author | Krzysztof Pszeniczny <kpszeniczny@google.com> | 2025-04-28 19:28:56 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-04-28 19:28:56 +0200 |
commit | acaf403c6397dc0fcd8f0988bd057b4d5ee2460f (patch) | |
tree | 55045b3f95ee8e6c1deda6344009937072a4093f /clang/lib/Frontend/CompilerInvocation.cpp | |
parent | 4e4c6d7e273a91d230389b98c280c9dbde0f6c32 (diff) | |
download | llvm-acaf403c6397dc0fcd8f0988bd057b4d5ee2460f.zip llvm-acaf403c6397dc0fcd8f0988bd057b4d5ee2460f.tar.gz llvm-acaf403c6397dc0fcd8f0988bd057b4d5ee2460f.tar.bz2 |
[SampleProfile] Fix UB in Demangler invocation. (#137659)
Currently the backing buffer of a `std::vector<char>` is passed[1] to
`Demangler.getFunctionBaseName`. However, deeply inside the call stack
`OutputBuffer::grow` will call[2] `std::realloc` if it needs to grow the
buffer, leading to UB.
The demangler APIs specify[3] that "`Buf` and `N` behave like the second
and third parameters to `__cxa_demangle`" and the docs for the latter
say[4] that the output buffer must be allocated with `malloc` (but can
also be `NULL` and will then be realloced accordingly).
Note: PR #135863 changed this from a stack array to a `std::vector` and
increased the size to 65K, but this can still lead to a crash if the
demangled name is longer than that - yes, I'm surprised that a >65K-long
function name happens in practice...
[1]: https://github.com/llvm/llvm-project/blob/d7e631c7cd6d9c13b9519991ec6becf08bc6b8aa/llvm/lib/Transforms/IPO/SampleProfileMatcher.cpp#L744
[2]: https://github.com/llvm/llvm-project/blob/d7e631c7cd6d9c13b9519991ec6becf08bc6b8aa/llvm/include/llvm/Demangle/Utility.h#L50
[3]: https://github.com/llvm/llvm-project/blob/d7e631c7cd6d9c13b9519991ec6becf08bc6b8aa/llvm/include/llvm/Demangle/Demangle.h#L92-L93
[4]: https://gcc.gnu.org/onlinedocs/libstdc++/libstdc++-html-USERS-4.3/a01696.html
Diffstat (limited to 'clang/lib/Frontend/CompilerInvocation.cpp')
0 files changed, 0 insertions, 0 deletions
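Added example, not part of this commit or of LLVM's code: the buffer-ownership contract the commit message cites, exercised against the C++ runtime's own `abi::__cxa_demangle` from `<cxxabi.h>` (the LLVM Demangler's `Buf` and `N` are documented to behave like its second and third parameters, so the same rules apply there). The safe wrapper passes either `NULL` or a `malloc`-owned buffer and frees whichever pointer comes back, since on the grow path the library has already reallocated or freed the block it was given. The vector-backed variant shows the shape of the bug being removed and is deliberately never called. `DemangleResult`, `demangleSafely` and `demangleIntoVectorStorage_UB` are names chosen for this example, the mangled inputs are constructed, and the code assumes an Itanium-ABI toolchain (g++ or clang++ with libstdc++ or libc++).

```cpp
// Added example (not LLVM code): ownership rules for the __cxa_demangle output buffer.
#include <cxxabi.h>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

struct DemangleResult {
    std::string name;     // demangled name, empty on failure
    int status;           // 0 on success, -2 for an invalid mangled name
    bool bufferReplaced;  // library returned a different block than the one passed in
};

// Correct usage: the output buffer is NULL or owned by malloc, so the demangler
// may realloc()/free() it. initialCapacity == 0 means "let the library allocate".
DemangleResult demangleSafely(const char* mangled, size_t initialCapacity) {
    char* buf = nullptr;
    size_t cap = initialCapacity;
    if (cap != 0) {
        buf = static_cast<char*>(std::malloc(cap));
        if (buf == nullptr) return {std::string(), -1, false};
    }
    int status = -1;
    char* out = abi::__cxa_demangle(mangled, buf, &cap, &status);
    if (out == nullptr) {
        // On failure the library leaves the caller's buffer alone; it is still ours to free.
        std::free(buf);
        return {std::string(), status, false};
    }
    DemangleResult r{std::string(out), status, out != buf};
    // `out` is either our original block or its malloc-owned replacement. Exactly one
    // free() is owed, on `out`; `buf` must not be used or freed again after this point.
    std::free(out);
    return r;
}

// The pattern the commit removes: storage owned by std::vector (obtained via operator new)
// is handed to an API that is allowed to realloc()/free() it. Never call this; it is here
// only to make the bug concrete. If the demangled name does not fit in 16 bytes the
// demangler reallocates memory it does not own, which is undefined behaviour and
// typically aborts inside the allocator; if it does fit, the vector frees it a second time
// only because the library happened not to touch it.
std::string demangleIntoVectorStorage_UB(const char* mangled) {
    std::vector<char> storage(16);
    size_t cap = storage.size();
    int status = -1;
    char* out = abi::__cxa_demangle(mangled, storage.data(), &cap, &status);  // UB on grow
    return out ? std::string(out) : std::string();  // also leaks when out != storage.data()
}

int main() {
    // Constructed inputs: one that fits in 16 bytes, one that forces the grow path, one invalid.
    const char* inputs[] = {"_Z3fooi", "_ZN5outer5inner12deeplyNested4funcEv", "not a mangled name"};
    for (const char* m : inputs) {
        DemangleResult r = demangleSafely(m, 16);
        std::printf("%-40s status=%d replaced=%d -> %s\n", m, r.status,
                    r.bufferReplaced ? 1 : 0, r.name.c_str());
    }
    return 0;
}
```

Whether `bufferReplaced` is true on the grow path depends on the runtime (libstdc++ frees the caller's block and returns a fresh one; libc++ calls `realloc`, which may extend in place), so the only invariant worth relying on is that the returned pointer, not the original, is the one to free.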