This is an archive of the discontinued LLVM Phabricator instance.

Differential D90303

[ASTMatchers] Made isExpandedFromMacro Polymorphic
ClosedPublic

Authored by njames93 on Oct 28 2020, 6:05 AM.

Details

Reviewers
klimek
aaron.ballman
Commits
rGb091af790f19: [ASTMatchers] Made isExpandedFromMacro Polymorphic
Summary

Made the isExpandedFromMacro matcher work on Stmt's, TypeLocs and Decls in line with the other macro expansion matchers.
Also tweaked it to take a std::string instead of a StringRef.
This prevents potential use-after-free bugs if the matcher is created with a string thats destroyed before the matcher finishes matching.

Diff Detail

Unit TestsFailed

TimeTest
370 mslinux > HWAddressSanitizer-x86_64.TestCases::sizes.cpp

Event Timeline

njames93 created this revision.Oct 28 2020, 6:05 AM
Herald added a project: Restricted Project. · View Herald TranscriptOct 28 2020, 6:05 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
njames93 requested review of this revision.Oct 28 2020, 6:05 AM
Harbormaster completed remote builds in B76714: Diff 301258.Oct 28 2020, 6:37 AM
aaron.ballman added inline comments.Nov 2 2020, 6:25 AM
clang/include/clang/ASTMatchers/ASTMatchers.h
313

You mentioned that the change from StringRef to std::string was to avoid lifetime issues while matching, but I'm wondering if you can expound on that situation a bit more. I would have assumed that any memoization that involves StringRef would be responsible for the lifetime issues rather than the matchers themselves, but maybe I'm thinking about a different way you can hit lifetime issues than you are.

clang/unittests/ASTMatchers/ASTMatchersNarrowingTest.cpp
150

Can you also add a test for type-based matching?

njames93 added inline comments.Nov 2 2020, 6:20 PM
clang/include/clang/ASTMatchers/ASTMatchers.h
313

Take this as contrived, however using ASAN reports a heap-use-after-free for this code when isExpandedFromMacro takes a StringRef but works fine when using std::string.

TEST(IsExpandedFromMacro, IsExpandedFromMacro_MatchesDecls) {
  auto Matcher = isExpandedFromMacro(std::string("MY_MACRO_OVERFLOW_SMALL_STRING_SIZE"));// <-Temporary string created and destroyed here.
  StringRef input = R"cc(
#define MY_MACRO_OVERFLOW_SMALL_STRING_SIZE(a) int i = a;
    void Test() { MY_MACRO_OVERFLOW_SMALL_STRING_SIZE(4); }
  )cc";
  EXPECT_TRUE(matches(input, varDecl(Matcher))); // <- heap-use-after-free detected down the callstack from here.
}

Obviously this is very contrived to ensure asan detects the use-after-free and to ensure the temporary string is destroyed before the matcher. For these tests it doesn't look like a problem, but in other instances these matchers will outlive a string being passed to them

void addVarFromMacro(ASTMatchFinder* Finder, std::string MacroName) {
  Finder->addMatcher(varDecl(isExpandedFromMacro(MacroName)), this);
}
aaron.ballman accepted this revision.Nov 3 2020, 4:48 AM

LGTM aside from testing request.

clang/include/clang/ASTMatchers/ASTMatchers.h
313

Oh, how interesting! I can see now where the lifetime issues come in to play, thanks!

This revision is now accepted and ready to land.Nov 3 2020, 4:48 AM
This revision was landed with ongoing or failed builds.Nov 3 2020, 6:37 AM
Closed by commit rGb091af790f19: [ASTMatchers] Made isExpandedFromMacro Polymorphic (authored by njames93). · Explain Why
This revision was automatically updated to reflect the committed changes.
njames93 added a commit: rGb091af790f19: [ASTMatchers] Made isExpandedFromMacro Polymorphic.

Revision Contents

PathSize
clang/
docs/
23 lines
include/
clang/
ASTMatchers/
7 lines
lib/
ASTMatchers/
4 lines
unittests/
ASTMatchers/
8 lines

Diff 301258

clang/docs/LibASTMatchersReference.html

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 3,036 Lines▼ Show 20 Lines
Given Given
__attribute__((device)) void f() { ... } __attribute__((device)) void f() { ... }
decl(hasAttr(clang::attr::CUDADevice)) matches the function declaration of decl(hasAttr(clang::attr::CUDADevice)) matches the function declaration of
f. If the matcher is used from clang-query, attr::Kind parameter should be f. If the matcher is used from clang-query, attr::Kind parameter should be
passed as a quoted string. e.g., hasAttr("attr::CUDADevice"). passed as a quoted string. e.g., hasAttr("attr::CUDADevice").
</pre></td></tr> </pre></td></tr>
<tr><td>Matcher&lt;<a href="https://clang.llvm.org/doxygen/classclang_1_1Decl.html">Decl</a>&gt;</td><td class="name" onclick="toggle('isExpandedFromMacro0')"><a name="isExpandedFromMacro0Anchor">isExpandedFromMacro</a></td><td>std::string MacroName</td></tr>
<tr><td colspan="4" class="doc" id="isExpandedFromMacro0"><pre>Matches statements that are (transitively) expanded from the named macro.
Does not match if only part of the statement is expanded from that macro or
if different parts of the the statement are expanded from different
appearances of the macro.
</pre></td></tr>
<tr><td>Matcher&lt;<a href="https://clang.llvm.org/doxygen/classclang_1_1Decl.html">Decl</a>&gt;</td><td class="name" onclick="toggle('isExpansionInFileMatching0')"><a name="isExpansionInFileMatching0Anchor">isExpansionInFileMatching</a></td><td>StringRef RegExp, Regex::RegexFlags Flags = NoFlags</td></tr> <tr><td>Matcher&lt;<a href="https://clang.llvm.org/doxygen/classclang_1_1Decl.html">Decl</a>&gt;</td><td class="name" onclick="toggle('isExpansionInFileMatching0')"><a name="isExpansionInFileMatching0Anchor">isExpansionInFileMatching</a></td><td>StringRef RegExp, Regex::RegexFlags Flags = NoFlags</td></tr>
<tr><td colspan="4" class="doc" id="isExpansionInFileMatching0"><pre>Matches AST nodes that were expanded within files whose name is <tr><td colspan="4" class="doc" id="isExpansionInFileMatching0"><pre>Matches AST nodes that were expanded within files whose name is
partially matching a given regex. partially matching a given regex.
Example matches Y but not X Example matches Y but not X
(matcher = cxxRecordDecl(isExpansionInFileMatching("AST.*")) (matcher = cxxRecordDecl(isExpansionInFileMatching("AST.*"))
#include "ASTMatcher.h" #include "ASTMatcher.h"
class X {}; class X {};
▲ Show 20 LinesShow All 1,235 Lines▼ Show 20 Lines
<tr><td>Matcher&lt;<a href="https://clang.llvm.org/doxygen/classclang_1_1Stmt.html">Stmt</a>&gt;</td><td class="name" onclick="toggle('equalsNode1')"><a name="equalsNode1Anchor">equalsNode</a></td><td>const Stmt* Other</td></tr> <tr><td>Matcher&lt;<a href="https://clang.llvm.org/doxygen/classclang_1_1Stmt.html">Stmt</a>&gt;</td><td class="name" onclick="toggle('equalsNode1')"><a name="equalsNode1Anchor">equalsNode</a></td><td>const Stmt* Other</td></tr>
<tr><td colspan="4" class="doc" id="equalsNode1"><pre>Matches if a node equals another node. <tr><td colspan="4" class="doc" id="equalsNode1"><pre>Matches if a node equals another node.
Stmt has pointer identity in the AST. Stmt has pointer identity in the AST.
</pre></td></tr> </pre></td></tr>
<tr><td>Matcher&lt;<a href="https://clang.llvm.org/doxygen/classclang_1_1Stmt.html">Stmt</a>&gt;</td><td class="name" onclick="toggle('isExpandedFromMacro0')"><a name="isExpandedFromMacro0Anchor">isExpandedFromMacro</a></td><td>llvm::StringRef MacroName</td></tr> <tr><td>Matcher&lt;<a href="https://clang.llvm.org/doxygen/classclang_1_1Stmt.html">Stmt</a>&gt;</td><td class="name" onclick="toggle('isExpandedFromMacro1')"><a name="isExpandedFromMacro1Anchor">isExpandedFromMacro</a></td><td>std::string MacroName</td></tr>
<tr><td colspan="4" class="doc" id="isExpandedFromMacro0"><pre>Matches statements that are (transitively) expanded from the named macro. <tr><td colspan="4" class="doc" id="isExpandedFromMacro1"><pre>Matches statements that are (transitively) expanded from the named macro.
Does not match if only part of the statement is expanded from that macro or Does not match if only part of the statement is expanded from that macro or
if different parts of the the statement are expanded from different if different parts of the the statement are expanded from different
appearances of the macro. appearances of the macro.
FIXME: Change to be a polymorphic matcher that works on any syntactic
node. There's nothing `Stmt`-specific about it.
</pre></td></tr> </pre></td></tr>
<tr><td>Matcher&lt;<a href="https://clang.llvm.org/doxygen/classclang_1_1Stmt.html">Stmt</a>&gt;</td><td class="name" onclick="toggle('isExpansionInFileMatching1')"><a name="isExpansionInFileMatching1Anchor">isExpansionInFileMatching</a></td><td>StringRef RegExp, Regex::RegexFlags Flags = NoFlags</td></tr> <tr><td>Matcher&lt;<a href="https://clang.llvm.org/doxygen/classclang_1_1Stmt.html">Stmt</a>&gt;</td><td class="name" onclick="toggle('isExpansionInFileMatching1')"><a name="isExpansionInFileMatching1Anchor">isExpansionInFileMatching</a></td><td>StringRef RegExp, Regex::RegexFlags Flags = NoFlags</td></tr>
<tr><td colspan="4" class="doc" id="isExpansionInFileMatching1"><pre>Matches AST nodes that were expanded within files whose name is <tr><td colspan="4" class="doc" id="isExpansionInFileMatching1"><pre>Matches AST nodes that were expanded within files whose name is
partially matching a given regex. partially matching a given regex.
Example matches Y but not X Example matches Y but not X
▲ Show 20 LinesShow All 173 Lines▼ Show 20 Lines
Given Given
template&lt;typename T&gt; struct C {}; template&lt;typename T&gt; struct C {};
C&lt;int&gt; c; C&lt;int&gt; c;
classTemplateSpecializationDecl(templateArgumentCountIs(1)) classTemplateSpecializationDecl(templateArgumentCountIs(1))
matches C&lt;int&gt;. matches C&lt;int&gt;.
</pre></td></tr> </pre></td></tr>
<tr><td>Matcher&lt;<a href="https://clang.llvm.org/doxygen/classclang_1_1TypeLoc.html">TypeLoc</a>&gt;</td><td class="name" onclick="toggle('isExpandedFromMacro2')"><a name="isExpandedFromMacro2Anchor">isExpandedFromMacro</a></td><td>std::string MacroName</td></tr>
<tr><td colspan="4" class="doc" id="isExpandedFromMacro2"><pre>Matches statements that are (transitively) expanded from the named macro.
Does not match if only part of the statement is expanded from that macro or
if different parts of the the statement are expanded from different
appearances of the macro.
</pre></td></tr>
<tr><td>Matcher&lt;<a href="https://clang.llvm.org/doxygen/classclang_1_1TypeLoc.html">TypeLoc</a>&gt;</td><td class="name" onclick="toggle('isExpansionInFileMatching2')"><a name="isExpansionInFileMatching2Anchor">isExpansionInFileMatching</a></td><td>StringRef RegExp, Regex::RegexFlags Flags = NoFlags</td></tr> <tr><td>Matcher&lt;<a href="https://clang.llvm.org/doxygen/classclang_1_1TypeLoc.html">TypeLoc</a>&gt;</td><td class="name" onclick="toggle('isExpansionInFileMatching2')"><a name="isExpansionInFileMatching2Anchor">isExpansionInFileMatching</a></td><td>StringRef RegExp, Regex::RegexFlags Flags = NoFlags</td></tr>
<tr><td colspan="4" class="doc" id="isExpansionInFileMatching2"><pre>Matches AST nodes that were expanded within files whose name is <tr><td colspan="4" class="doc" id="isExpansionInFileMatching2"><pre>Matches AST nodes that were expanded within files whose name is
partially matching a given regex. partially matching a given regex.
Example matches Y but not X Example matches Y but not X
(matcher = cxxRecordDecl(isExpansionInFileMatching("AST.*")) (matcher = cxxRecordDecl(isExpansionInFileMatching("AST.*"))
#include "ASTMatcher.h" #include "ASTMatcher.h"
class X {}; class X {};
▲ Show 20 LinesShow All 3,526 LinesShow Last 20 Lines

clang/include/clang/ASTMatchers/ASTMatchers.h

Show First 20 LinesShow All 302 Lines▼ Show 20 LinesAST_POLYMORPHIC_MATCHER_REGEX(isExpansionInFileMatching,
auto Filename = FileEntry->getName(); auto Filename = FileEntry->getName();
return RegExp->match(Filename); return RegExp->match(Filename);
} }
/// Matches statements that are (transitively) expanded from the named macro. /// Matches statements that are (transitively) expanded from the named macro.
/// Does not match if only part of the statement is expanded from that macro or /// Does not match if only part of the statement is expanded from that macro or
/// if different parts of the the statement are expanded from different /// if different parts of the the statement are expanded from different
/// appearances of the macro. /// appearances of the macro.
/// AST_POLYMORPHIC_MATCHER_P(isExpandedFromMacro,
/// FIXME: Change to be a polymorphic matcher that works on any syntactic AST_POLYMORPHIC_SUPPORTED_TYPES(Decl, Stmt, TypeLoc),
/// node. There's nothing `Stmt`-specific about it. std::string, MacroName) {
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

You mentioned that the change from StringRef to std::string was to avoid lifetime issues while matching, but I'm wondering if you can expound on that situation a bit more. I would have assumed that any memoization that involves StringRef would be responsible for the lifetime issues rather than the matchers themselves, but maybe I'm thinking about a different way you can hit lifetime issues than you are.

aaron.ballman: You mentioned that the change from `StringRef` to `std::string` was to avoid lifetime issues…
njames93AuthorUnsubmitted
Done
ReplyInline Actions

Take this as contrived, however using ASAN reports a heap-use-after-free for this code when isExpandedFromMacro takes a StringRef but works fine when using std::string.

TEST(IsExpandedFromMacro, IsExpandedFromMacro_MatchesDecls) {
  auto Matcher = isExpandedFromMacro(std::string("MY_MACRO_OVERFLOW_SMALL_STRING_SIZE"));// <-Temporary string created and destroyed here.
  StringRef input = R"cc(
#define MY_MACRO_OVERFLOW_SMALL_STRING_SIZE(a) int i = a;
    void Test() { MY_MACRO_OVERFLOW_SMALL_STRING_SIZE(4); }
  )cc";
  EXPECT_TRUE(matches(input, varDecl(Matcher))); // <- heap-use-after-free detected down the callstack from here.
}

Obviously this is very contrived to ensure asan detects the use-after-free and to ensure the temporary string is destroyed before the matcher. For these tests it doesn't look like a problem, but in other instances these matchers will outlive a string being passed to them

void addVarFromMacro(ASTMatchFinder* Finder, std::string MacroName) {
  Finder->addMatcher(varDecl(isExpandedFromMacro(MacroName)), this);
}
njames93: Take this as contrived, however using ASAN reports a heap-use-after-free for this code when…
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Oh, how interesting! I can see now where the lifetime issues come in to play, thanks!

aaron.ballman: Oh, how interesting! I can see now where the lifetime issues come in to play, thanks!
AST_MATCHER_P(Stmt, isExpandedFromMacro, llvm::StringRef, MacroName) {
// Verifies that the statement' beginning and ending are both expanded from // Verifies that the statement' beginning and ending are both expanded from
// the same instance of the given macro. // the same instance of the given macro.
auto& Context = Finder->getASTContext(); auto& Context = Finder->getASTContext();
llvm::Optional<SourceLocation> B = llvm::Optional<SourceLocation> B =
internal::getExpansionLocOfMacro(MacroName, Node.getBeginLoc(), Context); internal::getExpansionLocOfMacro(MacroName, Node.getBeginLoc(), Context);
if (!B) return false; if (!B) return false;
llvm::Optional<SourceLocation> E = llvm::Optional<SourceLocation> E =
internal::getExpansionLocOfMacro(MacroName, Node.getEndLoc(), Context); internal::getExpansionLocOfMacro(MacroName, Node.getEndLoc(), Context);
▲ Show 20 LinesShow All 7,146 LinesShow Last 20 Lines

clang/lib/ASTMatchers/GtestMatchers.cpp

Show First 20 LinesShow All 83 Lines▼ Show 20 Lines
// macro. The more uncommon the identified elements, the more efficient this // macro. The more uncommon the identified elements, the more efficient this
// process will be. // process will be.
// //
// We use this approach to implement the derived matchers gtestAssert and // We use this approach to implement the derived matchers gtestAssert and
// gtestExpect. // gtestExpect.
internal::BindableMatcher<Stmt> gtestAssert(GtestCmp Cmp, StatementMatcher Left, internal::BindableMatcher<Stmt> gtestAssert(GtestCmp Cmp, StatementMatcher Left,
StatementMatcher Right) { StatementMatcher Right) {
return callExpr(callee(getComparisonDecl(Cmp)), return callExpr(callee(getComparisonDecl(Cmp)),
isExpandedFromMacro(getAssertMacro(Cmp)), isExpandedFromMacro(getAssertMacro(Cmp).str()),
hasArgument(2, Left), hasArgument(3, Right)); hasArgument(2, Left), hasArgument(3, Right));
} }
internal::BindableMatcher<Stmt> gtestExpect(GtestCmp Cmp, StatementMatcher Left, internal::BindableMatcher<Stmt> gtestExpect(GtestCmp Cmp, StatementMatcher Left,
StatementMatcher Right) { StatementMatcher Right) {
return callExpr(callee(getComparisonDecl(Cmp)), return callExpr(callee(getComparisonDecl(Cmp)),
isExpandedFromMacro(getExpectMacro(Cmp)), isExpandedFromMacro(getExpectMacro(Cmp).str()),
hasArgument(2, Left), hasArgument(3, Right)); hasArgument(2, Left), hasArgument(3, Right));
} }
} // end namespace ast_matchers } // end namespace ast_matchers
} // end namespace clang } // end namespace clang

clang/unittests/ASTMatchers/ASTMatchersNarrowingTest.cpp

Show First 20 LinesShow All 136 Lines▼ Show 20 Lines
TEST_P(ASTMatchersTest, IsExpandedFromMacro_NotMatchesDifferentInstances) { TEST_P(ASTMatchersTest, IsExpandedFromMacro_NotMatchesDifferentInstances) {
StringRef input = R"cc( StringRef input = R"cc(
#define FOUR 4 #define FOUR 4
void Test() { FOUR + FOUR; } void Test() { FOUR + FOUR; }
)cc"; )cc";
EXPECT_TRUE(notMatches(input, binaryOperator(isExpandedFromMacro("FOUR")))); EXPECT_TRUE(notMatches(input, binaryOperator(isExpandedFromMacro("FOUR"))));
} }
TEST(IsExpandedFromMacro, IsExpandedFromMacro_MatchesDecls) {
StringRef input = R"cc(
#define MY_MACRO(a) int i = a;
void Test() { MY_MACRO(4); }
)cc";
EXPECT_TRUE(matches(input, varDecl(isExpandedFromMacro("MY_MACRO"))));
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Can you also add a test for type-based matching?

aaron.ballman: Can you also add a test for type-based matching?
}
TEST_P(ASTMatchersTest, AllOf) { TEST_P(ASTMatchersTest, AllOf) {
const char Program[] = "struct T { };" const char Program[] = "struct T { };"
"int f(int, struct T*, int, int);" "int f(int, struct T*, int, int);"
"void g(int x) { struct T t; f(x, &t, 3, 4); }"; "void g(int x) { struct T t; f(x, &t, 3, 4); }";
EXPECT_TRUE(matches( EXPECT_TRUE(matches(
Program, callExpr(allOf(callee(functionDecl(hasName("f"))), Program, callExpr(allOf(callee(functionDecl(hasName("f"))),
hasArgument(0, declRefExpr(to(varDecl()))))))); hasArgument(0, declRefExpr(to(varDecl())))))));
EXPECT_TRUE(matches( EXPECT_TRUE(matches(
▲ Show 20 LinesShow All 3,727 LinesShow Last 20 Lines