[NFC][Clang] Fix potential deref of end iterator #70193
Conversation
This was found by doing bound-checking on SmallVector iterator usage. When the count is 0, the end iterator is dereferenced to get its address. This doesn't seem to be an issue in practice as most of the time, and we are allowed to deref this address, but I don't think this is correct. Signed-off-by: Nathan Gauër <brioche@google.com>
|
CI seems OK, except clang format which complains about an unrelated line. Marking as ready. |
llvmbot
added
clang
|
@llvm/pr-subscribers-clang Author: Nathan Gauër (Keenuts) ChangesThis was found by doing bound-checking on SmallVector iterator usage. When the count is 0, the end iterator is dereferenced to get its address. This doesn't seem to be an issue in practice as most of the time we should be allowed to deref this address, but I don't think this is correct. Full diff: https://github.com/llvm/llvm-project/pull/70193.diff 1 Files Affected:
diff --git a/clang/include/clang/Sema/CXXFieldCollector.h b/clang/include/clang/Sema/CXXFieldCollector.h
index f6ecd9f46e5ebdb..ce066581c93fda7 100644
--- a/clang/include/clang/Sema/CXXFieldCollector.h
+++ b/clang/include/clang/Sema/CXXFieldCollector.h
@@ -65,7 +65,7 @@ class CXXFieldCollector {
/// getCurFields - Pointer to array of fields added to the currently parsed
/// class.
- FieldDecl **getCurFields() { return &*(Fields.end() - getCurNumFields()); }
+ FieldDecl **getCurFields() { return Fields.end() - getCurNumFields(); }
/// FinishClass - Called by Sema::ActOnFinishCXXClassDef.
void FinishClass() {
|
| @@ -65,7 +65,7 @@ class CXXFieldCollector { | |||
|
|
|||
| /// getCurFields - Pointer to array of fields added to the currently parsed | |||
| /// class. | |||
| FieldDecl **getCurFields() { return &*(Fields.end() - getCurNumFields()); } | |||
There was a problem hiding this comment.
Thanks for the review and linked pointers!
This seems to be the case. and generated code does only the pointer arithmetic, no actual load. Closing this as this is not an issue.
btw, I like your C++ trivia on twitter 😊
This was found by doing bound-checking on SmallVector iterator usage. When the count is 0, the end iterator is dereferenced to get its address. This doesn't seem to be an issue in practice as most of the time we should be allowed to deref this address, but I don't think this is correct.