template argument must be a type". (Which is "wrong" in the sense that AddObservation is a type, but that bug is in the typo-correction logic, not here)

refine the fix.

hokein added inline comments.Jul 2 2020, 2:44 AM

clang/lib/Sema/SemaTemplate.cpp
4866	yeah, the current fix is not quite ideal. thinking more about this, I think we should not recover if the arg is `DeclRefExpr`, reasons: looks like most important cases are covered by `DependentScopeDeclRefExpr` and `CXXDependentScopeMemberExpr` already (no failing tests, though the test coverage is weak) if the arg is a `DeclRefExpr` (no typo correction), we'll never into this branch - the lookup should find the responding ValueDecl, which is not a TypeDecl if the arg is a `DeclRefExpr` (from typo correction), we might run into this branch, but we're less certain, and it might violate the assumption (NSS must be non-null). dropping it doesn't seem bad.
clang/test/Parser/cxx-template-decl.cpp
296	If I understand right, AddObservationFn gets typo-corrected to AddObservation (the function). When we go to check whether it's valid, we look up the name and get the type instead (injected-class-name). so we figure "missing typename" but actually everything's just totally confused. Yes, exactly. The inconsistence between different decls resolved by typo correction (function) and the name lookup (class) leads to the crash. The "best" solution I guess would be not allowing typo-correction to the shadowed name. it might be possible, but I'm not sure this would fit the design of typo-correction, or make it worse in particular, TypoCorrection core emits all visible decls for a typo (in this case, both the function and the class) TypoCorrection API provides flexibility (e.g. `CorrectionCandidateCallback` ) to allow the client to do customization of all candidates, e.g. filtering, ranking (in this case, the class decl gets dropped somehow). so, yeah it seems reasonable to fix the typo correction client side, to make it suggest a type decl (rather than a non-type decl) for this particular case. Maybe a better way to fix the issue: improve the typo correction (https://reviews.llvm.org/D83025) make `SemaTemplate.cpp` robust, see my another comment either 1 or 2 can fix this particular crash case (1 will improve the diagnostic), but I think we need both -- as we can't guarantee there is no typo correction running into that code path. But I think the next best thing is just not to allow "insert typename and recover" if the expression we're inserting around already has errors - this seems like we have low confidence at this point. So does requiring !Arg.getAsExpr().containsErrors() in the check for inserting typename work? unfortunately, this is not possible at the moment -- the error-bit isn't propagated from TypoExpr to the corrected Expr, this is because the transformation of TypoExpr -> Expr is not straightforward, a particular code path (in parsing a template argument): we see an identifier token `AddObservationFn`, and we clarify (in `Sema::ClassifyName`) it to determine it is a type, an expr, etc during the classify section, we perform a name lookup, but don't find anything. ok, let's try the typo correction. we find a typo-corrected candidate (`AddObservation` function), so we annotate the current token is non-type (by setting the function decl) in the later parsing step, we build a DeclRefExpr which points to the function decl if we want to propagate the error-bit from typo-expr to the built DeclRefExpr, we need to carry the error-bit through the above code path somehow, which seems non-trivial.

Harbormaster failed remote builds in B62638: Diff 275027!Jul 2 2020, 3:43 AM

Yeah, I think you're right, and this small version of the patch seems good.

if the arg is a DeclRefExpr (no typo correction), we'll never into this branch - the lookup should find the responding ValueDecl, which is not a TypeDecl

I think this is true but I don't feel certain. @rsmith could think of an exception if anyone can. (Only important if the exception is common enough we really need to offer the typename recovery.

Agree that if we've already done typo correction then offering further recovery isn't necessary and in fact often does more harm than good.

clang/lib/Sema/SemaTemplate.cpp
4866	Assertion message doesn't really say anything more than the assertion itself. Instead of saying what, can we say why? (DependentScopeDeclRefExpr must be relative to some specified scope!)

This revision is now accepted and ready to land.Jul 2 2020, 5:10 AM

Closed by commit rG8c5133f18557: [clang] Fix a null-NSS-access crash in DependentNameType. (authored by hokein). · Explain WhyJul 2 2020, 6:26 AM

This revision was automatically updated to reflect the committed changes.

hokein marked an inline comment as done.

Revision Contents

Path

Size

clang/

lib/

Sema/

SemaTemplate.cpp

6 lines

test/

Parser/

cxx-template-decl.cpp

14 lines

Diff 275090

clang/lib/Sema/SemaTemplate.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 4,838 Lines • ▼ Show 20 Lines	case TemplateArgument::TemplateExpansion: {
return true;		return true;
}		}
case TemplateArgument::Expression: {		case TemplateArgument::Expression: {
// We have a template type parameter but the template argument is an		// We have a template type parameter but the template argument is an
// expression; see if maybe it is missing the "typename" keyword.		// expression; see if maybe it is missing the "typename" keyword.
CXXScopeSpec SS;		CXXScopeSpec SS;
DeclarationNameInfo NameInfo;		DeclarationNameInfo NameInfo;

if (DeclRefExpr *ArgExpr = dyn_cast<DeclRefExpr>(Arg.getAsExpr())) {		if (DependentScopeDeclRefExpr *ArgExpr =
SS.Adopt(ArgExpr->getQualifierLoc());
NameInfo = ArgExpr->getNameInfo();
} else if (DependentScopeDeclRefExpr *ArgExpr =
dyn_cast<DependentScopeDeclRefExpr>(Arg.getAsExpr())) {		dyn_cast<DependentScopeDeclRefExpr>(Arg.getAsExpr())) {
SS.Adopt(ArgExpr->getQualifierLoc());		SS.Adopt(ArgExpr->getQualifierLoc());
NameInfo = ArgExpr->getNameInfo();		NameInfo = ArgExpr->getNameInfo();
} else if (CXXDependentScopeMemberExpr *ArgExpr =		} else if (CXXDependentScopeMemberExpr *ArgExpr =
dyn_cast<CXXDependentScopeMemberExpr>(Arg.getAsExpr())) {		dyn_cast<CXXDependentScopeMemberExpr>(Arg.getAsExpr())) {
if (ArgExpr->isImplicitAccess()) {		if (ArgExpr->isImplicitAccess()) {
SS.Adopt(ArgExpr->getQualifierLoc());		SS.Adopt(ArgExpr->getQualifierLoc());
NameInfo = ArgExpr->getMemberNameInfo();		NameInfo = ArgExpr->getMemberNameInfo();
}		}
}		}

if (auto *II = NameInfo.getName().getAsIdentifierInfo()) {		if (auto *II = NameInfo.getName().getAsIdentifierInfo()) {
LookupResult Result(*this, NameInfo, LookupOrdinaryName);		LookupResult Result(*this, NameInfo, LookupOrdinaryName);
LookupParsedName(Result, CurScope, &SS);		LookupParsedName(Result, CurScope, &SS);

if (Result.getAsSingle<TypeDecl>() \|\|		if (Result.getAsSingle<TypeDecl>() \|\|
Result.getResultKind() ==		Result.getResultKind() ==
LookupResult::NotFoundInCurrentInstantiation) {		LookupResult::NotFoundInCurrentInstantiation) {
		assert(SS.getScopeRep() && "dependent scope expr must has a scope!");
		sammccallUnsubmitted Not Done Reply Inline Actions two concerns here: it's not clear to me whether it's best to recover from this failed invariant or make a change elsewhere to ensure it holds IIUC we should only return true if an error has been emitted. We've got some suggestion that it already has, but no smoking gun - maybe there are cases we've missed. (The failure mode here is clang exits with an error status but prints no errors) sammccall: two concerns here: - it's not clear to me whether it's best to recover from this failed…
		hokeinAuthorUnsubmitted Done Reply Inline Actions yeah, the current fix is not quite ideal. thinking more about this, I think we should not recover if the arg is `DeclRefExpr`, reasons: looks like most important cases are covered by `DependentScopeDeclRefExpr` and `CXXDependentScopeMemberExpr` already (no failing tests, though the test coverage is weak) if the arg is a `DeclRefExpr` (no typo correction), we'll never into this branch - the lookup should find the responding ValueDecl, which is not a TypeDecl if the arg is a `DeclRefExpr` (from typo correction), we might run into this branch, but we're less certain, and it might violate the assumption (NSS must be non-null). dropping it doesn't seem bad. hokein: yeah, the current fix is not quite ideal. thinking more about this, I think we should not…
		sammccallUnsubmitted Done Reply Inline Actions Assertion message doesn't really say anything more than the assertion itself. Instead of saying what, can we say why? (DependentScopeDeclRefExpr must be relative to some specified scope!) sammccall: Assertion message doesn't really say anything more than the assertion itself. Instead of saying…
// Suggest that the user add 'typename' before the NNS.		// Suggest that the user add 'typename' before the NNS.
SourceLocation Loc = AL.getSourceRange().getBegin();		SourceLocation Loc = AL.getSourceRange().getBegin();
Diag(Loc, getLangOpts().MSVCCompat		Diag(Loc, getLangOpts().MSVCCompat
? diag::ext_ms_template_type_arg_missing_typename		? diag::ext_ms_template_type_arg_missing_typename
: diag::err_template_arg_must_be_type_suggest)		: diag::err_template_arg_must_be_type_suggest)
<< FixItHint::CreateInsertion(Loc, "typename ");		<< FixItHint::CreateInsertion(Loc, "typename ");
Diag(Param->getLocation(), diag::note_template_param_here);		Diag(Param->getLocation(), diag::note_template_param_here);

▲ Show 20 Lines • Show All 6,065 Lines • Show Last 20 Lines

clang/test/Parser/cxx-template-decl.cpp

	Show First 20 Lines • Show All 280 Lines • ▼ Show 20 Lines
	}			}

	namespace PR45239 {			namespace PR45239 {
	// Ensure we don't crash here. We used to deallocate the TemplateIdAnnotation			// Ensure we don't crash here. We used to deallocate the TemplateIdAnnotation
	// before we'd parsed it.			// before we'd parsed it.
	template<int> int b;			template<int> int b;
	template<int> auto f() -> b<0>; // expected-error +{{}}			template<int> auto f() -> b<0>; // expected-error +{{}}
	}			}

				namespace NoCrashOnNullNNSTypoCorrection {

				int AddObservation(); // expected-note {{declared here}}

				template <typename T, typename... Args> // expected-note {{template parameter is declared here}}
				class UsingImpl {};
				class AddObservation {
				sammccallUnsubmitted Not Done Reply Inline Actions If I understand right, AddObservationFn gets typo-corrected to AddObservation (the function). When we go to check whether it's valid, we look up the name and get the type instead (injected-class-name). so we figure "missing typename" but actually everything's just totally confused. The "best" solution I guess would be not allowing typo-correction to the shadowed name. But I think the next best thing is just not to allow "insert typename and recover" if the expression we're inserting around already has errors - this seems like we have low confidence at this point. So does requiring !Arg.getAsExpr().containsErrors() in the check for inserting typename work? My hope is this would result in "undeclared identifier AddObservationFn, did you mean AddObservation" ... "template argument must be a type". (Which is "wrong" in the sense that AddObservation is a type, but that bug is in the typo-correction logic, not here) sammccall: If I understand right, AddObservationFn gets typo-corrected to AddObservation (the function).
				hokeinAuthorUnsubmitted Done Reply Inline Actions If I understand right, AddObservationFn gets typo-corrected to AddObservation (the function). When we go to check whether it's valid, we look up the name and get the type instead (injected-class-name). so we figure "missing typename" but actually everything's just totally confused. Yes, exactly. The inconsistence between different decls resolved by typo correction (function) and the name lookup (class) leads to the crash. The "best" solution I guess would be not allowing typo-correction to the shadowed name. it might be possible, but I'm not sure this would fit the design of typo-correction, or make it worse in particular, TypoCorrection core emits all visible decls for a typo (in this case, both the function and the class) TypoCorrection API provides flexibility (e.g. `CorrectionCandidateCallback` ) to allow the client to do customization of all candidates, e.g. filtering, ranking (in this case, the class decl gets dropped somehow). so, yeah it seems reasonable to fix the typo correction client side, to make it suggest a type decl (rather than a non-type decl) for this particular case. Maybe a better way to fix the issue: improve the typo correction (https://reviews.llvm.org/D83025) make `SemaTemplate.cpp` robust, see my another comment either 1 or 2 can fix this particular crash case (1 will improve the diagnostic), but I think we need both -- as we can't guarantee there is no typo correction running into that code path. But I think the next best thing is just not to allow "insert typename and recover" if the expression we're inserting around already has errors - this seems like we have low confidence at this point. So does requiring !Arg.getAsExpr().containsErrors() in the check for inserting typename work? unfortunately, this is not possible at the moment -- the error-bit isn't propagated from TypoExpr to the corrected Expr, this is because the transformation of TypoExpr -> Expr is not straightforward, a particular code path (in parsing a template argument): we see an identifier token `AddObservationFn`, and we clarify (in `Sema::ClassifyName`) it to determine it is a type, an expr, etc during the classify section, we perform a name lookup, but don't find anything. ok, let's try the typo correction. we find a typo-corrected candidate (`AddObservation` function), so we annotate the current token is non-type (by setting the function decl) in the later parsing step, we build a DeclRefExpr which points to the function decl if we want to propagate the error-bit from typo-expr to the built DeclRefExpr, we need to carry the error-bit through the above code path somehow, which seems non-trivial. hokein: > If I understand right, AddObservationFn gets typo-corrected to AddObservation (the function).
				using Using =
				UsingImpl<AddObservationFn, const int>; // expected-error {{use of undeclared identifier 'AddObservationFn'; did you mean}} \
				expected-error {{template argument for template type parameter must be a type}}
				};

				}

This is an archive of the discontinued LLVM Phabricator instance.

[clang] Fix a null-NSS-access crash in DependentNameType.ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 275090

clang/lib/Sema/SemaTemplate.cpp

clang/test/Parser/cxx-template-decl.cpp

[clang] Fix a null-NSS-access crash in DependentNameType.
ClosedPublic