Merge pull request #41035 from beccadax/dont-take-this-literally

Don't import string macros with invalid UTF-8

Author: beccadax

include/swift/Basic/Unicode.h

@@ -68,6 +68,12 @@ bool isSingleUnicodeScalar(StringRef S);
 
 unsigned extractFirstUnicodeScalar(StringRef S);
 
+/// Returns true if \p S does not contain any ill-formed subsequences. This does
+/// not check whether all of the characters in it are actually allocated or
+/// used correctly; it just checks that every byte can be grouped into a code
+/// unit (Unicode scalar).
+bool isWellFormedUTF8(StringRef S);
+
 } // end namespace unicode
 } // end namespace swift
 

lib/Basic/Unicode.cpp

@@ -123,3 +123,8 @@ unsigned swift::unicode::extractFirstUnicodeScalar(StringRef S) {
   (void)Result;
   return Scalar;
 }
+
+bool swift::unicode::isWellFormedUTF8(StringRef S) {
+  const llvm::UTF8 *begin = S.bytes_begin();
+  return llvm::isLegalUTF8String(&begin, S.bytes_end());
+}

lib/ClangImporter/ImportMacro.cpp

@@ -22,6 +22,7 @@
 #include "swift/AST/Stmt.h"
 #include "swift/AST/Types.h"
 #include "swift/Basic/PrettyStackTrace.h"
+#include "swift/Basic/Unicode.h"
 #include "swift/ClangImporter/ClangModule.h"
 #include "clang/AST/ASTContext.h"
 #include "clang/AST/Expr.h"
@@ -194,7 +195,11 @@ static ValueDecl *importStringLiteral(ClangImporter::Implementation &Impl,
   if (!importTy)
     return nullptr;
 
-  return Impl.createConstant(name, DC, importTy, parsed->getString(),
+  StringRef text = parsed->getString();
+  if (!unicode::isWellFormedUTF8(text))
+    return nullptr;
+
+  return Impl.createConstant(name, DC, importTy, text,
                              ConstantConvertKind::None, /*static*/ false,
                              ClangN);
 }

lib/SIL/IR/SILInstructions.cpp

@@ -1045,6 +1045,15 @@ StringLiteralInst::StringLiteralInst(SILDebugLocation Loc, StringRef Text,
   SILNode::Bits.StringLiteralInst.TheEncoding = unsigned(encoding);
   SILNode::Bits.StringLiteralInst.Length = Text.size();
   memcpy(getTrailingObjects<char>(), Text.data(), Text.size());
+
+  // It is undefined behavior to feed ill-formed UTF-8 into `Swift.String`;
+  // however, the compiler creates string literals in many places, so there's a
+  // risk of a mistake. StringLiteralInsts can be optimized into
+  // IntegerLiteralInsts before reaching IRGen, so this constructor is the best
+  // chokepoint to validate *all* string literals that may eventually end up in
+  // a binary.
+  assert((encoding == Encoding::Bytes || unicode::isWellFormedUTF8(Text))
+            && "Created StringLiteralInst with ill-formed UTF-8");
 }
 
 StringLiteralInst *StringLiteralInst::create(SILDebugLocation Loc,

test/ClangImporter/macros.swift

@@ -74,6 +74,12 @@ func testCFString() -> String {
   return str
 }
 
+func testInvalidStringLiterals() {
+  // <rdar://67840900> - assertion/crash from importing a macro with a string
+  // literal containing invalid UTF-8 characters
+  _ = INVALID_UTF8_STRING // expected-error {{cannot find 'INVALID_UTF8_STRING' in scope}}
+}
+
 func testInvalidIntegerLiterals() {
   var l1 = INVALID_INTEGER_LITERAL_1 // expected-error {{cannot find 'INVALID_INTEGER_LITERAL_1' in scope}}
   // FIXME: <rdar://problem/16445608> Swift should set up a DiagnosticConsumer for Clang

test/Inputs/clang-importer-sdk/usr/include/macros.h

@@ -35,6 +35,7 @@
 #define UTF8_STRING u8"Swift 🏃"
 #define OBJC_STRING @"Unicode! ✨"
 #define CF_STRING CFSTR("Swift")
+#define INVALID_UTF8_STRING "\xFF\xFF\xFF\xFF\xFF\xFF"
 
 #define INVALID_INTEGER_LITERAL_1 10_9
 #define INVALID_INTEGER_LITERAL_2 10abc