Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix null terminator in Demangle function. #1137

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Fix null terminator in Demangle function. #1137

wants to merge 4 commits into from

Conversation

martonka
Copy link

If the demangled name is longer than out_size, the null terminator is missing from the output. This will cause a crash in the DemangleInplace() function (symbolize.cc) when calling strlen on the buffer.

Reproduction Steps:

Use a function with a demangled name longer than 256 characters.
Attempt to log a fatal error with a stack trace.
This will cause a crash.
Example input for DemangleInplace that makes it crash (on Ubuntu):
"ZN4kudu9FsManager9AddTenantERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES8_St8optionalIS6_ESA_SA"

@google-cla Google CLA
Copy link

google-cla bot commented Oct 25, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@codecov-commenter
Copy link

codecov-commenter commented Oct 25, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 60.08%. Comparing base (2075ae8) to head (f571878).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #1137      +/-   ##
==========================================
- Coverage   64.03%   60.08%   -3.95%     
==========================================
  Files          20       16       -4     
  Lines        2580     1794     -786     
  Branches      888      660     -228     
==========================================
- Hits         1652     1078     -574     
+ Misses        663      531     -132     
+ Partials      265      185      -80
Files with missing lines Coverage Δ
src/demangle.cc 100.00% <ø> (+50.00%) ⬆️

... and 12 files with indirect coverage changes

@martonka
Copy link
Author

I added a second commit extending the SymbolizeWithDemangling (just demangle a longer function). It crashes without my fix.

@martonka martonka force-pushed the master branch 3 times, most recently from 530d7a7 to 2fe8a07 Compare October 28, 2024 10:22
sergiud
sergiud requested changes Oct 28, 2024
View reviewed changes
Copy link
Collaborator

@sergiud sergiud left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR! I have a couple of remarks.

src/demangle.cc Outdated Show resolved Hide resolved
src/symbolize_unittest.cc Outdated Show resolved Hide resolved
src/symbolize_unittest.cc Outdated Show resolved Hide resolved
@martonka martonka requested a review from sergiud October 28, 2024 13:38
sergiud
sergiud requested changes Oct 28, 2024
View reviewed changes
src/demangle.cc Outdated Show resolved Hide resolved
@martonka martonka requested a review from sergiud October 28, 2024 16:03
@martonka
Fix null terminator in Demangle function.
644f0e9 
If the demangled name is longer than out_size, the null terminator is
missing from the output. This will cause a crash in the DemangleInplace()
function (symbolize.cc) when calling strlen on the buffer.
@sergiud
Copy link
Collaborator

sergiud commented Nov 1, 2024

I had another look at the existing unit tests and now I'm not convinced that trimming the output is a good idea. This will possibly result in some sort of ambiguity or even will confuse users.

The easiest way of fixing the issue is to simply return false whenever the buffer size is too small to be consistent with the behavior of the existing demangler. In the long term, however, we should switch to dynamic memory (re)allocation (e.g., by using std::string as the return type) to avoid insufficient buffer size situations.

sergiud
sergiud requested changes Nov 1, 2024
View reviewed changes
src/demangle.cc
@@ -1350,7 +1351,15 @@ bool Demangle(const char* mangled, char* out, size_t out_size) {
return false;
}

std::copy_n(unmangled.get(), std::min(n, out_size), out);
if (out_size > 0) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Return false early if n > out_size.

src/demangle.cc
// n is the size of the allocated buffer, not the length of the string.
// Therefore, it includes the terminating zero (and possibly additional
// space).
std::size_t copy_size = std::min(n, out_size) - 1;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the checks are not necessary after all.

@sergiud
Copy link
Collaborator

sergiud commented Nov 1, 2024

@martonka I pushed some changes to your branch. Make sure to pull these before extending the PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sergiud sergiud sergiud requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@martonka @codecov-commenter @sergiud