Merge pull request #12256 from Vexu/stage2

stage2 typeInfo UAF fix + more
2026-02-13 04:48:20 +00:00 · 2022-07-27 16:11:07 -07:00 · 2022-07-27 16:11:07 -07:00 · dfc7493dcb
commit dfc7493dcb
parent 90f23e131e 793db63746
5 changed files with 49 additions and 10 deletions
--- a/src/AstGen.zig
+++ b/src/AstGen.zig
@ -751,6 +751,7 @@ fn expr(gz: *GenZir, scope: *Scope, rl: ResultLoc, node: Ast.Node.Index) InnerEr
        },

        .unreachable_literal => {
+            try emitDbgNode(gz, node);
            _ = try gz.addAsIndex(.{
                .tag = .@"unreachable",
                .data = .{ .@"unreachable" = .{
@ -7443,7 +7444,6 @@ fn builtinCall(
        .bool_to_int           => return simpleUnOp(gz, scope, rl, node, bool_rl,                             params[0], .bool_to_int),
        .embed_file            => return simpleUnOp(gz, scope, rl, node, .{ .ty = .const_slice_u8_type },     params[0], .embed_file),
        .error_name            => return simpleUnOp(gz, scope, rl, node, .{ .ty = .anyerror_type },           params[0], .error_name),
-        .panic                 => return simpleUnOp(gz, scope, rl, node, .{ .ty = .const_slice_u8_type },     params[0], if (gz.force_comptime) .panic_comptime else .panic),
        .set_cold              => return simpleUnOp(gz, scope, rl, node, bool_rl,                             params[0], .set_cold),
        .set_runtime_safety    => return simpleUnOp(gz, scope, rl, node, bool_rl,                             params[0], .set_runtime_safety),
        .sqrt                  => return simpleUnOp(gz, scope, rl, node, .none,                               params[0], .sqrt),
@ -7476,6 +7476,10 @@ fn builtinCall(
        .truncate     => return typeCast(gz, scope, rl, node, params[0], params[1], .truncate),
        // zig fmt: on

+        .panic => {
+            try emitDbgNode(gz, node);
+            return simpleUnOp(gz, scope, rl, node, .{ .ty = .const_slice_u8_type }, params[0], if (gz.force_comptime) .panic_comptime else .panic);
+        },
        .error_to_int => {
            const operand = try expr(gz, scope, .none, params[0]);
            const result = try gz.addExtendedPayload(.error_to_int, Zir.Inst.UnNode{
--- a/src/Module.zig
+++ b/src/Module.zig
@ -1220,6 +1220,7 @@ pub const Union = struct {
        };
        const node = owner_decl.relativeToNodeIndex(u.node_offset);
        const node_tags = tree.nodes.items(.tag);
+        var buf: [2]Ast.Node.Index = undefined;
        switch (node_tags[node]) {
            .container_decl,
            .container_decl_trailing,
@ -1231,6 +1232,15 @@ pub const Union = struct {
            .container_decl_arg,
            .container_decl_arg_trailing,
            => return queryFieldSrc(tree.*, query, file, tree.containerDeclArg(node)),
+            .tagged_union,
+            .tagged_union_trailing,
+            => return queryFieldSrc(tree.*, query, file, tree.taggedUnion(node)),
+            .tagged_union_two,
+            .tagged_union_two_trailing,
+            => return queryFieldSrc(tree.*, query, file, tree.taggedUnionTwo(&buf, node)),
+            .tagged_union_enum_tag,
+            .tagged_union_enum_tag_trailing,
+            => return queryFieldSrc(tree.*, query, file, tree.taggedUnionEnumTag(node)),
            else => unreachable,
        }
    }
--- a/src/Sema.zig
+++ b/src/Sema.zig
@ -5695,6 +5695,7 @@ fn analyzeCall(
                    sema.inst_map.clearRetainingCapacity();
                    const decl = sema.mod.declPtr(block.src_decl);
                    child_block.src_decl = block.src_decl;
+                    arg_i = 0;
                    try sema.analyzeInlineCallArg(
                        block,
                        &child_block,
@ -12864,7 +12865,7 @@ fn zirTypeInfo(sema: *Sema, block: *Block, inst: Zir.Inst.Index) CompileError!Ai
                else
                    try Value.Tag.opt_payload.create(
                        params_anon_decl.arena(),
-                        try Value.Tag.ty.create(params_anon_decl.arena(), param_ty),
+                        try Value.Tag.ty.create(params_anon_decl.arena(), try param_ty.copy(params_anon_decl.arena())),
                    );

                const param_fields = try params_anon_decl.arena().create([3]Value);
@ -15441,8 +15442,17 @@ fn zirReify(sema: *Sema, block: *Block, inst: Zir.Inst.Index) CompileError!Air.I
            const is_allowzero_val = struct_val[6];
            const sentinel_val = struct_val[7];

+            const abi_align = @intCast(u29, alignment_val.toUnsignedInt(target)); // TODO: Validate this value.
+
            var buffer: Value.ToTypeBuffer = undefined;
-            const child_ty = child_val.toType(&buffer);
+            const unresolved_elem_ty = child_val.toType(&buffer);
+            const elem_ty = if (abi_align == 0)
+                unresolved_elem_ty
+            else t: {
+                const elem_ty = try sema.resolveTypeFields(block, src, unresolved_elem_ty);
+                try sema.resolveTypeLayout(block, src, elem_ty);
+                break :t elem_ty;
+            };

            const ptr_size = size_val.toEnum(std.builtin.Type.Pointer.Size);

@ -15454,7 +15464,7 @@ fn zirReify(sema: *Sema, block: *Block, inst: Zir.Inst.Index) CompileError!Air.I
                const sentinel_ptr_val = sentinel_val.castTag(.opt_payload).?.data;
                const ptr_ty = try Type.ptr(sema.arena, mod, .{
                    .@"addrspace" = .generic,
-                    .pointee_type = child_ty,
+                    .pointee_type = try elem_ty.copy(sema.arena),
                });
                actual_sentinel = (try sema.pointerDeref(block, src, sentinel_ptr_val, ptr_ty)).?;
            }
@ -15463,9 +15473,9 @@ fn zirReify(sema: *Sema, block: *Block, inst: Zir.Inst.Index) CompileError!Air.I
                .size = ptr_size,
                .mutable = !is_const_val.toBool(),
                .@"volatile" = is_volatile_val.toBool(),
-                .@"align" = @intCast(u29, alignment_val.toUnsignedInt(target)), // TODO: Validate this value.
+                .@"align" = abi_align,
                .@"addrspace" = address_space_val.toEnum(std.builtin.AddressSpace),
-                .pointee_type = try child_ty.copy(sema.arena),
+                .pointee_type = try elem_ty.copy(sema.arena),
                .@"allowzero" = is_allowzero_val.toBool(),
                .sentinel = actual_sentinel,
            });
@ -26626,7 +26636,7 @@ fn getBuiltinType(
 ) CompileError!Type {
    const ty_inst = try sema.getBuiltin(block, src, name);
    const result_ty = try sema.analyzeAsType(block, src, ty_inst);
-    try sema.queueFullTypeResolution(result_ty);
+    try sema.resolveTypeFully(block, src, result_ty); // Should not fail
    return result_ty;
 }

--- a/test/cases/fn_typeinfo_passed_to_comptime_fn.zig
+++ b/test/cases/fn_typeinfo_passed_to_comptime_fn.zig
@ -0,0 +1,17 @@
+const std = @import("std");
+
+test {
+    try foo(@typeInfo(@TypeOf(someFn)));
+}
+
+fn someFn(arg: ?*c_int) f64 {
+    _ = arg;
+    return 8;
+}
+fn foo(comptime info: std.builtin.Type) !void {
+    try std.testing.expect(info.Fn.args[0].arg_type.? == ?*c_int);
+}
+
+// run
+// is_test=1
+//
--- a/test/standalone.zig
+++ b/test/standalone.zig
@ -60,9 +60,7 @@ pub fn addCases(cases: *tests.StandaloneContext) void {
    }
    // Try to build and run a PIE executable.
    if (builtin.os.tag == .linux) {
-        if (builtin.zig_backend == .stage1) { // https://github.com/ziglang/zig/issues/12223
-            cases.addBuildFile("test/standalone/pie/build.zig", .{});
-        }
+        cases.addBuildFile("test/standalone/pie/build.zig", .{});
    }

    // Ensure the development tools are buildable.