parser heap use after free #36356
Labels
bugzilla
Issues migrated from bugzilla
c++
clang:frontend
Language frontend issues, e.g. anything involving "Sema"
crash-on-invalid
Comments
|
almost reproduced, I made the segfault happen on 6.0.1, but since it doesn't run with address sanitizer I don't see the same error. |
EugeneZelenko
added
the
clang:frontend
|
@llvm/issue-subscribers-clang-frontend |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Extended Description
(Filed on behalf of Jim Meyering)
Here's the minimized reproducer:
printf 'template void ngX() template z()->ngY<>;' | clang -cc1 -x c++
Here's most of the resulting output:
:1:26: error: expected ';' at end of declaration
template void ngX() template z()->ngY<>;
^
;
:1:41: error: no template named 'ngY'; did you mean 'ngX'?
template void ngX() template z()->ngY<>;
^~~
ngX
:1:21: note: 'ngX' declared here
template void ngX() template z()->ngY<>;
^
:1:41: error: expected a type
template void ngX() template z()->ngY<>;
^
:1:41: error: variable cannot be defined in an explicit instantiation; if this declaration is meant to be a variable definition, remove the 'template' keyword
template void ngX() template z()->ngY<>;
~~~~~~~~~ ^
:1:36: error: C++ requires a type specifier for all declarations
template void ngX() template z()->ngY<>;
^
:1:45: error: expected ';' at end of declaration
template void ngX() template z()->ngY<>;
^
;
==3876978==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000001a30 at pc 0x000005a27670 bp 0x7ffd8a754350 sp 0x7ffd8a754348
READ of size 4 at 0x607000001a30 thread T0
#0 0x5a2766f in clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&, clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier, clang::Parser::DeclSpecContext, clang::Parser::LateParsedAttrList*) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:3310
#1 0x59f70e3 in clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec&, clang::AccessSpecifier) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:922
#2 0x59f6b86 in clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*, clang::AccessSpecifier) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:1028
#3 0x59f56f2 in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:853
#4 0x59f45d1 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtrclang::DeclGroupRef&) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:609
#5 0x59ee6bb in clang::ParseAST(clang::Sema&, bool, bool) /tmp/llvm/tools/clang/lib/Parse/ParseAST.cpp:152
#6 0x3c95c64 in clang::FrontendAction::Execute() /tmp/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:904
#7 0x3c03f86 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /tmp/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:989
#8 0x3e0bf27 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /tmp/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:255
#9 0xf90faf in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /tmp/llvm/tools/clang/tools/driver/cc1_main.cpp:221
#10 0xf818e9 in ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) /tmp/llvm/tools/clang/tools/driver/driver.cpp:310
#11 0xf81581 in main /tmp/llvm/tools/clang/tools/driver/driver.cpp:390
#12 0x7f6051da4c04 in __libc_start_main ??:?
#13 0xe5fe33 in _start ??:?
0x607000001a30 is located 64 bytes inside of 80-byte region [0x6070000019f0,0x607000001a40)
freed by thread T0 here:
#0 0xf372c0 in __interceptor_free.localalias.0 crtstuff.c:?
#1 0x59feac7 in ~DestroyTemplateIdAnnotationsRAIIObj /tmp/llvm/build/../tools/clang/include/clang/Parse/RAIIObjectsForParser.h:459
#2 0x59f580d in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:859
#3 0x59f45d1 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtrclang::DeclGroupRef&) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:609
#4 0x59ee6bb in clang::ParseAST(clang::Sema&, bool, bool) /tmp/llvm/tools/clang/lib/Parse/ParseAST.cpp:152
#5 0x3c95c64 in clang::FrontendAction::Execute() /tmp/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:904
#6 0x3c03f86 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /tmp/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:989
#7 0x3e0bf27 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /tmp/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:255
#8 0xf90faf in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /tmp/llvm/tools/clang/tools/driver/cc1_main.cpp:221
#9 0xf818e9 in ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) /tmp/llvm/tools/clang/tools/driver/driver.cpp:310
#10 0xf81581 in main /tmp/llvm/tools/clang/tools/driver/driver.cpp:390
#11 0x7f6051da4c04 in __libc_start_main ??:?
previously allocated by thread T0 here:
#0 0xf374d0 in __interceptor_malloc ??:?
#1 0xfb2b0a in llvm::safe_malloc(unsigned long) /tmp/llvm/build/../include/llvm/Support/Allocator.h:447
#2 0x5aa115c in clang::TemplateIdAnnotation::Create(clang::CXXScopeSpec, clang::SourceLocation, clang::SourceLocation, clang::IdentifierInfo*, clang::OverloadedOperatorKind, clang::OpaquePtrclang::TemplateName, clang::TemplateNameKind, clang::SourceLocation, clang::SourceLocation, llvm::ArrayRefclang::ParsedTemplateArgument, llvm::SmallVectorImplclang::TemplateIdAnnotation*&) /tmp/llvm/build/../tools/clang/include/clang/Sema/ParsedTemplate.h:202
#3 0x5b102e9 in clang::Parser::AnnotateTemplateIdToken(clang::OpaquePtrclang::TemplateName, clang::TemplateNameKind, clang::CXXScopeSpec&, clang::SourceLocation, clang::UnqualifiedId&, bool) /tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:1042
#4 0x5a8f564 in clang::Parser::ParseOptionalCXXScopeSpecifier(clang::CXXScopeSpec&, clang::OpaquePtrclang::QualType, bool, bool*, bool, clang::IdentifierInfo**, bool) /tmp/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:497
#5 0x59fc010 in clang::Parser::TryAnnotateCXXScopeToken(bool) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:1886
#6 0x5a23ae9 in clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&, clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier, clang::Parser::DeclSpecContext, clang::Parser::LateParsedAttrList*) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:3212
#7 0x5a11ff0 in clang::Parser::ParseSpecifierQualifierList(clang::DeclSpec&, clang::AccessSpecifier, clang::Parser::DeclSpecContext) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:2389
#8 0x5a11c31 in clang::Parser::ParseTypeName(clang::SourceRange*, clang::DeclaratorContext, clang::AccessSpecifier, clang::Decl**, clang::ParsedAttributes*) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:58
#9 0x5a39bcd in clang::Parser::ParseFunctionDeclarator(clang::Declarator&, clang::ParsedAttributes&, clang::BalancedDelimiterTracker&, bool, bool) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:6152
#10 0x5a3692c in clang::Parser::ParseDirectDeclarator(clang::Declarator&) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:5789
#11 0x5a34e6e in clang::Parser::ParseDeclaratorInternal(clang::Declarator&, void (clang::Parser::)(clang::Declarator&)) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:5340
#12 0x5b0b10e in clang::Parser::ParseSingleDeclarationAfterTemplate(clang::DeclaratorContext, clang::Parser::ParsedTemplateInfo const&, clang::ParsingDeclRAIIObject&, clang::SourceLocation&, clang::AccessSpecifier, clang::AttributeList) /tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:238
#13 0x5b09d9b in clang::Parser::ParseExplicitInstantiation(clang::DeclaratorContext, clang::SourceLocation, clang::SourceLocation, clang::SourceLocation&, clang::AccessSpecifier) /tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:1318
#14 0x5b09b40 in clang::Parser::ParseDeclarationStartingWithTemplate(clang::DeclaratorContext, clang::SourceLocation&, clang::AccessSpecifier, clang::AttributeList*) /tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:34
#15 0x5a22609 in clang::Parser::ParseDeclaration(clang::DeclaratorContext, clang::SourceLocation&, clang::Parser::ParsedAttributesWithRange&) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:1686
#16 0x59f4d97 in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:786
#17 0x59f45d1 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtrclang::DeclGroupRef&) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:609
#18 0x59ee6bb in clang::ParseAST(clang::Sema&, bool, bool) /tmp/llvm/tools/clang/lib/Parse/ParseAST.cpp:152
#19 0x3c95c64 in clang::FrontendAction::Execute() /tmp/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:904
#20 0x3c03f86 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /tmp/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:989
#21 0x3e0bf27 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /tmp/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:255
#22 0xf90faf in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /tmp/llvm/tools/clang/tools/driver/cc1_main.cpp:221
#23 0xf818e9 in ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) /tmp/llvm/tools/clang/tools/driver/driver.cpp:310
#24 0xf81581 in main /tmp/llvm/tools/clang/tools/driver/driver.cpp:390
#25 0x7f6051da4c04 in __libc_start_main ??:?
The text was updated successfully, but these errors were encountered: