From e44f724a5ce007ad789d4688a37d03c4845032c0 Mon Sep 17 00:00:00 2001
From: Luc Van Oostenryck
Date: Mon, 6 Jun 2022 23:49:14 +0200
Subject: fix crash when inlining casts of erroneous expressions
Sparse do inlining very early, during expansion, just after (type) evaluation and before IR linearization, and is done even if some errors have been found. This means that the inlining must be robust against erroneous code. However, during inlining, a cast expression is always dereferenced and a crash will occur if not valid (in which case it should be null). Fix this by checking for null cast expressions and directly returning NULL, like done for the inlining of the other invalid expressions.
Link: https://lore.kernel.org/r/e42698a9-494c-619f-ac16-8ffe2c87e04e@intel.com
Reported-by: kernel test robot
Reported-by: Yafang Shao
Reported-by: Yujie Liu
Signed-off-by: Luc Van Oostenryck
---
 inline.c | 2 ++
 validation/inline-early/bug-bad-token.c | 15 +++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 validation/inline-early/bug-bad-token.c
diff --git a/inline.c b/inline.c
index eceef8ba..0097e4bf 100644
--- a/inline.c
+++ b/inline.c
@@ -155,6 +155,8 @@ static struct expression * copy_expression(struct expression *expr)
 /* Cast/sizeof/__alignof__ */
 case EXPR_CAST:
+ if (!expr->cast_expression)
+ return NULL;
 if (expr->cast_expression->type == EXPR_INITIALIZER) {
 struct expression *cast = expr->cast_expression;
 struct symbol *sym = expr->cast_type;
diff --git a/validation/inline-early/bug-bad-token.c b/validation/inline-early/bug-bad-token.c
new file mode 100644
index 00000000..9049bdb4
--- /dev/null
+++ b/validation/inline-early/bug-bad-token.c
@@ -0,0 +1,15 @@
+inline void fun(int x)
+{
+ (typeof(@)) x;
+}
+
+void foo(void)
+{
+ fun;
+}
+
+/*
+ * check-name: bug-bad-token
+ * check-exit-value: 0
+ * check-error-ignore
+ */
-- cgit 1.2.3-korg
From 53e04b3b780bbcf2dd3eb7990c17414742bbfef9 Mon Sep 17 00:00:00 2001
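Review bot: The new `if (!expr->cast_expression) return NULL;` at the top of the EXPR_CAST case carries no hint of why a cast can reach copy_expression() with a null operand, so a later reader may take it for a dead check and drop it; a one-line why-comment would keep the reasoning that currently lives only in the commit message, e.g. `/* operand failed evaluation; inlining still runs on erroneous code, so bail out like the other invalid expressions */`. The rest of copy_expression(), including the other invalid-expression returns this mirrors, is outside the hunk, so I cannot confirm the surrounding cases follow the same convention. The EXPR_INITIALIZER branch that follows still reads `expr->cast_type` unguarded; if the same erroneous input can leave that null as well, it presumably wants the same check — to confirm against the evaluator.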
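Review bot: The test depends on `@` being an invalid token inside `(typeof(@)) x;` to produce the null cast operand, but nothing in the file says so, and `check-error-ignore` hides the diagnostic that would otherwise document it; a short comment on that line such as `/* '@' is not a valid token: the cast operand fails to evaluate and is left null */` would let the intent survive future edits. The bare `fun;` in foo() reads as a no-op statement, and since it is presumably what causes fun's body to be inlined early, it deserves a comment too, e.g. `/* reference fun so that its body gets inlined */` — confirm that this is indeed the trigger.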
From: Luc Van Oostenryck
Date: Tue, 7 Jun 2022 14:22:13 +0200
Subject: allow show_token() on TOKEN_ZERO_IDENT
TOKEN_ZERO_IDENTs are created during the evaluation of pre-processor expressions but which otherwise are normal idents and were first tokenized as TOKEN_IDENTs. As such, they could perfectly be displayed by show_token() but are not. So, in error messages they are displayed as "unhandled token type '4'", which is not at all informative. Fix this by letting show_token() process them like usual TOKEN_IDENTs. Idem for quote_token().
Signed-off-by: Luc Van Oostenryck
Acked-by: Linus Torvalds
---
 tokenize.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tokenize.c b/tokenize.c
index ea710543..fdaea370 100644
--- a/tokenize.c
+++ b/tokenize.c
@@ -201,6 +201,7 @@ const char *show_token(const struct token *token)
 return "end-of-input";
 case TOKEN_IDENT:
+ case TOKEN_ZERO_IDENT:
 return show_ident(token->ident);
 case TOKEN_NUMBER:
@@ -259,6 +260,7 @@ const char *quote_token(const struct token *token)
 return "syntax error";
 case TOKEN_IDENT:
+ case TOKEN_ZERO_IDENT:
 return show_ident(token->ident);
 case TOKEN_NUMBER:
-- cgit 1.2.3-korg
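Review bot: Both hunks add `case TOKEN_ZERO_IDENT:` as a fall-through into the TOKEN_IDENT arm without saying why the two token kinds share a representation, and that reason lives only in the commit message; a one-line comment on the new case in show_token(), e.g. `/* a zero-ident was a TOKEN_IDENT before pre-processor expression evaluation and still carries ->ident */`, is worth adding, and the same applies to the quote_token() hunk at @@ -259. Both switch statements start and end outside the hunks, so I cannot see whether any other token-type switch in this file has the same gap. If another switch falls back to the generic "unhandled token type" message for a TOKEN_ZERO_IDENT, it presumably wants the same treatment — to confirm.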