
Checking the validity of line range before generating code actions #2384


Merged (2 commits), Apr 15, 2025

Conversation

henryhchchc
Contributor

Added a validity check of the line range before proceeding in GenerateAutoExpandCodeActions.

This can prevent a buffer overflow in AutoExpander::FindAutoKinds() at

const auto &auto_kinds = range_expander.FindAutoKinds();

This is because, when constructing an AutoExpander, the return value of std::distance will be negative when end goes before begin, which becomes super large when cast into size_t, causing a buffer overflow.

const auto begin = text_structure.Lines()[min].begin();
const auto end = text_structure.Lines()[max].end();
const size_t length = static_cast<size_t>(std::distance(begin, end));
expand_span_ = std::string_view(&*begin, length);


linux-foundation-easycla bot commented Apr 3, 2025

CLA Signed

The committers listed above are authorized under a signed CLA.

@henryhchchc
Contributor Author

A POC for the buffer overflow can be a code action request with the starting line greater than the ending line; an example is as follows:

{
  "jsonrpc": "2.0",
  "id": 4,
  "method": "textDocument/codeAction",
  "params": {
    "textDocument": {
      "uri": "file:///path/to/some.sv"
    },
    "range": {
      "start": {
        "line": 94,
        "character": 0
      },
      "end": {
        "line": 0,
        "character": 0
      }
    }
  }
}

The stack trace is as follows

==1371==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51d00000db45 at pc 0x0000004c8b9b bp 0x7ffe8c166fb0 sp 0x7ffe8c166780
READ of size 2905 at 0x51d00000db45 thread T0
    #0 0x4c8b9a in memchr (/src/target/verible-verilog-ls+0x4c8b9a) (BuildId: cfa0c791cbc28472)
    #1 0x794b13 in re2::Prog::PrefixAccel_FrontAndBack(void const*, unsigned long) /proc/self/cwd/external/re2~2024-07-02.bcr.1/re2/prog.cc:1176:39
    #2 0x7a146c in re2::Prog::PrefixAccel(void const*, unsigned long) /proc/self/cwd/external/re2~2024-07-02.bcr.1/re2/prog.h:254:14
    #3 0x7a146c in bool re2::DFA::InlinedSearchLoop<true, false, true>(re2::DFA::SearchParams*) /proc/self/cwd/external/re2~2024-07-02.bcr.1/re2/dfa.cc:1396:26
    #4 0x7ac515 in re2::DFA::FastSearchLoop(re2::DFA::SearchParams*) /proc/self/cwd/external/re2~2024-07-02.bcr.1/re2/dfa.cc:1617:10
    #5 0x7ac515 in re2::DFA::Search(std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>, bool, bool, bool, bool*, char const**, re2::SparseSetT<void>*) /proc/self/cwd/external/re2~2024-07-02.bcr.1/re2/dfa.cc:1793:14
    #6 0x7ace07 in re2::Prog::SearchDFA(std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>, re2::Prog::Anchor, re2::Prog::MatchKind, std::basic_string_view<char, std::char_traits<char>>*, bool*, re2::SparseSetT<void>*) /proc/self/cwd/external/re2~2024-07-02.bcr.1/re2/dfa.cc:1890:23
    #7 0x75cfb8 in re2::RE2::Match(std::basic_string_view<char, std::char_traits<char>>, unsigned long, unsigned long, re2::RE2::Anchor, std::basic_string_view<char, std::char_traits<char>>*, int) const /proc/self/cwd/external/re2~2024-07-02.bcr.1/re2/re2.cc:774:19
    #8 0x75c1a2 in re2::RE2::DoMatch(std::basic_string_view<char, std::char_traits<char>>, re2::RE2::Anchor, unsigned long*, re2::RE2::Arg const* const*, int) const /proc/self/cwd/external/re2~2024-07-02.bcr.1/re2/re2.cc:940:8
    #9 0x75ed10 in re2::RE2::FindAndConsumeN(std::basic_string_view<char, std::char_traits<char>>*, re2::RE2 const&, re2::RE2::Arg const* const*, int) /proc/self/cwd/external/re2~2024-07-02.bcr.1/re2/re2.cc:437:10
    #10 0x5c976b in bool re2::RE2::Apply<bool (*)(std::basic_string_view<char, std::char_traits<char>>*, re2::RE2 const&, re2::RE2::Arg const* const*, int), std::basic_string_view<char, std::char_traits<char>>*, re2::RE2::Arg>(bool (*)(std::basic_string_view<char, std::char_traits<char>>*, re2::RE2 const&, re2::RE2::Arg const* const*, int), std::basic_string_view<char, std::char_traits<char>>*, re2::RE2 const&, re2::RE2::Arg const&) /proc/self/cwd/external/re2~2024-07-02.bcr.1/re2/re2.h:367:12
    #11 0x5c976b in bool re2::RE2::FindAndConsume<std::basic_string_view<char, std::char_traits<char>>*>(std::basic_string_view<char, std::char_traits<char>>*, re2::RE2 const&, std::basic_string_view<char, std::char_traits<char>>*&&) /proc/self/cwd/external/re2~2024-07-02.bcr.1/re2/re2.h:464:12
    #12 0x5c976b in verilog::(anonymous namespace)::AutoExpander::FindAutoKinds() /proc/self/cwd/verible/verilog/tools/ls/autoexpand.cc:1545:10
    #13 0x5c976b in verilog::GenerateAutoExpandCodeActions(verilog::SymbolTableHandler*, verilog::BufferTracker const*, verible::lsp::CodeActionParams const&) /proc/self/cwd/verible/verilog/tools/ls/autoexpand.cc:1697:43
    #14 0x5c24c4 in verilog::GenerateCodeActions(verilog::SymbolTableHandler*, verilog::BufferTracker const*, verible::lsp::CodeActionParams const&) /proc/self/cwd/verible/verilog/tools/ls/verible-lsp-adapter.cc:220:7
    #15 0x599832 in verilog::VerilogLanguageServer::SetRequestHandlers()::$_2::operator()(verible::lsp::CodeActionParams const&) const /proc/self/cwd/verible/verilog/tools/ls/verilog-language-server.cc:119:16
    #16 0x599832 in std::vector<verible::lsp::CodeAction, std::allocator<verible::lsp::CodeAction>> std::__invoke_impl<std::vector<verible::lsp::CodeAction, std::allocator<verible::lsp::CodeAction>>, verilog::VerilogLanguageServer::SetRequestHandlers()::$_2&, nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&>(std::__invoke_other, verilog::VerilogLanguageServer::SetRequestHandlers()::$_2&, nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/invoke.h:61:14
    #17 0x599832 in std::enable_if<is_invocable_r_v<nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void>, verilog::VerilogLanguageServer::SetRequestHandlers()::$_2&, nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&>, nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void>>::type std::__invoke_r<nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void>, verilog::VerilogLanguageServer::SetRequestHandlers()::$_2&, nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&>(verilog::VerilogLanguageServer::SetRequestHandlers()::$_2&, nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, 
nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/invoke.h:114:9
    #18 0x599832 in std::_Function_handler<nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> (nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&), verilog::VerilogLanguageServer::SetRequestHandlers()::$_2>::_M_invoke(std::_Any_data const&, nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/std_function.h:290:9
    #19 0x8ea79e in std::function<nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> (nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&)>::operator()(nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&) const /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/std_function.h:591:9
    #20 0x8ea79e in verible::lsp::JsonRpcDispatcher::CallRequestHandler(nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /proc/self/cwd/verible/common/lsp/json-rpc-dispatcher.cc:98:33
    #21 0x8e6a82 in verible::lsp::JsonRpcDispatcher::DispatchMessage(std::basic_string_view<char, std::char_traits<char>>) /proc/self/cwd/verible/common/lsp/json-rpc-dispatcher.cc:54:15
    #22 0x917c11 in std::function<void (std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>)>::operator()(std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>) const /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/std_function.h:591:9
    #23 0x917c11 in verible::lsp::MessageStreamSplitter::ProcessContainedMessages(std::basic_string_view<char, std::char_traits<char>>*) /proc/self/cwd/verible/common/lsp/message-stream-splitter.cc:98:5
    #24 0x91729a in verible::lsp::MessageStreamSplitter::ReadInput(std::function<int (char*, int)> const&) /proc/self/cwd/verible/common/lsp/message-stream-splitter.cc:141:3
    #25 0x5b8b22 in verible::lsp::MessageStreamSplitter::PullFrom(std::function<int (char*, int)> const&) /proc/self/cwd/verible/common/lsp/message-stream-splitter.cc:36:10
    #26 0x5b8b22 in verilog::VerilogLanguageServer::Step(std::function<int (char*, int)> const&) /proc/self/cwd/verible/verilog/tools/ls/verilog-language-server.cc:190:27
    #27 0x5b8b22 in verilog::VerilogLanguageServer::Run(std::function<int (char*, int)> const&) /proc/self/cwd/verible/verilog/tools/ls/verilog-language-server.cc:197:14
    #28 0x585ad7 in main /proc/self/cwd/verible/verilog/tools/ls/verible-verilog-ls.cc:69:32
    #29 0x7fa1523b25cf in __libc_start_call_main (/lib64/libc.so.6+0x295cf) (BuildId: 7a40a22c9a82854f3d66767232ae364a99174860)
    #30 0x7fa1523b267f in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x2967f) (BuildId: 7a40a22c9a82854f3d66767232ae364a99174860)
    #31 0x4ab624 in _start (/src/target/verible-verilog-ls+0x4ab624) (BuildId: cfa0c791cbc28472)

0x51d00000db45 is located 0 bytes after 2245-byte region [0x51d00000d280,0x51d00000db45)
allocated by thread T0 here:
    #0 0x546ab3 in malloc (/src/target/verible-verilog-ls+0x546ab3) (BuildId: cfa0c791cbc28472)
    #1 0x7fa152746cbb in operator new(unsigned long) (/lib64/libstdc++.so.6+0xadcbb) (BuildId: 3c0727565aca091d0f3049f9655cb7d223bf62e6)
    #2 0x934895 in verilog::VerilogAnalyzer::AnalyzeAutomaticPreprocessFallback(std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>) /proc/self/cwd/verible/verilog/analysis/verilog-analyzer.cc:223:16
    #3 0x62d48c in verilog::ParsedBuffer::ParsedBuffer(long, std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>) /proc/self/cwd/verible/verilog/tools/ls/lsp-parse-buffer.cc:57:15
    #4 0x62febb in verilog::BufferTracker::Update(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const&)::$_0::operator()(std::basic_string_view<char, std::char_traits<char>>) const /proc/self/cwd/verible/verilog/tools/ls/lsp-parse-buffer.cc:74:24
    #5 0x62febb in void std::__invoke_impl<void, verilog::BufferTracker::Update(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const&)::$_0&, std::basic_string_view<char, std::char_traits<char>>>(std::__invoke_other, verilog::BufferTracker::Update(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const&)::$_0&, std::basic_string_view<char, std::char_traits<char>>&&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/invoke.h:61:14
    #6 0x62febb in std::enable_if<is_invocable_r_v<void, verilog::BufferTracker::Update(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const&)::$_0&, std::basic_string_view<char, std::char_traits<char>>>, void>::type std::__invoke_r<void, verilog::BufferTracker::Update(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const&)::$_0&, std::basic_string_view<char, std::char_traits<char>>>(verilog::BufferTracker::Update(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const&)::$_0&, std::basic_string_view<char, std::char_traits<char>>&&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/invoke.h:111:2
    #7 0x62febb in std::_Function_handler<void (std::basic_string_view<char, std::char_traits<char>>), verilog::BufferTracker::Update(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const&)::$_0>::_M_invoke(std::_Any_data const&, std::basic_string_view<char, std::char_traits<char>>&&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/std_function.h:290:9
    #8 0x8e615f in std::function<void (std::basic_string_view<char, std::char_traits<char>>)>::operator()(std::basic_string_view<char, std::char_traits<char>>) const /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/std_function.h:591:9
    #9 0x8e615f in verible::lsp::EditTextBuffer::RequestContent(std::function<void (std::basic_string_view<char, std::char_traits<char>>)> const&) const /proc/self/cwd/verible/common/lsp/lsp-text-buffer.cc:183:3
    #10 0x62f6f8 in verilog::BufferTracker::Update(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const&) /proc/self/cwd/verible/verilog/tools/ls/lsp-parse-buffer.cc:73:7
    #11 0x63281a in verilog::BufferTrackerContainer::Update(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const&) /proc/self/cwd/verible/verilog/tools/ls/lsp-parse-buffer.cc:116:27
    #12 0x630def in verilog::BufferTrackerContainer::GetSubscriptionCallback[abi:cxx11]()::$_0::operator()(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const*) const /proc/self/cwd/verible/verilog/tools/ls/lsp-parse-buffer.cc:96:42
    #13 0x630def in void std::__invoke_impl<void, verilog::BufferTrackerContainer::GetSubscriptionCallback[abi:cxx11]()::$_0&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const*>(std::__invoke_other, verilog::BufferTrackerContainer::GetSubscriptionCallback[abi:cxx11]()::$_0&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const*&&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/invoke.h:61:14
    #14 0x630def in std::enable_if<is_invocable_r_v<void, verilog::BufferTrackerContainer::GetSubscriptionCallback[abi:cxx11]()::$_0&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const*>, void>::type std::__invoke_r<void, verilog::BufferTrackerContainer::GetSubscriptionCallback[abi:cxx11]()::$_0&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const*>(verilog::BufferTrackerContainer::GetSubscriptionCallback[abi:cxx11]()::$_0&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const*&&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/invoke.h:111:2
    #15 0x630def in std::_Function_handler<void (std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const*), verilog::BufferTrackerContainer::GetSubscriptionCallback()::$_0>::_M_invoke(std::_Any_data const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const*&&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/std_function.h:290:9
    #16 0x8e3671 in std::function<void (std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const*)>::operator()(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, verible::lsp::EditTextBuffer const*) const /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/std_function.h:591:9
    #17 0x8e3671 in verible::lsp::BufferCollection::didOpenEvent(verible::lsp::DidOpenTextDocumentParams const&) /proc/self/cwd/verible/common/lsp/lsp-text-buffer.cc:156:7
    #18 0x8dc34d in verible::lsp::BufferCollection::BufferCollection(verible::lsp::JsonRpcDispatcher*)::$_0::operator()(verible::lsp::DidOpenTextDocumentParams const&) const /proc/self/cwd/verible/common/lsp/lsp-text-buffer.cc:141:52
    #19 0x8dc34d in void std::__invoke_impl<void, verible::lsp::BufferCollection::BufferCollection(verible::lsp::JsonRpcDispatcher*)::$_0&, nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&>(std::__invoke_other, verible::lsp::BufferCollection::BufferCollection(verible::lsp::JsonRpcDispatcher*)::$_0&, nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/invoke.h:61:14
    #20 0x8dc34d in std::enable_if<is_invocable_r_v<void, verible::lsp::BufferCollection::BufferCollection(verible::lsp::JsonRpcDispatcher*)::$_0&, nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&>, void>::type std::__invoke_r<void, verible::lsp::BufferCollection::BufferCollection(verible::lsp::JsonRpcDispatcher*)::$_0&, nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&>(verible::lsp::BufferCollection::BufferCollection(verible::lsp::JsonRpcDispatcher*)::$_0&, nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/invoke.h:111:2
    #21 0x8dc34d in std::_Function_handler<void (nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&), verible::lsp::BufferCollection::BufferCollection(verible::lsp::JsonRpcDispatcher*)::$_0>::_M_invoke(std::_Any_data const&, nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/std_function.h:290:9
    #22 0x8e9d73 in std::function<void (nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&)>::operator()(nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&) const /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/std_function.h:591:9
    #23 0x8e9d73 in verible::lsp::JsonRpcDispatcher::CallNotification(nlohmann::json_abi_v3_11_3::basic_json<std::map, std::vector, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, bool, long, unsigned long, double, std::allocator, nlohmann::json_abi_v3_11_3::adl_serializer, std::vector<unsigned char, std::allocator<unsigned char>>, void> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /proc/self/cwd/verible/common/lsp/json-rpc-dispatcher.cc:77:5
    #24 0x8e6a6f in verible::lsp::JsonRpcDispatcher::DispatchMessage(std::basic_string_view<char, std::char_traits<char>>) /proc/self/cwd/verible/common/lsp/json-rpc-dispatcher.cc:52:15
    #25 0x917c11 in std::function<void (std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>)>::operator()(std::basic_string_view<char, std::char_traits<char>>, std::basic_string_view<char, std::char_traits<char>>) const /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/std_function.h:591:9
    #26 0x917c11 in verible::lsp::MessageStreamSplitter::ProcessContainedMessages(std::basic_string_view<char, std::char_traits<char>>*) /proc/self/cwd/verible/common/lsp/message-stream-splitter.cc:98:5
    #27 0x91729a in verible::lsp::MessageStreamSplitter::ReadInput(std::function<int (char*, int)> const&) /proc/self/cwd/verible/common/lsp/message-stream-splitter.cc:141:3
    #28 0x5b8b22 in verible::lsp::MessageStreamSplitter::PullFrom(std::function<int (char*, int)> const&) /proc/self/cwd/verible/common/lsp/message-stream-splitter.cc:36:10
    #29 0x5b8b22 in verilog::VerilogLanguageServer::Step(std::function<int (char*, int)> const&) /proc/self/cwd/verible/verilog/tools/ls/verilog-language-server.cc:190:27
    #30 0x5b8b22 in verilog::VerilogLanguageServer::Run(std::function<int (char*, int)> const&) /proc/self/cwd/verible/verilog/tools/ls/verilog-language-server.cc:197:14
    #31 0x585ad7 in main /proc/self/cwd/verible/verilog/tools/ls/verible-verilog-ls.cc:69:32
    #32 0x7fa1523b25cf in __libc_start_call_main (/lib64/libc.so.6+0x295cf) (BuildId: 7a40a22c9a82854f3d66767232ae364a99174860)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/target/verible-verilog-ls+0x4c8b9a) (BuildId: cfa0c791cbc28472) in memchr
Shadow bytes around the buggy address:
  0x51d00000d880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x51d00000d900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x51d00000d980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x51d00000da00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x51d00000da80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x51d00000db00: 00 00 00 00 00 00 00 00[05]fa fa fa fa fa fa fa
  0x51d00000db80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x51d00000dc00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x51d00000dc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x51d00000dd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x51d00000dd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1371==ABORTING
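The mechanism described in the PR description (a negative std::distance cast to size_t) and the inverted range in the request above, shown as an added, self-contained example. This is not Verible's code: Document, MakeDocument, LineRange, UncheckedSpanLength and CheckedSpan are hypothetical stand-ins for the real buffer and LSP types, the three-line SystemVerilog document is constructed, and the out-of-bounds line check is an extra check beyond the inversion check the description names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <iterator>
#include <optional>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

// Hypothetical stand-in for the LSP range: zero-based line numbers, as in the
// textDocument/codeAction request quoted above. Not Verible's own type.
struct LineRange {
  int64_t start_line;
  int64_t end_line;
};

// Constructed document: one contiguous text buffer plus the [begin, end) byte
// offsets of each line, mimicking a Lines() view over the buffer.
struct Document {
  std::string text;
  std::vector<std::pair<size_t, size_t>> lines;
};

Document MakeDocument(const std::vector<std::string>& lines) {
  Document doc;
  for (const auto& l : lines) {
    const size_t begin = doc.text.size();
    doc.text += l;
    doc.text += '\n';
    doc.lines.emplace_back(begin, doc.text.size());
  }
  return doc;
}

// The unchecked computation from the description: with end before begin,
// std::distance is negative and the static_cast wraps it to a huge size_t.
// Only the length is returned; no string_view is built from it. Both lines
// must exist in the document (the caller guarantees that in this example).
size_t UncheckedSpanLength(const Document& doc, int64_t min_line, int64_t max_line) {
  const auto begin = doc.text.begin() + doc.lines[min_line].first;
  const auto end = doc.text.begin() + doc.lines[max_line].second;
  return static_cast<size_t>(std::distance(begin, end));
}

// Validation a request handler should run before touching the buffer: both
// lines must exist and the range must not be inverted. Returns std::nullopt
// for an invalid range, otherwise the exact span of text it covers.
std::optional<std::string_view> CheckedSpan(const Document& doc, const LineRange& r) {
  const int64_t line_count = static_cast<int64_t>(doc.lines.size());
  if (r.start_line < 0 || r.end_line < 0) return std::nullopt;
  if (r.start_line >= line_count || r.end_line >= line_count) return std::nullopt;
  if (r.start_line > r.end_line) return std::nullopt;  // the PoC case: 94 > 0
  const size_t begin = doc.lines[r.start_line].first;
  const size_t end = doc.lines[r.end_line].second;
  return std::string_view(doc.text).substr(begin, end - begin);
}

bool IsValidLineRange(const Document& doc, const LineRange& r) {
  return CheckedSpan(doc, r).has_value();
}

int main() {
  const Document doc = MakeDocument({"module m;", "  wire w;", "endmodule"});
  std::printf("inverted (2,0) unchecked length: %zu (buffer is %zu bytes)\n",
              UncheckedSpanLength(doc, 2, 0), doc.text.size());
  std::printf("range 94..0 valid: %s\n", IsValidLineRange(doc, {94, 0}) ? "yes" : "no");
  std::printf("range 0..2 valid:  %s\n", IsValidLineRange(doc, {0, 2}) ? "yes" : "no");
  return 0;
}
```

The rejection happens before any iterator arithmetic, so a malformed request gets an empty result instead of reaching a regex search over a span whose length no longer describes memory the server owns.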

@hzeller
Collaborator

hzeller commented Apr 14, 2025

Nice, thanks!
Can you see a way to trigger the problem in a unit test, which then will not trigger with your fix?
Have a look at autoexpand_test.cc and add a test case.

@henryhchchc
Contributor Author

Sure. It is done.

@hzeller hzeller merged commit f98dfed into chipsalliance:master Apr 15, 2025
33 checks passed
@hzeller
Collaborator

hzeller commented Apr 15, 2025

Thanks!
