projects / platform / upstream / llvm.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: a7716a3) | patch
YAML parser robustness improvements
authorThomas Finch <tfinch@apple.com>
Wed, 6 Nov 2019 05:51:04 +0000 (21:51 -0800)
committerDon Hinton <hintonda@gmail.com>
Wed, 6 Nov 2019 05:51:04 +0000 (21:51 -0800)
commit092452d402d793c731c3861ba920a85c5c4e1fff
treeea2b5fcaf7539695255c4458742213cabfb64b1dtree | snapshot
parenta7716a3c3c9cc2f1d511d93688de5cb9f163d4c2commit | diff
YAML parser robustness improvements

Summary: This patch fixes a number of bugs found in the YAML parser
through fuzzing. In general, this makes the parser more robust against
malformed inputs.

The fixes are mostly improved null checking and returning errors in
more cases. In some cases, asserts were changed to regular errors,
this provides the same robustness but also protects release builds
from the triggering conditions. This also improves the fuzzability of
the YAML parser since asserts can act as a roadblock to further
fuzzing once they're hit.

Each fix has a corresponding test case:
  - TestAnchorMapError - Added proper null pointer handling in
    `Stream::printError` if N is null and `KeyValueNode::getValue` if
    getKey returns null, `Input::createHNodes` `dyn_casts` changed to
    `dyn_cast_or_null` so the null pointer checks are actually able to
    fail
  - TestFlowSequenceTokenErrors - Added case in
    `Document::parseBlockNode` for FlowMappingEnd, FlowSequenceEnd, or
    FlowEntry tokens outside of mappings or sequences
  - TestDirectiveMappingNoValue - Changed assert to regular error
    return in `Scanner::scanValue`
  - TestUnescapeInfiniteLoop - Fixed infinite loop in
    `ScalarNode::unescapeDoubleQuoted` by returning an error for
    unrecognized escape codes
  - TestScannerUnexpectedCharacter - Changed asserts to regular error
    returns in `Scanner::consume`
  - TestUnknownDirective - For both of the inputs the stream doesn't
    fail and correctly returns TK_Error, but there is no valid root
    node for the document. There's no reasonable way to make the
    scanner fail for unknown directives without breaking the YAML spec
    (see spec-07-01.test). I think the assert is unnecessary given
    that an error is still generated for this case.

The `SimpleKeys.clear()` line fixes a bug found by AddressSanitizer
triggered by multiple test cases - when TokenQueue is cleared
SimpleKeys is still holding dangling pointers into it, so SimpleKeys
should be cleared as well.

Patch by Thomas Finch!

Reviewers: chandlerc, Bigcheese, hintonda

Reviewed By: Bigcheese, hintonda

Subscribers: hintonda, kristina, beanz, dexonsmith, hiraditya, llvm-commits

Tags: #llvm

Differential Revision: https://reviews.llvm.org/D61608
llvm/lib/Support/YAMLParser.cpp diff | blob | history
llvm/lib/Support/YAMLTraits.cpp diff | blob | history
llvm/unittests/Support/YAMLIOTest.cpp diff | blob | history
Domain: System / Toolchain;