tokenize.cpp: fixed fuzzing crash in setScopeInfo()
#6092
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lib/checkassert.cpp
Outdated
| @@ -129,6 +129,9 @@ void CheckAssert::checkVariableAssignment(const Token* assignTok, const Scope *a | |||
| if (!assignTok->isAssignmentOp() && assignTok->tokType() != Token::eIncDecOp) | |||
| return; | |||
|
|
|||
| if (!assignTok->astOperand1()) | |||
There was a problem hiding this comment.
I think = must always have both operands, so we should add this to the AST validation.
There was a problem hiding this comment.
Unfortuantely, at least these cases would require special handling though:
auto f() { [=]() { return data; }(); }
class A {
virtual void pure()=0;
};
There was a problem hiding this comment.
So we leave it as is?
There was a problem hiding this comment.
New idea: reject = followed by ; and possibly )|} as garbage?
There was a problem hiding this comment.
Do not ask me. There's a reason I usually do not get involved into the check related stuff...
There was a problem hiding this comment.
IMHO we should fail early and hard on invalid code. Random nullptr checks here and there probably just enable the next crash down the line.
There was a problem hiding this comment.
I split this into #6162.
lib/tokenize.cpp
Outdated
| @@ -2537,7 +2537,7 @@ namespace { | |||
| tok1 = tok1->previous(); | |||
| if (tok1->previous() && (tok1->strAt(-1) == ")" || tok->strAt(-1) == "}")) { | |||
| tok1 = tok1->linkAt(-1); | |||
| if (Token::Match(tok1->previous(), "throw|noexcept (")) { | |||
| if (tok1 && Token::Match(tok1->previous(), "throw|noexcept (")) { | |||
There was a problem hiding this comment.
There is a check for unlinked )|} somewhere, so I wonder why it doesn't fire.
There was a problem hiding this comment.
deleteInvalidTypedef() messes up the links since it runs after createLinks(). Maybeif (!tokOffset || tokOffset->isKeyword()) syntaxError(tok); at tokenize.cpp:1257 is an option.
There was a problem hiding this comment.
The issue does not appear to be fully fixed by my change. Will look into that first and then look into your comment.
There was a problem hiding this comment.
This required a few more checks down the line.
There was a problem hiding this comment.
Maybe
if (!tokOffset || tokOffset->isKeyword()) syntaxError(tok);at tokenize.cpp:1257 is an option.
isControlFlowKeyword() seems to work.
There was a problem hiding this comment.
What line is that now? Or do you want to take over in a new PR?
There was a problem hiding this comment.
tokenize.cpp:1257 is still correct (// check for invalid input),
There was a problem hiding this comment.
That is line 1255 in my tree...but that works.
firewave
changed the title
setScopeInfo()
firewave
changed the title
setScopeInfo()setScopeInfo()
|
With Clang I know get a segmentation fault even with ASAN and UBSAN enabled. Using GCC I get |
firewave
force-pushed
the
fuzz-crash2
branch
3 times, most recently
from
0d0deb2
to
12aff86
Compare
/home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:2555:31: runtime error: member call on null pointer of type 'Token'
#0 0x62508946d2b4 in (anonymous namespace)::setScopeInfo(Token*, (anonymous namespace)::ScopeInfo3**, bool) /home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:2555:31
#1 0x6250894629b6 in Tokenizer::simplifyUsing() /home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:2903:17
danmar#2 0x62508947d6c5 in Tokenizer::simplifyTokenList1(char const*) /home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:5674:12
danmar#3 0x625089476021 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:3374:14
danmar#4 0x625089f54ca1 in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:937:32
danmar#5 0x625089f44014 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:564:12
danmar#6 0x62508904544b in SingleExecutor::check() /home/user/CLionProjects/cppcheck-rider/cli/singleexecutor.cpp:53:29
danmar#7 0x625088f7f97b in CppCheckExecutor::check_internal(Settings const&) const /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:279:32
danmar#8 0x625088f7e74d in CppCheckExecutor::check_wrapper(Settings const&) /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:218:12
danmar#9 0x625088f7d68a in CppCheckExecutor::check(int, char const* const*) /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:204:21
danmar#10 0x62508a68c327 in main /home/user/CLionProjects/cppcheck-rider/cli/main.cpp:91:21
danmar#11 0x761e7f21eccf (/usr/lib/libc.so.6+0x29ccf) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
danmar#12 0x761e7f21ed89 in __libc_start_main (/usr/lib/libc.so.6+0x29d89) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
danmar#13 0x625088db79f4 in _start (/home/user/CLionProjects/cppcheck-rider/cmake-build-debug-clang-asan-ubsan/bin/cppcheck+0xf6b9f4) (BuildId: c4d5a113239183a4005a1a2662be02131ded6024)
fixed fuzzing crash in `setScopeInfo()`
/home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:2548:51: runtime error: member call on null pointer of type 'Token'
#0 0x5d3809ee7015 in (anonymous namespace)::setScopeInfo(Token*, (anonymous namespace)::ScopeInfo3**, bool) /home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:2548:51
#1 0x5d3809edc9b6 in Tokenizer::simplifyUsing() /home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:2903:17
danmar#2 0x5d3809ef76a5 in Tokenizer::simplifyTokenList1(char const*) /home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:5674:12
danmar#3 0x5d3809ef0001 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:3374:14
danmar#4 0x5d380a9cec81 in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:937:32
danmar#5 0x5d380a9bdff4 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:564:12
danmar#6 0x5d3809abf44b in SingleExecutor::check() /home/user/CLionProjects/cppcheck-rider/cli/singleexecutor.cpp:53:29
danmar#7 0x5d38099f997b in CppCheckExecutor::check_internal(Settings const&) const /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:279:32
danmar#8 0x5d38099f874d in CppCheckExecutor::check_wrapper(Settings const&) /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:218:12
danmar#9 0x5d38099f768a in CppCheckExecutor::check(int, char const* const*) /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:204:21
danmar#10 0x5d380b106307 in main /home/user/CLionProjects/cppcheck-rider/cli/main.cpp:91:21
danmar#11 0x7fe30271fccf (/usr/lib/libc.so.6+0x29ccf) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
danmar#12 0x7fe30271fd89 in __libc_start_main (/usr/lib/libc.so.6+0x29d89) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
danmar#13 0x5d38098319f4 in _start (/home/user/CLionProjects/cppcheck-rider/cmake-build-debug-clang-asan-ubsan/bin/cppcheck+0xf6b9f4) (BuildId: 0e9bdb7f1c43e507f2fcb4d97a15b0f529a13c20)
fixed fuzzing crash in `setScopeInfo()`
/home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:2540:44: runtime error: member call on null pointer of type 'Token'
#0 0x5ec589e5f40f in (anonymous namespace)::setScopeInfo(Token*, (anonymous namespace)::ScopeInfo3**, bool) /home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:2540:44
#1 0x5ec589e5505d in Tokenizer::simplifyUsing() /home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:2900:17
danmar#2 0x5ec589e6fd25 in Tokenizer::simplifyTokenList1(char const*) /home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:5671:12
danmar#3 0x5ec589e68681 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:3371:14
danmar#4 0x5ec58a9497ca in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:925:32
danmar#5 0x5ec58a938a97 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:556:12
danmar#6 0x5ec589a36f2b in SingleExecutor::check() /home/user/CLionProjects/cppcheck-rider/cli/singleexecutor.cpp:53:29
danmar#7 0x5ec5899718dc in CppCheckExecutor::check_internal(Settings const&) const /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:277:32
danmar#8 0x5ec58997073d in CppCheckExecutor::check_wrapper(Settings const&) /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:216:12
danmar#9 0x5ec58996f67a in CppCheckExecutor::check(int, char const* const*) /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:202:21
danmar#10 0x5ec58b0802b7 in main /home/user/CLionProjects/cppcheck-rider/cli/main.cpp:91:21
danmar#11 0x79b410843ccf (/usr/lib/libc.so.6+0x29ccf) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
danmar#12 0x79b410843d89 in __libc_start_main (/usr/lib/libc.so.6+0x29d89) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
danmar#13 0x5ec5897aa9f4 in _start (/home/user/CLionProjects/cppcheck-rider/cmake-build-debug-clang-asan-ubsan/bin/cppcheck+0xf6e9f4) (BuildId: 5c2986a23a9dee600c328566a7967a7eba8652c9)
Co-authored-by: chrchr-github <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.