Limit symbol length in demangle()

Summary: GCC's `__cxa_demangle()` uses on-stack data structures for the parser state which are linear in the number of components of the symbol. For extremely long symbols, this can cause a stack overflow. This diff introduces an arbitrary symbol length limit above which we just return the mangled name. Reviewed By: philippv Differential Revision: D3641115 fbshipit-source-id: ec360bb20ca499fd0eaf3a06c5bbcbd1e936d845

Limit symbol length in demangle()
Summary: GCC's `__cxa_demangle()` uses on-stack data structures for the parser state which are linear in the number of components of the symbol. For extremely long symbols, this can cause a stack overflow. This diff introduces an arbitrary symbol length limit above which we just return the mangled name. Reviewed By: philippv Differential Revision: D3641115 fbshipit-source-id: ec360bb20ca499fd0eaf3a06c5bbcbd1e936d845
acd8ed50 · Giuseppe Ottaviano · Facebook Github Bot 0 · 342ce9ee · acd8ed50 · acd8ed50
Commit acd8ed50 authored Jul 29, 2016 by Giuseppe Ottaviano Committed by Facebook Github Bot 0 Jul 29, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 62 additions and 1 deletion

folly/Demangle.cpp folly/Demangle.cpp +25 -0

folly/test/DemangleTest.cpp folly/test/DemangleTest.cpp +37 -1

No files found.
--- a/folly/Demangle.cpp
+++ b/folly/Demangle.cpp
@@ -20,6 +20,7 @@
 #include <string.h>

 #include <folly/Malloc.h>
+#include <folly/portability/Config.h>

 #if FOLLY_HAVE_CPLUS_DEMANGLE_V3_CALLBACK
 # include <cxxabi.h>
@@ -60,6 +61,18 @@ namespace folly {
 #if FOLLY_HAVE_CPLUS_DEMANGLE_V3_CALLBACK

 fbstring demangle(const char* name) {
+#ifdef FOLLY_DEMANGLE_MAX_SYMBOL_SIZE
+  // GCC's __cxa_demangle() uses on-stack data structures for the
+  // parser state which are linear in the number of components of the
+  // symbol. For extremely long symbols, this can cause a stack
+  // overflow. We set an arbitrary symbol length limit above which we
+  // just return the mangled name.
+  size_t mangledLen = strlen(name);
+  if (mangledLen > FOLLY_DEMANGLE_MAX_SYMBOL_SIZE) {
+    return fbstring(name, mangledLen);
+  }
+#endif
+
  int status;
  size_t len = 0;
  // malloc() memory for the demangled type name
@@ -92,6 +105,18 @@ void demangleCallback(const char* str, size_t size, void* p) {
 }  // namespace

 size_t demangle(const char* name, char* out, size_t outSize) {
+#ifdef FOLLY_DEMANGLE_MAX_SYMBOL_SIZE
+  size_t mangledLen = strlen(name);
+  if (mangledLen > FOLLY_DEMANGLE_MAX_SYMBOL_SIZE) {
+    if (outSize) {
+      size_t n = std::min(mangledLen, outSize - 1);
+      memcpy(out, name, n);
+      out[n] = '\0';
+    }
+    return mangledLen;
+  }
+#endif
+
  DemangleBuf dbuf;
  dbuf.dest = out;
  dbuf.remaining = outSize ? outSize - 1 : 0;   // leave room for null term

--- a/folly/test/DemangleTest.cpp
+++ b/folly/test/DemangleTest.cpp
@@ -45,7 +45,43 @@ TEST(Demangle, demangle) {
    EXPECT_STREQ("folly_test", buf);
  }
 }
-#endif
+
+#if defined(FOLLY_DEMANGLE_MAX_SYMBOL_SIZE)
+namespace {
+
+template <int I, class T1, class T2>
+struct Node {};
+
+template <int N, int I = 1>
+struct LongSymbol {
+  using arg1 = typename LongSymbol<N / 2, 2 * I>::type;
+  using arg2 = typename LongSymbol<N / 2, 2 * I + 1>::type;
+  using type = Node<I, arg1, arg2>;
+};
+
+template <int I>
+struct LongSymbol<0, I> {
+  using type = void;
+};
+
+} // namespace
+
+TEST(Demangle, LongSymbolFallback) {
+  // The symbol must be at least FOLLY_DEMANGLE_MAX_SYMBOL_SIZE long.
+  using Symbol = LongSymbol<FOLLY_DEMANGLE_MAX_SYMBOL_SIZE>::type;
+  auto name = typeid(Symbol).name();
+
+  EXPECT_STREQ(name, demangle(name).c_str());
+
+  char buf[16];
+  char expected[16];
+  folly::demangle(name, buf, 16);
+  folly::strlcpy(expected, name, 16);
+  EXPECT_STREQ(expected, buf);
+}
+#endif // defined(FOLLY_DEMANGLE_MAX_SYMBOL_SIZE)
+
+#endif // FOLLY_HAVE_CPLUS_DEMANGLE_V3_CALLBACK

 TEST(Demangle, strlcpy) {
  char buf[6];