Yuseok Jeon created XERCESC-2126:
------------------------------------
Summary: Type Confusion from DTDGrammar to SchemaGrammar
Key: XERCESC-2126
URL: https://issues.apache.org/jira/browse/XERCESC-2126
Project: Xerces-C++
Issue Type: Bug
Components: DOM
Affects Versions: 3.2.0
Environment: Ubuntu 16.04 LTS, Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz, 16GB
Reporter: Yuseok Jeon
Attachments: Xerces-C++ Type confusion Report.pdf
Hi all,
Our type confusion detection tool reports a type_confusion error in
"xercesc/validators/schema/SchemaValidator.cpp".
xercesc/validators/schema/SchemaValidator.cpp line 772
756 void SchemaValidator::preContentValidation(bool, bool validateDefAttr)
758 {
769     RefHashTableOfEnumerator<Grammar> grammarEnum = fGrammarResolver->getGrammarEnumerator();
770     while (grammarEnum.hasMoreElements())
771     {
772         SchemaGrammar& sGrammar = (SchemaGrammar&) grammarEnum.nextElement();
773         if (sGrammar.getGrammarType() != Grammar::SchemaGrammarType || sGrammar.getValidated())
774             continue;
        ……………
    }
In line 772, grammarEnum.nextElement() indicates an object allocated as
DTDGrammar, and it is cast into SchemaGrammar. However, since SchemaGrammar
is not a subobject of DTDGrammar, it is violating C++ standard rules 5.2.9/11
(down casting is undefined if the object that the pointer to be cast points
to is not a subobject of down casting type) and causes undefined behaviors.
There are similar type-confusion cases in the links below.
(Xerces-c++) https://issues.apache.org/jira/browse/XERCESC-2088
(libstdc++) https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
(Firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=1074280
I attached detailed type confusion information.
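The cast-before-check pattern described in the report, next to a check-before-cast form, as an added example that is not part of the original report or the Xerces-C++ code base. The classes are minimal stand-ins that borrow names from the excerpt; asSchema, validatePending and demo are hypothetical helpers.

```cpp
#include <memory>
#include <vector>

// Hypothetical stand-ins for the grammar classes named in the report.
struct Grammar {
    enum GrammarType { DTDGrammarType, SchemaGrammarType };
    virtual ~Grammar() = default;
    virtual GrammarType getGrammarType() const = 0;
};
struct DTDGrammar : Grammar {
    GrammarType getGrammarType() const override { return DTDGrammarType; }
};
struct SchemaGrammar : Grammar {
    bool validated = false;
    GrammarType getGrammarType() const override { return SchemaGrammarType; }
    bool getValidated() const { return validated; }
    void setValidated(bool v) { validated = v; }
};

// Reported pattern, left as a comment because running it on a DTDGrammar is
// undefined behaviour: the downcast happens before the type tag is read.
//   SchemaGrammar& sGrammar = (SchemaGrammar&) grammarEnum.nextElement();
//   if (sGrammar.getGrammarType() != Grammar::SchemaGrammarType || ...) continue;

// Read the type tag through the base reference, then downcast only on a match.
SchemaGrammar* asSchema(Grammar& g) {
    if (g.getGrammarType() != Grammar::SchemaGrammarType) return nullptr;
    return &static_cast<SchemaGrammar&>(g);
}

// Marks every not-yet-validated SchemaGrammar and returns how many it touched.
int validatePending(const std::vector<std::unique_ptr<Grammar>>& pool) {
    int count = 0;
    for (const auto& g : pool) {
        SchemaGrammar* s = asSchema(*g);
        if (!s || s->getValidated()) continue;  // DTDGrammar is skipped uncast
        s->setValidated(true);
        ++count;
    }
    return count;
}

// Constructed mixed pool: one DTDGrammar and one SchemaGrammar.
int demo() {
    std::vector<std::unique_ptr<Grammar>> pool;
    pool.emplace_back(new DTDGrammar);
    pool.emplace_back(new SchemaGrammar);
    return validatePending(pool);
}
int main() { return demo() == 1 ? 0 : 1; }
```
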