From: Luc Van Oostenryck <lucvoo@kernel.org>
To: linux-sparse@vger.kernel.org
Cc: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>,
	kernel test robot <lkp@intel.com>,
	Yafang Shao <laoar.shao@gmail.com>,
	Yujie Liu <yujie.liu@intel.com>
Subject: [PATCH] fix crash when inlining casts of erroneous expressions
Date: Tue,  7 Jun 2022 14:43:33 +0200	[thread overview]
Message-ID: <20220607124333.23988-1-lucvoo@kernel.org> (raw)

From: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>

Sparse does inlining very early, during expansion, just after (type)
evaluation and before IR linearization, and it is done even if some
errors have been found. This means that the inlining must be robust
against erroneous code.

However, during inlining, a cast expression is always dereferenced and
a crash will occur if not valid (in which case it should be null).

Fix this by checking for null cast expressions and directly returning
NULL, as is done for the inlining of the other invalid expressions.

Link: https://lore.kernel.org/r/e42698a9-494c-619f-ac16-8ffe2c87e04e@intel.com
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Yafang Shao <laoar.shao@gmail.com>
Reported-by: Yujie Liu <yujie.liu@intel.com>
Signed-off-by: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
---
 inline.c                                |  2 ++
 validation/inline-early/bug-bad-token.c | 15 +++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 validation/inline-early/bug-bad-token.c

diff --git a/inline.c b/inline.c
index eceef8ba0443..0097e4bf620a 100644
--- a/inline.c
+++ b/inline.c
@@ -155,6 +155,8 @@ static struct expression * copy_expression(struct expression *expr)
 
 	/* Cast/sizeof/__alignof__ */
 	case EXPR_CAST:
+		if (!expr->cast_expression)
+			return NULL;
 		if (expr->cast_expression->type == EXPR_INITIALIZER) {
 			struct expression *cast = expr->cast_expression;
 			struct symbol *sym = expr->cast_type;
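Review bot: the new guard sits directly before the `expr->cast_expression->type` dereference that crashed, which is the right place, but the case itself gives no hint why a NULL operand is acceptable here; a one-line comment such as `/* operand failed evaluation: propagate the error */` would make the intent visible to someone reading only this `case EXPR_CAST:` branch rather than the commit message. Also note that the hunk guards only `cast_expression`; `expr->cast_type` is read a few lines later into `sym`, and whether it can likewise be NULL for an erroneous cast is not visible in this context and is worth confirming.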
diff --git a/validation/inline-early/bug-bad-token.c b/validation/inline-early/bug-bad-token.c
new file mode 100644
index 000000000000..9049bdb48ab0
--- /dev/null
+++ b/validation/inline-early/bug-bad-token.c
@@ -0,0 +1,15 @@
+inline void fun(int x)
+{
+	(typeof(@)) x;
+}
+
+void foo(void)
+{
+	fun;
+}
+
+/*
+ * check-name: bug-bad-token
+ * check-exit-value: 0
+ * check-error-ignore
+ */
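Review bot: the test checks only `check-exit-value: 0` and ignores all diagnostics with `check-error-ignore`, so it catches the crash but would not notice if the bad token in `(typeof(@)) x;` stopped being reported at all; consider also asserting on the expected error output so that a regression that silently accepts the malformed cast is caught too. A short comment in the file explaining that the bare `fun;` statement in `foo()` is what drives the early inlining of the cast would help future readers understand why a plain reference, rather than a call, is used to reproduce the bug.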
-- 
2.36.1