[Reflection] Put a recursion limit on readTypeFromMetadata.

mikeash · mikeash · commit 4945a5634480 · 2022-10-25T10:35:51.000-04:00
We can end up with a stack overflow if we encounter a very deeply nested type, or bad data that looks like one. Fail gracefully for types that are nested beyond a limit. By default, the limit is 50.

rdar://100847548
diff --git a/include/swift/Remote/MetadataReader.h b/include/swift/Remote/MetadataReader.h
@@ -186,6 +186,8 @@ class MetadataReader {
   using StoredSize = typename Runtime::StoredSize;
   using TargetClassMetadata = TargetClassMetadataType<Runtime>;
 
+  static const int defaultTypeRecursionLimit = 50;
+
 private:
   /// The maximum number of bytes to read when reading metadata. Anything larger
   /// will automatically return failure. This prevents us from reading absurd
@@ -803,12 +805,25 @@ class MetadataReader {
   }
 
   /// Given a remote pointer to metadata, attempt to turn it into a type.
-  BuiltType readTypeFromMetadata(StoredPointer MetadataAddress,
-                                 bool skipArtificialSubclasses = false) {
+  BuiltType
+  readTypeFromMetadata(StoredPointer MetadataAddress,
+                       bool skipArtificialSubclasses = false,
+                       int recursion_limit = defaultTypeRecursionLimit) {
     auto Cached = TypeCache.find(MetadataAddress);
     if (Cached != TypeCache.end())
       return Cached->second;
 
+    if (recursion_limit <= 0) {
+      return nullptr;
+    }
+
+    // readTypeFromMetadata calls out to various other functions which can call
+    // back to readTypeFromMetadata. We only want to bump the recursion limit
+    // down here, not in the other functions, so that we're only counting
+    // recursive calls to readTypeFromMetadata. This decrement is the only place
+    // where we'll subtract 1.
+    recursion_limit--;
+
     // If we see garbage data in the process of building a BuiltType, and get
     // the same metadata address again, we will hit an infinite loop.
     // Insert a negative result into the cache now so that, if we recur with
@@ -821,11 +836,12 @@ class MetadataReader {
 
     switch (Meta->getKind()) {
     case MetadataKind::Class:
-      return readNominalTypeFromClassMetadata(Meta, skipArtificialSubclasses);
+      return readNominalTypeFromClassMetadata(Meta, recursion_limit,
+                                              skipArtificialSubclasses);
     case MetadataKind::Struct:
     case MetadataKind::Enum:
     case MetadataKind::Optional:
-      return readNominalTypeFromMetadata(Meta);
+      return readNominalTypeFromMetadata(Meta, recursion_limit);
     case MetadataKind::Tuple: {
       auto tupleMeta = cast<TargetTupleTypeMetadata<Runtime>>(Meta);
 
@@ -834,7 +850,8 @@ class MetadataReader {
 
       for (unsigned i = 0, n = tupleMeta->NumElements; i != n; ++i) {
         auto &element = tupleMeta->getElement(i);
-        if (auto elementType = readTypeFromMetadata(element.Type))
+        if (auto elementType =
+                readTypeFromMetadata(element.Type, false, recursion_limit))
           elementTypes.push_back(elementType);
         else
           return BuiltType();
@@ -856,7 +873,8 @@ class MetadataReader {
 
       std::vector<FunctionParam<BuiltType>> Parameters;
       for (unsigned i = 0, n = Function->getNumParameters(); i != n; ++i) {
-        auto ParamTypeRef = readTypeFromMetadata(Function->getParameter(i));
+        auto ParamTypeRef = readTypeFromMetadata(Function->getParameter(i),
+                                                 false, recursion_limit);
         if (!ParamTypeRef)
           return BuiltType();
 
@@ -866,7 +884,8 @@ class MetadataReader {
         Parameters.push_back(std::move(Param));
       }
 
-      auto Result = readTypeFromMetadata(Function->ResultType);
+      auto Result =
+          readTypeFromMetadata(Function->ResultType, false, recursion_limit);
       if (!Result)
         return BuiltType();
 
@@ -880,7 +899,8 @@ class MetadataReader {
 
       BuiltType globalActor = BuiltType();
       if (Function->hasGlobalActor()) {
-        globalActor = readTypeFromMetadata(Function->getGlobalActor());
+        globalActor = readTypeFromMetadata(Function->getGlobalActor(), false,
+                                           recursion_limit);
         if (globalActor)
           flags = flags.withGlobalActor(true);
       }
@@ -915,7 +935,8 @@ class MetadataReader {
       BuiltType SuperclassType = BuiltType();
       if (Exist->Flags.hasSuperclassConstraint()) {
         // The superclass is stored after the list of protocols.
-        SuperclassType = readTypeFromMetadata(Exist->getSuperclassConstraint());
+        SuperclassType = readTypeFromMetadata(Exist->getSuperclassConstraint(),
+                                              false, recursion_limit);
         if (!SuperclassType) return BuiltType();
 
         HasExplicitAnyObject = true;
@@ -971,7 +992,7 @@ class MetadataReader {
       std::vector<BuiltType> builtArgs;
       for (unsigned i = 0; i < shapeArgumentCount; ++i) {
         auto remoteArg = Exist->getGeneralizationArguments()[i];
-        auto builtArg = readTypeFromMetadata(remoteArg);
+        auto builtArg = readTypeFromMetadata(remoteArg, false, recursion_limit);
         if (!builtArg)
           return BuiltType();
         builtArgs.push_back(builtArg);
@@ -1036,7 +1057,8 @@ class MetadataReader {
 
     case MetadataKind::Metatype: {
       auto Metatype = cast<TargetMetatypeMetadata<Runtime>>(Meta);
-      auto Instance = readTypeFromMetadata(Metatype->InstanceType);
+      auto Instance =
+          readTypeFromMetadata(Metatype->InstanceType, false, recursion_limit);
       if (!Instance) return BuiltType();
       auto BuiltMetatype = Builder.createMetatypeType(Instance);
       TypeCache[MetadataAddress] = BuiltMetatype;
@@ -1056,7 +1078,8 @@ class MetadataReader {
     }
     case MetadataKind::ExistentialMetatype: {
       auto Exist = cast<TargetExistentialMetatypeMetadata<Runtime>>(Meta);
-      auto Instance = readTypeFromMetadata(Exist->InstanceType);
+      auto Instance =
+          readTypeFromMetadata(Exist->InstanceType, false, recursion_limit);
       if (!Instance) return BuiltType();
       auto BuiltExist = Builder.createExistentialMetatypeType(Instance);
       TypeCache[MetadataAddress] = BuiltExist;
@@ -2948,8 +2971,9 @@ class MetadataReader {
   // TODO: We need to be able to produce protocol conformances for each
   // substitution type as well in order to accurately rebuild bound generic
   // types or types in protocol-constrained inner contexts.
-  std::vector<BuiltType>
-  getGenericSubst(MetadataRef metadata, ContextDescriptorRef descriptor) {
+  std::vector<BuiltType> getGenericSubst(MetadataRef metadata,
+                                         ContextDescriptorRef descriptor,
+                                         int recursion_limit) {
     auto generics = descriptor->getGenericContext();
     if (!generics)
       return {};
@@ -2986,8 +3010,8 @@ class MetadataReader {
             return {};
           }
           genericArgsAddr += sizeof(StoredPointer);
-          
-          auto builtArg = readTypeFromMetadata(arg);
+
+          auto builtArg = readTypeFromMetadata(arg, false, recursion_limit);
           if (!builtArg)
             return {};
           builtSubsts.push_back(builtArg);
@@ -3007,8 +3031,10 @@ class MetadataReader {
     return builtSubsts;
   }
 
-  BuiltType readNominalTypeFromMetadata(MetadataRef origMetadata,
-                                        bool skipArtificialSubclasses = false) {
+  BuiltType
+  readNominalTypeFromMetadata(MetadataRef origMetadata,
+                              int recursion_limit = defaultTypeRecursionLimit,
+                              bool skipArtificialSubclasses = false) {
     auto metadata = origMetadata;
     auto descriptorAddress =
       readAddressOfNominalTypeDescriptor(metadata,
@@ -3038,7 +3064,8 @@ class MetadataReader {
     BuiltType nominal;
     if (descriptor->isGeneric()) {
       // Resolve the generic arguments.
-      auto builtGenerics = getGenericSubst(metadata, descriptor);
+      auto builtGenerics =
+          getGenericSubst(metadata, descriptor, recursion_limit);
       if (builtGenerics.empty())
         return BuiltType();
       nominal = Builder.createBoundGenericType(typeDecl, builtGenerics);
@@ -3060,11 +3087,14 @@ class MetadataReader {
     return nominal;
   }
 
-  BuiltType readNominalTypeFromClassMetadata(MetadataRef origMetadata,
-                                       bool skipArtificialSubclasses = false) {
+  BuiltType
+  readNominalTypeFromClassMetadata(MetadataRef origMetadata,
+                                   int recursion_limit,
+                                   bool skipArtificialSubclasses = false) {
     auto classMeta = cast<TargetClassMetadata>(origMetadata);
     if (classMeta->isTypeMetadata())
-      return readNominalTypeFromMetadata(origMetadata, skipArtificialSubclasses);
+      return readNominalTypeFromMetadata(origMetadata, recursion_limit,
+                                         skipArtificialSubclasses);
 
     std::string className;
     auto origMetadataPtr = getAddress(origMetadata);
@@ -3077,8 +3107,9 @@ class MetadataReader {
       if (!stripSignedPointer(classMeta->Superclass))
         return BuiltType();
 
-      BuiltObjCClass = readTypeFromMetadata(
-          stripSignedPointer(classMeta->Superclass), skipArtificialSubclasses);
+      BuiltObjCClass =
+          readTypeFromMetadata(stripSignedPointer(classMeta->Superclass),
+                               skipArtificialSubclasses, recursion_limit);
     }
 
     TypeCache[origMetadataPtr] = BuiltObjCClass;
diff --git a/validation-test/Reflection/reflect_deep_generic.swift b/validation-test/Reflection/reflect_deep_generic.swift
@@ -0,0 +1,34 @@
+// RUN: %empty-directory(%t)
+// RUN: %target-build-swift -g -lswiftSwiftReflectionTest %s -o %t/reflect_deep_generic
+// RUN: %target-codesign %t/reflect_deep_generic
+
+// RUN: %target-run %target-swift-reflection-test %t/reflect_deep_generic | %FileCheck %s
+
+// REQUIRES: reflection_test_support
+// REQUIRES: executable_test
+// UNSUPPORTED: use_os_stdlib
+
+import SwiftReflectionTest
+
+protocol Nester {
+  func nest() -> Nester
+}
+
+class C<T>: Nester {
+  func nest() -> Nester {
+    return C<Self>()
+  }
+}
+
+var nester: Nester = C<Int>()
+for _ in 0..<10000 {
+  nester = nester.nest()
+}
+
+// This will fail due to the excessively nested type, but we're making sure it
+// fails gracefully and doesn't crash.
+reflect(object: nester as AnyObject)
+
+doneReflecting()
+
+// CHECK: Done.
