Fix #12653, #12655 fuzzing crashes (#6339)

Author: chrchr-github

lib/tokenize.cpp

@@ -5514,6 +5514,18 @@ bool Tokenizer::simplifyTokenList1(const char FileName[])
     // @..
     simplifyAt();
 
+    // Remove __declspec()
+    simplifyDeclspec();
+
+    // Remove "inline", "register", and "restrict"
+    simplifyKeyword();
+
+    // Remove [[attribute]]
+    simplifyCPPAttribute();
+
+    // remove __attribute__((?))
+    simplifyAttribute();
+
     // Bail out if code is garbage
     if (mTimerResults) {
         Timer t("Tokenizer::simplifyTokens1::simplifyTokenList1::findGarbageCode", mSettings.showtime, mTimerResults);
@@ -5548,12 +5560,6 @@ bool Tokenizer::simplifyTokenList1(const char FileName[])
     // simplify namespace aliases
     simplifyNamespaceAliases();
 
-    // Remove [[attribute]]
-    simplifyCPPAttribute();
-
-    // remove __attribute__((?))
-    simplifyAttribute();
-
     // simplify cppcheck attributes __cppcheck_?__(?)
     simplifyCppcheckAttribute();
 
@@ -5595,13 +5601,8 @@ bool Tokenizer::simplifyTokenList1(const char FileName[])
     if (Settings::terminated())
         return false;
 
-    // Remove __declspec()
-    simplifyDeclspec();
     validate();
 
-    // Remove "inline", "register", and "restrict"
-    simplifyKeyword();
-
     // simplify simple calculations inside <..>
     if (isCPP()) {
         Token *lt = nullptr;
@@ -8656,7 +8657,7 @@ void Tokenizer::findGarbageCode() const
             syntaxError(tok);
         if (Token::Match(tok, "%cop%|= ]") && !(isCPP() && Token::Match(tok->previous(), "%type%|[|,|%num% &|=|> ]")))
             syntaxError(tok);
-        if (Token::Match(tok, "[+-] [;,)]}]") && !(isCPP() && Token::Match(tok->previous(), "operator [+-] ;")))
+        if (Token::Match(tok, "[+-] [;,)]}]") && !(isCPP() && Token::simpleMatch(tok->previous(), "operator")))
             syntaxError(tok);
         if (Token::simpleMatch(tok, ",") &&
             !Token::Match(tok->tokAt(-2), "[ = , &|%name%")) {
@@ -8696,6 +8697,8 @@ void Tokenizer::findGarbageCode() const
             syntaxError(tok);
         if (Token::Match(tok, "! %comp%"))
             syntaxError(tok);
+        if (Token::Match(tok, "] %name%") && (!isCPP() || !(tok->tokAt(-1) && Token::simpleMatch(tok->tokAt(-2), "delete ["))))
+            syntaxError(tok);
 
         if (tok->link() && Token::Match(tok, "[([]") && (!tok->tokAt(-1) || !tok->tokAt(-1)->isControlFlowKeyword())) {
             const Token* const end = tok->link();
@@ -9226,7 +9229,7 @@ void Tokenizer::simplifyCppcheckAttribute()
 
 void Tokenizer::simplifyCPPAttribute()
 {
-    if (!isCPP() || mSettings.standards.cpp < Standards::CPP11)
+    if (!isCPP())
         return;
 
     for (Token *tok = list.front(); tok;) {

test/cli/fuzz-crash/crash-9e4f80a23bc966f25e874df655f600478dca3b87

@@ -0,0 +1 @@
+__thread<>e

test/cli/fuzz-crash/crash-a76710eb5c80761456679c5be64482f1ef332556

@@ -0,0 +1 @@
+i n(){$ i;f a;for(i:++)a=[]i;}

test/testgarbage.cpp

@@ -1609,8 +1609,7 @@ class TestGarbage : public TestFixture {
 
     // #8752
     void garbageCode199() {
-        checkCode("d f(){e n00e0[]n00e0&" "0+f=0}");
-        ignore_errout(); // we do not care about the output
+        ASSERT_THROW_INTERNAL(checkCode("d f(){e n00e0[]n00e0&" "0+f=0}"), SYNTAX);
     }
 
     // #8757
@@ -1715,8 +1714,7 @@ class TestGarbage : public TestFixture {
     }
 
     void garbageCode218() { // #8763
-        checkCode("d f(){t n0000 const[]n0000+0!=n0000,(0)}"); // don't crash
-        ignore_errout(); // we are not interested in the output
+        ASSERT_THROW_INTERNAL(checkCode("d f(){t n0000 const[]n0000+0!=n0000,(0)}"), SYNTAX);
     }
     void garbageCode219() { // #10101
         checkCode("typedef void (*func) (addr) ;\n"

test/testleakautovar.cpp

@@ -1540,7 +1540,7 @@ class TestLeakAutoVar : public TestFixture {
               "    delete[] p;\n"
               "    if (x && (p = new char[10]))\n"
               "        delete[] p;\n"
-              "}");
+              "}", /*cpp*/ true);
         ASSERT_EQUALS("", errout_str());
     }
 

test/testmemleak.cpp

@@ -2105,8 +2105,6 @@ class TestMemleakStructMember : public TestFixture {
 
         check(code2, true);
         ASSERT_EQUALS("", errout_str());
-        check(code2, false);
-        ASSERT_EQUALS("", errout_str());
 
         // Test unknown struct. In C++, it might have a destructor
         const char code3[] = "void func() {\n"

test/testsimplifytemplate.cpp

@@ -5273,11 +5273,11 @@ class TestSimplifyTemplate : public TestFixture {
 
     void template_array_type() {
         ASSERT_EQUALS("void foo<int[]> ( int [ ] x ) ; "
-                      "void bar ( ) { int [ 3 ] y ; foo<int[]> ( y ) ; } "
+                      "void bar ( ) { int y [ 3 ] ; foo<int[]> ( y ) ; } "
                       "void foo<int[]> ( int [ ] x ) { }",
                       tok("template <class T> void foo(T x) {};\n"
                           "void bar() {\n"
-                          "  int[3] y;\n"
+                          "  int y[3];\n"
                           "  foo<int[]>(y);\n"
                           "}"));
         ASSERT_EQUALS("struct A<int[2]> ; "

test/testsymboldatabase.cpp

@@ -8603,7 +8603,7 @@ class TestSymbolDatabase : public TestFixture {
                       "    auto lambda = [&]() -> bool\n"
                       "    {\n"
                       "        float x = 1.0f;\n"
-                      "    }\n"
+                      "    };\n"
                       "    lambda();\n"
                       "}");
 
@@ -8618,7 +8618,7 @@ class TestSymbolDatabase : public TestFixture {
 
     void lambda3() {
         GET_SYMBOL_DB("void func() {\n"
-                      "    auto f = []() mutable {}\n"
+                      "    auto f = []() mutable {};\n"
                       "}");
 
         ASSERT(db && db->scopeList.size() == 3);

test/testtokenize.cpp

@@ -5818,21 +5818,14 @@ class TestTokenizer : public TestFixture {
         ASSERT_EQUALS("int f ( ) ;",
                       tokenizeAndStringify("[[deprecated]] int f();"));
 
-        ASSERT_EQUALS("[ [ deprecated ] ] int f ( ) ;",
-                      tokenizeAndStringify("[[deprecated]] int f();", true, Platform::Type::Native, true, Standards::CPP03));
-
-        ASSERT_EQUALS("[ [ deprecated ] ] int f ( ) ;",
-                      tokenizeAndStringify("[[deprecated]] int f();", true, Platform::Type::Native, false));
+        ASSERT_THROW_INTERNAL(tokenizeAndStringify("[[deprecated]] int f();", true, Platform::Type::Native, false), SYNTAX);
 
         ASSERT_EQUALS("template < class T > int f ( ) { }",
                       tokenizeAndStringify("template <class T> [[noreturn]] int f(){}"));
 
         ASSERT_EQUALS("int f ( int i ) ;",
                       tokenizeAndStringify("[[maybe_unused]] int f([[maybe_unused]] int i);"));
 
-        ASSERT_EQUALS("[ [ maybe_unused ] ] int f ( [ [ maybe_unused ] ] int i ) ;",
-                      tokenizeAndStringify("[[maybe_unused]] int f([[maybe_unused]] int i);", true, Platform::Type::Native, true, Standards::CPP03));
-
         ASSERT_EQUALS("struct a ;",
                       tokenizeAndStringify("struct [[]] a;"));