
Infinite loop in demangler #50749

Closed
borman opened this issue Aug 8, 2021 · 2 comments
Labels
bugzilla Issues migrated from bugzilla tools:llvm-c++filt

Comments

@borman
Contributor

borman commented Aug 8, 2021

Bugzilla Link 51407
Resolution FIXED
Resolved on Aug 17, 2021 15:18
Version trunk
OS All
CC @ldionne
Fixed by commit(s) f0fcd42

Extended Description

A libfuzzer run has discovered some inputs for which the demangler does not terminate.

When minimized, it looks like this: _Zcv1BIRT_EIS1_E

Deciphered:

```
_Z
cv - conversion operator
  * result type
    1B  - "B"
    I   - template args begin
    R   - reference type                <.
    T_  - forward template reference     | *
    E   - template args end              | |
                                         | |
  * parameter type                       | |
    I   - template args begin            | |
    S1_ - substitution #1                * <'
    E   - template args end
```

The reason is: template-parameter refs in conversion operator result type create forward-references, while substitutions are instantly resolved via back-references. Together these can create a reference loop. It causes an infinite loop in ReferenceType::collapse().

I see three possible ways to avoid these loops:

  1. check if resolving a forward reference creates a loop and reject the invalid input (hard to traverse AST at this point)
  2. check if a substitution contains a malicious forward reference and reject the invalid input (hard to traverse AST at this point; substitutions are quite common: may affect performance; hard to clearly detect loops at this point)
  3. detect loops in ReferenceType::collapse() (cannot reject the input)
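The reference loop described above, and the third option of catching it inside the collapse walk, as an added example that is neither part of the report nor libc++abi code: a toy node model with a reference-collapsing walk that stops as soon as it revisits a node. The node kinds, field names and function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <unordered_set>

// Toy model of demangler type nodes (illustration only, not libc++abi's AST):
// a named type, a reference type (the 'R' in the mangling) and a forward
// template reference ('T_') whose referent is filled in later.
struct Node {
  enum Kind { KName, KReference, KForwardRef, KUnresolved };
  Kind K;
  Node *Target = nullptr; // pointee for KReference, referent for KForwardRef
  explicit Node(Kind Kind) : K(Kind) {}
};

struct CollapseResult {
  bool Ok;           // false if the chain came back to a node already walked
  std::size_t Steps; // references followed before stopping
  Node::Kind Stop;   // kind of the node the walk stopped at
};

// Follows reference -> pointee the way a reference-collapsing walk would,
// stepping through resolved forward references, but refuses to loop: a node
// reached a second time means a forward reference and a substitution
// (back-reference) point at each other, so the walk is abandoned.
CollapseResult collapseChecked(const Node *Start) {
  std::unordered_set<const Node *> Seen;
  const Node *Cur = Start;
  std::size_t Steps = 0;
  while (Cur && (Cur->K == Node::KReference || Cur->K == Node::KForwardRef)) {
    if (!Seen.insert(Cur).second)
      return {false, Steps, Cur->K};
    Cur = Cur->Target;
    ++Steps;
  }
  return {true, Steps, Cur ? Cur->K : Node::KUnresolved};
}

// Rebuilds the cyclic shape of _Zcv1BIRT_EIS1_E from the report: the result
// type's R points at T_, T_ is resolved to the parameter type, and that
// parameter type is S1_, the substitution for the very same reference node.
CollapseResult collapseReportedInput() {
  Node Ref(Node::KReference);
  Node Fwd(Node::KForwardRef);
  Ref.Target = &Fwd; // R  -> T_
  Fwd.Target = &Ref; // T_ -> parameter type -> S1_ -> R (cycle)
  return collapseChecked(&Ref);
}

// Benign reference-to-reference chain that collapses to the named type.
CollapseResult collapseBenignInput() {
  Node Name(Node::KName), Inner(Node::KReference), Outer(Node::KReference);
  Inner.Target = &Name;
  Outer.Target = &Inner;
  return collapseChecked(&Outer);
}
```

With this check the cyclic input is reported after two steps instead of spinning forever, while the benign chain collapses normally; as the report notes, detecting the loop this late cannot reject the input, only stop the walk.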
@borman
Contributor Author

borman commented Aug 8, 2021

Possible fix: https://reviews.llvm.org/D107712

@ldionne
Member

ldionne commented Aug 17, 2021

Fixed by:

```
commit f0fcd42
Author: Mikhail Borisov borisov.mikhail@gmail.com
Date:   Tue Aug 17 18:10:57 2021 -0400

    [libc++abi] Fix possible infinite loop in itanium demangler
```

Thanks a lot!

@llvmbot llvmbot transferred this issue from llvm/llvm-bugzilla-archive Dec 11, 2021
This issue was closed.