
Bug 37008 - parser heap use after free
Summary: parser heap use after free
Status: NEW
Alias: None
Product: clang
Classification: Unclassified
Component: C++ (show other bugs)
Version: trunk
Hardware: PC Linux
Importance: P enhancement
Assignee: Unassigned Clang Bugs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-04 13:29 PDT by Richard Smith
Modified: 2018-04-04 19:48 PDT (History)
3 users (show)

See Also:
Fixed By Commit(s):


Description Richard Smith 2018-04-04 13:29:03 PDT
(Filed on behalf of Jim Meyering)

Here's the minimized reproducer:

  printf 'template <int> void ngX() template z()->ngY<>;' | clang -cc1 -x c++

Here's most of the resulting output. The diagnostics are expected for malformed input; the security-relevant part is the AddressSanitizer report that follows: a 4-byte read in ParseDeclarationSpecifiers (ParseDecl.cpp:3310) hits a TemplateIdAnnotation that was allocated while parsing the explicit instantiation's trailing return type (the `->ngY<>` annotation created via AnnotateTemplateIdToken) and then freed by ~DestroyTemplateIdAnnotationsRAIIObj on the way out of ParseExternalDeclaration (Parser.cpp:859) before the outer declaration parse finished with it. Because this is reachable from attacker-controlled source text, it matters for any service that compiles untrusted input with clang (e.g. fuzzers, online compilers, or tooling built on the parser); a non-ASan build would silently read freed heap memory here rather than crash deterministically.

<stdin>:1:26: error: expected ';' at end of declaration
template <int> void ngX() template z()->ngY<>;
                         ^
                         ;
<stdin>:1:41: error: no template named 'ngY'; did you mean 'ngX'?
template <int> void ngX() template z()->ngY<>;
                                        ^~~
                                        ngX
<stdin>:1:21: note: 'ngX' declared here
template <int> void ngX() template z()->ngY<>;
                    ^
<stdin>:1:41: error: expected a type
template <int> void ngX() template z()->ngY<>;
                                        ^
<stdin>:1:41: error: variable cannot be defined in an explicit instantiation; if this declaration is meant to be a variable definition, remove the 'template' keyword
template <int> void ngX() template z()->ngY<>;
                          ~~~~~~~~~     ^
<stdin>:1:36: error: C++ requires a type specifier for all declarations
template <int> void ngX() template z()->ngY<>;
                                   ^
<stdin>:1:45: error: expected ';' at end of declaration
template <int> void ngX() template z()->ngY<>;
                                            ^
                                            ;
=================================================================
==3876978==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000001a30 at pc 0x000005a27670 bp 0x7ffd8a754350 sp 0x7ffd8a754348
READ of size 4 at 0x607000001a30 thread T0
    #0 0x5a2766f in clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&, clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier, clang::Parser::DeclSpecContext, clang::Parser::LateParsedAttrList*) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:3310
    #1 0x59f70e3 in clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec&, clang::AccessSpecifier) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:922
    #2 0x59f6b86 in clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*, clang::AccessSpecifier) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:1028
    #3 0x59f56f2 in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:853
    #4 0x59f45d1 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:609
    #5 0x59ee6bb in clang::ParseAST(clang::Sema&, bool, bool) /tmp/llvm/tools/clang/lib/Parse/ParseAST.cpp:152
    #6 0x3c95c64 in clang::FrontendAction::Execute() /tmp/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:904
    #7 0x3c03f86 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /tmp/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:989
    #8 0x3e0bf27 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /tmp/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:255
    #9 0xf90faf in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /tmp/llvm/tools/clang/tools/driver/cc1_main.cpp:221
    #10 0xf818e9 in ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) /tmp/llvm/tools/clang/tools/driver/driver.cpp:310
    #11 0xf81581 in main /tmp/llvm/tools/clang/tools/driver/driver.cpp:390
    #12 0x7f6051da4c04 in __libc_start_main ??:?
    #13 0xe5fe33 in _start ??:?

0x607000001a30 is located 64 bytes inside of 80-byte region [0x6070000019f0,0x607000001a40)
freed by thread T0 here:
    #0 0xf372c0 in __interceptor_free.localalias.0 crtstuff.c:?
    #1 0x59feac7 in ~DestroyTemplateIdAnnotationsRAIIObj /tmp/llvm/build/../tools/clang/include/clang/Parse/RAIIObjectsForParser.h:459
    #2 0x59f580d in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:859
    #3 0x59f45d1 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:609
    #4 0x59ee6bb in clang::ParseAST(clang::Sema&, bool, bool) /tmp/llvm/tools/clang/lib/Parse/ParseAST.cpp:152
    #5 0x3c95c64 in clang::FrontendAction::Execute() /tmp/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:904
    #6 0x3c03f86 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /tmp/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:989
    #7 0x3e0bf27 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /tmp/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:255
    #8 0xf90faf in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /tmp/llvm/tools/clang/tools/driver/cc1_main.cpp:221
    #9 0xf818e9 in ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) /tmp/llvm/tools/clang/tools/driver/driver.cpp:310
    #10 0xf81581 in main /tmp/llvm/tools/clang/tools/driver/driver.cpp:390
    #11 0x7f6051da4c04 in __libc_start_main ??:?

previously allocated by thread T0 here:
    #0 0xf374d0 in __interceptor_malloc ??:?
    #1 0xfb2b0a in llvm::safe_malloc(unsigned long) /tmp/llvm/build/../include/llvm/Support/Allocator.h:447
    #2 0x5aa115c in clang::TemplateIdAnnotation::Create(clang::CXXScopeSpec, clang::SourceLocation, clang::SourceLocation, clang::IdentifierInfo*, clang::OverloadedOperatorKind, clang::OpaquePtr<clang::TemplateName>, clang::TemplateNameKind, clang::SourceLocation, clang::SourceLocation, llvm::ArrayRef<clang::ParsedTemplateArgument>, llvm::SmallVectorImpl<clang::TemplateIdAnnotation*>&) /tmp/llvm/build/../tools/clang/include/clang/Sema/ParsedTemplate.h:202
    #3 0x5b102e9 in clang::Parser::AnnotateTemplateIdToken(clang::OpaquePtr<clang::TemplateName>, clang::TemplateNameKind, clang::CXXScopeSpec&, clang::SourceLocation, clang::UnqualifiedId&, bool) /tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:1042
    #4 0x5a8f564 in clang::Parser::ParseOptionalCXXScopeSpecifier(clang::CXXScopeSpec&, clang::OpaquePtr<clang::QualType>, bool, bool*, bool, clang::IdentifierInfo**, bool) /tmp/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:497
    #5 0x59fc010 in clang::Parser::TryAnnotateCXXScopeToken(bool) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:1886
    #6 0x5a23ae9 in clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&, clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier, clang::Parser::DeclSpecContext, clang::Parser::LateParsedAttrList*) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:3212
    #7 0x5a11ff0 in clang::Parser::ParseSpecifierQualifierList(clang::DeclSpec&, clang::AccessSpecifier, clang::Parser::DeclSpecContext) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:2389
    #8 0x5a11c31 in clang::Parser::ParseTypeName(clang::SourceRange*, clang::DeclaratorContext, clang::AccessSpecifier, clang::Decl**, clang::ParsedAttributes*) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:58
    #9 0x5a39bcd in clang::Parser::ParseFunctionDeclarator(clang::Declarator&, clang::ParsedAttributes&, clang::BalancedDelimiterTracker&, bool, bool) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:6152
    #10 0x5a3692c in clang::Parser::ParseDirectDeclarator(clang::Declarator&) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:5789
    #11 0x5a34e6e in clang::Parser::ParseDeclaratorInternal(clang::Declarator&, void (clang::Parser::*)(clang::Declarator&)) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:5340
    #12 0x5b0b10e in clang::Parser::ParseSingleDeclarationAfterTemplate(clang::DeclaratorContext, clang::Parser::ParsedTemplateInfo const&, clang::ParsingDeclRAIIObject&, clang::SourceLocation&, clang::AccessSpecifier, clang::AttributeList*) /tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:238
    #13 0x5b09d9b in clang::Parser::ParseExplicitInstantiation(clang::DeclaratorContext, clang::SourceLocation, clang::SourceLocation, clang::SourceLocation&, clang::AccessSpecifier) /tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:1318
    #14 0x5b09b40 in clang::Parser::ParseDeclarationStartingWithTemplate(clang::DeclaratorContext, clang::SourceLocation&, clang::AccessSpecifier, clang::AttributeList*) /tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:34
    #15 0x5a22609 in clang::Parser::ParseDeclaration(clang::DeclaratorContext, clang::SourceLocation&, clang::Parser::ParsedAttributesWithRange&) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:1686
    #16 0x59f4d97 in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:786
    #17 0x59f45d1 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:609
    #18 0x59ee6bb in clang::ParseAST(clang::Sema&, bool, bool) /tmp/llvm/tools/clang/lib/Parse/ParseAST.cpp:152
    #19 0x3c95c64 in clang::FrontendAction::Execute() /tmp/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:904
    #20 0x3c03f86 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /tmp/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:989
    #21 0x3e0bf27 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /tmp/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:255
    #22 0xf90faf in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /tmp/llvm/tools/clang/tools/driver/cc1_main.cpp:221
    #23 0xf818e9 in ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) /tmp/llvm/tools/clang/tools/driver/driver.cpp:310
    #24 0xf81581 in main /tmp/llvm/tools/clang/tools/driver/driver.cpp:390
    #25 0x7f6051da4c04 in __libc_start_main ??:?