summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-06-15Refactor snprintf supportArseny Kapoulkine
Instead of branching code at each invocation site, use variadic macros to create a wrapping macro that use snprintf for the buffer of a statically known size. Variadic macros are supported by all C++11 compilers, as is snprintf; on MSVC 2005+ we don't necessarily have snprintf, but we can use _snprintf_s with _TRUNCATE to get the same behavior. In all other cases we fall back to sprintf, that (theoretically) can lead to a stack buffer overflow. In practice all snprintfs used in pugixml use buffers that should be large enough to never be overflown but snprintf is safe even if this is not the case.
2017-06-15Use buffer with a static size in convert_number_to_mantissa_exponentArseny Kapoulkine
We use references to arrays elsewhere in the codebase and there's just one caller for this function so it's easier to fix the size. This will simplify snprintf refactoring.
2017-06-15Merge pull request #145 from noresources/snprintfArseny Kapoulkine
use snprintf instead of sprintf
2017-06-15Merge pull request #149 from zeux/test-pathArseny Kapoulkine
Improve code coverage
2017-06-15Exclude unreachable lines from code coverageArseny Kapoulkine
codecov.io does not seem to support lcov regex customization; additionally, we can't just replace unreachable with LCOV_LINE_EXCL in gcov file - so we have to patch the ##### indicator (which suggests the line hasn't been hit) with 1. See also https://github.com/codecov/support/issues/144
2017-06-15Mark all assert(false) statements as unreachableArseny Kapoulkine
Now we can exclude these from code coverage since it's logically impossible to hit them in tests.
2017-06-15tests: Add tests for loading special filesArseny Kapoulkine
New tests try to load a folder as an XML document, and a device. Both are intended to exercise some otherwise non-hittable error paths in load_file implementation.
2017-06-14tests: Increase compact_pointer coverageArseny Kapoulkine
This adds tests that complete branch coverage in compact pointer encoding/decoding code (previously first_attribute was always encoded using compact encoding in the entire test suite).
2017-06-14Increase the minimum CMake version to 2.8.12Arseny Kapoulkine
This is a followup to 198900eff403982f080958459f1ccb45cdefe9a4. target_include_directories was introduced in 2.8.12, thus CMake 2.6 no longer works.
2017-06-11use snprintf if available, _snprintf or sprintf otherwiseRenaud Guillard
2017-06-05use _snprintf if MSVCRenaud Guillard
2017-06-04use snprintf instead of sprintfRenaud Guillard
2017-04-03Work around -fsanitize=integer issuesArseny Kapoulkine
Integer sanitizer is flagging unsigned integer overflow in several functions in pugixml; unsigned integer overflow is well defined but it may not necessarily be intended. Apart from hash functions, both string_to_integer and integer_to_string use unsigned overflow - string_to_integer uses it to perform two-complement negation so that the bulk of the operation can run using unsigned integers. This makes it possible to simplify overflow checking. Similarly integer_to_string negates the number before generating a decimal representation, but negating is impossible without unsigned overflow or special-casing certain integer limits. For now just silence the integer overflow using a special attribute; also move unsigned overflow into string_to_integer from get_value_* so that we have fewer functions marked with the attribute. Fixes #133.
2017-04-03Move libFuzzer build to MakefileArseny Kapoulkine
Now the only thing fuzz_setup.sh does is installing new clang; if system clang supports -fsanitize-coverage then fuzz_setup.sh is not required.
2017-04-03tests: Fix fuzz_setup.shArseny Kapoulkine
The script only worked if clang folder was already created.
2017-03-21Add missing PUGI__FN to string_to_integerArseny Kapoulkine
2017-03-21Revert "Fix gcc-4.8 compilation warning when using -Wstrict-overflow"Arseny Kapoulkine
This reverts commit 79109a8546f963d17522d75112cffcfd8cbe35fc. This warning does not happen on gcc-4.8.4; the workaround introduces an unsigned integer overflow which results in a runtime error when compiled with integer sanitizer.
2017-03-21tests: Do not use unsigned underflow in test codeArseny Kapoulkine
This triggers a runtime error under integer sanitizer
2017-03-21tests: Fix invalid buffer sizeArseny Kapoulkine
This was triggering an buffer read overflow with asan.
2017-03-21Fix path to fuzzing corpusArseny Kapoulkine
2017-03-06Merge pull request #134 from ogdf/explicit-fallthroughsArseny Kapoulkine
Silence g++ 7.0.1 -Wimplicit-fallthrough warnings
2017-03-05Silence g++ 7.0.1 -Wimplicit-fallthrough warningsStephan Beyer
This is accomplished by putting a // fallthrough comment at the right place. This seems to be more portable than an attribute-based solution like [[fallthrough]] or __attribute__((fallthrough)).
2017-03-03Simplify compact_hash_table implementationArseny Kapoulkine
Instead of a separate implementation for find/insert, use just one that can do both. This reduces the code size and simplifies code coverage; the resulting code is close to what we had in terms of performance and since hash table is a fall back should not affect any real workloads.
2017-02-11Merge pull request #132 from zeux/fuzzArseny Kapoulkine
Improve fuzzing support
2017-02-11tests: Fix fuzz_setup.shArseny Kapoulkine
Make the file executable, fix Windows newlines and fix clang setup.
2017-02-11tests: Add fuzzing dictionariesArseny Kapoulkine
Hopefully this will allow for better fuzzing coverage
2017-02-09tests: Add XPath fuzzingArseny Kapoulkine
Only fuzz the parser for now.
2017-02-09tests: Add a script to set up fuzzing toolsArseny Kapoulkine
This downloads a clang build that has support for instrumentation, and also downloads and compiles libFuzzer.a.
2017-02-09fuzz: Use libFuzzer instead of afl-fuzzArseny Kapoulkine
This allows us to have faster fuzz cycles since the fuzzer is in-process.
2017-02-09tests: Increase the number of translate callsArseny Kapoulkine
This should make the test fail on a 32-bit target.
2017-02-09tests: Fix clang buildArseny Kapoulkine
2017-02-09tests: Add more XPath out of memory testsArseny Kapoulkine
2017-02-09Add invalid type assertion for offset_debugArseny Kapoulkine
This will make sure we don't forget to implement offset_debug for new node types if they ever happen (really it's mostly for consistency).
2017-02-08tests: Increase the number of translate callsArseny Kapoulkine
This should make the test fail on a 32-bit target.
2017-02-08tests: Fix clang buildArseny Kapoulkine
2017-02-08tests: Add more XPath out of memory testsArseny Kapoulkine
2017-02-07Add invalid type assertion for offset_debugArseny Kapoulkine
This will make sure we don't forget to implement offset_debug for new node types if they ever happen (really it's mostly for consistency).
2017-02-07XPath: Simplify sorting implementationArseny Kapoulkine
Instead of a complicated partitioning scheme that tries to maintain the equal area in the middle, use a scheme where we keep the equal area in the left part of the array and then move it to the middle. Since generally sorted arrays don't contain many duplicates this extra copy is not too expensive, and it significantly simplifies the logic and maintains good complexity for sorting arrays with many equal elements nonetheless (unlike Hoare partitioning). Instead of a median of 9 just use a median of 3 - it performs pretty much identically on some internal performance tests, despite having a bit more comparisons in some cases. Finally, change the insertion sort threshold to 16 elements since that appears to have slightly better performance.
2017-02-06XPath: Optimize insertion_sortArseny Kapoulkine
The previous implementation opted for doing two comparisons per element in the sorted case in order to remove one iterator bounds check per moved element when we actually need to copy. In our case however the comparator is pretty expensive (except for remove_duplicates which is fast as it is) so an extra object comparison hurts much more than an iterator comparison saves. This makes sorting by document order up to 3% faster for random sequences.
2017-02-05XPath: Remove redundant calls from xml_node::select_nodes et alArseny Kapoulkine
Instead of delegating to a method that just forwards the call to xpath_query call the relevant method directly.
2017-02-05XPath: Remove evaluate_string_implArseny Kapoulkine
It adds one stack frame to string query evaluation and does not really simplify the code.
2017-02-05Merge pull request #131 from zeux/xpath-noehArseny Kapoulkine
XPath: Remove exceptional control flow
2017-02-05tests: Add more XPath sorting testsArseny Kapoulkine
Cover empty node case - no XPath query can result in that but it's possible to create a node set with empty nodes manually.
2017-02-03XPath: Simplify evaluation error flowArseny Kapoulkine
Instead of having two checks for out-of-memory when exceptions are enabled, do just one and decide what to do based on whether we can throw.
2017-02-02XPath: Clean up out-of-memory parse error handlingArseny Kapoulkine
Instead of relying on a specific string in the parse result, use allocator error state to report the error and then convert it to a string if necessary. We currently have to manually trigger the OOM error in two places because we use global allocator in rare cases; we don't really need to do this so this will be cleaned up later.
2017-02-02tests: Add more out of memory tests for XPath evaluationArseny Kapoulkine
2017-02-02tests: Add more embed_pcdata testsArseny Kapoulkine
2017-02-01tests: Improve parsing coverageArseny Kapoulkine
Add tests for PI erroring exactly at the buffer boundary with non-zero-terminated buffers (so we have to clear the last character which changes the parsing flow slightly) and a test that makes sure parse_embed_pcdata works properly with XML fragments where PCDATA can be at the root level but can't be embedded into the document node.
2017-02-01Remove redundant branch from xml_node::path()Arseny Kapoulkine
The code works fine regardless of the *j->name check, and omitting this makes the code more symmetric between the "count" and "write" stage; additionally this improves coverage - due to how strcpy_insitu works it's not really possible to get an empty non-NULL name in the node.
2017-02-01tests: Remove redundant coverage testArseny Kapoulkine
The only point was to try to test all paths where we can run out of memory while decoding something. It seems like it may be impossible to actually do this given that we can't run all paths as wchar_t size detection is done at runtime...