Bounds-checking in StringPiece finds OOB access in gn_unittests |
|||
Issue description
I'm adding range checks to StringPiece. It's finding some hits; here's the 3rd:
[42961:42961:0305/141739.727354:3537134061685:FATAL:string_piece.h(223)] Check failed: i < length_.
#0 0x7feed21226ad base::debug::StackTrace::StackTrace()
#1 0x7feed2120b9c base::debug::StackTrace::StackTrace()
#2 0x7feed21a8bca logging::LogMessage::~LogMessage()
#3 0x7feed22b7113 base::BasicStringPiece<>::operator[]()
#4 0x0000007da664 Tokenizer::AdvanceToEndOfToken()
#5 0x0000007d8cd3 Tokenizer::Run()
#6 0x0000007d8afc Tokenizer::Tokenize()
#7 0x000000431d83 (anonymous namespace)::DoExpressionErrorTest()
#8 0x000000433258 Parser_UnaryOp_Test::TestBody()
#9 0x0000005685ee testing::internal::HandleSehExceptionsInMethodIfSupported<>()
#10 0x00000055a102 testing::internal::HandleExceptionsInMethodIfSupported<>()
#11 0x0000005443f6 testing::Test::Run()
#12 0x000000544e1d testing::TestInfo::Run()
#13 0x0000005458cc testing::TestCase::Run()
#14 0x0000005513fe testing::internal::UnitTestImpl::RunAllTests()
#15 0x00000056867e testing::internal::HandleSehExceptionsInMethodIfSupported<>()
#16 0x00000055b762 testing::internal::HandleExceptionsInMethodIfSupported<>()
#17 0x000000551009 testing::UnitTest::Run()
#18 0x000000870421 RUN_ALL_TESTS()
#19 0x00000086d2ab base::TestSuite::Run()
#20 0x0000006fd96d _ZN4base8internal13FunctorTraitsIM9SchedulerFvvEvE6InvokeIPS2_JEEEvS4_OT_DpOT0_
#21 0x0000006fd8e4 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKM9SchedulerFvvEJPS4_EEEvOT_DpOT0_
#22 0x0000006fd895 _ZN4base8internal7InvokerINS0_9BindStateIM9SchedulerFvvEJNS0_17UnretainedWrapperIS3_EEEEEFvvEE7RunImplIRKS5_RKNSt3__15tupleIJS7_EEEJLm0EEEEvOT_OT0_NSE_16integer_sequenceImJXspT1_EEEE
#23 0x0000006fd82c _ZN4base8internal7InvokerINS0_9BindStateIM9SchedulerFvvEJNS0_17UnretainedWrapperIS3_EEEEEFvvEE3RunEPNS0_13BindStateBaseE
#24 0x00000065b07d _ZNKR4base17RepeatingCallbackIFvvEE3RunEv
#25 0x00000087e1f7 base::(anonymous namespace)::LaunchUnitTestsInternal()
#26 0x00000087e065 base::LaunchUnitTests()
#27 0x0000008630bd main
#28 0x7feed15702b1 __libc_start_main
#29 0x0000002ed02a _start
[42955:42960:0305/141739.758474:3537134092946:ERROR:kill_posix.cc(84)] Unable to terminate process group 42961: No such process (3)
[1/1] Parser.UnaryOp (CRASHED)
1 test crashed:
Parser.UnaryOp (../../tools/gn/parser_unittest.cc:180)
Similar stack trace for test `Parser.ParenExpression`.
I'd really like to get the bounds checks landed; do you think one of you could hammer this lil bug down, maybe quicker than I could? Thanks!
,
Mar 5 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6783e46fa01a4da9c9b764d1858eb3c3f9b03f9e commit 6783e46fa01a4da9c9b764d1858eb3c3f9b03f9e Author: Chris Palmer <palmer@chromium.org> Date: Mon Mar 05 23:34:29 2018 Correct off-by-one in `Tokenizer::CanIncrement`. It would return true even if you were actually at the end of the input. Bug: 818844 Change-Id: I0ba5be52b568e39a087efc1e8114138ac4c18799 Reviewed-on: https://chromium-review.googlesource.com/949963 Reviewed-by: Dirk Pranke <dpranke@chromium.org> Commit-Queue: Chris Palmer <palmer@chromium.org> Cr-Commit-Position: refs/heads/master@{#540982} [modify] https://crrev.com/6783e46fa01a4da9c9b764d1858eb3c3f9b03f9e/tools/gn/tokenizer.h
,
Mar 5 2018
,
Mar 6 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c8bccdf109b1dcad454f4e26e868dc3d3af099f0 commit c8bccdf109b1dcad454f4e26e868dc3d3af099f0 Author: Chris Palmer <palmer@chromium.org> Date: Tue Mar 06 01:13:25 2018 Add range checks for `StringPiece`. Range check `operator[]`, `front`, `back`, and `remove_{pre,suf}fix`. Bug: 817982, 818376 , 818844 Change-Id: I3a0b560af273c9b04237a18a1bc0b56283d3d824 Reviewed-on: https://chromium-review.googlesource.com/945049 Commit-Queue: Chris Palmer <palmer@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Mark Mentovai <mark@chromium.org> Cr-Commit-Position: refs/heads/master@{#541012} [modify] https://crrev.com/c8bccdf109b1dcad454f4e26e868dc3d3af099f0/base/strings/string_piece.h
,
Mar 6 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2b0c7b406613114aa86bbe9040756e99fd913518 commit 2b0c7b406613114aa86bbe9040756e99fd913518 Author: Jan Wilken Dörrie <jdoerrie@chromium.org> Date: Tue Mar 06 09:44:42 2018 Revert "Add range checks for `StringPiece`." This reverts commit c8bccdf109b1dcad454f4e26e868dc3d3af099f0. Reason for revert: This change has r540894 as dependency. However, r540894 was reverted in r541006, just before this patch landed. Since this currently causes failures on Mac due to crashpad errors, I am reverting this change for now. Original change's description: > Add range checks for `StringPiece`. > > Range check `operator[]`, `front`, `back`, and `remove_{pre,suf}fix`. > > Bug: 817982, 818376 , 818844 > Change-Id: I3a0b560af273c9b04237a18a1bc0b56283d3d824 > Reviewed-on: https://chromium-review.googlesource.com/945049 > Commit-Queue: Chris Palmer <palmer@chromium.org> > Reviewed-by: Daniel Cheng <dcheng@chromium.org> > Reviewed-by: Mark Mentovai <mark@chromium.org> > Cr-Commit-Position: refs/heads/master@{#541012} TBR=palmer@chromium.org,dcheng@chromium.org,mark@chromium.org Change-Id: I7d5c2ca050869aff8dca4ba6b724761172aa1d83 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: 817982, 818376 , 818844 Reviewed-on: https://chromium-review.googlesource.com/950822 Reviewed-by: Jan Wilken Dörrie <jdoerrie@chromium.org> Commit-Queue: Jan Wilken Dörrie <jdoerrie@chromium.org> Cr-Commit-Position: refs/heads/master@{#541060} [modify] https://crrev.com/2b0c7b406613114aa86bbe9040756e99fd913518/base/strings/string_piece.h
,
Mar 6 2018
,
Mar 6 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e5a6dfada32caaccc93e4f3ca4cb0bd0f6cdd019 commit e5a6dfada32caaccc93e4f3ca4cb0bd0f6cdd019 Author: Chris Palmer <palmer@chromium.org> Date: Tue Mar 06 21:40:08 2018 Reland "Add range checks for `StringPiece`." This reverts commit 2b0c7b406613114aa86bbe9040756e99fd913518. Reason for revert: https://chromium-review.googlesource.com/950466 re-fixed the crashpad bug, so we should be good to land this again. Original change's description: > Revert "Add range checks for `StringPiece`." > > This reverts commit c8bccdf109b1dcad454f4e26e868dc3d3af099f0. > > Reason for revert: This change has r540894 as dependency. However, r540894 was reverted in r541006, just before this patch landed. Since this currently causes failures on Mac due to crashpad errors, I am reverting this change for now. > > Original change's description: > > Add range checks for `StringPiece`. > > > > Range check `operator[]`, `front`, `back`, and `remove_{pre,suf}fix`. > > > > Bug: 817982, 818376 , 818844 > > Change-Id: I3a0b560af273c9b04237a18a1bc0b56283d3d824 > > Reviewed-on: https://chromium-review.googlesource.com/945049 > > Commit-Queue: Chris Palmer <palmer@chromium.org> > > Reviewed-by: Daniel Cheng <dcheng@chromium.org> > > Reviewed-by: Mark Mentovai <mark@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#541012} > > TBR=palmer@chromium.org,dcheng@chromium.org,mark@chromium.org > > Change-Id: I7d5c2ca050869aff8dca4ba6b724761172aa1d83 > No-Presubmit: true > No-Tree-Checks: true > No-Try: true > Bug: 817982, 818376 , 818844 > Reviewed-on: https://chromium-review.googlesource.com/950822 > Reviewed-by: Jan Wilken Dörrie <jdoerrie@chromium.org> > Commit-Queue: Jan Wilken Dörrie <jdoerrie@chromium.org> > Cr-Commit-Position: refs/heads/master@{#541060} TBR=palmer@chromium.org,dcheng@chromium.org,mark@chromium.org,jdoerrie@chromium.org Change-Id: I50637027781401fc96b75bb749c5baa80dcc14a8 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: 817982, 818376 , 818844 Reviewed-on: https://chromium-review.googlesource.com/951868 Reviewed-by: Chris Palmer <palmer@chromium.org> Commit-Queue: Chris Palmer <palmer@chromium.org> Cr-Commit-Position: refs/heads/master@{#541201} [modify] https://crrev.com/e5a6dfada32caaccc93e4f3ca4cb0bd0f6cdd019/base/strings/string_piece.h
,
Mar 12 2018
This breaks GCC build, at least on arm. You are adding CHECK() inside a constexpr, and CHECK() will eventually include an asm call. That is not allowed in gcc (and is not allowed in C++14 as can be seen in dcl.constexpr/4).
This is one example of the build error we are getting after landing this:
./../../../../../../../../upstream-chromium/src/base/strings/string_piece.h: In member function 'constexpr base::BasicStringPiece<STRING_TYPE>::value_type base::BasicStringPiece<STRING_TYPE>::operator[](base::BasicStringPiece<STRING_TYPE>::size_type) const':
../../../../../../../../../upstream-chromium/src/base/logging.h:542:3: error: 'asm' in 'constexpr' function
asm volatile("bkpt #0; udf %0;" ::"i"(__COUNTER__ % 256))
^
../../../../../../../../../upstream-chromium/src/base/logging.h:557:5: note: in expansion of macro 'TRAP_SEQUENCE'
TRAP_SEQUENCE(); \
^~~~~~~~~~~~~
../../../../../../../../../upstream-chromium/src/base/logging.h:605:28: note: in expansion of macro 'IMMEDIATE_CRASH'
UNLIKELY(!(condition)) ? IMMEDIATE_CRASH() : EAT_STREAM_PARAMETERS
^~~~~~~~~~~~~~~
../../../../../../../../../upstream-chromium/src/base/strings/string_piece.h:223:5: note: in expansion of macro 'CHECK'
CHECK(i < length_);
^~~~~
|
|||
►
Sign in to add a comment |
|||
Comment 1 by palmer@chromium.org
, Mar 5 2018Owner: palmer@chromium.org
Status: Started (was: Untriaged)