[ https://issues.apache.org/jira/browse/XERCESC-2126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Yuseok Jeon updated XERCESC-2126:
---------------------------------

Description:

Hi all,

Our type confusion detection tool reports a type_confusion error in "xercesc/validators/schema/SchemaValidator.cpp" at line 772:

    756 void SchemaValidator::preContentValidation(bool, bool validateDefAttr)
    758 {
    769     RefHashTableOfEnumerator<Grammar> grammarEnum = fGrammarResolver->getGrammarEnumerator();
    770     while (grammarEnum.hasMoreElements())
    771     {
    772         SchemaGrammar& sGrammar = (SchemaGrammar&) grammarEnum.nextElement();   <-- reported type confusion
    773         if (sGrammar.getGrammarType() != Grammar::SchemaGrammarType || sGrammar.getValidated())
    774             continue;
        …
        }

In line 772, grammarEnum.nextElement() indicates an object allocated as DTDGrammar, and it is cast to SchemaGrammar. However, since SchemaGrammar is not a subobject of DTDGrammar, this violates C++ standard rule 5.2.9/11 (down casting is undefined if the object that the pointer to be cast points to is not a subobject of the down casting type) and causes undefined behavior.

There are similar type-confusion cases at the links below.
- (Xerces-c++) https://issues.apache.org/jira/browse/XERCESC-2088
- (libstdc++) https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
- (Firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=1074280

I attached detailed type confusion information.
> Type Confusion from DTDGrammar to SchemaGrammar
> -----------------------------------------------
>
>                 Key: XERCESC-2126
>                 URL: https://issues.apache.org/jira/browse/XERCESC-2126
>             Project: Xerces-C++
>          Issue Type: Bug
>          Components: DOM
>    Affects Versions: 3.2.0
>         Environment: Ubuntu 16.04 LTS, Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz, 16GB
>            Reporter: Yuseok Jeon
>         Attachments: Xerces-C++ Type confusion Report.pdf
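Added example (not code from Xerces-C++ or from the reporter): a stand-alone C++ model of the loop above that moves the grammar-type check in front of the cast, so the check runs on the base Grammar reference rather than through an already mis-typed SchemaGrammar reference, plus a dynamic_cast variant that rejects a DTDGrammar outright. The Grammar/DTDGrammar/SchemaGrammar classes are simplified stand-ins with an assumed shape, not the library's own.

```cpp
#include <cstddef>
#include <iostream>
#include <vector>

// Hypothetical stand-ins for the Xerces-C++ Grammar hierarchy (assumed shape,
// not the library's own classes): every Grammar carries a type tag, and
// DTDGrammar and SchemaGrammar are unrelated siblings below Grammar.
struct Grammar {
    enum GrammarType { DTDGrammarType, SchemaGrammarType };
    virtual ~Grammar() {}
    virtual GrammarType getGrammarType() const = 0;
};
struct DTDGrammar : Grammar {
    GrammarType getGrammarType() const override { return DTDGrammarType; }
};
struct SchemaGrammar : Grammar {
    bool validated = false;
    GrammarType getGrammarType() const override { return SchemaGrammarType; }
    bool getValidated() const { return validated; }
    void setValidated() { validated = true; }
};

// The loop in the report casts first and checks the type tag afterwards,
// through a reference that may already be mis-typed. Here the tag is checked
// on the base reference before any cast, so a DTDGrammar is never viewed as a
// SchemaGrammar. Returns how many schema grammars were newly marked validated.
std::size_t validateSchemaGrammars(std::vector<Grammar*>& grammars) {
    std::size_t newlyValidated = 0;
    for (Grammar* g : grammars) {
        if (g->getGrammarType() != Grammar::SchemaGrammarType)
            continue;                                    // skip DTDGrammar before casting
        SchemaGrammar& sGrammar = static_cast<SchemaGrammar&>(*g);  // tag makes this valid
        if (sGrammar.getValidated())
            continue;
        sGrammar.setValidated();
        ++newlyValidated;
    }
    return newlyValidated;
}

// Tag-free alternative: dynamic_cast yields nullptr for a DTDGrammar (needs RTTI).
bool isSchemaGrammar(Grammar* g) { return dynamic_cast<SchemaGrammar*>(g) != nullptr; }

// Constructed sample: one DTD grammar, two schema grammars, one pre-validated.
std::size_t demoNewlyValidated() {
    DTDGrammar dtd; SchemaGrammar s1, s2; s2.setValidated();
    std::vector<Grammar*> grammars{&dtd, &s1, &s2};
    return validateSchemaGrammars(grammars);             // 1: only s1 is new
}
bool demoDtdRejected() { DTDGrammar dtd; return !isSchemaGrammar(&dtd); }
int main() { std::cout << demoNewlyValidated() << ' ' << demoDtdRejected() << '\n'; }
```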
-- This message was sent by Atlassian JIRA (v6.4.14#64029)