Open Quuxplusone opened 9 years ago
echo -n "#if 0" | clang -x c++ -
==23545==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x604000006b76 at pc 0x00000bb7006e bp 0x7fffa7ced0f0 sp 0x7fffa7ced0e8
READ of size 1 at 0x604000006b76 thread T0
#0 0xbb7006d in clang::NumericLiteralParser::ParseNumberStartingWithZero(clang::SourceLocation) tools/clang/lib/Lex/LiteralSupport.cpp:759:12
#1 0xbb63964 in clang::NumericLiteralParser::NumericLiteralParser(llvm::StringRef, clang::SourceLocation, clang::Preprocessor&) tools/clang/lib/Lex/LiteralSupport.cpp:531:
#2 0xbc9ced8 in EvaluateValue((anonymous namespace)::PPValue&, clang::Token&, DefinedTracker&, bool, clang::Preprocessor&) tools/clang/lib/Lex/PPExpressions.cpp:220:26
#3 0xbc9980e in clang::Preprocessor::EvaluateDirectiveExpression(clang::IdentifierInfo*&) tools/clang/lib/Lex/PPExpressions.cpp:758:7
#4 0xbc59a89 in clang::Preprocessor::HandleIfDirective(clang::Token&, bool) tools/clang/lib/Lex/PPDirectives.cpp:2396:32
#5 0xbc50c98 in clang::Preprocessor::HandleDirective(clang::Token&) tools/clang/lib/Lex/PPDirectives.cpp:838:14
#6 0xbb5e82e in clang::Lexer::LexTokenInternal(clang::Token&, bool) tools/clang/lib/Lex/Lexer.cpp:3633:3
#7 0xbd738ef in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:692:23
#8 0x7dfc1e5 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:123:3
#9 0x57daace in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
#10 0x639676a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
#11 0x57d9122 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
#12 0x56e3e60 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
#13 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
#14 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
#15 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
#16 0x82473f in main tools/clang/tools/driver/driver.cpp:415
0x604000006b76 is located 0 bytes to the right of 38-byte region
[0x604000006b50,0x604000006b76)
allocated by thread T0 here:
#0 0x81955b in operator new(unsigned long, std::nothrow_t const&) projects/compiler-rt/lib/asan/asan_new_delete.cc:67:3
#1 0x4e4741b in llvm::MemoryBuffer::getNewUninitMemBuffer(unsigned long, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:139:34
#2 0x4e4b200 in getMemBufferCopy lib/Support/MemoryBuffer.cpp:120:7
#3 0x4e4b200 in getMemoryBufferForStream(int, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:241
#4 0x4e48947 in llvm::MemoryBuffer::getSTDIN() lib/Support/MemoryBuffer.cpp:428:10
#5 0x56df240 in clang::CompilerInstance::InitializeSourceManager(clang::FrontendInputFile const&, clang::DiagnosticsEngine&, clang::FileManager&, clang::SourceManager&, cl
#6 0x57d3347 in clang::FrontendAction::BeginSourceFile(clang::CompilerInstance&, clang::FrontendInputFile const&) tools/clang/lib/Frontend/FrontendAction.cpp:308:8
#7 0x56e3e40 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:806:9
#8 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
#9 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
#10 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
#11 0x82473f in main tools/clang/tools/driver/driver.cpp:415
echo -n '~a::{' | clang -x c++
==23855==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc
0x00000b7c91c6 bp 0x7fffe68c9dd0 sp 0x7fffe68c9dc0 T0)
#0 0xb7c91c5 in clang::NestedNameSpecifier::getKind() const tools/clang/lib/AST/NestedNameSpecifier.cpp:132:8
#1 0x88ec340 in clang::Sema::ShouldEnterDeclaratorScope(clang::Scope*, clang::CXXScopeSpec const&) tools/clang/lib/Sema/SemaCXXScopeSpec.cpp:999:11
#2 0x7ff9f0e in clang::Parser::ParseUnqualifiedId(clang::CXXScopeSpec&, bool, bool, bool, clang::OpaquePtr<clang::QualType>, clang::SourceLocation&, clang::UnqualifiedId&) tools/clang/lib/Parse/ParseExprCXX.cpp:2549:11
#3 0x7ee34db in clang::Parser::ParseDirectDeclarator(clang::Declarator&) tools/clang/lib/Parse/ParseDecl.cpp:4982:11
#4 0x7ede076 in clang::Parser::ParseDeclaratorInternal(clang::Declarator&, void (clang::Parser::*)(clang::Declarator&)) tools/clang/lib/Parse/ParseDecl.cpp:4756:7
#5 0x7e97c3d in ParseDeclarator tools/clang/lib/Parse/ParseDecl.cpp:4651:3
#6 0x7e97c3d in clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&, unsigned int, clang::SourceLocation*, clang::Parser::ForRangeInit*) tools/clang/lib/Parse/ParseDecl.cpp:1633
#7 0x7e24f9d in clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec&, clang::AccessSpecifier) tools/clang/lib/Parse/Parser.cpp:893:10
#8 0x7e22340 in clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*, clang::AccessSpecifier) tools/clang/lib/Parse/Parser.cpp:909:12
#9 0x7e1873e in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) tools/clang/lib/Parse/Parser.cpp:767:12
#10 0x7e157c2 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&) tools/clang/lib/Parse/Parser.cpp:569:12
#11 0x7dfc2e8 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:134:7
#12 0x57daace in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
#13 0x639676a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
#14 0x57d9122 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
#15 0x56e3e60 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
#16 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
#17 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
#18 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
#19 0x82473f in main tools/clang/tools/driver/driver.cpp:415
Not sure if leaks in clang on invalid inputs are worth fixing.
If not, we can disable leak detection on the fuzzer bot.
Here is one leak example:
echo "::(&C" | clang -x c++ -
Direct leak of 432 byte(s) in 1 object(s) allocated from:
#0 0x81927b in operator new(unsigned long) projects/compiler-rt/lib/asan/asan_new_delete.cc:62:35
#1 0x7e13b19 in EnterScope tools/clang/lib/Parse/Parser.cpp:358:24
#2 0x7e13b19 in clang::Parser::Initialize() tools/clang/lib/Parse/Parser.cpp:425
#3 0x7dfc1e5 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:123:3
#4 0x57daace in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
#5 0x639676a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
#6 0x57d9122 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
#7 0x56e3e60 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
#8 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
#9 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
#10 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
#11 0x82473f in main tools/clang/tools/driver/driver.cpp:415
The bot is currently running w/o assertions because there are quite a few assertion failures.
printf '\n;::(&C' | clang -x c++ -
tools/clang/include/clang/Parse/Parser.h:2166: void
clang::Parser::DeclaratorScopeObj::EnterDeclaratorScope(): Assertion
`!EnteredScope && "Already entered the scope!"' failed.
printf 'x(a::(b)' | clang -x c++ -
tools/clang/lib/Lex/PPCaching.cpp:101: void
clang::Preprocessor::AnnotatePreviousCachedTokens(const clang::Token &):
Assertion `CachedTokens[CachedLexPos-1].getLastLoc() ==
Tok.getAnnotationEndLoc() && "The annotation should be until the most recent
cached token"' failed.
echo ClMKWyK/APABWOsiTD1rW9hs | base64 --decode | clang -x c++ -
tools/clang/lib/Frontend/TextDiagnostic.cpp:973: void highlightRange(const
clang::CharSourceRange &, unsigned int, clang::FileID, const (anonymous
namespace)::SourceColumnMap &, std::string &, const clang::SourceManager &,
const clang::LangOptions &): Assertion `StartColNo <=
map.getSourceLine().size() && "Invalid range!"' failed.
printf 'k80x&::((**\ne::' | clang -x c++ -
tools/clang/include/clang/Parse/Parser.h:2178:
clang::Parser::DeclaratorScopeObj::~DeclaratorScopeObj(): Assertion `SS.isSet()
&& "C++ scope was cleared ?"' failed.
echo -n "#if 0" | clang -x c++ - fixed in r233491.
echo -n '~a::{' | clang -x c++ - fixed in r233492.
echo I1zqGiMAXAoAI7JrCiPR | base64 --decode | clang -x c++ -
tools/clang/lib/Lex/PPDirectives.cpp:99: void
clang::Preprocessor::DiscardUntilEndOfDirective(): Assertion
`Tmp.isNot(tok::eof) && "EOF seen while discarding directive tokens"' failed.
W/o asserts this causes a null deref.
Thanks Benjamin for the fixes!
I added the still-open AFL bugs found by Sami Liedes
(In reply to comment #3)
> Not sure if leaks in clang on invalid inputs are worth fixing.
> If not, we can disable leak detection on the fuzzer bot.
I think they are worth fixing. They would adversely affect the stability of
long-lived processes that use clang as a library, such as IDEs.
echo zWsoIi+qACrc8o25aFlrW7YkImJL | base64 --decode | clang -x c++ - -c
==4839==ERROR: AddressSanitizer: negative-size-param: (size=-264)
#0 0x7e031f in __asan_memset projects/compiler-rt/lib/asan/asan_interceptors.cc:420:3
#1 0x5a474df in __fill_a<char> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_algobase.h:703:7
#2 0x5a474df in fill<__gnu_cxx::__normal_iterator<char *, std::basic_string<char> >, char> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_algobase.h:728
#3 0x5a474df in highlightRange tools/clang/lib/Frontend/TextDiagnostic.cpp:983
#4 0x5a474df in clang::TextDiagnostic::emitSnippetAndCaret(clang::SourceLocation, clang::DiagnosticsEngine::Level, llvm::SmallVectorImpl<clang::CharSourceRange>&, llvm::ArrayRef<clang::FixItHint>, clang::SourceManager const&) tools/clang/lib/Frontend/TextDiagnostic.cpp:1125
#5 0x5a2c599 in emitCaret tools/clang/lib/Frontend/DiagnosticRenderer.cpp:394:3
echo -n "#include<\\" | clang -x c++ -c -
==24291==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x604000006bbb at pc 0x00000bb382d1 bp 0x7fff54ea18d0 sp 0x7fff54ea18c8
READ of size 1 at 0x604000006bbb thread T0
#0 0xbb382d0 in getAndAdvanceChar tools/clang/include/clang/Lex/Lexer.h:529:36
#1 0xbb382d0 in clang::Lexer::LexAngledStringLiteral(clang::Token&, char const*) tools/clang/lib/Lex/Lexer.cpp:1870
#2 0xbb56361 in clang::Lexer::LexTokenInternal(clang::Token&, bool) tools/clang/lib/Lex/Lexer.cpp:3387:14
#3 0xbd7318f in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:692:23
#4 0xbd798e5 in clang::PreprocessorLexer::LexIncludeFilename(clang::Token&) tools/clang/lib/Lex/PreprocessorLexer.cpp:44:5
#5 0xbc5e998 in clang::Preprocessor::HandleIncludeDirective(clang::SourceLocation, clang::Token&, clang::DirectoryLookup const*, clang::FileEntry const*, bool)
#6 0xbc51b36 in clang::Preprocessor::HandleDirective(clang::Token&) tools/clang/lib/Lex/PPDirectives.cpp:853:14
#7 0xbb5d63e in clang::Lexer::LexTokenInternal(clang::Token&, bool) tools/clang/lib/Lex/Lexer.cpp:3633:3
#8 0xbd7318f in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:692:23
#9 0x7dfa8f5 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:123:3
#10 0x57d763e in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
#11 0x639214a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
#12 0x57d5c92 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
#13 0x56e09d0 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
#14 0x5a5a00d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
#15 0x829a7d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
#16 0x824a9f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
#17 0x824a9f in main tools/clang/tools/driver/driver.cpp:415
#18 0x7f21b4643ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
0x604000006bbb is located 0 bytes to the right of 43-byte region
[0x604000006b90,0x604000006bbb)
allocated by thread T0 here:
#0 0x8198bb in operator new(unsigned long, std::nothrow_t const&) projects/compiler-rt/lib/asan/asan_new_delete.cc:67:3
#1 0x4e42fcb in llvm::MemoryBuffer::getNewUninitMemBuffer(unsigned long, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:139:34
#2 0x4e46db0 in getMemBufferCopy lib/Support/MemoryBuffer.cpp:120:7
#3 0x4e46db0 in getMemoryBufferForStream(int, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:241
#4 0x4e444f7 in llvm::MemoryBuffer::getSTDIN() lib/Support/MemoryBuffer.cpp:428:10
#5 0x56dbdb0 in clang::CompilerInstance::InitializeSourceManager(clang::FrontendInputFile const&, clang::DiagnosticsEngine&, clang::FileManager&, clang::SourceM
#6 0x57cfeb7 in clang::FrontendAction::BeginSourceFile(clang::CompilerInstance&, clang::FrontendInputFile const&) tools/clang/lib/Frontend/FrontendAction.cpp:30
#7 0x56e09b0 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:806:9
#8 0x5a5a00d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
#9 0x829a7d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
#10 0x824a9f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
#11 0x824a9f in main tools/clang/tools/driver/driver.cpp:415
There are probably quite a few unreported ones at http://sli.dy.fi/~sliedes/clang-triage/triage_report.xhtml . I just added a few new test cases there that bumped the number of distinct crashes from 68 to 88. My bot doesn't automatically fuzz; the fuzzing part is manual, but it runs clang trunk against a generated corpus of (currently ~14k, but probably only 5-6k exercise distinct paths) inputs that have at some point crashed clang.
Anyway, glad to hear that there's more advanced fuzzing infrastructure in place now.
I think they [leaks] are worth fixing.
Interestingly, all the cases of leaks I observe also fail assertions in a debug build, see #4. So, if we fix those assertions the leaks may disappear as well.
(In reply to comment #11)
> There are probably quite a few unreported ones at
> http://sli.dy.fi/~sliedes/clang-triage/triage_report.xhtml
This is the reason why the fuzzer bot runs the in-process fuzzer w/o assertions.
With assertions it would be crashing too quickly.
Your list contains my four assertion failures from c#4 and many more.
Neat.
Infinite recursion:
echo "inlineJ33 y8(struct include; " | clang -x c++ -c -
#0 0xb2f7e33 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1220
#1 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1314:22
#2 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1351
#3 0xb2fb560 in getLVForLocalDecl tools/clang/lib/AST/Decl.cpp:1198
#4 0xb2fb560 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1299
#5 0xb300b9a in getLVForDecl tools/clang/lib/AST/Decl.cpp:1314:22
#6 0xb300b9a in getLVForDecl tools/clang/lib/AST/Decl.cpp:1351
#7 0xb300b9a in clang::NamedDecl::getLinkageInternal() const tools/clang/lib/AST/Decl.cpp:1024
#8 0xb94b1cb in computeCachedProperties tools/clang/lib/AST/Type.cpp:2185:17
#9 0xb94b1cb in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:2137
#10 0xb94a711 in get tools/clang/lib/AST/Type.cpp:2116:5
#11 0xb94a711 in get tools/clang/lib/AST/Type.cpp:2112
#12 0xb94a711 in computeCachedProperties tools/clang/lib/AST/Type.cpp:2222
#13 0xb94a711 in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:2137
#14 0xb949d40 in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:2129:7
#15 0xb949b80 in clang::Type::getLinkage() const tools/clang/lib/AST/Type.cpp:2242:3
#16 0xb34f6c4 in getLVForNamespaceScopeDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:764:11
#17 0xb2f80b7 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1275:12
#18 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1314:22
#19 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1351
#20 0xb2fb560 in getLVForLocalDecl tools/clang/lib/AST/Decl.cpp:1198
r233726 disables leak detection for clang-fuzzer until c#4 is fixed.
Attached clang-uaf.log
(13926 bytes, text/x-log): use-after-free.log
echo "g34( struct Yunsignedp
char32_t=char32_t_35==ZcregisterZtypename&&S=4autobitand8 &&or*
xor{static_cast&char32_t&welseconst auto" | clang -x c++ -
tools/clang/include/clang/AST/DeclCXX.h:592: struct DefinitionData
&clang::CXXRecordDecl::data() const: Assertion `DD && "queried property of
class with no definition"' failed.
Leads to a null deref w/o assertions.
Also present in Sami Liedes's set from c#11
echo "f(){for(a operator==:" | clang -x c++ -c -
Assertion `Val && "isa<> used on a null pointer"' failed.
Sami has this one too. W/o assertions this is another NULL deref.
These two might be variations of c#16 or separate use-after-free bugs.
echo 'lshort typedef s4;bool
Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void
ifdef))nullptrchar32_t|$( tnews*public -=--<*' | clang -x c++ -c -
==17685==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e740
at pc 0x0000007dfd49 bp 0x7fff53379ef0 sp 0x7fff533796a8
READ of size 20 at 0x61500000e740 thread T0
#0 0x7dfd48 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:403:3
#1 0xbd8aa27 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
#2 0xbd73201 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:698:23
#3 0xbc2fdc1 in clang::Preprocessor::CachingLex(clang::Token&) tools/clang/lib/Lex/PPCaching.cpp:58:3
#4 0xbd732f6 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:701:7
#5 0x7e0c23e in ConsumeToken tools/clang/include/clang/Parse/Parser.h:285:5
#6 0x7e0c23e in clang::Parser::SkipUntil(llvm::ArrayRef<clang::tok::TokenKind>, clang::Parser::SkipUntilFlags) tools/clang/lib/Parse/Parser.cpp:340
#7 0x8039d37 in SkipUntil tools/clang/include/clang/Parse/Parser.h:842:12
#8 0x8039d37 in clang::Parser::ParseBraceInitializer() tools/clang/lib/Parse/ParseInit.cpp:444
0x61500000e740 is located 192 bytes inside of 456-byte region
[0x61500000e680,0x61500000e848)
freed by thread T0 here:
#0 0x7f6fdb in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
#1 0x802dfa9 in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:365:7
#2 0x802dfa9 in clang::Parser::ParseCXXAmbiguousParenExpression(clang::Parser::ParenParseOption&, clang::OpaquePtr<clang::QualType>&, clang::BalancedDelimiterTracker&, clang::ColonProtectionRA
#3 0x7fad534 in clang::Parser::ParseParenExpression(clang::Parser::ParenParseOption&, bool, bool, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) tools/clang/lib/Parse/ParseExpr.cp
#4 0x7f9886c in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:681:11
#5 0x7f83045 in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:437:20
#6 0x7f83045 in clang::Parser::ParseAssignmentExpression(clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:167
#7 0x7f8fe6a in ParseExpression tools/clang/lib/Parse/ParseExpr.cpp:121:18
echo '*=registerforthisclassxor^u ;conceptBchar32_t=breaku:OB&
ifndef[(double(wchar_t nI[3u/23;p*= ,signed))nullptr error(Rl' | clang -x c++ -c -
==17945==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e758
at pc 0x0000007dfd49 bp 0x7fffc5bc49b0 sp 0x7fffc5bc4168
READ of size 20 at 0x61500000e758 thread T0
#0 0x7dfd48 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:403:3
#1 0xbd8aa27 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
#2 0xbd73201 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:698:23
#3 0x7e05bbf in TryConsumeToken tools/clang/include/clang/Parse/Parser.h:295:5
...
0x61500000e758 is located 216 bytes inside of 456-byte region
[0x61500000e680,0x61500000e848)
freed by thread T0 here:
#0 0x7f6fdb in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
#1 0x802dfa9 in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:365:7
As of today, issue 22407 is the only one seen on the clang fuzzer bot:
http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer/builds/1395
(In reply to comment #20)
> As of today, issue 22407 is the only one seen on the clang fuzzer bot:a
> http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer/builds/1395
(the bot uses a no-assertions build)
the clang/clang-format fuzzer bot
lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer
has been extended to run both with and w/o assertions.
whenever a bug is found, the fuzzer will print the base64-encoded reproducer
so that one can copy-paste it from the buildbot logs:
E.g. from the bot logs:
===============
SUMMARY: AddressSanitizer: ...
CRASHED; file written to crash-80193815206841682354717562770799349303
Base64: OiDgO3gKUyYhU0Z4KhFoEztFKGV1bZNTe5Hsk1MmKUMheCoTIWgTO0VTKMFldW2TUzs=
===============
Just do this:
echo OiDgO3gKUyYhU0Z4KhFoEztFKGV1bZNTe5Hsk1MmKUMheCoTIWgTO0VTKMFldW2TUzs= |
base64 -d | clang -x c++ -
Still seen by the fuzzer bot:
echo w5sKZTtTk1LJKHbBDckJUgksZCg7Kjo6KCooZckokztyyWWROyjJKIM6OsllwSgmQkFyPDooOi87 | base64 --decode | clang++ -x c++ -
tools/clang/include/clang/Parse/Parser.h:2253: void
clang::Parser::DeclaratorScopeObj::EnterDeclaratorScope(): Assertion
`!EnteredScope && "Already entered the scope!"' failed.
some more
echo KAljQyggbCA9ZG8sdXNqb3J0fGI+bGU6eUJwOygJKipDKGxnKGtpID1jQyg5KWRlZmluZSggKkkpMyg= | base64 --decode | clang -x c++ -
llvm/include/llvm/Support/Casting.h:95: static bool
llvm::isa_impl_cl<clang::ExprWithCleanups, const clang::Expr *>::doit(const
From *) [To = clang::ExprWithCleanups, From = const clang::Expr *]: Assertion
`Val && "isa<> used on a null pointer"' failed.
(null deref follows)
echo O2lubGluZSB0ZW1wbGEoCWNDKSgJIGVudW0gbDY7KHRlIG8= | base64 --decode | clang -x c++ -
==38911==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdfb8a2f00 (pc
0x00000cb04169 bp 0x7ffdfb8a30a0 sp 0x7ffdfb8a2f00 T0)
#0 0xcb04168 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1226
#1 0xcb5b855 in clang::LinkageComputer::getLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1320:22
#2 0xcb0b5b5 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1357:10
#3 0xcb0b5b5 in clang::NamedDecl::getLinkageInternal() const tools/clang/lib/AST/Decl.cpp:1030
#4 0xd1d98f9 in computeCachedProperties tools/clang/lib/AST/Type.cpp:3163:17
#5 0xd1d98f9 in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:3115
#6 0xd1d871c in get tools/clang/lib/AST/Type.cpp:3094:5
#7 0xd1d871c in get tools/clang/lib/AST/Type.cpp:3090
#8 0xd1d871c in computeCachedProperties tools/clang/lib/AST/Type.cpp:3200
stack trace for #24
==14981==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc
0x00000acf5492 bp 0x7ffde0a49d30 sp 0x7ffde0a48340 T0)
#0 0xacf5491 in getInit tools/clang/include/clang/AST/Decl.h:1089:17
#1 0xacf5491 in clang::Sema::BuildCXXDefaultArgExpr(clang::SourceLocation, clang::FunctionDecl*, clang::ParmVarDecl*) tools/clang/lib/Sema/SemaExpr.cpp:4330
#2 0xad02439 in clang::Sema::GatherArgumentsForCall(clang::SourceLocation, clang::FunctionDecl*, clang::FunctionProtoType const*, unsigned int, llvm::ArrayRef<clang::Expr*
#3 0xacfa0e5 in clang::Sema::ConvertArgumentsForCall(clang::CallExpr*, clang::Expr*, clang::FunctionDecl*, clang::FunctionProtoType const*, llvm::ArrayRef<clang::Expr*>, c
#4 0xad0a38d in clang::Sema::BuildResolvedCallExpr(clang::Expr*, clang::NamedDecl*, clang::SourceLocation, llvm::ArrayRef<clang::Expr*>, clang::SourceLocation, clang::Expr
#5 0xb6b5f0a in FinishOverloadedCallExpr(clang::Sema&, clang::Scope*, clang::Expr*, clang::UnresolvedLookupExpr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*
#6 0xb6b4281 in clang::Sema::BuildOverloadedCallExpr(clang::Scope*, clang::Expr*, clang::UnresolvedLookupExpr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*>,
#7 0xac857a7 in clang::Sema::ActOnCallExpr(clang::Scope*, clang::Expr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*>, clang::SourceLocation, clang::Expr*, bo
#8 0x9828350 in clang::Parser::ParsePostfixExpressionSuffix(clang::ActionResult<clang::Expr*, true>) tools/clang/lib/Parse/ParseExpr.cpp:1554:15
#9 0x9830cb8 in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:1338:10
#10 0x9819a6c in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:465:20
one more:
echo dGVtcGxhdGUgPCF2PmNsYXNzJAlle25tdGwgZSAoIGRvdWxlMipDKXRocm93CyAoKXsgIGUgZDpkKCkhPA== | base64 --decode | clang -x c++ -
==15086==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc
0x0000096ce636 bp 0x7ffd5d700ee0 sp 0x7ffd5d700ac0 T0)
#0 0x96ce635 in getKind tools/clang/include/clang/AST/DeclBase.h:382:51
#1 0x96ce635 in classof tools/clang/include/clang/AST/DeclTemplate.h:980
#2 0x96ce635 in doit include/llvm/Support/Casting.h:56
#3 0x96ce635 in doit include/llvm/Support/Casting.h:96
#4 0x96ce635 in doit include/llvm/Support/Casting.h:122
#5 0x96ce635 in doit include/llvm/Support/Casting.h:112
#6 0x96ce635 in isa<clang::FunctionTemplateDecl, clang::Decl *> include/llvm/Support/Casting.h:133
#7 0x96ce635 in dyn_cast<clang::FunctionTemplateDecl, clang::Decl> include/llvm/Support/Casting.h:298
#8 0x96ce635 in clang::Parser::ParseLexedMethodDeclaration(clang::Parser::LateParsedMethodDeclaration&) tools/clang/lib/Parse/ParseCXXInlineMethods.cpp:415
#9 0x96ca645 in clang::Parser::ParseLexedMethodDeclarations(clang::Parser::ParsingClass&) tools/clang/lib/Parse/ParseCXXInlineMethods.cpp:287:5
#10 0x97d7d45 in clang::Parser::ParseCXXMemberSpecification(clang::SourceLocation, clang::SourceLocation, clang::Parser::ParsedAttributesWithRange&, unsigned int, clang::D
#11 0x97ce06e in clang::Parser::ParseClassSpecifier(clang::tok::TokenKind, clang::SourceLocation, clang::DeclSpec&, clang::Parser::ParsedTemplateInfo const&, clang::Access
#12 0x971b6c1 in clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&, clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier, clang::Parser::DeclSpecConte
#13 0x99fecea in clang::Parser::ParseSingleDeclarationAfterTemplate(unsigned int, clang::Parser::ParsedTemplateInfo const&, clang::ParsingDeclRAIIObject&, clang::SourceLoc
#14 0x99fc432 in clang::Parser::ParseTemplateDeclarationOrSpecialization(unsigned int, clang::SourceLocation&, clang::AccessSpecifier, clang::AttributeList*) tools/clang/l
#15 0x99fa1b6 in clang::Parser::ParseDeclarationStartingWithTemplate(unsigned int, clang::SourceLocation&, clang::AccessSpecifier, clang::AttributeList*) tools/clang/lib/P
#16 0x9715090 in clang::Parser::ParseDeclaration(unsigned int, clang::SourceLocation&, clang::Parser::ParsedAttributesWithRange&) tools/clang/lib/Parse/ParseDecl.cpp:1461:
#17 0x9686c55 in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) tools/clang/lib/Parse/Parser.cpp:743:14
#18 0x96845e2 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&) tools/clang/lib/Parse/Parser.cpp:593:12
tools/clang/lib/AST/DeclBase.cpp:762: bool clang::Decl::AccessDeclContextSanity() const: Assertion `Access != AS_none && "Access specifier is AS_none inside a record decl"' failed.
echo IChkb3dsKiYmQykLKChsYXNzeyAgZmxvZXR1dCgJXkMpKAkgZW51bWwgb21wbDtjPDp4b3JfZXEnOiEpOyc | base64 --decode | clang -x c++ -
(In reply to comment #28)
> tools/clang/lib/AST/DeclBase.cpp:762: bool
> clang::Decl::AccessDeclContextSanity() const: Assertion `Access != AS_none
> && "Access specifier is AS_none inside a record decl"' failed.
In a non-assert build this causes:
==16615==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc
0x00000a239d45 bp 0x7ffd4aa874b0 sp 0x7ffd4aa87480 T0)
#0 0xa239d44 in getCanonicalDecl tools/clang/include/clang/AST/DeclCXX.h:655:12
#1 0xa239d44 in (anonymous namespace)::AccessTarget::initialize() tools/clang/lib/Sema/SemaAccess.cpp:247
#2 0xa223796 in AccessTarget tools/clang/lib/Sema/SemaAccess.cpp:152:5
#3 0xa223796 in clang::Sema::HandleDelayedAccessCheck(clang::sema::DelayedDiagnostic&, clang::Decl*) tools/clang/lib/Sema/SemaAccess.cpp:1490
#4 0xa897de4 in clang::Sema::PopParsingDeclaration(clang::Sema::DelayedDiagnosticsState, clang::Decl*) tools/clang/lib/Sema/SemaDeclAttr.cpp:5913:9
#5 0x97f1a64 in pop tools/clang/lib/Parse/RAIIObjectsForParser.h:168:9
#6 0x97f1a64 in complete tools/clang/lib/Parse/RAIIObjectsForParser.h:151
#7 0x97f1a64 in complete tools/clang/lib/Parse/RAIIObjectsForParser.h:222
Input (base64):
bmFtZXNwYWNlICB7YXV0byBsIChedm9sYXRpbGV7b2lubGF1byBsKT1ee2ZhOiBsIG5hfWUmJmwocyggKGho
llvm/tools/clang/lib/AST/Decl.cpp:2136: clang::APValue
*clang::VarDecl::evaluateValue(SmallVectorImpl<PartialDiagnosticAt> &) const:
Assertion `!Init->isValueDependent()' failed.
==17999==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x00000d2b0a79 bp 0x7ffee1d343b0 sp 0x7ffee1d33e40 T0)
#0 0xd2b0a78 in getTypePtr tools/clang/include/clang/AST/Type.h:5054:26
#1 0xd2b0a78 in operator-> tools/clang/include/clang/AST/Type.h:635
#2 0xd2b0a78 in clang::Expr::EvaluateAsInitializer(clang::APValue&, clang::ASTContext const&, clang::VarDecl const*, llvm::SmallVectorImpl<std::pair<clang::SourceLocation,
#3 0xd096cf4 in clang::VarDecl::evaluateValue(llvm::SmallVectorImpl<std::pair<clang::SourceLocation, clang::PartialDiagnostic> >&) const tools/clang/lib/AST/Decl.cpp:2147:
#4 0xd0966e8 in clang::VarDecl::evaluateValue() const tools/clang/lib/AST/Decl.cpp:2115:10
#5 0xcd5e4fd in clang::ASTContext::DeclMustBeEmitted(clang::Decl const*) tools/clang/lib/AST/ASTContext.cpp:8472:8
#6 0xa596825 in clang::Sema::ShouldWarnIfUnusedFileScopedDecl(clang::DeclaratorDecl const*) const tools/clang/lib/Sema/SemaDecl.cpp:1414:9
#7 0xa597ebb in clang::Sema::MarkUnusedFileScopedDecl(clang::DeclaratorDecl const*) tools/clang/lib/Sema/SemaDecl.cpp:1446:7
#8 0xa6ebef8 in clang::Sema::FinalizeDeclaration(clang::Decl*) tools/clang/lib/Sema/SemaDecl.cpp:10222:5
and a use-after-free:
ICB5PS0gJ1QgOih0ICA9eShkb3c6IXN0aGM6PCcqKikrUzs6OiBsM0UgPSp5b3JlaW50SWl3KChjaGFyKHhvcikobyBXLGQmKiZdQykpc3xyZXJwcgs=
==30399==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e538
at pc 0x0000008a4fa9 bp 0x7ffc039791a0 sp 0x7ffc03978958
READ of size 20 at 0x61500000e538 thread T0
#0 0x8a4fa8 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:393:3
#1 0xdbfecf6 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
#2 0xdbe5c07 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:731:23
#3 0x96782aa in ConsumeParen tools/clang/include/clang/Parse/Parser.h:383:5
#4 0x96782aa in clang::Parser::SkipUntil(llvm::ArrayRef<clang::tok::TokenKind>, clang::Parser::SkipUntilFlags) tools/clang/lib/Parse/Parser.cpp:334
#5 0x9828676 in SkipUntil tools/clang/include/clang/Parse/Parser.h:864:12
#6 0x9828676 in clang::Parser::ParsePostfixExpressionSuffix(clang::ActionResult<clang::Expr*, true>) tools/clang/lib/Parse/ParseExpr.cpp:1546
#7 0x9830cb8 in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:1338:10
0x61500000e538 is located 312 bytes inside of 456-byte region
[0x61500000e400,0x61500000e5c8)
freed by thread T0 here:
#0 0x8bc0eb in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
#1 0x98c93e9 in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:374:7
#2 0x98c93e9 in clang::Parser::ParseCXXAmbiguousParenExpression(clang::Parser::ParenParseOption&, clang::OpaquePtr<clang::QualType>&, clang::BalancedDelimiterTracker&, cla
#3 0x98513b8 in clang::Parser::ParseParenExpression(clang::Parser::ParenParseOption&, bool, bool, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) tools/clang/l
#4 0x98301ea in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:709:11
#5 0x9819a6c in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:465:20
#6 0x9819a6c in clang::Parser::ParseAssignmentExpression(clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:169
previously allocated by thread T0 here:
#0 0x8bc75e in realloc projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71:3
#1 0x5ea8a5f in llvm::SmallVectorBase::grow_pod(void*, unsigned long, unsigned long) lib/Support/SmallVector.cpp:34:15
#2 0x96d3b20 in grow_pod include/llvm/ADT/SmallVector.h:81:5
#3 0x96d3b20 in grow include/llvm/ADT/SmallVector.h:334
#4 0x96d3b20 in push_back include/llvm/ADT/SmallVector.h:339
#5 0x96d3b20 in clang::Parser::ConsumeAndStoreUntil(clang::tok::TokenKind, clang::tok::TokenKind, llvm::SmallVector<clang::Token, 4u>&, bool, bool) tools/clang/lib/Parse/P
#6 0x96d38c3 in ConsumeAndStoreUntil tools/clang/include/clang/Parse/Parser.h:1212:12
#7 0x96d38c3 in clang::Parser::ConsumeAndStoreUntil(clang::tok::TokenKind, clang::tok::TokenKind, llvm::SmallVector<clang::Token, 4u>&, bool, bool) tools/clang/lib/Parse/P
#8 0x98c7edf in ConsumeAndStoreUntil tools/clang/include/clang/Parse/Parser.h:1212:12
echo "(*operator union z *" | ./bin/clang -x c++ -
==39217==ERROR: AddressSanitizer: use-after-poison on address 0x6210000127a8 at
pc 0x00000081dda9 bp 0x7ffe21265030 sp 0x7ffe212647e0
WRITE of size 32 at 0x6210000127a8 thread T0
#0 0x81dda8 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:393:3
#1 0xce40013 in clang::Sema::GetTypeSourceInfoForDeclarator(clang::Declarator&, clang::QualType, clang::TypeSourceInfo*) tools/clang/lib/Sema/SemaType.cpp:4882:5
#2 0xce318b1 in GetFullTypeForDeclarator((anonymous namespace)::TypeProcessingState&, clang::QualType, clang::TypeSourceInfo*) tools/clang/lib/Sema/SemaType.cpp:4291:10
#3 0xce0c4e6 in clang::Sema::GetTypeForDeclarator(clang::Declarator&, clang::Scope*) tools/clang/lib/Sema/SemaType.cpp:4311:10
#4 0xb60de32 in clang::Sema::HandleDeclarator(clang::Scope*, clang::Declarator&, llvm::MutableArrayRef<clang::TemplateParameterList*>) tools/clang/lib/Sema/SemaDecl.cpp:48
#5 0xb60cd7d in clang::Sema::ActOnDeclarator(clang::Scope*, clang::Declarator&) tools/clang/lib/Sema/SemaDecl.cpp:4658:15
0x6210000127a8 is located 3752 bytes inside of 4096-byte region
[0x621000011900,0x621000012900)
allocated by thread T0 here:
#0 0x83504b in __interceptor_malloc projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
#1 0x8a4285 in Allocate include/llvm/Support/Allocator.h:95:12
#2 0x8a4285 in StartNewSlab include/llvm/Support/Allocator.h:321
#3 0x8a4285 in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator, 4096ul, 4096ul>::Allocate(unsigned long, unsigned long) include/llvm/Support/Allocator.h:248
#4 0xe1fe535 in Allocate tools/clang/include/clang/AST/ASTContext.h:560:12
#5 0xe1fe535 in operator new[] tools/clang/include/clang/AST/ASTContext.h:2645
#6 0xe1fe535 in clang::DeclarationNameTable::DeclarationNameTable(clang::ASTContext const&) tools/clang/lib/AST/DeclarationName.cpp:345
Infinite loop:
echo "e ():iihdechar ()::new) (" | clang -x c++ -
#0 0x0000000001985dd2 in clang::SourceManager::getSLocEntryByID(int, bool*)
const ()
#1 0x0000000002eee228 in clang::Lexer::getRawToken(clang::SourceLocation,
clang::Token&, clang::SourceManager const&, clang::LangOptions const&, bool) ()
#2 0x0000000002eef7bf in
clang::Lexer::getLocForEndOfToken(clang::SourceLocation, unsigned int,
clang::SourceManager const&, clang::LangOptions const&) ()
#3 0x0000000002387a3f in
clang::Parser::ParseConstructorInitializer(clang::Decl*) ()
#4 0x000000000234a79e in
clang::Parser::ParseFunctionDefinition(clang::ParsingDeclarator&,
clang::Parser::ParsedTemplateInfo const&, clang::Parser::LateParsedAttrList*) ()
#5 0x0000000002362e74 in
clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&, unsigned int,
clang::SourceLocation*, clang::Parser::ForRangeInit*) ()
#6 0x0000000002349fb6 in
clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&,
clang::ParsingDeclSpec&, clang::AccessSpecifier) ()
#7 0x000000000234997a in
clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&,
clang::ParsingDeclSpec*, clang::AccessSpecifier) ()
#8 0x0000000002348bd5 in
clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&,
clang::ParsingDeclSpec*) ()
#9 0x0000000002347de2 in
clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&) ()
#10 0x0000000002343771 in clang::ParseAST(clang::Sema&, bool, bool) ()
#11 0x0000000001cef765 in clang::FrontendAction::Execute() ()
Infinite recursion from comment #25 should be fixed by http://reviews.llvm.org/rL257461
printf ">>>> <<<\n<<<<\n<<<<" | ./bin/clang -x c++ -
==24055==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60600000d013 at pc 0x0000007ba3ea bp 0x7ffe30bec7d0 sp 0x7ffe30bebf88
READ of size 5 at 0x60600000d013 thread T0
#0 0x7ba3e9 in memcmp projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:418:7
#1 0x6a1881c in llvm::StringRef::find(llvm::StringRef, unsigned long) const lib/Support/StringRef.cpp:175:9
#2 0xed6299f in FindConflictEnd(char const*, char const*, clang::ConflictMarkerKind) tools/clang/lib/Lex/Lexer.cpp:2586:16
#3 0xed756db in HandleEndOfConflictMarker tools/clang/lib/Lex/Lexer.cpp:2668:25
#4 0xed756db in clang::Lexer::LexTokenInternal(clang::Token&, bool) tools/clang/lib/Lex/Lexer.cpp:3405
#5 0xed5e40f in clang::Lexer::Lex(clang::Token&) tools/clang/lib/Lex/Lexer.cpp:2892:24
#6 0xefddcc4 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:725:23
#7 0xa7998c5 in ConsumeToken tools/clang/include/clang/Parse/Parser.h:289:5
0x60600000d013 is located 0 bytes to the right of 51-byte region
[0x60600000cfe0,0x60600000d013)
allocated by thread T0 here:
#0 0x86d27b in operator new(unsigned long, std::nothrow_t const&) projects/compiler-rt/lib/asan/asan_new_delete.cc:67:3
#1 0x69ccad8 in llvm::MemoryBuffer::getNewUninitMemBuffer(unsigned long, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:140:34
#2 0x69d0ac3 in getMemBufferCopy lib/Support/MemoryBuffer.cpp:121:7
#3 0x69d0ac3 in getMemoryBufferForStream(int, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:243
#4 0x69cdde7 in llvm::MemoryBuffer::getSTDIN() lib/Support/MemoryBuffer.cpp:430:10
echo IO+Am5YqOjrvSIP4KLjvu49faWYou2lVKb8oKLvvPz8oaW50uygpWynvbWG7Xe/vuw3vACkpKF4= | base64 --decode | ./bin/clang -x c++ -
==32513==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000008550
at pc 0x00000082bcd9 bp 0x7fffe6568e70 sp 0x7fffe6568628
READ of size 20 at 0x611000008550 thread T0
#0 0x82bcd8 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:393:3
#1 0xf00b44f in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:442:7
#2 0xeff1e77 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:731:23
#3 0xee6f502 in clang::Preprocessor::PeekAhead(unsigned int) tools/clang/lib/Lex/PPCaching.cpp:91:5
#4 0xa99c845 in LookAhead tools/clang/include/clang/Lex/Preprocessor.h:1140:14
#5 0xa99c845 in NextToken tools/clang/include/clang/Parse/Parser.h:552
0x611000008550 is located 144 bytes inside of 216-byte region
[0x6110000084c0,0x611000008598)
freed by thread T0 here:
#0 0x842e1b in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
#1 0xaa467df in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:374:7
#2 0xaa467df in clang::Parser::ParseCXXAmbiguousParenExpression(clang::Parser::ParenParseOption&, clang::OpaquePtr<clang::QualType>&, clang::BalancedDelimiterTracker&, clang::ColonProtectionRA
#3 0xa9b56bc in clang::Parser::ParseParenExpression(clang::Parser::ParenParseOption&, bool, bool, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) tools/clang/lib/Parse/ParseExpr.cp
#4 0xa99b2aa in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:709:11
#5 0xa9828fc in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:465:20
Infinite loop from comment #33 should be fixed by
http://reviews.llvm.org/rL258290
Denis Zobnin
================
Software Engineer
Intel Compiler Team
Intel
Issue from comment #18 should be fixed by http://reviews.llvm.org/rL259532.
Denis Zobnin
================
Software Engineer
Intel Compiler Team
Intel
Comment #36 (smaller repro "int H((int()[)])") should be fixed by
http://reviews.llvm.org/rL259750
Dmitry Polukhin
===============
Software Engineer
Intel Compiler Team
comment #33 is fixed in http://reviews.llvm.org/rL265125.
$ echo '#define ID(x) x\nID(x)\nID(_Pragma(""))' | clang -x c -
<stdin>:3:4: error: _Pragma takes a parenthesized string literal
ID(_Pragma(""))
^
clang-4.0: include/llvm/ADT/SmallVector.h:164: reference
llvm::SmallVectorTemplateCommon<clang::Token, void>::back() [T = clang::Token]:
Assertion `!empty()' failed.
#0 0x0000000001aef418 llvm::sys::PrintStackTrace(llvm::raw_ostream&) (clang-
4.0+0x1aef418)
#1 0x0000000001aeffb6 SignalHandler(int) (clang-4.0+0x1aeffb6)
#2 0x00007efcc705b330 __restore_rt (/lib/x86_64-linux-
gnu/libpthread.so.0+0x10330)
#3 0x00007efcc5c4ec37 gsignal /build/eglibc-oGUzwX/eglibc-
2.19/signal/../nptl/sysdeps/unix/sysv/linux/raise.c:56:0
#4 0x00007efcc5c52028 abort /build/eglibc-oGUzwX/eglibc-2.19/stdlib/abort.c:91:0
#5 0x00007efcc5c47bf6 __assert_fail_base /build/eglibc-oGUzwX/eglibc-
2.19/assert/assert.c:92:0
#6 0x00007efcc5c47ca2 (/lib/x86_64-linux-gnu/libc.so.6+0x2fca2)
#7 0x00000000034e3fec clang::Preprocessor::PeekAhead(unsigned int) (clang-
4.0+0x34e3fec)
#8 0x00000000028044d2 clang::Parser::ParseImplicitInt(clang::DeclSpec&,
clang::CXXScopeSpec*, clang::Parser::ParsedTemplateInfo const&,
clang::AccessSpecifier, clang::Parser::DeclSpecContext,
clang::Parser::ParsedAttributesWithRange&) (clang-4.0+0x28044d2)
#9 0x00000000027fcf73
clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&,
clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier,
clang::Parser::DeclSpecContext, clang::Parser::LateParsedAttrList*) (clang-
4.0+0x27fcf73)
#10 0x00000000027e737e
clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&,
clang::ParsingDeclSpec&, clang::AccessSpecifier) (clang-4.0+0x27e737e)
clang-uaf.log
(13926 bytes, text/x-log)