This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
llvm/
-
lib/Support/
-
Support/
5/5
YAMLParser.cpp
-
tools/llvm-yaml-parser-fuzzer/
-
llvm-yaml-parser-fuzzer/
1/3
yaml-parser-fuzzer.cpp
-
unittests/Support/
-
Support/
-
YAMLIOTest.cpp

Differential D84050

[YAMLIO] Support non-null-terminated inputs
ClosedPublic

Authored by scott.linder on Jul 17 2020, 10:08 AM.

Download Raw Diff

Details

Reviewers

bkramer
Bigcheese
arphaman
dexonsmith
arsenm

Commits

rG2980933d850b: [YAMLIO] Support non-null-terminated inputs

Summary

In some places the parser guards against dereferencing End, while in
others it relies on the presence of a trailing '\0' to elide checks.

Add the remaining guards needed to ensure the parser never attempts to
dereference End, making it safe to not require a null-terminated input
buffer.

Update fuzzer harness so that it doesn't ensure null-terminated inputs.

Some of the regression tests were written by inspection, and some are
cases caught by the fuzzer which required additional fixes in the
parser.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

arsenm created this revision.Jul 17 2020, 10:08 AM

Herald added a project: Restricted Project. · View Herald TranscriptJul 17 2020, 10:08 AM

Herald added subscribers: hiraditya, wdng. · View Herald Transcript

arsenm added reviewers: bkramer, Bigcheese, arphaman, dexonsmith.Jul 17 2020, 10:22 AM

ping

The parser used to rely on the \0 being present. Was that fixed?

In D84050#2189370, @bkramer wrote:

The parser used to rely on the \0 being present. Was that fixed?

Do you know where this assumption was? I couldn't find it, but also couldn't find any commits that seemed to "fix" it. I haven't seen a sanitizer error yet

In D84050#2242755, @arsenm wrote:

In D84050#2189370, @bkramer wrote:

The parser used to rely on the \0 being present. Was that fixed?

Do you know where this assumption was? I couldn't find it, but also couldn't find any commits that seemed to "fix" it. I haven't seen a sanitizer error yet

I just did a quick scan and I can't find any such assumption either. @Bigcheese, do remember what the original intent was?

llvm/lib/Support/YAMLParser.cpp
773	Please spell this `/RequiresNullTerminator=/false`.

This revision now requires changes to proceed.Oct 6 2020, 3:32 PM

This should have a unittest probably, if fixes something.

Try to keep the parser from running off the end of the buffer and dereferencing
the result; add some unit tests to try to stress pieces being changed.

scott.linder commandeered this revision.Nov 11 2020, 3:20 PM

scott.linder added a reviewer: arsenm.

I tried to address the issues brought up, but I'm not particularly confident I found every case in the parser where it assumes End is OK to dereference. I think the presence of a null-terminator just made these bugs harder to detect, but as far as I can tell they are in fact bugs (i.e. End is documented as being one-past-the-end, and a lot of other places do guard against Current == End).

I didn't do a stellar job with unit testing either, I essentially just tried to produce at least enough test cases to stress the changes I made. I considered updating all of the existing tests to not use null-terminated buffers, or to check with both, but wanted to see what people thought first.

As a note, the tests will only deterministically fail with ASan enabled, but I don't know a reliable way to avoid that.

Ignore this diff, I thought I had run check-all but evidently I hadn't. I'll look at what I broke in the spec tests and post a revised patch.

Harbormaster completed remote builds in B78535: Diff 304670.Nov 11 2020, 4:20 PM

In D84050#2389985, @scott.linder wrote:

As a note, the tests will only deterministically fail with ASan enabled, but I don't know a reliable way to avoid that.

That's fine, we'll always have ASan bots to catch these. Not ideal, but reasonable for this kind of situation.

In D84050#2315437, @dexonsmith wrote:

In D84050#2242755, @arsenm wrote:

In D84050#2189370, @bkramer wrote:

The parser used to rely on the \0 being present. Was that fixed?

Do you know where this assumption was? I couldn't find it, but also couldn't find any commits that seemed to "fix" it. I haven't seen a sanitizer error yet

I just did a quick scan and I can't find any such assumption either. @Bigcheese, do remember what the original intent was?

All I recall at this point is that I required a null terminator for the same reason Clang does, to remove the constant need to check for Current != End. This probably makes a lot more sense for Clang to do as it's rare to compile source code not in a file, which may not always be true for the YAML parser. I'm fine with removing that assumption.

Restore the correct behavior of Scanner::scanAliasOrAnchor, last version of the patch mistakenly changed Token.Range when only intending to fix the error checking around an empty alias/anchor.

I think this version now removes the assumption that End points to a dereferencable '\0', but I'm not sure how to go about testing this comprehensively.

Harbormaster completed remote builds in B78639: Diff 304874.Nov 12 2020, 10:15 AM

In D84050#2391741, @scott.linder wrote:

Restore the correct behavior of Scanner::scanAliasOrAnchor, last version of the patch mistakenly changed Token.Range when only intending to fix the error checking around an empty alias/anchor.

I think this version now removes the assumption that End points to a dereferencable '\0', but I'm not sure how to go about testing this comprehensively.

One idea would be to hack the parser to always duplicate the input, append a bad character (like '\1'), and parse the new buffer with the original bounds. If something reads too far it would likely get upset at the bad character. Running the test suites for LLVM and Clang with that hack might be enough coverage.

Is there a libfuzzer instance for the yaml parser? That's probably the ideal thing to do, and if it's already set up maybe it's not too hard.

dexonsmith requested changes to this revision.Nov 13 2020, 1:37 PM

dexonsmith added inline comments.

llvm/lib/Support/YAMLParser.cpp
1409–1410	I don't have an opinion on the best order of these two lines, but if you want to flip them please do so in a separate NFC commit (and revert the change from this patch to make it as clean as possible).
1411	Please run `git-clang-format` or similar to fix the spacing on the lines touched.
1424	This looks like a fix for a logic bug, not directly related to null-termination; can it be committed separately ahead of time? Please also add a test that covers it.

This revision now requires changes to proceed.Nov 13 2020, 1:37 PM

Address feedback

Correct a spurious reordering of some lines
Format touched lines
Split off semantically distinct patch for anchor/alias diagnostic bug

scott.linder added a parent revision: D91462: [YAMLIO] Correctly diagnose empty alias/anchor.Nov 13 2020, 2:15 PM

scott.linder marked 3 inline comments as done.

scott.linder added inline comments.

llvm/lib/Support/YAMLParser.cpp
1409–1410	My mistake, I didn't look over the diff closely enough before posting. Fixed!

Harbormaster completed remote builds in B78821: Diff 305264.Nov 13 2020, 2:52 PM

I ran the fuzzer and quickly found two places I had missed. I've been running the fuzzer for about a half hour now and haven't seen another crash, so I am tentatively posting the patch. I'll leave the fuzzer running for as long as I reasonably can to try to find additional cases.

scott.linder added a parent revision: D91573: [YAMLIO] Add a generic YAML fuzzer harness.Nov 16 2020, 3:20 PM

In D84050#2392467, @dexonsmith wrote:

In D84050#2391741, @scott.linder wrote:

Restore the correct behavior of Scanner::scanAliasOrAnchor, last version of the patch mistakenly changed Token.Range when only intending to fix the error checking around an empty alias/anchor.

I think this version now removes the assumption that End points to a dereferencable '\0', but I'm not sure how to go about testing this comprehensively.

One idea would be to hack the parser to always duplicate the input, append a bad character (like '\1'), and parse the new buffer with the original bounds. If something reads too far it would likely get upset at the bad character. Running the test suites for LLVM and Clang with that hack might be enough coverage.

Is there a libfuzzer instance for the yaml parser? That's probably the ideal thing to do, and if it's already set up maybe it's not too hard.

Also thank you for mentioning libFuzzer! It was really painless and feels like the best thing short of a proof to validate the change.

Harbormaster completed remote builds in B79019: Diff 305612.Nov 16 2020, 4:46 PM

dexonsmith added inline comments.Nov 17 2020, 7:10 PM

llvm/tools/llvm-yaml-parser-fuzzer/yaml-parser-fuzzer.cpp

33–50

I wonder if it would also be useful to have logic like this:

auto testYaml = [](const uint8_t *Data, size_t Size) {
  // return true if it parses.
};

// Test that there's no crash when parsing the raw data.
testYaml(Data, Size);

// Test with 0s filtered out.
std::string Input(reinterpret_cast<const char *>(Data), Size);
Input.erase(std::remove(Input.begin(), Input.end(), 0), Input.end());
Size = Input.size();
bool TerminatedBy0 = testYaml(Input.data(), Size);

// Test that an invalid character after the input has no effect.
Input.push_back(1);
if (testYaml(Input.data(), Size) != TerminatedBy0)
  __builtin_trap(...);
return 0;

I added something along the lines of what you proposed, let me know what you
think. I also switched to a vector<uint8_t> to get more explicit control over
the terminator, and to yaml::Stream to be able to directly call validate()
such that every document is checked (in case the fuzzer produces inputs with
multiple documents).

I had also considered trying to duplicate the existing parser to do comparitive
testing, but I wasn't sure the best way to go about it. I could just build the
compiler twice, and then have an instance of the fuzzer feed into both and
compare their results. Let me know if you would find this helpful, and I can
do the test and just not commit the result.

scott.linder marked an inline comment as done.Nov 18 2020, 12:24 PM

I also added calls to vector::shrink_to_fit to maybe make it slightly more likely for a sanitizer without c++ STL annotations to catch out-of-bounds accesses, but if this is just noise I'm happy to remove them.

Remove one redundant call to vector::shrink_to_fit

Harbormaster completed remote builds in B79344: Diff 306184.Nov 18 2020, 12:53 PM

Harbormaster completed remote builds in B79350: Diff 306192.Nov 18 2020, 1:22 PM

This LGTM now, thanks for integrating this into the fuzzer! I have a couple of other suggestions, but it's up to you whether to apply them.

llvm/tools/llvm-yaml-parser-fuzzer/yaml-parser-fuzzer.cpp
11	It may be nice to have a `using namespace llvm;` here and remove the `llvm::`s below. Up to you.
12	This could probably be `isValidYaml` to silence the `clang-tidy` warning. `LLVM_FuzzerTestOneInput` has to be how it us, but we could still modify this.

This revision is now accepted and ready to land.Nov 18 2020, 1:40 PM

dexonsmith mentioned this in D91573: [YAMLIO] Add a generic YAML fuzzer harness.Nov 18 2020, 1:43 PM

This revision was landed with ongoing or failed builds.Nov 18 2020, 3:06 PM

Closed by commit rG2980933d850b: [YAMLIO] Support non-null-terminated inputs (authored by scott.linder). · Explain Why

This revision was automatically updated to reflect the committed changes.

scott.linder added a commit: rG2980933d850b: [YAMLIO] Support non-null-terminated inputs.

Revision Contents

Path

Size

llvm/

lib/

Support/

YAMLParser.cpp

32 lines

tools/

llvm-yaml-parser-fuzzer/

yaml-parser-fuzzer.cpp

24 lines

unittests/

Support/

YAMLIOTest.cpp

90 lines

Diff 306237

llvm/lib/Support/YAMLParser.cpp

Show First 20 Lines • Show All 194 Lines • ▼ Show 20 Lines
/// A length of 0 represents an error.		/// A length of 0 represents an error.
using UTF8Decoded = std::pair<uint32_t, unsigned>;		using UTF8Decoded = std::pair<uint32_t, unsigned>;

static UTF8Decoded decodeUTF8(StringRef Range) {		static UTF8Decoded decodeUTF8(StringRef Range) {
StringRef::iterator Position= Range.begin();		StringRef::iterator Position= Range.begin();
StringRef::iterator End = Range.end();		StringRef::iterator End = Range.end();
// 1 byte: [0x00, 0x7f]		// 1 byte: [0x00, 0x7f]
// Bit pattern: 0xxxxxxx		// Bit pattern: 0xxxxxxx
if ((*Position & 0x80) == 0) {		if (Position < End && (*Position & 0x80) == 0) {
return std::make_pair(*Position, 1);		return std::make_pair(*Position, 1);
}		}
// 2 bytes: [0x80, 0x7ff]		// 2 bytes: [0x80, 0x7ff]
// Bit pattern: 110xxxxx 10xxxxxx		// Bit pattern: 110xxxxx 10xxxxxx
if (Position + 1 != End &&		if (Position + 1 < End && ((*Position & 0xE0) == 0xC0) &&
((*Position & 0xE0) == 0xC0) &&
((*(Position + 1) & 0xC0) == 0x80)) {		((*(Position + 1) & 0xC0) == 0x80)) {
uint32_t codepoint = ((*Position & 0x1F) << 6) \|		uint32_t codepoint = ((*Position & 0x1F) << 6) \|
(*(Position + 1) & 0x3F);		(*(Position + 1) & 0x3F);
if (codepoint >= 0x80)		if (codepoint >= 0x80)
return std::make_pair(codepoint, 2);		return std::make_pair(codepoint, 2);
}		}
// 3 bytes: [0x8000, 0xffff]		// 3 bytes: [0x8000, 0xffff]
// Bit pattern: 1110xxxx 10xxxxxx 10xxxxxx		// Bit pattern: 1110xxxx 10xxxxxx 10xxxxxx
if (Position + 2 != End &&		if (Position + 2 < End && ((*Position & 0xF0) == 0xE0) &&
((*Position & 0xF0) == 0xE0) &&
((*(Position + 1) & 0xC0) == 0x80) &&		((*(Position + 1) & 0xC0) == 0x80) &&
((*(Position + 2) & 0xC0) == 0x80)) {		((*(Position + 2) & 0xC0) == 0x80)) {
uint32_t codepoint = ((*Position & 0x0F) << 12) \|		uint32_t codepoint = ((*Position & 0x0F) << 12) \|
((*(Position + 1) & 0x3F) << 6) \|		((*(Position + 1) & 0x3F) << 6) \|
(*(Position + 2) & 0x3F);		(*(Position + 2) & 0x3F);
// Codepoints between 0xD800 and 0xDFFF are invalid, as		// Codepoints between 0xD800 and 0xDFFF are invalid, as
// they are high / low surrogate halves used by UTF-16.		// they are high / low surrogate halves used by UTF-16.
if (codepoint >= 0x800 &&		if (codepoint >= 0x800 &&
(codepoint < 0xD800 \|\| codepoint > 0xDFFF))		(codepoint < 0xD800 \|\| codepoint > 0xDFFF))
return std::make_pair(codepoint, 3);		return std::make_pair(codepoint, 3);
}		}
// 4 bytes: [0x10000, 0x10FFFF]		// 4 bytes: [0x10000, 0x10FFFF]
// Bit pattern: 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx		// Bit pattern: 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
if (Position + 3 != End &&		if (Position + 3 < End && ((*Position & 0xF8) == 0xF0) &&
((*Position & 0xF8) == 0xF0) &&
((*(Position + 1) & 0xC0) == 0x80) &&		((*(Position + 1) & 0xC0) == 0x80) &&
((*(Position + 2) & 0xC0) == 0x80) &&		((*(Position + 2) & 0xC0) == 0x80) &&
((*(Position + 3) & 0xC0) == 0x80)) {		((*(Position + 3) & 0xC0) == 0x80)) {
uint32_t codepoint = ((*Position & 0x07) << 18) \|		uint32_t codepoint = ((*Position & 0x07) << 18) \|
((*(Position + 1) & 0x3F) << 12) \|		((*(Position + 1) & 0x3F) << 12) \|
((*(Position + 2) & 0x3F) << 6) \|		((*(Position + 2) & 0x3F) << 6) \|
(*(Position + 3) & 0x3F);		(*(Position + 3) & 0x3F);
if (codepoint >= 0x10000 && codepoint <= 0x10FFFF)		if (codepoint >= 0x10000 && codepoint <= 0x10FFFF)
▲ Show 20 Lines • Show All 525 Lines • ▼ Show 20 Lines	void Scanner::init(MemoryBufferRef Buffer) {
Indent = -1;		Indent = -1;
Column = 0;		Column = 0;
Line = 0;		Line = 0;
FlowLevel = 0;		FlowLevel = 0;
IsStartOfStream = true;		IsStartOfStream = true;
IsSimpleKeyAllowed = true;		IsSimpleKeyAllowed = true;
Failed = false;		Failed = false;
std::unique_ptr<MemoryBuffer> InputBufferOwner =		std::unique_ptr<MemoryBuffer> InputBufferOwner =
MemoryBuffer::getMemBuffer(Buffer);		MemoryBuffer::getMemBuffer(Buffer, /RequiresNullTerminator=/false);
		dexonsmithUnsubmitted Done Reply Inline Actions Please spell this `/RequiresNullTerminator=/false`. dexonsmith: Please spell this `/RequiresNullTerminator=/false`.
SM.AddNewSourceBuffer(std::move(InputBufferOwner), SMLoc());		SM.AddNewSourceBuffer(std::move(InputBufferOwner), SMLoc());
}		}

Token &Scanner::peekNext() {		Token &Scanner::peekNext() {
// If the current token is a possible simple key, keep parsing until we		// If the current token is a possible simple key, keep parsing until we
// can confirm.		// can confirm.
bool NeedMore = false;		bool NeedMore = false;
while (true) {		while (true) {
▲ Show 20 Lines • Show All 246 Lines • ▼ Show 20 Lines	if (Indent < ToColumn) {
T.Kind = Kind;		T.Kind = Kind;
T.Range = StringRef(Current, 0);		T.Range = StringRef(Current, 0);
TokenQueue.insert(InsertPoint, T);		TokenQueue.insert(InsertPoint, T);
}		}
return true;		return true;
}		}

void Scanner::skipComment() {		void Scanner::skipComment() {
if (*Current != '#')		if (Current == End \|\| *Current != '#')
return;		return;
while (true) {		while (true) {
// This may skip more than one byte, thus Column is only incremented		// This may skip more than one byte, thus Column is only incremented
// for code points.		// for code points.
StringRef::iterator I = skip_nb_char(Current);		StringRef::iterator I = skip_nb_char(Current);
if (I == Current)		if (I == Current)
break;		break;
Current = I;		Current = I;
++Column;		++Column;
}		}
}		}

void Scanner::scanToNextToken() {		void Scanner::scanToNextToken() {
while (true) {		while (true) {
while (Current == ' ' \|\| Current == '\t') {		while (Current != End && (Current == ' ' \|\| Current == '\t')) {
skip(1);		skip(1);
}		}

skipComment();		skipComment();

// Skip EOL.		// Skip EOL.
StringRef::iterator i = skip_b_break(Current);		StringRef::iterator i = skip_b_break(Current);
if (i == Current)		if (i == Current)
▲ Show 20 Lines • Show All 218 Lines • ▼ Show 20 Lines	do {
++Current;		++Current;
// Repeat until the previous character was not a '\' or was an escaped		// Repeat until the previous character was not a '\' or was an escaped
// backslash.		// backslash.
} while ( Current != End		} while ( Current != End
&& *(Current - 1) == '\\'		&& *(Current - 1) == '\\'
&& wasEscaped(Start + 1, Current));		&& wasEscaped(Start + 1, Current));
} else {		} else {
skip(1);		skip(1);
while (true) {		while (Current != End) {
// Skip a ' followed by another '.		// Skip a ' followed by another '.
if (Current + 1 < End && Current == '\'' && (Current + 1) == '\'') {		if (Current + 1 < End && Current == '\'' && (Current + 1) == '\'') {
skip(2);		skip(2);
continue;		continue;
} else if (*Current == '\'')		} else if (*Current == '\'')
break;		break;
StringRef::iterator i = skip_nb_char(Current);		StringRef::iterator i = skip_nb_char(Current);
if (i == Current) {		if (i == Current) {
Show All 31 Lines
}		}

bool Scanner::scanPlainScalar() {		bool Scanner::scanPlainScalar() {
StringRef::iterator Start = Current;		StringRef::iterator Start = Current;
unsigned ColStart = Column;		unsigned ColStart = Column;
unsigned LeadingBlanks = 0;		unsigned LeadingBlanks = 0;
assert(Indent >= -1 && "Indent must be >= -1 !");		assert(Indent >= -1 && "Indent must be >= -1 !");
unsigned indent = static_cast<unsigned>(Indent + 1);		unsigned indent = static_cast<unsigned>(Indent + 1);
while (true) {		while (Current != End) {
if (*Current == '#')		if (*Current == '#')
break;		break;

while (!isBlankOrBreak(Current)) {		while (Current != End && !isBlankOrBreak(Current)) {
if ( FlowLevel && *Current == ':'		if (FlowLevel && *Current == ':' &&
&& !(isBlankOrBreak(Current + 1) \|\| *(Current + 1) == ',')) {		(Current + 1 == End \|\|
		!(isBlankOrBreak(Current + 1) \|\| *(Current + 1) == ','))) {
setError("Found unexpected ':' while scanning a plain scalar", Current);		setError("Found unexpected ':' while scanning a plain scalar", Current);
return false;		return false;
}		}

// Check for the end of the plain scalar.		// Check for the end of the plain scalar.
if ( (*Current == ':' && isBlankOrBreak(Current + 1))		if ( (*Current == ':' && isBlankOrBreak(Current + 1))
\|\| ( FlowLevel		\|\| ( FlowLevel
&& (StringRef(Current, 1).find_first_of(",:?[]{}")		&& (StringRef(Current, 1).find_first_of(",:?[]{}")
▲ Show 20 Lines • Show All 51 Lines • ▼ Show 20 Lines	bool Scanner::scanPlainScalar() {

IsSimpleKeyAllowed = false;		IsSimpleKeyAllowed = false;

return true;		return true;
}		}

bool Scanner::scanAliasOrAnchor(bool IsAlias) {		bool Scanner::scanAliasOrAnchor(bool IsAlias) {
StringRef::iterator Start = Current;		StringRef::iterator Start = Current;
unsigned ColStart = Column;		unsigned ColStart = Column;
skip(1);		skip(1);
		dexonsmithUnsubmitted Done Reply Inline Actions I don't have an opinion on the best order of these two lines, but if you want to flip them please do so in a separate NFC commit (and revert the change from this patch to make it as clean as possible). dexonsmith: I don't have an opinion on the best order of these two lines, but if you want to flip them…
		scott.linderAuthorUnsubmitted Done Reply Inline Actions My mistake, I didn't look over the diff closely enough before posting. Fixed! scott.linder: My mistake, I didn't look over the diff closely enough before posting. Fixed!
while(true) {		while (Current != End) {
		dexonsmithUnsubmitted Done Reply Inline Actions Please run `git-clang-format` or similar to fix the spacing on the lines touched. dexonsmith: Please run `git-clang-format` or similar to fix the spacing on the lines touched.
if ( Current == '[' \|\| Current == ']'		if ( Current == '[' \|\| Current == ']'
\|\| Current == '{' \|\| Current == '}'		\|\| Current == '{' \|\| Current == '}'
\|\| *Current == ','		\|\| *Current == ','
\|\| *Current == ':')		\|\| *Current == ':')
break;		break;
StringRef::iterator i = skip_ns_char(Current);		StringRef::iterator i = skip_ns_char(Current);
if (i == Current)		if (i == Current)
break;		break;
Current = i;		Current = i;
++Column;		++Column;
}		}

if (Start + 1 == Current) {		if (Start + 1 == Current) {
		dexonsmithUnsubmitted Done Reply Inline Actions This looks like a fix for a logic bug, not directly related to null-termination; can it be committed separately ahead of time? Please also add a test that covers it. dexonsmith: This looks like a fix for a logic bug, not directly related to null-termination; can it be…
setError("Got empty alias or anchor", Start);		setError("Got empty alias or anchor", Start);
return false;		return false;
}		}

Token T;		Token T;
T.Kind = IsAlias ? Token::TK_Alias : Token::TK_Anchor;		T.Kind = IsAlias ? Token::TK_Alias : Token::TK_Anchor;
T.Range = StringRef(Start, Current - Start);		T.Range = StringRef(Start, Current - Start);
TokenQueue.push_back(T);		TokenQueue.push_back(T);
▲ Show 20 Lines • Show All 1,029 Lines • Show Last 20 Lines

llvm/tools/llvm-yaml-parser-fuzzer/yaml-parser-fuzzer.cpp

	//===-- yaml-parser-fuzzer.cpp - Fuzzer for YAML parser -------------------===//			//===-- yaml-parser-fuzzer.cpp - Fuzzer for YAML parser -------------------===//
	//			//
	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.			// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
	// See https://llvm.org/LICENSE.txt for license information.			// See https://llvm.org/LICENSE.txt for license information.
	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception			// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
	//			//
	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//

	#include "llvm/ADT/StringRef.h"			#include "llvm/ADT/StringRef.h"
	#include "llvm/Support/YAMLParser.h"			#include "llvm/Support/YAMLParser.h"

				dexonsmithUnsubmitted Not Done Reply Inline Actions It may be nice to have a `using namespace llvm;` here and remove the `llvm::`s below. Up to you. dexonsmith: It may be nice to have a `using namespace llvm;` here and remove the `llvm::`s below. Up to you.
	using namespace llvm;			using namespace llvm;
				dexonsmithUnsubmitted Not Done Reply Inline Actions This could probably be `isValidYaml` to silence the `clang-tidy` warning. `LLVM_FuzzerTestOneInput` has to be how it us, but we could still modify this. dexonsmith: This could probably be `isValidYaml` to silence the `clang-tidy` warning.

	static bool isValidYaml(const uint8_t *Data, size_t Size) {			static bool isValidYaml(const uint8_t *Data, size_t Size) {
	SourceMgr SM;			SourceMgr SM;
	yaml::Stream Stream(StringRef(reinterpret_cast<const char *>(Data), Size),			yaml::Stream Stream(StringRef(reinterpret_cast<const char *>(Data), Size),
	SM);			SM);
	return Stream.validate();			return Stream.validate();
	}			}

	extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {			extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
	std::vector<uint8_t> Input(Data, Data + Size);			std::vector<uint8_t> Input(Data, Data + Size);

				// Ensure we don't crash on any arbitrary byte string.
				isValidYaml(Input.data(), Input.size());

				// Ensure we don't crash on byte strings with no null characters.
				Input.erase(std::remove(Input.begin(), Input.end(), 0), Input.end());
				Input.shrink_to_fit();
				bool IsValidWithout0s = isValidYaml(Input.data(), Input.size());

	// Ensure we don't crash on byte strings where the only null character is			// Ensure we don't crash on byte strings where the only null character is
	// one-past-the-end of the actual input to the parser.			// one-past-the-end of the actual input to the parser.
	Input.erase(std::remove(Input.begin(), Input.end(), 0), Input.end());
	Input.push_back(0);			Input.push_back(0);
	Input.shrink_to_fit();			Input.shrink_to_fit();
	isValidYaml(Input.data(), Input.size() - 1);			bool IsValidWhen0Terminated = isValidYaml(Input.data(), Input.size() - 1);

				// Ensure we don't crash on byte strings with no null characters, but with
				// an invalid character one-past-the-end of the actual input to the parser.
				Input.back() = 1;
				bool IsValidWhen1Terminated = isValidYaml(Input.data(), Input.size() - 1);

				// The parser should either accept all of these inputs, or reject all of
				// them, because the parser sees an identical byte string in each case. This
				// should hopefully catch some cases where the parser is sensitive to what is
				// present one-past-the-end of the actual input.
				if (IsValidWithout0s != IsValidWhen0Terminated \|\|
				IsValidWhen0Terminated != IsValidWhen1Terminated)
				LLVM_BUILTIN_TRAP;

				dexonsmithUnsubmitted Done Reply Inline Actions I wonder if it would also be useful to have logic like this: auto testYaml = [](const uint8_t Data, size_t Size) { // return true if it parses. }; // Test that there's no crash when parsing the raw data. testYaml(Data, Size); // Test with 0s filtered out. std::string Input(reinterpret_cast<const char >(Data), Size); Input.erase(std::remove(Input.begin(), Input.end(), 0), Input.end()); Size = Input.size(); bool TerminatedBy0 = testYaml(Input.data(), Size); // Test that an invalid character after the input has no effect. Input.push_back(1); if (testYaml(Input.data(), Size) != TerminatedBy0) __builtin_trap(...); return 0; dexonsmith: I wonder if it would also be useful to have logic like this: ``` auto testYaml = [](const…
	return 0;			return 0;
	}			}

llvm/unittests/Support/YAMLIOTest.cpp

Show First 20 Lines • Show All 3,105 Lines • ▼ Show 20 Lines	TEST(YAMLIO, TestEmptyAlias) {
Input yin("&");		Input yin("&");
EXPECT_FALSE(yin.setCurrentDocument());		EXPECT_FALSE(yin.setCurrentDocument());
EXPECT_TRUE(yin.error());		EXPECT_TRUE(yin.error());
}		}

TEST(YAMLIO, TestEmptyAnchor) {		TEST(YAMLIO, TestEmptyAnchor) {
Input yin("*");		Input yin("*");
EXPECT_FALSE(yin.setCurrentDocument());		EXPECT_FALSE(yin.setCurrentDocument());
		}

		TEST(YAMLIO, TestScannerNoNullEmpty) {
		std::vector<char> str{};
		Input yin(llvm::StringRef(str.data(), str.size()));
		yin.setCurrentDocument();
		EXPECT_FALSE(yin.error());
		}

		TEST(YAMLIO, TestScannerNoNullSequenceOfNull) {
		std::vector<char> str{'-'};
		Input yin(llvm::StringRef(str.data(), str.size()));
		yin.setCurrentDocument();
		EXPECT_FALSE(yin.error());
		}

		TEST(YAMLIO, TestScannerNoNullSimpleSequence) {
		std::vector<char> str{'-', ' ', 'a'};
		Input yin(llvm::StringRef(str.data(), str.size()));
		yin.setCurrentDocument();
		EXPECT_FALSE(yin.error());
		}

		TEST(YAMLIO, TestScannerNoNullUnbalancedMap) {
		std::vector<char> str{'{'};
		Input yin(llvm::StringRef(str.data(), str.size()));
		yin.setCurrentDocument();
		EXPECT_TRUE(yin.error());
		}

		TEST(YAMLIO, TestScannerNoNullEmptyMap) {
		std::vector<char> str{'{', '}'};
		Input yin(llvm::StringRef(str.data(), str.size()));
		yin.setCurrentDocument();
		EXPECT_FALSE(yin.error());
		}

		TEST(YAMLIO, TestScannerNoNullUnbalancedSequence) {
		std::vector<char> str{'['};
		Input yin(llvm::StringRef(str.data(), str.size()));
		yin.setCurrentDocument();
		EXPECT_TRUE(yin.error());
		}

		TEST(YAMLIO, TestScannerNoNullEmptySequence) {
		std::vector<char> str{'[', ']'};
		Input yin(llvm::StringRef(str.data(), str.size()));
		yin.setCurrentDocument();
		EXPECT_FALSE(yin.error());
		}

		TEST(YAMLIO, TestScannerNoNullScalarUnbalancedDoubleQuote) {
		std::vector<char> str{'"'};
		Input yin(llvm::StringRef(str.data(), str.size()));
		yin.setCurrentDocument();
		EXPECT_TRUE(yin.error());
		}

		TEST(YAMLIO, TestScannerNoNullScalarUnbalancedSingleQuote) {
		std::vector<char> str{'\''};
		Input yin(llvm::StringRef(str.data(), str.size()));
		yin.setCurrentDocument();
		EXPECT_TRUE(yin.error());
		}

		TEST(YAMLIO, TestScannerNoNullEmptyAlias) {
		std::vector<char> str{'&'};
		Input yin(llvm::StringRef(str.data(), str.size()));
		yin.setCurrentDocument();
		EXPECT_TRUE(yin.error());
		}

		TEST(YAMLIO, TestScannerNoNullEmptyAnchor) {
		std::vector<char> str{'*'};
		Input yin(llvm::StringRef(str.data(), str.size()));
		yin.setCurrentDocument();
		EXPECT_TRUE(yin.error());
		}

		TEST(YAMLIO, TestScannerNoNullDecodeInvalidUTF8) {
		std::vector<char> str{'\xef'};
		Input yin(llvm::StringRef(str.data(), str.size()));
		yin.setCurrentDocument();
		EXPECT_TRUE(yin.error());
		}

		TEST(YAMLIO, TestScannerNoNullScanPlainScalarInFlow) {
		std::vector<char> str{'{', 'a', ':'};
		Input yin(llvm::StringRef(str.data(), str.size()));
		yin.setCurrentDocument();
EXPECT_TRUE(yin.error());		EXPECT_TRUE(yin.error());
}		}

This is an archive of the discontinued LLVM Phabricator instance.

[YAMLIO] Support non-null-terminated inputsClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 306237

llvm/lib/Support/YAMLParser.cpp

llvm/tools/llvm-yaml-parser-fuzzer/yaml-parser-fuzzer.cpp

llvm/unittests/Support/YAMLIOTest.cpp

[YAMLIO] Support non-null-terminated inputs
ClosedPublic