[cfe-commits] r56818 - in /cfe/trunk/lib/Lex: LiteralSupport.cpp PPMacroExpansion.cpp

Chris Lattner clattner at apple.com
Tue Sep 30 13:54:14 PDT 2008 

On Sep 29, 2008, at 8:00 PM, Eli Friedman wrote:

> On Mon, Sep 29, 2008 at 4:12 PM, Chris Lattner <sabre at nondot.org>  
> wrote:
>> Author: lattner
>> Date: Mon Sep 29 18:12:31 2008
>> New Revision: 56818
>>
>> URL: http://llvm.org/viewvc/llvm-project?rev=56818&view=rev
>> Log:
>> Fix the root cause of PR2750 instead of the side effect.
>>
>> NumericLiteral parser is not careful about overrun because
>> it should never be possible.
>
> I'm not very confident in the whole thing, but if you think it works,
> that's fine.
>
> It looks like the tokens in question always include some sort of
> terminator; the natural terminator when the token points to the
> source, a space for artificial numeric macros (with this patch), and
> null for tokens created through token pasting (which looks kind of
> suspicious...).  Is there some sort of guarantee about the token
> including some sort of separator after the token?

Yep, that's the intention.  Just to make it very clear, I added an  
assertion to NumericLiteralParser.  It seems useful to document and  
verify assumptions like this :).

> Wait, so if I'm reading this correctly, it doesn't stop the overrun at
> all; is the idea that it's supposed to be legal to overrun the buffer
> by one?

Yep, the character one past the end of the lexed number must be valid  
(this is used elsewhere in the lexer) and must not be a continuation  
of a pp-number.

>  This seems like a bad way to fix this... it seems really
> fragile.

Why?  The lexer as a whole depends on this in many cases, this is why  
it require all file buffers to end with a NUL character (to allow and  
fastpath overrun).

> There's some code which appears to be working completely by accident
> in Sema::ActOnNumericConstant; if PP.getSpelling actually uses the
> buffer (e.g. there's an escaped newline in the number), an overrun
> reads random data from the stack.  Or rather, it would, except that
> SmallVector initializes the relevant part of the buffer to zero.

Wow, great catch!  Fixed (twice):
http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20080929/007860.html
http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20080929/007861.html

-Chris

More information about the cfe-commits mailing list