[all-commits] [llvm/llvm-project] acaf40: [SampleProfile] Fix UB in Demangler invocation. (#...

Krzysztof Pszeniczny via All-commits all-commits at lists.llvm.org
Mon Apr 28 10:29:18 PDT 2025


  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: acaf403c6397dc0fcd8f0988bd057b4d5ee2460f
      https://github.com/llvm/llvm-project/commit/acaf403c6397dc0fcd8f0988bd057b4d5ee2460f
  Author: Krzysztof Pszeniczny <kpszeniczny at google.com>
  Date:   2025-04-28 (Mon, 28 Apr 2025)

  Changed paths:
    M llvm/lib/Transforms/IPO/SampleProfileMatcher.cpp

  Log Message:
  -----------
  [SampleProfile] Fix UB in Demangler invocation. (#137659)

Currently the backing buffer of a `std::vector<char>` is passed[1] to
`Demangler.getFunctionBaseName`. However, deeply inside the call stack
`OutputBuffer::grow` will call[2] `std::realloc` if it needs to grow the
buffer, leading to UB.

The demangler APIs specify[3] that "`Buf` and `N` behave like the second
and third parameters to `__cxa_demangle`" and the docs for the latter
say[4] that the output buffer must be allocated with `malloc` (but can
also be `NULL` and will then be realloced accordingly).

Note: PR #135863 changed this from a stack array to a `std::vector` and
increased the size to 65K, but this can still lead to a crash if the
demangled name is longer than that - yes, I'm surprised that a >65K-long
function name happens in practice...

[1]:
https://github.com/llvm/llvm-project/blob/d7e631c7cd6d9c13b9519991ec6becf08bc6b8aa/llvm/lib/Transforms/IPO/SampleProfileMatcher.cpp#L744
[2]:
https://github.com/llvm/llvm-project/blob/d7e631c7cd6d9c13b9519991ec6becf08bc6b8aa/llvm/include/llvm/Demangle/Utility.h#L50
[3]:
https://github.com/llvm/llvm-project/blob/d7e631c7cd6d9c13b9519991ec6becf08bc6b8aa/llvm/include/llvm/Demangle/Demangle.h#L92-L93
[4]:
https://gcc.gnu.org/onlinedocs/libstdc++/libstdc++-html-USERS-4.3/a01696.html
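
The buffer contract described in the log message, shown against `abi::__cxa_demangle` itself. This is an added example, not code from the commit or from LLVM; the helper name `demangle_name` and the sample symbols are constructed for illustration.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cxxabi.h>
#include <new>
#include <string>

// Demangle `mangled` while honouring the __cxa_demangle buffer contract:
// the output buffer is either NULL or a block obtained from malloc, because
// the demangler may realloc it. `initial` == 0 selects the NULL form.
std::string demangle_name(const char *mangled, size_t initial) {
  size_t len = initial;
  char *buf = nullptr;
  if (initial != 0) {
    buf = static_cast<char *>(std::malloc(initial));
    if (!buf) throw std::bad_alloc();
  }
  int status = 0;
  char *out = abi::__cxa_demangle(mangled, buf, &len, &status);
  if (!out) {
    // Failure: libstdc++ and libc++abi leave the buffer alone, so we still own it.
    std::free(buf);
    return {};
  }
  // Success: `out` is either `buf` or a reallocated block that replaced it.
  // Either way `buf` must not be used again; free only `out`.
  std::string result(out);
  std::free(out);
  return result;
}

int main() {
  const char *sym = "_ZN3foo3barEi";  // constructed sample symbol
  std::printf("%s\n", demangle_name(sym, 1).c_str());  // 1-byte buffer forces the grow path
  std::printf("%s\n", demangle_name(sym, 0).c_str());  // NULL buffer form
  return 0;
}
```

A `std::vector<char>` or stack array in place of `buf` is exactly the case the commit fixes: it works until the demangled name outgrows the buffer and the demangler reallocs memory it does not own.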


