This fixes all the crashers on Darwin (clang+libc++), that I could reproduce with ASAN+libFuzzer. It does not mean that there is no leaks, or that you won’t find more crashes with libstdc++ for instance.
— Mehdi > On Aug 12, 2016, at 5:21 PM, Kostya Serebryany <k...@google.com> wrote: > > Sweet! > Did you fix all of the known crashers? > > > > On Fri, Aug 12, 2016 at 5:02 PM, Mehdi Amini via cfe-commits > <cfe-commits@lists.llvm.org <mailto:cfe-commits@lists.llvm.org>> wrote: > Author: mehdi_amini > Date: Fri Aug 12 19:02:33 2016 > New Revision: 278579 > > URL: http://llvm.org/viewvc/llvm-project?rev=278579&view=rev > <http://llvm.org/viewvc/llvm-project?rev=278579&view=rev> > Log: > Fix ASAN failures in the demangler > > These were found fuzzing with ASAN. > > Modified: > libcxxabi/trunk/src/cxa_demangle.cpp > libcxxabi/trunk/test/test_demangle.pass.cpp > > Modified: libcxxabi/trunk/src/cxa_demangle.cpp > URL: > http://llvm.org/viewvc/llvm-project/libcxxabi/trunk/src/cxa_demangle.cpp?rev=278579&r1=278578&r2=278579&view=diff > > <http://llvm.org/viewvc/llvm-project/libcxxabi/trunk/src/cxa_demangle.cpp?rev=278579&r1=278578&r2=278579&view=diff> > ============================================================================== > --- libcxxabi/trunk/src/cxa_demangle.cpp (original) > +++ libcxxabi/trunk/src/cxa_demangle.cpp Fri Aug 12 19:02:33 2016 > @@ -624,6 +624,8 @@ parse_const_cast_expr(const char* first, > return first; > auto expr = db.names.back().move_full(); > db.names.pop_back(); > + if (db.names.empty()) > + return first; > db.names.back() = "const_cast<" + > db.names.back().move_full() + ">(" + expr + ")"; > first = t1; > } > @@ -650,6 +652,8 @@ parse_dynamic_cast_expr(const char* firs > return first; > auto expr = db.names.back().move_full(); > db.names.pop_back(); > + if (db.names.empty()) > + return first; > db.names.back() = "dynamic_cast<" + > db.names.back().move_full() + ">(" + expr + ")"; > first = t1; > } > @@ -676,6 +680,8 @@ parse_reinterpret_cast_expr(const char* > return first; > auto expr = db.names.back().move_full(); > db.names.pop_back(); > + if (db.names.empty()) > + return first; > db.names.back() = "reinterpret_cast<" + > db.names.back().move_full() + ">(" + expr + ")"; > first = t1; > } > @@ -1294,6 +1300,8 @@ parse_dot_expr(const char* first, const > return first; > auto name = db.names.back().move_full(); > db.names.pop_back(); > + if (db.names.empty()) > + return first; > db.names.back().first += "." + name; > first = t1; > } > @@ -2896,6 +2904,8 @@ base_name(String& s) > ++c; > } > } > + if (pe - pf <= 1) > + return String(); > const char* p0 = pe - 1; > for (; p0 != pf; --p0) > { > @@ -3016,7 +3026,8 @@ parse_unnamed_type_name(const char* firs > const char* t1 = parse_type(t0, last, db); > if (t1 == t0) > { > - db.names.pop_back(); > + if(!db.names.empty()) > + db.names.pop_back(); > return first; > } > if (db.names.size() < 2) > @@ -3041,17 +3052,21 @@ parse_unnamed_type_name(const char* firs > } > t0 = t1; > } > + if(db.names.empty()) > + return first; > db.names.back().first.append(")"); > } > if (t0 == last || *t0 != 'E') > { > + if(!db.names.empty()) > db.names.pop_back(); > return first; > } > ++t0; > if (t0 == last) > { > - db.names.pop_back(); > + if(!db.names.empty()) > + db.names.pop_back(); > return first; > } > if (std::isdigit(*t0)) > @@ -3064,7 +3079,8 @@ parse_unnamed_type_name(const char* firs > } > if (t0 == last || *t0 != '_') > { > - db.names.pop_back(); > + if(!db.names.empty()) > + db.names.pop_back(); > return first; > } > first = t0 + 1; > @@ -3251,7 +3267,7 @@ parse_binary_expression(const char* firs > nm += ')'; > first = t2; > } > - else > + else if(!db.names.empty()) > db.names.pop_back(); > } > return first; > @@ -3490,7 +3506,7 @@ parse_expression(const char* first, cons > db.names.back() = "(" + op1 + ")[" + op2 + "]"; > first = t2; > } > - else > + else if (!db.names.empty()) > db.names.pop_back(); > } > } > @@ -3686,11 +3702,13 @@ parse_expression(const char* first, cons > } > else > { > + if (db.names.size() < 2) > + return first; > db.names.pop_back(); > db.names.pop_back(); > } > } > - else > + else if (!db.names.empty()) > db.names.pop_back(); > } > } > @@ -3879,8 +3897,9 @@ parse_template_args(const char* first, c > args += ", "; > args += db.names[k].move_full(); > } > - for (; k1 != k0; --k1) > - db.names.pop_back(); > + for (; k1 > k0; --k1) > + if (!db.names.empty()) > + db.names.pop_back(); > t = t1; > } > first = t + 1; > @@ -3959,6 +3978,8 @@ parse_nested_name(const char* first, con > { > auto name = db.names.back().move_full(); > db.names.pop_back(); > + if (db.names.empty()) > + return first; > if (!db.names.back().first.empty()) > { > db.names.back().first += "::" + name; > @@ -3978,6 +3999,8 @@ parse_nested_name(const char* first, con > { > auto name = db.names.back().move_full(); > db.names.pop_back(); > + if (db.names.empty()) > + return first; > if (!db.names.back().first.empty()) > db.names.back().first += "::" + name; > else > @@ -3997,6 +4020,8 @@ parse_nested_name(const char* first, con > { > auto name = db.names.back().move_full(); > db.names.pop_back(); > + if (db.names.empty()) > + return first; > if (!db.names.back().first.empty()) > db.names.back().first += "::" + name; > else > @@ -4014,6 +4039,8 @@ parse_nested_name(const char* first, con > { > auto name = db.names.back().move_full(); > db.names.pop_back(); > + if (db.names.empty()) > + return first; > db.names.back().first += name; > db.subs.push_back(typename C::sub_type(1, > db.names.back(), db.names.get_allocator())); > t0 = t1; > @@ -4033,6 +4060,8 @@ parse_nested_name(const char* first, con > { > auto name = db.names.back().move_full(); > db.names.pop_back(); > + if (db.names.empty()) > + return first; > if (!db.names.back().first.empty()) > db.names.back().first += "::" + name; > else > @@ -4130,11 +4159,13 @@ parse_local_name(const char* first, cons > return first; > auto name = db.names.back().move_full(); > db.names.pop_back(); > + if (db.names.empty()) > + return first; > db.names.back().first.append("::"); > db.names.back().first.append(name); > first = t1; > } > - else > + else if (!db.names.empty()) > db.names.pop_back(); > } > } > @@ -4151,10 +4182,12 @@ parse_local_name(const char* first, cons > return first; > auto name = db.names.back().move_full(); > db.names.pop_back(); > + if (db.names.empty()) > + return first; > db.names.back().first.append("::"); > db.names.back().first.append(name); > } > - else > + else if (!db.names.empty()) > db.names.pop_back(); > } > break; > @@ -4219,6 +4252,8 @@ parse_name(const char* first, const char > return first; > auto tmp = db.names.back().move_full(); > db.names.pop_back(); > + if (db.names.empty()) > + return first; > db.names.back().first += tmp; > first = t1; > if (ends_with_template_args) > @@ -4241,6 +4276,8 @@ parse_name(const char* first, const char > return first; > auto tmp = db.names.back().move_full(); > db.names.pop_back(); > + if (db.names.empty()) > + return first; > db.names.back().first += tmp; > first = t1; > if (ends_with_template_args) > @@ -4399,6 +4436,8 @@ parse_special_name(const char* first, co > return first; > auto left = db.names.back().move_full(); > db.names.pop_back(); > + if (db.names.empty()) > + return first; > db.names.back().first = "construction vtable for > " + > std::move(left) + "-in-" > + > > db.names.back().move_full(); > @@ -4538,6 +4577,9 @@ parse_encoding(const char* first, const > if (ret2.empty()) > ret1 += ' '; > db.names.pop_back(); > + if (db.names.empty()) > + return first; > + > db.names.back().first.insert(0, ret1); > t = t2; > } > @@ -4565,8 +4607,11 @@ parse_encoding(const char* first, const > tmp += ", "; > tmp += db.names[k].move_full(); > } > - for (size_t k = k0; k < k1; ++k) > + for (size_t k = k0; k < k1; ++k) { > + if (db.names.empty()) > + return first; > db.names.pop_back(); > + } > if (!tmp.empty()) > { > if (db.names.empty()) > > Modified: libcxxabi/trunk/test/test_demangle.pass.cpp > URL: > http://llvm.org/viewvc/llvm-project/libcxxabi/trunk/test/test_demangle.pass.cpp?rev=278579&r1=278578&r2=278579&view=diff > > <http://llvm.org/viewvc/llvm-project/libcxxabi/trunk/test/test_demangle.pass.cpp?rev=278579&r1=278578&r2=278579&view=diff> > ============================================================================== > --- libcxxabi/trunk/test/test_demangle.pass.cpp (original) > +++ libcxxabi/trunk/test/test_demangle.pass.cpp Fri Aug 12 19:02:33 2016 > @@ -29591,6 +29591,7 @@ const char* cases[][2] = > {"_ZZ4testvEN1g3fooE5Point", "test()::g::foo(Point)"}, > {"_ZThn12_NSt9strstreamD0Ev", "non-virtual thunk to > std::strstream::~strstream()"}, > {"_ZTv0_n12_NSt9strstreamD0Ev", "virtual thunk to > std::strstream::~strstream()"}, > + {"\x6D", "unsigned long"}, // This use to crash with ASAN > }; > > const unsigned N = sizeof(cases) / sizeof(cases[0]); > @@ -29636,6 +29637,21 @@ const char* invalid_cases[] = > #if !LDBL_FP80 > "_ZN5test01hIfEEvRAcvjplstT_Le4001a000000000000000E_c", > #endif > + // The following test cases were found by libFuzzer+ASAN > + > "\x44\x74\x70\x74\x71\x75\x34\x43\x41\x72\x4D\x6E\x65\x34\x9F\xC1\x43\x41\x72\x4D\x6E\x77\x38\x9A\x8E\x44\x6F\x64\x6C\x53\xF9\x5F\x70\x74\x70\x69\x45\x34\xD3\x73\x9E\x2A\x37", > + > "\x4D\x41\x72\x63\x4E\x39\x44\x76\x72\x4D\x34\x44\x53\x4B\x6F\x44\x54\x6E\x61\x37\x47\x77\x78\x38\x43\x27\x41\x5F\x73\x70\x69\x45*", > + "\x41\x64\x6E\x32*", > + "\x43\x46\x41\x67\x73*", > + > "\x72\x3A\x4E\x53\x64\x45\x39\x4F\x52\x4E\x1F\x43\x34\x64\x54\x5F\x49\x31\x41\x63\x6C\x37\x2A\x4D\x41\x67\x73\x76\x43\x54\x35\x5F\x49\x4B\x4C\x55\x6C\x73\x4C\x38\x64\x43\x41\x47\x4C\x5A\x28\x4F\x41\x6E\x77\x5F\x53\x6F\x70\x69\x45\x5F\x63\x47\x61\x4C\x31\x4F\x4C\x33\x3E\x41\x4C\x4B\x4C\x55\x6C\x73\x4C\x38\x64\x43\x66\x41\x47\x4C\x5A\x28\x4F\x41\x6E\x77\x5F\x53\x6F\x70\x69\x45\x5F\x37\x41*", > + "\x2D\x5F\x63\x47\x4F\x63\xD3", > + > "\x44\x74\x70\x74\x71\x75\x32\x43\x41\x38\x65\x6E\x9B\x72\x4D\xC1\x43\x41\x72\x4D\x6E\x77\x38\x9A\x8E\x44\x6F\x64\xC3\x53\xF9\x5F\x70\x74\x70\x69\x45\x38\xD3\x73\x9E\x2A\x37", > + > "\x4C\x5A\x4C\x55\x6C\x4D\x41\x5F\x41\x67\x74\x71\x75\x34\x4D\x41\x64\x73\x4C\x44\x76\x72\x4D\x34\x44\x4B\x44\x54\x6E\x61\x37\x47\x77\x78\x38\x43\x27\x41\x5F\x73\x70\x69\x45\x6D\x73\x72\x53\x41\x6F\x41\x7B", > + > "\x44\x74\x70\x74\x71\x75\x32\x43\x41\x38\x65\x6E\x9B\x72\x4D\xC1\x43\x41\x72\x4D\x6E\x77\x38\x9A\x8E\x44\x6F\x64\x2C\x53\xF9\x5F\x70\x74\x70\x69\x45\xB4\xD3\x73\x9F\x2A\x37", > + > "\x4C\x5A\x4C\x55\x6C\x69\x4D\x73\x72\x53\x6F\x7A\x41\x5F\x41\x67\x74\x71\x75\x32\x4D\x41\x64\x73\x39\x28\x76\x72\x4D\x34\x44\x4B\x45\x54\x6E\x61\x37\x47\x77\x78\x38\x43\x27\x41\x5F\x73\x70\x69\x45\x6F\x45\x49\x6D\x1A\x4C\x53\x38\x6A\x7A\x5A", > + "\x44\x74\x63*", > + > "\x44\x74\x71\x75\x35\x2A\xDF\x74\x44\x61\x73\x63\x35\x2A\x3B\x41\x72\x4D\x6E\x65\x34\x9F\xC1\x63\x41\x72\x4D\x6E\x77\x38\x9A\x8E\x44\x6F\x64\x6C\x53\xF9\x5F\x70\x74\x70\x69\x45\x33\x44\x76\x35", > + > "\x44\x74\x70\x74\x71\x75\x32\x43\x41\x38\x65\x6E\x9B\x72\x4D\xC1\x43\x41\x72\x4D\x6E\x77\x38\x9A\x8E\x44\x6F\x64\x6C\x53\xF9\x5F\x70\x74\x70\x69\x45\x38\xD3\x73\x9E\x2A\x37", > + > "\x46\x44\x74\x70\x74\x71\x75\x32\x43\x41\x72\x4D\x6E\x65\x34\x9F\xC1\x43\x41\x72\x4D\x6E\x77\x38\x9A\x8E\x44\x6F\x64\x6C\x53\xF9\x5F\x70\x74\x70\x69\x45\x34\xD3\x73\x9E\x2A\x37\x72\x33\x8E\x3A\x29\x8E\x44\x35", > }; > > const unsigned NI = sizeof(invalid_cases) / sizeof(invalid_cases[0]); > > > _______________________________________________ > cfe-commits mailing list > cfe-commits@lists.llvm.org <mailto:cfe-commits@lists.llvm.org> > http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits > <http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits> >
_______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
