[ https://issues.apache.org/jira/browse/XERCESC-2088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Yuseok Jeon updated XERCESC-2088:
---------------------------------
Description:
Hi all,
Our recently developed type confusion detection tool reports a type_confusion
error in the "xercesc/dom/imple/DOMCasts.hpp"
xercesc/dom/imple/DOMCasts.hpp, line 146
static inline DOMNodeImpl *castToNodeImpl(const DOMNode *p)
{
DOMElementImpl *pE = (DOMElementImpl *)p;
return &(pE->fNode);
}
p is pointing to the object allocated as DOMTextImpl, and it is cast into
DOMElementImpl. However, since DOMElementImpl is not a subobject of
DOMTextImpl, it is violating C++ standard rule 5.2.9/11 (down casting is
undefined if the object that the pointer to be cast points to is not a
subobject of the down casting type) and causes undefined behavior.
There are similar type-confusion cases in the links below.
- (libstdc++) https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
- (Firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=1074280
I attached an actual type confusion report and object relationship information.
> Bad casting from DOMTextImpl to DOMElementImpl
> ----------------------------------------------
>
> Key: XERCESC-2088
> URL: https://issues.apache.org/jira/browse/XERCESC-2088
> Project: Xerces-C++
> Issue Type: Bug
> Components: DOM
> Affects Versions: 3.1.1, 3.1.2, 3.1.3, 3.1.4
> Environment: ubuntu 16.04 LTS, Intel(R) Core(TM) i7-6700 CPU @
> 3.40GHz, 16GB
> Reporter: Yuseok Jeon
> Attachments: Actual_result.txt, relationship_tree.jpeg
>
>
> Hi all,
> Our recently developed type confusion detection tool reports a type_confusion
> error in the "xercesc/dom/imple/DOMCasts.hpp"
> xercesc/dom/imple/DOMCasts.hpp, line 146
> static inline DOMNodeImpl *castToNodeImpl(const DOMNode *p)
> {
> DOMElementImpl *pE = (DOMElementImpl *)p;
> return &(pE->fNode);
> }
> p is pointing to the object allocated as DOMTextImpl, and it is cast into
> DOMElementImpl. However, since DOMElementImpl is not a subobject of
> DOMTextImpl, it is violating C++ standard rule 5.2.9/11 (down casting is
> undefined if the object that the pointer to be cast points to is not a
> subobject of the down casting type) and causes undefined behavior.
> There are similar type-confusion cases in the links below.
> - (libstdc++) https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
> - (Firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=1074280
> I attached an actual type confusion report and object relationship
> information.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
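Editor's added example (not Xerces-C++ code and not part of the report above): simplified stand-ins for DOMNode, DOMNodeImpl, DOMElementImpl and DOMTextImpl that reproduce the castToNodeImpl() pattern. The class layouts, member names fOwner/fKind/fTagName/fData and the sample values are assumptions chosen to show why the C-style cast only "works" while every *Impl class keeps fNode at the same offset, and how a dynamic_cast-based variant fails closed instead.

```cpp
// Added example, not Xerces-C++ code: simplified stand-ins that reproduce the
// castToNodeImpl() pattern from DOMCasts.hpp. Class layouts are assumptions
// chosen to expose the hazard the report describes.
#include <cstddef>
#include <cstdio>
#include <string>

struct DOMNode {                       // stand-in for the public DOMNode interface
    virtual ~DOMNode() = default;
};

struct DOMNodeImpl {                   // stand-in: per-node bookkeeping the cast reaches for
    DOMNode* fOwner;
    int      fKind;
    DOMNodeImpl(DOMNode* owner, int kind) : fOwner(owner), fKind(kind) {}
};

struct DOMElementImpl : DOMNode {      // fNode is the first data member after the vptr
    DOMNodeImpl fNode;
    std::string fTagName;
    DOMElementImpl() : fNode(this, 1), fTagName("p") {}
};

struct DOMTextImpl : DOMNode {         // assumption: a member precedes fNode, so its
    std::string fData;                 // offset differs from DOMElementImpl::fNode
    DOMNodeImpl fNode;
    DOMTextImpl() : fData("text"), fNode(this, 3) {}
};

// The pattern reported in DOMCasts.hpp: a C-style downcast that ignores the
// dynamic type of *p. It only "works" while every *Impl class keeps fNode at
// the same offset; the standard makes it undefined regardless.
static inline DOMNodeImpl* castToNodeImplUnsafe(const DOMNode* p) {
    DOMElementImpl* pE = (DOMElementImpl*)p;
    return &(pE->fNode);
}

// Hardened variant: dynamic_cast consults the vtable, so a DOMTextImpl is
// never treated as a DOMElementImpl. Unknown types fail closed with nullptr.
static inline DOMNodeImpl* castToNodeImplChecked(DOMNode* p) {
    if (auto* e = dynamic_cast<DOMElementImpl*>(p)) return &e->fNode;
    if (auto* t = dynamic_cast<DOMTextImpl*>(p))    return &t->fNode;
    return nullptr;
}

// Byte offset of fNode from the start of the complete object.
template <class Impl>
static std::ptrdiff_t fNodeOffset(const Impl& obj) {
    return reinterpret_cast<const char*>(&obj.fNode) -
           reinterpret_cast<const char*>(&obj);
}

// Does the unsafe cast land on the object's real fNode? Only addresses are
// compared, nothing is dereferenced, so the check itself stays well-defined.
static bool unsafeCastHitsRealNode(DOMNode* p, const DOMNodeImpl* real) {
    return static_cast<const void*>(castToNodeImplUnsafe(p)) ==
           static_cast<const void*>(real);
}

// Layout agreement is the unstated invariant the unsafe cast depends on.
static bool layoutsAgree() {
    DOMElementImpl e;
    DOMTextImpl    t;
    return fNodeOffset(e) == fNodeOffset(t);
}

int main() {
    DOMElementImpl e;
    DOMTextImpl    t;
    std::printf("fNode offset: element=%td text=%td\n", fNodeOffset(e), fNodeOffset(t));
    std::printf("unsafe cast on element hits fNode: %d\n", unsafeCastHitsRealNode(&e, &e.fNode));
    std::printf("unsafe cast on text    hits fNode: %d\n", unsafeCastHitsRealNode(&t, &t.fNode));
    std::printf("checked cast on text returns fNode: %d\n", castToNodeImplChecked(&t) == &t.fNode);
    return 0;
}
```

With the text node, castToNodeImplUnsafe() returns a pointer into fData's storage rather than into fNode, which is exactly the misread the report's tool flags; clang's -fsanitize=vptr instruments that downcast and reports it at the cast site. The dynamic_cast variant costs a vtable lookup per call, which is the price of not relying on an unchecked layout invariant across every DOM implementation class.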