LLVM Bugzilla is read-only and represents the historical archive of all LLVM issues filed before November 26, 2021. Use GitHub to submit LLVM bugs.

Bug 23057 - fuzz clang
Summary: fuzz clang
Status: NEW
Alias: None
Product: new-bugs
Classification: Unclassified
Component: new bugs
Version: unspecified
Hardware: PC Linux
Importance: P normal
Assignee: Unassigned LLVM Bugs
URL:
Keywords:
Depends on: 21826 21829 21830 21843 21854 21865 21871 21948 21950 21951 21952 21953 21954 21955 21958 21960 21970 21972 21816 21818 21819 21821 21824 21828 21831 21832 21833 21834 21837 21838 21842 21844 21846 21849 21852 21855 21856 21860 21862 21863 21866 21867 21868 21869 21870 21957 21959 21961 21973
Blocks:
Reported: 2015-03-28 16:20 PDT by Kostya Serebryany
Modified: 2016-12-01 05:50 PST
CC List: 14 users

See Also:
Fixed By Commit(s):


Attachments
use-after-free.log (13.60 KB, text/x-log)
2015-03-31 16:59 PDT, Kostya Serebryany

Description Kostya Serebryany 2015-03-28 16:20:26 PDT
As of r233459 we have a clang fuzzer in the source tree.
Details: llvm/lib/Fuzzer/README.txt

We also have a build bot that runs the fuzzer 24/7
http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer
(See also bug 23052 for the clang-format fuzzer). 

I propose to track all activities related to fuzzing clang here. 
(There was a significant volume of bugs detected by AFL, 
if someone has the list of revisions/bugs, please attach here).
Comment 1 Kostya Serebryany 2015-03-28 16:22:22 PDT
echo -n "#if 0" | clang -x c++  -

==23545==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000006b76 at pc 0x00000bb7006e bp 0x7fffa7ced0f0 sp 0x7fffa7ced0e8
READ of size 1 at 0x604000006b76 thread T0
    #0 0xbb7006d in clang::NumericLiteralParser::ParseNumberStartingWithZero(clang::SourceLocation) tools/clang/lib/Lex/LiteralSupport.cpp:759:12
    #1 0xbb63964 in clang::NumericLiteralParser::NumericLiteralParser(llvm::StringRef, clang::SourceLocation, clang::Preprocessor&) tools/clang/lib/Lex/LiteralSupport.cpp:531:
    #2 0xbc9ced8 in EvaluateValue((anonymous namespace)::PPValue&, clang::Token&, DefinedTracker&, bool, clang::Preprocessor&) tools/clang/lib/Lex/PPExpressions.cpp:220:26
    #3 0xbc9980e in clang::Preprocessor::EvaluateDirectiveExpression(clang::IdentifierInfo*&) tools/clang/lib/Lex/PPExpressions.cpp:758:7
    #4 0xbc59a89 in clang::Preprocessor::HandleIfDirective(clang::Token&, bool) tools/clang/lib/Lex/PPDirectives.cpp:2396:32
    #5 0xbc50c98 in clang::Preprocessor::HandleDirective(clang::Token&) tools/clang/lib/Lex/PPDirectives.cpp:838:14
    #6 0xbb5e82e in clang::Lexer::LexTokenInternal(clang::Token&, bool) tools/clang/lib/Lex/Lexer.cpp:3633:3
    #7 0xbd738ef in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:692:23
    #8 0x7dfc1e5 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:123:3
    #9 0x57daace in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
    #10 0x639676a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
    #11 0x57d9122 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
    #12 0x56e3e60 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
    #13 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
    #14 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
    #15 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
    #16 0x82473f in main tools/clang/tools/driver/driver.cpp:415
0x604000006b76 is located 0 bytes to the right of 38-byte region [0x604000006b50,0x604000006b76)
allocated by thread T0 here:
    #0 0x81955b in operator new(unsigned long, std::nothrow_t const&) projects/compiler-rt/lib/asan/asan_new_delete.cc:67:3
    #1 0x4e4741b in llvm::MemoryBuffer::getNewUninitMemBuffer(unsigned long, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:139:34
    #2 0x4e4b200 in getMemBufferCopy lib/Support/MemoryBuffer.cpp:120:7
    #3 0x4e4b200 in getMemoryBufferForStream(int, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:241
    #4 0x4e48947 in llvm::MemoryBuffer::getSTDIN() lib/Support/MemoryBuffer.cpp:428:10
    #5 0x56df240 in clang::CompilerInstance::InitializeSourceManager(clang::FrontendInputFile const&, clang::DiagnosticsEngine&, clang::FileManager&, clang::SourceManager&, cl
    #6 0x57d3347 in clang::FrontendAction::BeginSourceFile(clang::CompilerInstance&, clang::FrontendInputFile const&) tools/clang/lib/Frontend/FrontendAction.cpp:308:8
    #7 0x56e3e40 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:806:9
    #8 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
    #9 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
    #10 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
    #11 0x82473f in main tools/clang/tools/driver/driver.cpp:415
Comment 2 Kostya Serebryany 2015-03-28 16:25:56 PDT
echo -n '~a::{' | clang -x c++ -

==23855==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000b7c91c6 bp 0x7fffe68c9dd0 sp 0x7fffe68c9dc0 T0)
    #0 0xb7c91c5 in clang::NestedNameSpecifier::getKind() const tools/clang/lib/AST/NestedNameSpecifier.cpp:132:8
    #1 0x88ec340 in clang::Sema::ShouldEnterDeclaratorScope(clang::Scope*, clang::CXXScopeSpec const&) tools/clang/lib/Sema/SemaCXXScopeSpec.cpp:999:11
    #2 0x7ff9f0e in clang::Parser::ParseUnqualifiedId(clang::CXXScopeSpec&, bool, bool, bool, clang::OpaquePtr<clang::QualType>, clang::SourceLocation&, clang::UnqualifiedId&) tools/clang/lib/Parse/ParseExprCXX.cpp:2549:11
    #3 0x7ee34db in clang::Parser::ParseDirectDeclarator(clang::Declarator&) tools/clang/lib/Parse/ParseDecl.cpp:4982:11
    #4 0x7ede076 in clang::Parser::ParseDeclaratorInternal(clang::Declarator&, void (clang::Parser::*)(clang::Declarator&)) tools/clang/lib/Parse/ParseDecl.cpp:4756:7
    #5 0x7e97c3d in ParseDeclarator tools/clang/lib/Parse/ParseDecl.cpp:4651:3
    #6 0x7e97c3d in clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&, unsigned int, clang::SourceLocation*, clang::Parser::ForRangeInit*) tools/clang/lib/Parse/ParseDecl.cpp:1633
    #7 0x7e24f9d in clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec&, clang::AccessSpecifier) tools/clang/lib/Parse/Parser.cpp:893:10
    #8 0x7e22340 in clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*, clang::AccessSpecifier) tools/clang/lib/Parse/Parser.cpp:909:12
    #9 0x7e1873e in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) tools/clang/lib/Parse/Parser.cpp:767:12
    #10 0x7e157c2 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&) tools/clang/lib/Parse/Parser.cpp:569:12
    #11 0x7dfc2e8 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:134:7
    #12 0x57daace in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
    #13 0x639676a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
    #14 0x57d9122 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
    #15 0x56e3e60 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
    #16 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
    #17 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
    #18 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
    #19 0x82473f in main tools/clang/tools/driver/driver.cpp:415
Comment 3 Kostya Serebryany 2015-03-28 16:42:20 PDT
Not sure if leaks in clang on invalid inputs are worth fixing. 
If not, we can disable leak detection on the fuzzer bot. 
Here is one leak example:

echo "::(&C" |  clang -x c++ -

Direct leak of 432 byte(s) in 1 object(s) allocated from:
    #0 0x81927b in operator new(unsigned long) projects/compiler-rt/lib/asan/asan_new_delete.cc:62:35
    #1 0x7e13b19 in EnterScope tools/clang/lib/Parse/Parser.cpp:358:24
    #2 0x7e13b19 in clang::Parser::Initialize() tools/clang/lib/Parse/Parser.cpp:425
    #3 0x7dfc1e5 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:123:3
    #4 0x57daace in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
    #5 0x639676a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
    #6 0x57d9122 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
    #7 0x56e3e60 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
    #8 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
    #9 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
    #10 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
    #11 0x82473f in main tools/clang/tools/driver/driver.cpp:415
Comment 4 Kostya Serebryany 2015-03-28 17:11:59 PDT
The bot is currently running w/o assertions because there are quite a few of them

printf '\n;::(&C' | clang -x c++ -
tools/clang/include/clang/Parse/Parser.h:2166: void clang::Parser::DeclaratorScopeObj::EnterDeclaratorScope(): Assertion 
`!EnteredScope && "Already entered the scope!"' failed.

printf 'x(a::(b)' |  clang -x c++ - 
tools/clang/lib/Lex/PPCaching.cpp:101: void clang::Preprocessor::AnnotatePreviousCachedTokens(const clang::Token &): Assertion `CachedTokens[CachedLexPos-1].getLastLoc() == Tok.getAnnotationEndLoc() && "The annotation should be until the most recent cached token"' failed.

echo ClMKWyK/APABWOsiTD1rW9hs | base64 --decode | clang -x c++ - 
tools/clang/lib/Frontend/TextDiagnostic.cpp:973: void highlightRange(const clang::CharSourceRange &, unsigned int, clang::FileID, const (anonymous namespace)::SourceColumnMap &, std::string &, const clang::SourceManager &, const clang::LangOptions &): Assertion `StartColNo <= map.getSourceLine().size() && "Invalid range!"' failed.

printf   'k80x&::((**\ne::' | clang -x c++ -
tools/clang/include/clang/Parse/Parser.h:2178: clang::Parser::DeclaratorScopeObj::~DeclaratorScopeObj(): Assertion `SS.isSet() && "C++ scope was cleared ?"' failed.
Comment 5 Benjamin Kramer 2015-03-29 10:36:40 PDT
echo -n "#if 0" | clang -x c++ - fixed in r233491.
echo -n '~a::{' | clang -x c++ - fixed in r233492.
Comment 6 Kostya Serebryany 2015-03-29 19:19:08 PDT
echo I1zqGiMAXAoAI7JrCiPR | base64 --decode | clang -x c++ - 
tools/clang/lib/Lex/PPDirectives.cpp:99: void clang::Preprocessor::DiscardUntilEndOfDirective(): Assertion `Tmp.isNot(tok::eof) && "EOF seen while discarding directive tokens"' failed.

W/o asserts, this causes a null deref.

Thanks Benjamin for the fixes!
Comment 7 Sean Silva 2015-03-30 19:01:55 PDT
I added the still-open AFL bugs found by Sami Liedes
Comment 8 Sean Silva 2015-03-30 19:08:45 PDT
(In reply to comment #3)
> Not sure if leaks in clang on invalid inputs are worth fixing. 
> If not, we can disable leak detection on the fuzzer bot. 

I think they are worth fixing. They would adversely affect the stability of long-lived processes that use clang as a library, such as IDEs.
Comment 9 Kostya Serebryany 2015-03-30 21:21:47 PDT
echo zWsoIi+qACrc8o25aFlrW7YkImJL | base64 --decode  | clang -x c++ - -c

==4839==ERROR: AddressSanitizer: negative-size-param: (size=-264)
    #0 0x7e031f in __asan_memset projects/compiler-rt/lib/asan/asan_interceptors.cc:420:3
    #1 0x5a474df in __fill_a<char> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_algobase.h:703:7
    #2 0x5a474df in fill<__gnu_cxx::__normal_iterator<char *, std::basic_string<char> >, char> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_algobase.h:728
    #3 0x5a474df in highlightRange tools/clang/lib/Frontend/TextDiagnostic.cpp:983
    #4 0x5a474df in clang::TextDiagnostic::emitSnippetAndCaret(clang::SourceLocation, clang::DiagnosticsEngine::Level, llvm::SmallVectorImpl<clang::CharSourceRange>&, llvm::ArrayRef<clang::FixItHint>, clang::SourceManager const&) tools/clang/lib/Frontend/TextDiagnostic.cpp:1125
    #5 0x5a2c599 in emitCaret tools/clang/lib/Frontend/DiagnosticRenderer.cpp:394:3
Comment 10 Kostya Serebryany 2015-03-31 01:04:15 PDT
echo -n "#include<\\"  |  clang -x c++ -c -

==24291==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000006bbb at pc 0x00000bb382d1 bp 0x7fff54ea18d0 sp 0x7fff54ea18c8
READ of size 1 at 0x604000006bbb thread T0
    #0 0xbb382d0 in getAndAdvanceChar tools/clang/include/clang/Lex/Lexer.h:529:36
    #1 0xbb382d0 in clang::Lexer::LexAngledStringLiteral(clang::Token&, char const*) tools/clang/lib/Lex/Lexer.cpp:1870
    #2 0xbb56361 in clang::Lexer::LexTokenInternal(clang::Token&, bool) tools/clang/lib/Lex/Lexer.cpp:3387:14
    #3 0xbd7318f in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:692:23
    #4 0xbd798e5 in clang::PreprocessorLexer::LexIncludeFilename(clang::Token&) tools/clang/lib/Lex/PreprocessorLexer.cpp:44:5
    #5 0xbc5e998 in clang::Preprocessor::HandleIncludeDirective(clang::SourceLocation, clang::Token&, clang::DirectoryLookup const*, clang::FileEntry const*, bool) 
    #6 0xbc51b36 in clang::Preprocessor::HandleDirective(clang::Token&) tools/clang/lib/Lex/PPDirectives.cpp:853:14
    #7 0xbb5d63e in clang::Lexer::LexTokenInternal(clang::Token&, bool) tools/clang/lib/Lex/Lexer.cpp:3633:3
    #8 0xbd7318f in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:692:23
    #9 0x7dfa8f5 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:123:3
    #10 0x57d763e in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
    #11 0x639214a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
    #12 0x57d5c92 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
    #13 0x56e09d0 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
    #14 0x5a5a00d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
    #15 0x829a7d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
    #16 0x824a9f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
    #17 0x824a9f in main tools/clang/tools/driver/driver.cpp:415
    #18 0x7f21b4643ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287


0x604000006bbb is located 0 bytes to the right of 43-byte region [0x604000006b90,0x604000006bbb)


allocated by thread T0 here:
    #0 0x8198bb in operator new(unsigned long, std::nothrow_t const&) projects/compiler-rt/lib/asan/asan_new_delete.cc:67:3
    #1 0x4e42fcb in llvm::MemoryBuffer::getNewUninitMemBuffer(unsigned long, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:139:34
    #2 0x4e46db0 in getMemBufferCopy lib/Support/MemoryBuffer.cpp:120:7
    #3 0x4e46db0 in getMemoryBufferForStream(int, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:241
    #4 0x4e444f7 in llvm::MemoryBuffer::getSTDIN() lib/Support/MemoryBuffer.cpp:428:10
    #5 0x56dbdb0 in clang::CompilerInstance::InitializeSourceManager(clang::FrontendInputFile const&, clang::DiagnosticsEngine&, clang::FileManager&, clang::SourceM
    #6 0x57cfeb7 in clang::FrontendAction::BeginSourceFile(clang::CompilerInstance&, clang::FrontendInputFile const&) tools/clang/lib/Frontend/FrontendAction.cpp:30
    #7 0x56e09b0 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:806:9
    #8 0x5a5a00d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
    #9 0x829a7d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
    #10 0x824a9f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
    #11 0x824a9f in main tools/clang/tools/driver/driver.cpp:415
Comment 11 Sami Liedes 2015-03-31 07:57:52 PDT
There are probably quite a few unreported ones at http://sli.dy.fi/~sliedes/clang-triage/triage_report.xhtml . I just added a few new test cases there that bumped the number of distinct crashes from 68 to 88. My bot doesn't automatically fuzz; the fuzzing part is manual, but it runs clang trunk against a generated corpus of (currently ~14k, but probably only 5-6k exercise distinct paths) inputs that have at some point crashed clang.

Anyway, glad to hear that there's more advanced fuzzing infrastructure in place now.
Comment 12 Kostya Serebryany 2015-03-31 13:02:17 PDT
>> I think they [leaks] are worth fixing.

Interestingly, all the cases of leaks I observe also fail assertions in a debug build, see #4. So, if we fix those assertions the leaks may disappear as well.
Comment 13 Kostya Serebryany 2015-03-31 13:06:56 PDT
(In reply to comment #11)
> There are probably quite a few unreported ones at
> http://sli.dy.fi/~sliedes/clang-triage/triage_report.xhtml 

This is the reason why the fuzzer bot runs the in-process fuzzer w/o assertions.
With assertions it would be crashing too quickly. 
Your list contains my four assertion failures from c#4 and many more. 
Neat.
Comment 14 Kostya Serebryany 2015-03-31 13:29:35 PDT
Infinite recursion: 

echo "inlineJ33 y8(struct include;  " |  clang -x c++ -c -

    #0 0xb2f7e33 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1220
    #1 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1314:22
    #2 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1351
    #3 0xb2fb560 in getLVForLocalDecl tools/clang/lib/AST/Decl.cpp:1198
    #4 0xb2fb560 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1299
    #5 0xb300b9a in getLVForDecl tools/clang/lib/AST/Decl.cpp:1314:22
    #6 0xb300b9a in getLVForDecl tools/clang/lib/AST/Decl.cpp:1351
    #7 0xb300b9a in clang::NamedDecl::getLinkageInternal() const tools/clang/lib/AST/Decl.cpp:1024
    #8 0xb94b1cb in computeCachedProperties tools/clang/lib/AST/Type.cpp:2185:17
    #9 0xb94b1cb in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:2137
    #10 0xb94a711 in get tools/clang/lib/AST/Type.cpp:2116:5
    #11 0xb94a711 in get tools/clang/lib/AST/Type.cpp:2112
    #12 0xb94a711 in computeCachedProperties tools/clang/lib/AST/Type.cpp:2222
    #13 0xb94a711 in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:2137
    #14 0xb949d40 in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:2129:7
    #15 0xb949b80 in clang::Type::getLinkage() const tools/clang/lib/AST/Type.cpp:2242:3
    #16 0xb34f6c4 in getLVForNamespaceScopeDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:764:11
    #17 0xb2f80b7 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1275:12
    #18 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1314:22
    #19 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1351
    #20 0xb2fb560 in getLVForLocalDecl tools/clang/lib/AST/Decl.cpp:1198
Comment 15 Kostya Serebryany 2015-03-31 13:52:31 PDT
r233726 disables leak detection for clang-fuzzer until c#4 is fixed.
Comment 16 Kostya Serebryany 2015-03-31 16:59:51 PDT
Created attachment 14129: use-after-free.log

echo "B& ifndef[(double(void} ,&&))nullptr|" |  clang -x c++ -c -

==10808==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000088e0 at pc 0x0000007dfd49 bp 0x7fff87de5a90 sp 0x7fff87de5248
READ of size 20 at 0x6110000088e0 thread T0
    #0 0x7dfd48 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:403:3
    #1 0xbd8aa27 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
    #2 0xbd73201 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:698:23
    #3 0x7e0c357 in ConsumeParen tools/clang/include/clang/Parse/Parser.h:373:5
    #4 0x7e0c357 in clang::Parser::SkipUntil(llvm::ArrayRef<clang::tok::TokenKind>, clang::Parser::SkipUntilFlags) tools/clang/lib/Parse/Parser.cpp:313
Comment 17 Kostya Serebryany 2015-03-31 17:04:35 PDT
echo "g34( struct Yunsignedp char32_t=char32_t_35==ZcregisterZtypename&&S=4autobitand8 &&or*        xor{static_cast&char32_t&welseconst auto" | clang -x c++  -

tools/clang/include/clang/AST/DeclCXX.h:592: struct DefinitionData &clang::CXXRecordDecl::data() const: Assertion `DD && "queried property of class with no definition"' failed.

Leads to a null deref w/o assertions. 
Also present in Sami Liedes's set from c#11
Comment 18 Kostya Serebryany 2015-03-31 17:30:59 PDT
echo "f(){for(a operator==:" | clang -x c++ -c -

Assertion `Val && "isa<> used on a null pointer"' failed.

Sami has this one too. W/o assertions this is another NULL deref.
Comment 19 Kostya Serebryany 2015-04-01 13:01:03 PDT
These two might be variations of c#16 or separate use-after-free bugs. 

echo 'lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnews*public   -=--<*'  | clang -x c++ -c - 

==17685==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e740 at pc 0x0000007dfd49 bp 0x7fff53379ef0 sp 0x7fff533796a8
READ of size 20 at 0x61500000e740 thread T0
    #0 0x7dfd48 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:403:3
    #1 0xbd8aa27 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
    #2 0xbd73201 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:698:23
    #3 0xbc2fdc1 in clang::Preprocessor::CachingLex(clang::Token&) tools/clang/lib/Lex/PPCaching.cpp:58:3
    #4 0xbd732f6 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:701:7
    #5 0x7e0c23e in ConsumeToken tools/clang/include/clang/Parse/Parser.h:285:5
    #6 0x7e0c23e in clang::Parser::SkipUntil(llvm::ArrayRef<clang::tok::TokenKind>, clang::Parser::SkipUntilFlags) tools/clang/lib/Parse/Parser.cpp:340
    #7 0x8039d37 in SkipUntil tools/clang/include/clang/Parse/Parser.h:842:12
    #8 0x8039d37 in clang::Parser::ParseBraceInitializer() tools/clang/lib/Parse/ParseInit.cpp:444



0x61500000e740 is located 192 bytes inside of 456-byte region [0x61500000e680,0x61500000e848)
freed by thread T0 here:
    #0 0x7f6fdb in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
    #1 0x802dfa9 in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:365:7
    #2 0x802dfa9 in clang::Parser::ParseCXXAmbiguousParenExpression(clang::Parser::ParenParseOption&, clang::OpaquePtr<clang::QualType>&, clang::BalancedDelimiterTracker&, clang::ColonProtectionRA
    #3 0x7fad534 in clang::Parser::ParseParenExpression(clang::Parser::ParenParseOption&, bool, bool, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) tools/clang/lib/Parse/ParseExpr.cp
    #4 0x7f9886c in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:681:11
    #5 0x7f83045 in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:437:20
    #6 0x7f83045 in clang::Parser::ParseAssignmentExpression(clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:167
    #7 0x7f8fe6a in ParseExpression tools/clang/lib/Parse/ParseExpr.cpp:121:18


echo '*=registerforthisclassxor^u ;conceptBchar32_t=breaku:OB& ifndef[(double(wchar_t nI[3u/23;p*= ,signed))nullptr  error(Rl' | clang -x c++ -c - 


==17945==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e758 at pc 0x0000007dfd49 bp 0x7fffc5bc49b0 sp 0x7fffc5bc4168
READ of size 20 at 0x61500000e758 thread T0
    #0 0x7dfd48 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:403:3
    #1 0xbd8aa27 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
    #2 0xbd73201 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:698:23
    #3 0x7e05bbf in TryConsumeToken tools/clang/include/clang/Parse/Parser.h:295:5

...
0x61500000e758 is located 216 bytes inside of 456-byte region [0x61500000e680,0x61500000e848)
freed by thread T0 here:
    #0 0x7f6fdb in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
    #1 0x802dfa9 in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:365:7
Comment 20 Kostya Serebryany 2015-04-17 19:08:50 PDT
As of today, issue 22407 is the only one seen on the clang fuzzer bot:
http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer/builds/1395
Comment 21 Kostya Serebryany 2015-04-17 19:09:59 PDT
(In reply to comment #20)
> As of today, issue 22407 is the only one seen on the clang fuzzer bot:
> http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer/builds/1395

(the bot uses no-assertions build)
Comment 22 Kostya Serebryany 2015-05-05 23:37:11 PDT
The clang/clang-format fuzzer bot
lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer
has been extended to run both with and w/o assertions. 
whenever a bug is found, the fuzzer will print the base64-encoded reproducer 
so that one can copy-paste it from the buildbot logs: 
E.g. from the bot logs:
===============
SUMMARY: AddressSanitizer: ...
CRASHED; file written to crash-80193815206841682354717562770799349303
Base64: OiDgO3gKUyYhU0Z4KhFoEztFKGV1bZNTe5Hsk1MmKUMheCoTIWgTO0VTKMFldW2TUzs=
===============

Just do this: 
echo OiDgO3gKUyYhU0Z4KhFoEztFKGV1bZNTe5Hsk1MmKUMheCoTIWgTO0VTKMFldW2TUzs= | base64 -d | clang -x c++ -
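The copy-paste step described in comment 22, turned into a script. This is an added example; it is not code from this bug report, from the LLVM tree or from the fuzzer bot. The function names (extract_reproducers, replay_reproducers) are this example's own, and the log excerpt is constructed to match the format quoted above: its first payload is the "#if 0" input from comment 1 re-encoded, its second is the payload shown in comment 22, and its third is deliberately malformed.

```shell
#!/bin/sh
# Added example; not code from this bug report, the LLVM tree or the fuzzer bot.
# The fuzzer prints "Base64: <payload>" when it crashes. These two functions
# (names are this example's own) scan a saved buildbot log for those lines,
# decode each payload into a file, and replay every file through a command
# that reads its input from stdin, e.g. "clang -x c++ -".

# extract_reproducers LOGFILE OUTDIR
# Writes the n-th decodable payload to OUTDIR/repro-<n>.bin and prints the
# number of files written. Malformed or undecodable payloads are skipped
# with a warning on stderr.
extract_reproducers() {
    log="$1"; out="$2"
    mkdir -p "$out"
    payloads=$(mktemp)
    # Keep only the payload after "Base64: "; drop CRs from Windows-style logs.
    sed -n 's/^Base64: *//p' "$log" | tr -d '\r' > "$payloads"
    n=0
    while IFS= read -r payload; do
        case "$payload" in
            ""|*[!A-Za-z0-9+/=]*)                  # outside the base64 alphabet
                echo "warning: skipping malformed payload: $payload" >&2
                continue ;;
        esac
        n=$((n + 1))
        file="$out/repro-$n.bin"
        if ! { printf '%s\n' "$payload" | base64 -d > "$file" 2>/dev/null \
               && [ -s "$file" ]; }; then
            echo "warning: skipping undecodable payload: $payload" >&2
            rm -f "$file"
            n=$((n - 1))
        fi
    done < "$payloads"
    rm -f "$payloads"
    echo "$n"
}

# replay_reproducers OUTDIR CMD [ARG...]
# Feeds each reproducer to CMD on stdin and prints how many of them crashed
# it. A crash is an exit status >= 128 (killed by a signal, which is what a
# failed assert's SIGABRT gives) or a sanitizer/assert report on stderr; the
# second check matters because clang under ASan exits with status 1 by
# default rather than dying from a signal.
replay_reproducers() {
    dir="$1"; shift
    errlog=$(mktemp)
    crashed=0
    for f in "$dir"/repro-*.bin; do
        [ -e "$f" ] || continue
        status=0
        "$@" < "$f" > /dev/null 2> "$errlog" || status=$?
        if [ "$status" -ge 128 ] \
           || grep -Eq 'ERROR: (Address|Memory|Leak)Sanitizer|Assertion .* failed' "$errlog"; then
            crashed=$((crashed + 1))
            echo "crash: $f (exit status $status)" >&2
        fi
    done
    rm -f "$errlog"
    echo "$crashed"
}

# Constructed sample log in the format quoted in the comment above. The first
# payload is "#if 0" from comment 1 re-encoded, the second is the payload
# shown in comment 22, the third is deliberately malformed.
SAMPLE_LOG='SUMMARY: AddressSanitizer: heap-buffer-overflow ...
CRASHED; file written to crash-1
Base64: I2lmIDA=
SUMMARY: AddressSanitizer: ...
CRASHED; file written to crash-2
Base64: OiDgO3gKUyYhU0Z4KhFoEztFKGV1bZNTe5Hsk1MmKUMheCoTIWgTO0VTKMFldW2TUzs=
Base64: not*valid*base64'

# Stand-alone demo: extract from the sample log and replay with "cat", which
# never crashes. Replace "cat" with "clang -x c++ -" to replay for real.
workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" > "$workdir/build.log"
echo "reproducers written: $(extract_reproducers "$workdir/build.log" "$workdir/out")"
echo "inputs that crashed cat: $(replay_reproducers "$workdir/out" cat)"
rm -rf "$workdir"
```

To use it against a real bot log, save the log to a file and run `extract_reproducers build.log out` followed by `replay_reproducers out clang -x c++ -` (a sanitizer build for the crashes of comments 1 and 2, an assertions build for the ones in comment 4); the sanitizer summary is grepped from stderr on purpose, since an ASan report does not by itself produce a signal exit.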
Comment 23 Kostya Serebryany 2015-08-10 18:13:27 PDT
Still seen by the fuzzer bot: 

echo w5sKZTtTk1LJKHbBDckJUgksZCg7Kjo6KCooZckokztyyWWROyjJKIM6OsllwSgmQkFyPDooOi87  | base64 --decode | clang++ -x c++ -
tools/clang/include/clang/Parse/Parser.h:2253: void clang::Parser::DeclaratorScopeObj::EnterDeclaratorScope(): Assertion `!EnteredScope && "Already entered the scope!"' failed.
Comment 24 Kostya Serebryany 2015-12-21 22:51:18 PST
Some more:
echo KAljQyggbCA9ZG8sdXNqb3J0fGI+bGU6eUJwOygJKipDKGxnKGtpID1jQyg5KWRlZmluZSggKkkpMyg= | base64 --decode | clang -x c++ - 

llvm/include/llvm/Support/Casting.h:95: static bool llvm::isa_impl_cl<clang::ExprWithCleanups, const clang::Expr *>::doit(const From *) [To = clang::ExprWithCleanups, From = const clang::Expr *]: Assertion `Val && "isa<> used on a null pointer"' failed.

(null deref follows)
Comment 25 Kostya Serebryany 2015-12-21 22:54:01 PST
echo O2lubGluZSB0ZW1wbGEoCWNDKSgJIGVudW0gbDY7KHRlIG8= | base64 --decode | clang -x c++ - 

==38911==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdfb8a2f00 (pc 0x00000cb04169 bp 0x7ffdfb8a30a0 sp 0x7ffdfb8a2f00 T0)
    #0 0xcb04168 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1226
    #1 0xcb5b855 in clang::LinkageComputer::getLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1320:22
    #2 0xcb0b5b5 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1357:10
    #3 0xcb0b5b5 in clang::NamedDecl::getLinkageInternal() const tools/clang/lib/AST/Decl.cpp:1030
    #4 0xd1d98f9 in computeCachedProperties tools/clang/lib/AST/Type.cpp:3163:17
    #5 0xd1d98f9 in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:3115
    #6 0xd1d871c in get tools/clang/lib/AST/Type.cpp:3094:5
    #7 0xd1d871c in get tools/clang/lib/AST/Type.cpp:3090
    #8 0xd1d871c in computeCachedProperties tools/clang/lib/AST/Type.cpp:3200
Comment 26 Kostya Serebryany 2015-12-21 23:49:28 PST
Stack trace for #24:
==14981==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000acf5492 bp 0x7ffde0a49d30 sp 0x7ffde0a48340 T0)
    #0 0xacf5491 in getInit tools/clang/include/clang/AST/Decl.h:1089:17
    #1 0xacf5491 in clang::Sema::BuildCXXDefaultArgExpr(clang::SourceLocation, clang::FunctionDecl*, clang::ParmVarDecl*) tools/clang/lib/Sema/SemaExpr.cpp:4330
    #2 0xad02439 in clang::Sema::GatherArgumentsForCall(clang::SourceLocation, clang::FunctionDecl*, clang::FunctionProtoType const*, unsigned int, llvm::ArrayRef<clang::Expr*
    #3 0xacfa0e5 in clang::Sema::ConvertArgumentsForCall(clang::CallExpr*, clang::Expr*, clang::FunctionDecl*, clang::FunctionProtoType const*, llvm::ArrayRef<clang::Expr*>, c
    #4 0xad0a38d in clang::Sema::BuildResolvedCallExpr(clang::Expr*, clang::NamedDecl*, clang::SourceLocation, llvm::ArrayRef<clang::Expr*>, clang::SourceLocation, clang::Expr
    #5 0xb6b5f0a in FinishOverloadedCallExpr(clang::Sema&, clang::Scope*, clang::Expr*, clang::UnresolvedLookupExpr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*
    #6 0xb6b4281 in clang::Sema::BuildOverloadedCallExpr(clang::Scope*, clang::Expr*, clang::UnresolvedLookupExpr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*>,
    #7 0xac857a7 in clang::Sema::ActOnCallExpr(clang::Scope*, clang::Expr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*>, clang::SourceLocation, clang::Expr*, bo
    #8 0x9828350 in clang::Parser::ParsePostfixExpressionSuffix(clang::ActionResult<clang::Expr*, true>) tools/clang/lib/Parse/ParseExpr.cpp:1554:15
    #9 0x9830cb8 in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:1338:10
    #10 0x9819a6c in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:465:20
Comment 27 Kostya Serebryany 2015-12-21 23:51:06 PST
one more:

echo dGVtcGxhdGUgPCF2PmNsYXNzJAlle25tdGwgZSAoIGRvdWxlMipDKXRocm93CyAoKXsgIGUgZDpkKCkhPA== | base64 --decode | clang -x c++ -

==15086==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x0000096ce636 bp 0x7ffd5d700ee0 sp 0x7ffd5d700ac0 T0)
    #0 0x96ce635 in getKind tools/clang/include/clang/AST/DeclBase.h:382:51
    #1 0x96ce635 in classof tools/clang/include/clang/AST/DeclTemplate.h:980
    #2 0x96ce635 in doit include/llvm/Support/Casting.h:56
    #3 0x96ce635 in doit include/llvm/Support/Casting.h:96
    #4 0x96ce635 in doit include/llvm/Support/Casting.h:122
    #5 0x96ce635 in doit include/llvm/Support/Casting.h:112
    #6 0x96ce635 in isa<clang::FunctionTemplateDecl, clang::Decl *> include/llvm/Support/Casting.h:133
    #7 0x96ce635 in dyn_cast<clang::FunctionTemplateDecl, clang::Decl> include/llvm/Support/Casting.h:298
    #8 0x96ce635 in clang::Parser::ParseLexedMethodDeclaration(clang::Parser::LateParsedMethodDeclaration&) tools/clang/lib/Parse/ParseCXXInlineMethods.cpp:415
    #9 0x96ca645 in clang::Parser::ParseLexedMethodDeclarations(clang::Parser::ParsingClass&) tools/clang/lib/Parse/ParseCXXInlineMethods.cpp:287:5
    #10 0x97d7d45 in clang::Parser::ParseCXXMemberSpecification(clang::SourceLocation, clang::SourceLocation, clang::Parser::ParsedAttributesWithRange&, unsigned int, clang::D
    #11 0x97ce06e in clang::Parser::ParseClassSpecifier(clang::tok::TokenKind, clang::SourceLocation, clang::DeclSpec&, clang::Parser::ParsedTemplateInfo const&, clang::Access
    #12 0x971b6c1 in clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&, clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier, clang::Parser::DeclSpecConte
    #13 0x99fecea in clang::Parser::ParseSingleDeclarationAfterTemplate(unsigned int, clang::Parser::ParsedTemplateInfo const&, clang::ParsingDeclRAIIObject&, clang::SourceLoc
    #14 0x99fc432 in clang::Parser::ParseTemplateDeclarationOrSpecialization(unsigned int, clang::SourceLocation&, clang::AccessSpecifier, clang::AttributeList*) tools/clang/l
    #15 0x99fa1b6 in clang::Parser::ParseDeclarationStartingWithTemplate(unsigned int, clang::SourceLocation&, clang::AccessSpecifier, clang::AttributeList*) tools/clang/lib/P
    #16 0x9715090 in clang::Parser::ParseDeclaration(unsigned int, clang::SourceLocation&, clang::Parser::ParsedAttributesWithRange&) tools/clang/lib/Parse/ParseDecl.cpp:1461:
    #17 0x9686c55 in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) tools/clang/lib/Parse/Parser.cpp:743:14
    #18 0x96845e2 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&) tools/clang/lib/Parse/Parser.cpp:593:12
Comment 28 Kostya Serebryany 2015-12-21 23:53:48 PST
tools/clang/lib/AST/DeclBase.cpp:762: bool clang::Decl::AccessDeclContextSanity() const: Assertion `Access != AS_none && "Access specifier is AS_none inside a record decl"' failed.

echo IChkb3dsKiYmQykLKChsYXNzeyAgZmxvZXR1dCgJXkMpKAkgZW51bWwgb21wbDtjPDp4b3JfZXEnOiEpOyc | base64 --decode | clang -x c++ -
Comment 29 Kostya Serebryany 2015-12-21 23:58:41 PST
(In reply to comment #28)
> tools/clang/lib/AST/DeclBase.cpp:762: bool
> clang::Decl::AccessDeclContextSanity() const: Assertion `Access != AS_none
> && "Access specifier is AS_none inside a record decl"' failed.

In a non-assert build, this causes:
==16615==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x00000a239d45 bp 0x7ffd4aa874b0 sp 0x7ffd4aa87480 T0)
    #0 0xa239d44 in getCanonicalDecl tools/clang/include/clang/AST/DeclCXX.h:655:12
    #1 0xa239d44 in (anonymous namespace)::AccessTarget::initialize() tools/clang/lib/Sema/SemaAccess.cpp:247
    #2 0xa223796 in AccessTarget tools/clang/lib/Sema/SemaAccess.cpp:152:5
    #3 0xa223796 in clang::Sema::HandleDelayedAccessCheck(clang::sema::DelayedDiagnostic&, clang::Decl*) tools/clang/lib/Sema/SemaAccess.cpp:1490
    #4 0xa897de4 in clang::Sema::PopParsingDeclaration(clang::Sema::DelayedDiagnosticsState, clang::Decl*) tools/clang/lib/Sema/SemaDeclAttr.cpp:5913:9
    #5 0x97f1a64 in pop tools/clang/lib/Parse/RAIIObjectsForParser.h:168:9
    #6 0x97f1a64 in complete tools/clang/lib/Parse/RAIIObjectsForParser.h:151
    #7 0x97f1a64 in complete tools/clang/lib/Parse/RAIIObjectsForParser.h:222
Comment 30 Kostya Serebryany 2015-12-22 00:07:32 PST
Input (base64): bmFtZXNwYWNlICB7YXV0byBsIChedm9sYXRpbGV7b2lubGF1byBsKT1ee2ZhOiBsIG5hfWUmJmwocyggKGho

llvm/tools/clang/lib/AST/Decl.cpp:2136: clang::APValue *clang::VarDecl::evaluateValue(SmallVectorImpl<PartialDiagnosticAt> &) const: Assertion `!Init->isValueDependent()' failed.


==17999==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000d2b0a79 bp 0x7ffee1d343b0 sp 0x7ffee1d33e40 T0)
    #0 0xd2b0a78 in getTypePtr tools/clang/include/clang/AST/Type.h:5054:26
    #1 0xd2b0a78 in operator-> tools/clang/include/clang/AST/Type.h:635
    #2 0xd2b0a78 in clang::Expr::EvaluateAsInitializer(clang::APValue&, clang::ASTContext const&, clang::VarDecl const*, llvm::SmallVectorImpl<std::pair<clang::SourceLocation,
    #3 0xd096cf4 in clang::VarDecl::evaluateValue(llvm::SmallVectorImpl<std::pair<clang::SourceLocation, clang::PartialDiagnostic> >&) const tools/clang/lib/AST/Decl.cpp:2147:
    #4 0xd0966e8 in clang::VarDecl::evaluateValue() const tools/clang/lib/AST/Decl.cpp:2115:10
    #5 0xcd5e4fd in clang::ASTContext::DeclMustBeEmitted(clang::Decl const*) tools/clang/lib/AST/ASTContext.cpp:8472:8
    #6 0xa596825 in clang::Sema::ShouldWarnIfUnusedFileScopedDecl(clang::DeclaratorDecl const*) const tools/clang/lib/Sema/SemaDecl.cpp:1414:9
    #7 0xa597ebb in clang::Sema::MarkUnusedFileScopedDecl(clang::DeclaratorDecl const*) tools/clang/lib/Sema/SemaDecl.cpp:1446:7
    #8 0xa6ebef8 in clang::Sema::FinalizeDeclaration(clang::Decl*) tools/clang/lib/Sema/SemaDecl.cpp:10222:5
Comment 31 Kostya Serebryany 2015-12-22 01:05:16 PST
and a use-after-free:   

ICB5PS0gJ1QgOih0ICA9eShkb3c6IXN0aGM6PCcqKikrUzs6OiBsM0UgPSp5b3JlaW50SWl3KChjaGFyKHhvcikobyBXLGQmKiZdQykpc3xyZXJwcgs=
==30399==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e538 at pc 0x0000008a4fa9 bp 0x7ffc039791a0 sp 0x7ffc03978958
READ of size 20 at 0x61500000e538 thread T0
    #0 0x8a4fa8 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:393:3
    #1 0xdbfecf6 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
    #2 0xdbe5c07 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:731:23
    #3 0x96782aa in ConsumeParen tools/clang/include/clang/Parse/Parser.h:383:5
    #4 0x96782aa in clang::Parser::SkipUntil(llvm::ArrayRef<clang::tok::TokenKind>, clang::Parser::SkipUntilFlags) tools/clang/lib/Parse/Parser.cpp:334
    #5 0x9828676 in SkipUntil tools/clang/include/clang/Parse/Parser.h:864:12
    #6 0x9828676 in clang::Parser::ParsePostfixExpressionSuffix(clang::ActionResult<clang::Expr*, true>) tools/clang/lib/Parse/ParseExpr.cpp:1546
    #7 0x9830cb8 in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:1338:10

0x61500000e538 is located 312 bytes inside of 456-byte region [0x61500000e400,0x61500000e5c8)
freed by thread T0 here:
    #0 0x8bc0eb in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x98c93e9 in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:374:7
    #2 0x98c93e9 in clang::Parser::ParseCXXAmbiguousParenExpression(clang::Parser::ParenParseOption&, clang::OpaquePtr<clang::QualType>&, clang::BalancedDelimiterTracker&, cla
    #3 0x98513b8 in clang::Parser::ParseParenExpression(clang::Parser::ParenParseOption&, bool, bool, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) tools/clang/l
    #4 0x98301ea in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:709:11
    #5 0x9819a6c in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:465:20
    #6 0x9819a6c in clang::Parser::ParseAssignmentExpression(clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:169


previously allocated by thread T0 here:
    #0 0x8bc75e in realloc projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71:3
    #1 0x5ea8a5f in llvm::SmallVectorBase::grow_pod(void*, unsigned long, unsigned long) lib/Support/SmallVector.cpp:34:15
    #2 0x96d3b20 in grow_pod include/llvm/ADT/SmallVector.h:81:5
    #3 0x96d3b20 in grow include/llvm/ADT/SmallVector.h:334
    #4 0x96d3b20 in push_back include/llvm/ADT/SmallVector.h:339
    #5 0x96d3b20 in clang::Parser::ConsumeAndStoreUntil(clang::tok::TokenKind, clang::tok::TokenKind, llvm::SmallVector<clang::Token, 4u>&, bool, bool) tools/clang/lib/Parse/P
    #6 0x96d38c3 in ConsumeAndStoreUntil tools/clang/include/clang/Parse/Parser.h:1212:12
    #7 0x96d38c3 in clang::Parser::ConsumeAndStoreUntil(clang::tok::TokenKind, clang::tok::TokenKind, llvm::SmallVector<clang::Token, 4u>&, bool, bool) tools/clang/lib/Parse/P
    #8 0x98c7edf in ConsumeAndStoreUntil tools/clang/include/clang/Parse/Parser.h:1212:12
Comment 32 Kostya Serebryany 2016-01-05 23:10:14 PST
echo "(*operator union z *" | ./bin/clang -x c++ - 

==39217==ERROR: AddressSanitizer: use-after-poison on address 0x6210000127a8 at pc 0x00000081dda9 bp 0x7ffe21265030 sp 0x7ffe212647e0
WRITE of size 32 at 0x6210000127a8 thread T0
    #0 0x81dda8 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:393:3
    #1 0xce40013 in clang::Sema::GetTypeSourceInfoForDeclarator(clang::Declarator&, clang::QualType, clang::TypeSourceInfo*) tools/clang/lib/Sema/SemaType.cpp:4882:5
    #2 0xce318b1 in GetFullTypeForDeclarator((anonymous namespace)::TypeProcessingState&, clang::QualType, clang::TypeSourceInfo*) tools/clang/lib/Sema/SemaType.cpp:4291:10
    #3 0xce0c4e6 in clang::Sema::GetTypeForDeclarator(clang::Declarator&, clang::Scope*) tools/clang/lib/Sema/SemaType.cpp:4311:10
    #4 0xb60de32 in clang::Sema::HandleDeclarator(clang::Scope*, clang::Declarator&, llvm::MutableArrayRef<clang::TemplateParameterList*>) tools/clang/lib/Sema/SemaDecl.cpp:48
    #5 0xb60cd7d in clang::Sema::ActOnDeclarator(clang::Scope*, clang::Declarator&) tools/clang/lib/Sema/SemaDecl.cpp:4658:15

0x6210000127a8 is located 3752 bytes inside of 4096-byte region [0x621000011900,0x621000012900)
allocated by thread T0 here:
    #0 0x83504b in __interceptor_malloc projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x8a4285 in Allocate include/llvm/Support/Allocator.h:95:12
    #2 0x8a4285 in StartNewSlab include/llvm/Support/Allocator.h:321
    #3 0x8a4285 in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator, 4096ul, 4096ul>::Allocate(unsigned long, unsigned long) include/llvm/Support/Allocator.h:248
    #4 0xe1fe535 in Allocate tools/clang/include/clang/AST/ASTContext.h:560:12
    #5 0xe1fe535 in operator new[] tools/clang/include/clang/AST/ASTContext.h:2645
    #6 0xe1fe535 in clang::DeclarationNameTable::DeclarationNameTable(clang::ASTContext const&) tools/clang/lib/AST/DeclarationName.cpp:345
Comment 33 Kostya Serebryany 2016-01-06 13:03:05 PST
Infinite loop:
echo "e ():iihdechar ()::new) (" | clang -x c++ - 

#0  0x0000000001985dd2 in clang::SourceManager::getSLocEntryByID(int, bool*) const ()
#1  0x0000000002eee228 in clang::Lexer::getRawToken(clang::SourceLocation, clang::Token&, clang::SourceManager const&, clang::LangOptions const&, bool) ()
#2  0x0000000002eef7bf in clang::Lexer::getLocForEndOfToken(clang::SourceLocation, unsigned int, clang::SourceManager const&, clang::LangOptions const&) ()
#3  0x0000000002387a3f in clang::Parser::ParseConstructorInitializer(clang::Decl*) ()
#4  0x000000000234a79e in clang::Parser::ParseFunctionDefinition(clang::ParsingDeclarator&, clang::Parser::ParsedTemplateInfo const&, clang::Parser::LateParsedAttrList*) ()
#5  0x0000000002362e74 in clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&, unsigned int, clang::SourceLocation*, clang::Parser::ForRangeInit*) ()
#6  0x0000000002349fb6 in clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec&, clang::AccessSpecifier) ()
#7  0x000000000234997a in clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*, clang::AccessSpecifier) ()
#8  0x0000000002348bd5 in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) ()
#9  0x0000000002347de2 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&) ()
#10 0x0000000002343771 in clang::ParseAST(clang::Sema&, bool, bool) ()
#11 0x0000000001cef765 in clang::FrontendAction::Execute() ()
Comment 34 Dmitry Polukhin 2016-01-12 03:39:40 PST
Infinite recursion from comment #25 should be fixed by http://reviews.llvm.org/rL257461
Comment 35 Kostya Serebryany 2016-01-15 12:29:22 PST
printf ">>>> <<<\n<<<<\n<<<<" | ./bin/clang -x c++ - 

==24055==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000d013 at pc 0x0000007ba3ea bp 0x7ffe30bec7d0 sp 0x7ffe30bebf88
READ of size 5 at 0x60600000d013 thread T0
    #0 0x7ba3e9 in memcmp projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:418:7
    #1 0x6a1881c in llvm::StringRef::find(llvm::StringRef, unsigned long) const lib/Support/StringRef.cpp:175:9
    #2 0xed6299f in FindConflictEnd(char const*, char const*, clang::ConflictMarkerKind) tools/clang/lib/Lex/Lexer.cpp:2586:16
    #3 0xed756db in HandleEndOfConflictMarker tools/clang/lib/Lex/Lexer.cpp:2668:25
    #4 0xed756db in clang::Lexer::LexTokenInternal(clang::Token&, bool) tools/clang/lib/Lex/Lexer.cpp:3405
    #5 0xed5e40f in clang::Lexer::Lex(clang::Token&) tools/clang/lib/Lex/Lexer.cpp:2892:24
    #6 0xefddcc4 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:725:23
    #7 0xa7998c5 in ConsumeToken tools/clang/include/clang/Parse/Parser.h:289:5


0x60600000d013 is located 0 bytes to the right of 51-byte region [0x60600000cfe0,0x60600000d013)
allocated by thread T0 here:
    #0 0x86d27b in operator new(unsigned long, std::nothrow_t const&) projects/compiler-rt/lib/asan/asan_new_delete.cc:67:3
    #1 0x69ccad8 in llvm::MemoryBuffer::getNewUninitMemBuffer(unsigned long, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:140:34
    #2 0x69d0ac3 in getMemBufferCopy lib/Support/MemoryBuffer.cpp:121:7
    #3 0x69d0ac3 in getMemoryBufferForStream(int, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:243
    #4 0x69cdde7 in llvm::MemoryBuffer::getSTDIN() lib/Support/MemoryBuffer.cpp:430:10
Comment 36 Kostya Serebryany 2016-01-15 17:59:17 PST
echo  IO+Am5YqOjrvSIP4KLjvu49faWYou2lVKb8oKLvvPz8oaW50uygpWynvbWG7Xe/vuw3vACkpKF4= | base64 --decode | ./bin/clang -x c++ - 


==32513==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000008550 at pc 0x00000082bcd9 bp 0x7fffe6568e70 sp 0x7fffe6568628
READ of size 20 at 0x611000008550 thread T0
    #0 0x82bcd8 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:393:3
    #1 0xf00b44f in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:442:7
    #2 0xeff1e77 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:731:23
    #3 0xee6f502 in clang::Preprocessor::PeekAhead(unsigned int) tools/clang/lib/Lex/PPCaching.cpp:91:5
    #4 0xa99c845 in LookAhead tools/clang/include/clang/Lex/Preprocessor.h:1140:14
    #5 0xa99c845 in NextToken tools/clang/include/clang/Parse/Parser.h:552


0x611000008550 is located 144 bytes inside of 216-byte region [0x6110000084c0,0x611000008598)
freed by thread T0 here:
    #0 0x842e1b in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0xaa467df in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:374:7
    #2 0xaa467df in clang::Parser::ParseCXXAmbiguousParenExpression(clang::Parser::ParenParseOption&, clang::OpaquePtr<clang::QualType>&, clang::BalancedDelimiterTracker&, clang::ColonProtectionRA
    #3 0xa9b56bc in clang::Parser::ParseParenExpression(clang::Parser::ParenParseOption&, bool, bool, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) tools/clang/lib/Parse/ParseExpr.cp
    #4 0xa99b2aa in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:709:11
    #5 0xa9828fc in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:465:20
Comment 37 Denis Zobnin 2016-01-20 10:39:33 PST
Infinite loop from comment #33 should be fixed by http://reviews.llvm.org/rL258290

Denis Zobnin
================
Software Engineer
Intel Compiler Team
Intel
Comment 38 Denis Zobnin 2016-02-03 05:09:49 PST
Issue from comment #18 should be fixed by http://reviews.llvm.org/rL259532.
Comment 39 Dmitry Polukhin 2016-02-04 02:05:55 PST
Comment #36 (smaller repro "int H((int()[)])") should be fixed by http://reviews.llvm.org/rL259750

Dmitry Polukhin
===============
Software Engineer
Intel Compiler Team
Comment 40 Benjamin Kramer 2016-04-01 05:05:55 PDT
Comment #33 is fixed in http://reviews.llvm.org/rL265125.
Comment 41 Benjamin Kramer 2016-12-01 05:50:36 PST
$ echo '#define ID(x) x\nID(x)\nID(_Pragma(""))' | clang -x c -
<stdin>:3:4: error: _Pragma takes a parenthesized string literal
ID(_Pragma(""))
   ^
clang-4.0: include/llvm/ADT/SmallVector.h:164: reference llvm::SmallVectorTemplateCommon<clang::Token, void>::back() [T = clang::Token]: Assertion `!empty()' failed.
#0 0x0000000001aef418 llvm::sys::PrintStackTrace(llvm::raw_ostream&) (clang-4.0+0x1aef418)
#1 0x0000000001aeffb6 SignalHandler(int) (clang-4.0+0x1aeffb6)
#2 0x00007efcc705b330 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x10330)
#3 0x00007efcc5c4ec37 gsignal /build/eglibc-oGUzwX/eglibc-2.19/signal/../nptl/sysdeps/unix/sysv/linux/raise.c:56:0
#4 0x00007efcc5c52028 abort /build/eglibc-oGUzwX/eglibc-2.19/stdlib/abort.c:91:0
#5 0x00007efcc5c47bf6 __assert_fail_base /build/eglibc-oGUzwX/eglibc-2.19/assert/assert.c:92:0
#6 0x00007efcc5c47ca2 (/lib/x86_64-linux-gnu/libc.so.6+0x2fca2)
#7 0x00000000034e3fec clang::Preprocessor::PeekAhead(unsigned int) (clang-4.0+0x34e3fec)
#8 0x00000000028044d2 clang::Parser::ParseImplicitInt(clang::DeclSpec&, clang::CXXScopeSpec*, clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier, clang::Parser::DeclSpecContext, clang::Parser::ParsedAttributesWithRange&) (clang-4.0+0x28044d2)
#9 0x00000000027fcf73 clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&, clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier, clang::Parser::DeclSpecContext, clang::Parser::LateParsedAttrList*) (clang-4.0+0x27fcf73)
#10 0x00000000027e737e clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec&, clang::AccessSpecifier) (clang-4.0+0x27e737e)