authorLuc Van Oostenryck <luc.vanoostenryck@gmail.com>2022-06-06 23:49:14 +0200
committerLuc Van Oostenryck <luc.vanoostenryck@gmail.com>2022-06-07 14:52:37 +0200
commite44f724a5ce007ad789d4688a37d03c4845032c0 (patch)
tree5323db16e47c5b9f4b89b4d7c39f0351358877d5
parentb3cf30ba5b47dfa7414416fe3bc5ae34db6065e7 (diff)
downloadsparse-e44f724a5ce007ad789d4688a37d03c4845032c0.tar.gz
fix crash when inlining casts of erroneous expressions
Sparse does inlining very early, during expansion, just after (type) evaluation and before IR linearization, and it is done even if some errors have already been found. This means that the inlining must be robust against erroneous code. However, during inlining, a cast expression's operand is always dereferenced, and a crash will occur if the cast is not valid (in which case the operand is NULL). Fix this by checking for a NULL cast operand and directly returning NULL, as is done for the inlining of the other invalid expressions. Link: https://lore.kernel.org/r/e42698a9-494c-619f-ac16-8ffe2c87e04e@intel.com Reported-by: kernel test robot <lkp@intel.com> Reported-by: Yafang Shao <laoar.shao@gmail.com> Reported-by: Yujie Liu <yujie.liu@intel.com> Signed-off-by: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
-rw-r--r--inline.c2
-rw-r--r--validation/inline-early/bug-bad-token.c15
2 files changed, 17 insertions, 0 deletions
diff --git a/inline.c b/inline.c
index eceef8ba..0097e4bf 100644
--- a/inline.c
+++ b/inline.c
@@ -155,6 +155,8 @@ static struct expression * copy_expression(struct expression *expr)
/* Cast/sizeof/__alignof__ */
case EXPR_CAST:
+ if (!expr->cast_expression)
+ return NULL;
if (expr->cast_expression->type == EXPR_INITIALIZER) {
struct expression *cast = expr->cast_expression;
struct symbol *sym = expr->cast_type;
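Review bot: The new guard on `expr->cast_expression` carries no comment saying why a NULL operand is legitimate at this point, so a later reader will see a `case` that silently returns NULL and may take it for dead defensive code; suggest `/* erroneous operand (e.g. a bad token inside the cast type): propagate NULL like the other invalid expressions */` above the `if`. Since the commit message says inlining runs on code that has already failed evaluation, the same question applies to `expr->cast_type`, which is read two lines later into `sym` and presumably used further down — whether it is guaranteed non-NULL on those same error paths is not established by this hunk and is worth confirming before relying on the single check. The `case EXPR_CAST:` arm and the enclosing copy_expression() continue past the end of the hunk, so sibling cases listed under the "Cast/sizeof/__alignof__" comment are not visible here and may or may not dereference the operand the same way.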
diff --git a/validation/inline-early/bug-bad-token.c b/validation/inline-early/bug-bad-token.c
new file mode 100644
index 00000000..9049bdb4
--- /dev/null
+++ b/validation/inline-early/bug-bad-token.c
@@ -0,0 +1,15 @@
+inline void fun(int x)
+{
+ (typeof(@)) x;
+}
+
+void foo(void)
+{
+ fun;
+}
+
+/*
+ * check-name: bug-bad-token
+ * check-exit-value: 0
+ * check-error-ignore
+ */
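Review bot: The regression test exercises only the plain `(type) expr` form, while the comment on the patched switch arm groups casts with sizeof and __alignof__, so a second statement in fun() such as `sizeof(typeof(@));` or `__alignof__(typeof(@));` would confirm those sibling paths do not need the same NULL guard. A one-line comment above `fun;`, e.g. `/* merely naming the inline function is enough to trigger early inlining of its body */`, would tell a reader why no call is needed — assuming that is indeed how the crash is reached, which the test itself does not spell out.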