This is an archive of the discontinued LLVM Phabricator instance.

Differential D99393

[OCaml] Fix a possible crash in llvm_struct_name
ClosedPublic

Authored by jberdine on Mar 25 2021, 5:04 PM.

Details

Reviewers
vaivaswatha
whitequark
Commits
rG6f77926f464b: [OCaml] Fix a possible crash in llvm_struct_name
Summary

The implementation of llvm_struct_name before this diff calls
caml_copy_string, which allocates, while the result local variable
points to a block allocated by caml_alloc_small that has not yet
been initialized. If the allocation in caml_copy_string triggers a
garbage collection, then the GC root result contains a pointer to
uninitialized data, which may crash the GC or lead to a memory
corruption.

This diff fixes this by allocating and initializing the string first
and then allocating and initializing the option, thereby leaving no
dangling pointers when allocations are made.

The conversion from a C string to an OCaml string option is refactored
into a function, cstr_to_string_option. This function is also used
to simplify the definitions of llvm_get_mdstring and
llvm_string_of_const.

Diff Detail

Event Timeline

jberdine created this revision.Mar 25 2021, 5:04 PM
Herald added a reviewer: whitequark. · View Herald TranscriptMar 25 2021, 5:04 PM
jberdine requested review of this revision.Mar 25 2021, 5:04 PM
Herald added a project: Restricted Project. · View Herald TranscriptMar 25 2021, 5:04 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B95814: Diff 333468.Mar 25 2021, 5:13 PM
vaivaswatha added inline comments.Mar 25 2021, 8:06 PM
llvm/bindings/ocaml/llvm/llvm_ocaml.c
888–890

Given that the order of argument evaluation is unspecified in C, if the second argument Len to cstr_to_string_option is evaluated first (at which point it is uninitialized), then an incorrect value gets passed.

1046–1047

Same as the previous change.

1046–1047

Would it be a good idea to define a macro #define OCAML_OPTION_NONE Val_Int(0) to use in such places? I'm not saying we should do it in this patch (if you think it's a good idea to do it at all), but may be in a later one that changes it at all places uniformly.

jberdine updated this revision to Diff 333517.Mar 26 2021, 3:02 AM

fix bug spotted in CR, formatting

llvm/bindings/ocaml/llvm/llvm_ocaml.c
888–890

Gah, yes, of course, thanks!

1046–1047

It might help, but I am also slightly concerned that Val_int(0) is the representation of many other OCaml values too, like []. So it would be a leaky abstraction. It seems that choosing to name the macro after None is arbitrary, and potentially confusing.

Harbormaster completed remote builds in B95851: Diff 333517.Mar 26 2021, 3:03 AM
jberdine marked 2 inline comments as done.Mar 26 2021, 3:04 AM
vaivaswatha accepted this revision.Mar 26 2021, 3:15 AM
This revision is now accepted and ready to land.Mar 26 2021, 3:15 AM
This revision was landed with ongoing or failed builds.Mar 26 2021, 5:02 AM
Closed by commit rG6f77926f464b: [OCaml] Fix a possible crash in llvm_struct_name (authored by jberdine). · Explain Why
This revision was automatically updated to reflect the committed changes.
jberdine added a commit: rG6f77926f464b: [OCaml] Fix a possible crash in llvm_struct_name.

Revision Contents

PathSize
llvm/
bindings/
ocaml/
llvm/
66 lines

Diff 333517

llvm/bindings/ocaml/llvm/llvm_ocaml.c

Show First 20 LinesShow All 50 Lines▼ Show 20 Lines if (Str) {
String = caml_alloc_string(Len); String = caml_alloc_string(Len);
memcpy((char *)String_val(String), Str, Len); memcpy((char *)String_val(String), Str, Len);
} else { } else {
String = caml_alloc_string(0); String = caml_alloc_string(0);
} }
CAMLreturn(String); CAMLreturn(String);
} }
CAMLprim value cstr_to_string_option(const char *CStr, mlsize_t Len) {
CAMLparam0();
CAMLlocal2(Option, String);
if (!CStr)
CAMLreturn(Val_int(0));
String = caml_alloc_string(Len);
memcpy((char *)String_val(String), CStr, Len);
Option = caml_alloc_small(1, 0);
Store_field(Option, 0, (value)String);
CAMLreturn(Option);
}
void llvm_raise(value Prototype, char *Message) { void llvm_raise(value Prototype, char *Message) {
CAMLparam1(Prototype); CAMLparam1(Prototype);
caml_raise_with_arg(Prototype, llvm_string_of_message(Message)); caml_raise_with_arg(Prototype, llvm_string_of_message(Message));
CAMLnoreturn; CAMLnoreturn;
} }
static value llvm_fatal_error_handler; static value llvm_fatal_error_handler;
▲ Show 20 LinesShow All 457 Lines▼ Show 20 LinesCAMLprim value llvm_struct_set_body(LLVMTypeRef Ty,
value ElementTypes, value ElementTypes,
value Packed) { value Packed) {
LLVMStructSetBody(Ty, (LLVMTypeRef *) ElementTypes, LLVMStructSetBody(Ty, (LLVMTypeRef *) ElementTypes,
Wosize_val(ElementTypes), Bool_val(Packed)); Wosize_val(ElementTypes), Bool_val(Packed));
return Val_unit; return Val_unit;
} }
/* lltype -> string option */ /* lltype -> string option */
CAMLprim value llvm_struct_name(LLVMTypeRef Ty) CAMLprim value llvm_struct_name(LLVMTypeRef Ty) {
{ const char *CStr = LLVMGetStructName(Ty);
CAMLparam0(); size_t Len;
CAMLlocal1(result); if (!CStr)
const char *C = LLVMGetStructName(Ty); return Val_int(0);
if (C) { Len = strlen(CStr);
result = caml_alloc_small(1, 0); return cstr_to_string_option(CStr, Len);
Store_field(result, 0, caml_copy_string(C));
CAMLreturn(result);
}
CAMLreturn(Val_int(0));
} }
/* lltype -> lltype array */ /* lltype -> lltype array */
CAMLprim value llvm_struct_element_types(LLVMTypeRef StructTy) { CAMLprim value llvm_struct_element_types(LLVMTypeRef StructTy) {
value Tys = alloc(LLVMCountStructElementTypes(StructTy), 0); value Tys = alloc(LLVMCountStructElementTypes(StructTy), 0);
LLVMGetStructElementTypes(StructTy, (LLVMTypeRef *) Tys); LLVMGetStructElementTypes(StructTy, (LLVMTypeRef *) Tys);
return Tys; return Tys;
} }
▲ Show 20 LinesShow All 321 Lines▼ Show 20 Lines
/* llcontext -> llvalue */ /* llcontext -> llvalue */
CAMLprim LLVMValueRef llvm_mdnull(LLVMContextRef C) { CAMLprim LLVMValueRef llvm_mdnull(LLVMContextRef C) {
return NULL; return NULL;
} }
/* llvalue -> string option */ /* llvalue -> string option */
CAMLprim value llvm_get_mdstring(LLVMValueRef V) { CAMLprim value llvm_get_mdstring(LLVMValueRef V) {
CAMLparam0(); size_t Len;
CAMLlocal2(Option, Str); const char *CStr = LLVMGetMDString(V, &Len);
const char *S; return cstr_to_string_option(CStr, Len);
vaivaswathaUnsubmitted
Done
ReplyInline Actions
unsigned Len;
- return cstr_to_string_option(LLVMGetMDString(V, &Len), Len);
+ const char *Str = LLVMGetMDString(V, &Len);
+ return cstr_to_string_option(Str, Len);
}
CAMLprim value llvm_get_mdnode_operands(LLVMValueRef V) {

Given that the order of argument evaluation is unspecified in C, if the second argument Len to cstr_to_string_option is evaluated first (at which point it is uninitialized), then an incorrect value gets passed.

vaivaswatha: Given that the order of argument evaluation is unspecified in C, if the second argument `Len`…
jberdineAuthorUnsubmitted
Done
ReplyInline Actions

Gah, yes, of course, thanks!

jberdine: Gah, yes, of course, thanks!
unsigned Len;
if ((S = LLVMGetMDString(V, &Len))) {
Str = caml_alloc_string(Len);
memcpy((char *)String_val(Str), S, Len);
Option = alloc(1,0);
Store_field(Option, 0, Str);
CAMLreturn(Option);
}
CAMLreturn(Val_int(0));
} }
CAMLprim value llvm_get_mdnode_operands(LLVMValueRef V) { CAMLprim value llvm_get_mdnode_operands(LLVMValueRef V) {
CAMLparam0(); CAMLparam0();
CAMLlocal1(Operands); CAMLlocal1(Operands);
unsigned int n; unsigned int n;
n = LLVMGetMDNodeNumOperands(V); n = LLVMGetMDNodeNumOperands(V);
▲ Show 20 LinesShow All 139 Lines▼ Show 20 Lines
/* llvalue array -> llvalue */ /* llvalue array -> llvalue */
CAMLprim LLVMValueRef llvm_const_vector(value ElementVals) { CAMLprim LLVMValueRef llvm_const_vector(value ElementVals) {
return LLVMConstVector((LLVMValueRef*) Op_val(ElementVals), return LLVMConstVector((LLVMValueRef*) Op_val(ElementVals),
Wosize_val(ElementVals)); Wosize_val(ElementVals));
} }
/* llvalue -> string option */ /* llvalue -> string option */
CAMLprim value llvm_string_of_const(LLVMValueRef Const) { CAMLprim value llvm_string_of_const(LLVMValueRef Const) {
const char *S;
size_t Len; size_t Len;
CAMLparam0(); const char *CStr;
vaivaswathaUnsubmitted
Done
ReplyInline Actions

Same as the previous change.

vaivaswatha: Same as the previous change.
vaivaswathaUnsubmitted
Not Done
ReplyInline Actions

Would it be a good idea to define a macro #define OCAML_OPTION_NONE Val_Int(0) to use in such places? I'm not saying we should do it in this patch (if you think it's a good idea to do it at all), but may be in a later one that changes it at all places uniformly.

vaivaswatha: Would it be a good idea to define a macro `#define OCAML_OPTION_NONE Val_Int(0)` to use in such…
jberdineAuthorUnsubmitted
Done
ReplyInline Actions

It might help, but I am also slightly concerned that Val_int(0) is the representation of many other OCaml values too, like []. So it would be a leaky abstraction. It seems that choosing to name the macro after None is arbitrary, and potentially confusing.

jberdine: It might help, but I am also slightly concerned that `Val_int(0)` is the representation of many…
CAMLlocal2(Option, Str); if (!LLVMIsAConstantDataSequential(Const) || !LLVMIsConstantString(Const))
return Val_int(0);
if(LLVMIsAConstantDataSequential(Const) && LLVMIsConstantString(Const)) { CStr = LLVMGetAsString(Const, &Len);
S = LLVMGetAsString(Const, &Len); return cstr_to_string_option(CStr, Len);
Str = caml_alloc_string(Len);
memcpy((char *)String_val(Str), S, Len);
Option = alloc(1, 0);
Field(Option, 0) = Str;
CAMLreturn(Option);
} else {
CAMLreturn(Val_int(0));
}
} }
/* llvalue -> int -> llvalue */ /* llvalue -> int -> llvalue */
CAMLprim LLVMValueRef llvm_const_element(LLVMValueRef Const, value N) { CAMLprim LLVMValueRef llvm_const_element(LLVMValueRef Const, value N) {
return LLVMGetElementAsConstant(Const, Int_val(N)); return LLVMGetElementAsConstant(Const, Int_val(N));
} }
/*--... Constant expressions ...............................................--*/ /*--... Constant expressions ...............................................--*/
▲ Show 20 LinesShow All 1,572 LinesShow Last 20 Lines