[llvm] r230934 - Fix a crash in the LL parser where it failed to validate that the pointer operand of a GEP was valid.

David Blaikie dblaikie at gmail.com
Mon Mar 2 11:22:29 PST 2015


On Sun, Mar 1, 2015 at 9:25 PM, Owen Anderson <resistor at mac.com> wrote:

> Author: resistor
> Date: Sun Mar  1 23:25:06 2015
> New Revision: 230934
>
> URL: http://llvm.org/viewvc/llvm-project?rev=230934&view=rev
> Log:
> Fix a crash in the LL parser where it failed to validate that the pointer
> operand of a GEP was valid.
>
> This manifested as an assertion failure in +Asserts builds, and a hard
> crash in -Asserts builds.  Found by fuzzing the LL parser.
>
> Added:
>     llvm/trunk/test/Assembler/getelementptr_invalid_ptr.ll
> Modified:
>     llvm/trunk/lib/AsmParser/LLParser.cpp
>
> Modified: llvm/trunk/lib/AsmParser/LLParser.cpp
> URL:
> http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/AsmParser/LLParser.cpp?rev=230934&r1=230933&r2=230934&view=diff
>
> ==============================================================================
> --- llvm/trunk/lib/AsmParser/LLParser.cpp (original)
> +++ llvm/trunk/lib/AsmParser/LLParser.cpp Sun Mar  1 23:25:06 2015
> @@ -5458,6 +5458,8 @@ int LLParser::ParseGetElementPtr(Instruc
>      return true;
>
>    Type *PtrTy = Ptr->getType();
> +  if (!isa<SequentialType>(PtrTy))
> +    return Error(Loc, "pointer type is not valid");
>

Could drop this down below the vector check (what if the vector's elements
aren't sequential types? That's presumably an error case that's missed here
& would have the same crashy/asserty problem) and then possibly use a
dyn_cast and reuse the result rather than isa + cast? (I can do this, if
you like)


>    if (VectorType *VT = dyn_cast<VectorType>(PtrTy))
>      PtrTy = VT->getElementType();
>    if (Ty != cast<SequentialType>(PtrTy)->getElementType())
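Review bot: The new isa<SequentialType> check runs before the vector unwrap, so the cast<SequentialType>(PtrTy) on the last context line is still unchecked once PtrTy has been replaced by VT->getElementType(). A vector whose element type is not a sequential type would reach that cast and hit the same assertion or crash the log message describes. Suggest moving the validation below the `if (VectorType *VT = dyn_cast<VectorType>(PtrTy))` block and doing it as one dyn_cast<SequentialType>(PtrTy) whose result is reused in the comparison, so the type that gets cast is the type that was checked. Because this path is reachable from untrusted .ll input and was found by fuzzing, the vector case also deserves its own regression test.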
>
> Added: llvm/trunk/test/Assembler/getelementptr_invalid_ptr.ll
> URL:
> http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Assembler/getelementptr_invalid_ptr.ll?rev=230934&view=auto
>
> ==============================================================================
> --- llvm/trunk/test/Assembler/getelementptr_invalid_ptr.ll (added)
> +++ llvm/trunk/test/Assembler/getelementptr_invalid_ptr.ll Sun Mar  1
> 23:25:06 2015
> @@ -0,0 +1,11 @@
> +; RUN: not llvm-as < %s >/dev/null 2> %t
> +; RUN: FileCheck %s < %t
>

Not sure about other people, but generally I try to avoid temporary files
(it makes it easier to copy/paste the test command line to reproduce the
test case at least). I guess maybe that does involve just piping
stdout/stderr together, though? (I don't see any test cases that just pipe
stderr, but maybe I'm not searching right)


> +; Test the case of an invalid pointer type on a GEP
> +
> +; CHECK: pointer type is not valid
> +
> +define i32* @foo(i32 %a) {
> +  %gep = getelementptr i32, i32 %a, i32 1
> +  return i32* %gep
> +}
> +
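Review bot: The function body ends with `return i32* %gep`, but the IR terminator is spelled `ret`, so the input carries a second, unintended error after the GEP line. The test still passes because the GEP error is reported first; use `ret i32* %gep` so that the invalid pointer operand is the only fault under test. The file also covers only a scalar i32 operand; a second function whose GEP operand is a vector of non-pointer elements would exercise the path after the vector unwrap in ParseGetElementPtr.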
>
>
> _______________________________________________
> llvm-commits mailing list
> llvm-commits at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/llvm-commits
>