Quuxplusone / LLVMBugzillaTest


fuzz clang #23056

Open Quuxplusone opened 9 years ago

Quuxplusone commented 9 years ago
Bugzilla Link PR23057
Status NEW
Importance P normal
Reported by Kostya Serebryany (kcc@google.com)
Reported on 2015-03-28 16:20:26 -0700
Last modified on 2016-12-01 05:50:36 -0800
Version unspecified
Hardware PC Linux
CC andreybokhanko@gmail.com, benny.kra@gmail.com, bruno.cardoso@gmail.com, d.zobnin.bugzilla@gmail.com, david.majnemer@gmail.com, ditaliano@apple.com, dmitry.polukhin@gmail.com, erik.pilkington@gmail.com, llvm-bugs@lists.llvm.org, nicolasweber@gmx.de, richard-llvm@metafoo.co.uk, sami.liedes@iki.fi, silvasean@google.com, su@cs.ucdavis.edu
Fixed by commit(s)
Attachments clang-uaf.log (13926 bytes, text/x-log)
Blocks
Blocked by PR21826, PR21829, PR21830, PR21843, PR21854, PR21865, PR21871, PR21948, PR21950, PR21951, PR21952, PR21953, PR21954, PR21955, PR21958, PR21960, PR21970, PR21972, PR21816, PR21818, PR21819, PR21821, PR21824, PR21828, PR21831, PR21832, PR21833, PR21834, PR21837, PR21838, PR21842, PR21844, PR21846, PR21849, PR21852, PR21855, PR21856, PR21860, PR21862, PR21863, PR21866, PR21867, PR21868, PR21869, PR21870, PR21957, PR21959, PR21961, PR21973
See also

As of r233459 we have a clang fuzzer in the source tree.
Details: llvm/lib/Fuzzer/README.txt

We also have a build bot that runs the fuzzer 24/7
http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer
(See also bug 23052 for the clang-format fuzzer).

I propose to track all activities related to fuzzing clang here.
(There was a significant volume of bugs detected by AFL,
if someone has the list of revisions/bugs, please attach here).
Quuxplusone commented 9 years ago
echo -n "#if 0" | clang -x c++  -

==23545==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x604000006b76 at pc 0x00000bb7006e bp 0x7fffa7ced0f0 sp 0x7fffa7ced0e8
READ of size 1 at 0x604000006b76 thread T0
    #0 0xbb7006d in clang::NumericLiteralParser::ParseNumberStartingWithZero(clang::SourceLocation) tools/clang/lib/Lex/LiteralSupport.cpp:759:12
    #1 0xbb63964 in clang::NumericLiteralParser::NumericLiteralParser(llvm::StringRef, clang::SourceLocation, clang::Preprocessor&) tools/clang/lib/Lex/LiteralSupport.cpp:531:
    #2 0xbc9ced8 in EvaluateValue((anonymous namespace)::PPValue&, clang::Token&, DefinedTracker&, bool, clang::Preprocessor&) tools/clang/lib/Lex/PPExpressions.cpp:220:26
    #3 0xbc9980e in clang::Preprocessor::EvaluateDirectiveExpression(clang::IdentifierInfo*&) tools/clang/lib/Lex/PPExpressions.cpp:758:7
    #4 0xbc59a89 in clang::Preprocessor::HandleIfDirective(clang::Token&, bool) tools/clang/lib/Lex/PPDirectives.cpp:2396:32
    #5 0xbc50c98 in clang::Preprocessor::HandleDirective(clang::Token&) tools/clang/lib/Lex/PPDirectives.cpp:838:14
    #6 0xbb5e82e in clang::Lexer::LexTokenInternal(clang::Token&, bool) tools/clang/lib/Lex/Lexer.cpp:3633:3
    #7 0xbd738ef in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:692:23
    #8 0x7dfc1e5 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:123:3
    #9 0x57daace in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
    #10 0x639676a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
    #11 0x57d9122 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
    #12 0x56e3e60 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
    #13 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
    #14 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
    #15 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
    #16 0x82473f in main tools/clang/tools/driver/driver.cpp:415
0x604000006b76 is located 0 bytes to the right of 38-byte region
[0x604000006b50,0x604000006b76)
allocated by thread T0 here:
    #0 0x81955b in operator new(unsigned long, std::nothrow_t const&) projects/compiler-rt/lib/asan/asan_new_delete.cc:67:3
    #1 0x4e4741b in llvm::MemoryBuffer::getNewUninitMemBuffer(unsigned long, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:139:34
    #2 0x4e4b200 in getMemBufferCopy lib/Support/MemoryBuffer.cpp:120:7
    #3 0x4e4b200 in getMemoryBufferForStream(int, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:241
    #4 0x4e48947 in llvm::MemoryBuffer::getSTDIN() lib/Support/MemoryBuffer.cpp:428:10
    #5 0x56df240 in clang::CompilerInstance::InitializeSourceManager(clang::FrontendInputFile const&, clang::DiagnosticsEngine&, clang::FileManager&, clang::SourceManager&, cl
    #6 0x57d3347 in clang::FrontendAction::BeginSourceFile(clang::CompilerInstance&, clang::FrontendInputFile const&) tools/clang/lib/Frontend/FrontendAction.cpp:308:8
    #7 0x56e3e40 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:806:9
    #8 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
    #9 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
    #10 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
    #11 0x82473f in main tools/clang/tools/driver/driver.cpp:415
Quuxplusone commented 9 years ago
echo -n '~a::{' | clang -x c++ -

==23855==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc
0x00000b7c91c6 bp 0x7fffe68c9dd0 sp 0x7fffe68c9dc0 T0)
    #0 0xb7c91c5 in clang::NestedNameSpecifier::getKind() const tools/clang/lib/AST/NestedNameSpecifier.cpp:132:8
    #1 0x88ec340 in clang::Sema::ShouldEnterDeclaratorScope(clang::Scope*, clang::CXXScopeSpec const&) tools/clang/lib/Sema/SemaCXXScopeSpec.cpp:999:11
    #2 0x7ff9f0e in clang::Parser::ParseUnqualifiedId(clang::CXXScopeSpec&, bool, bool, bool, clang::OpaquePtr<clang::QualType>, clang::SourceLocation&, clang::UnqualifiedId&) tools/clang/lib/Parse/ParseExprCXX.cpp:2549:11
    #3 0x7ee34db in clang::Parser::ParseDirectDeclarator(clang::Declarator&) tools/clang/lib/Parse/ParseDecl.cpp:4982:11
    #4 0x7ede076 in clang::Parser::ParseDeclaratorInternal(clang::Declarator&, void (clang::Parser::*)(clang::Declarator&)) tools/clang/lib/Parse/ParseDecl.cpp:4756:7
    #5 0x7e97c3d in ParseDeclarator tools/clang/lib/Parse/ParseDecl.cpp:4651:3
    #6 0x7e97c3d in clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&, unsigned int, clang::SourceLocation*, clang::Parser::ForRangeInit*) tools/clang/lib/Parse/ParseDecl.cpp:1633
    #7 0x7e24f9d in clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec&, clang::AccessSpecifier) tools/clang/lib/Parse/Parser.cpp:893:10
    #8 0x7e22340 in clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*, clang::AccessSpecifier) tools/clang/lib/Parse/Parser.cpp:909:12
    #9 0x7e1873e in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) tools/clang/lib/Parse/Parser.cpp:767:12
    #10 0x7e157c2 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&) tools/clang/lib/Parse/Parser.cpp:569:12
    #11 0x7dfc2e8 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:134:7
    #12 0x57daace in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
    #13 0x639676a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
    #14 0x57d9122 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
    #15 0x56e3e60 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
    #16 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
    #17 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
    #18 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
    #19 0x82473f in main tools/clang/tools/driver/driver.cpp:415
Quuxplusone commented 9 years ago
Not sure if leaks in clang on invalid inputs are worth fixing.
If not, we can disable leak detection on the fuzzer bot.
Here is one leak example:

echo "::(&C" |  clang -x c++ -

Direct leak of 432 byte(s) in 1 object(s) allocated from:
    #0 0x81927b in operator new(unsigned long) projects/compiler-rt/lib/asan/asan_new_delete.cc:62:35
    #1 0x7e13b19 in EnterScope tools/clang/lib/Parse/Parser.cpp:358:24
    #2 0x7e13b19 in clang::Parser::Initialize() tools/clang/lib/Parse/Parser.cpp:425
    #3 0x7dfc1e5 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:123:3
    #4 0x57daace in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
    #5 0x639676a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
    #6 0x57d9122 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
    #7 0x56e3e60 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
    #8 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
    #9 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
    #10 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
    #11 0x82473f in main tools/clang/tools/driver/driver.cpp:415
Quuxplusone commented 9 years ago
The bot is currently running w/o assertions because there are quite a few of them

printf '\n;::(&C' | clang -x c++ -
tools/clang/include/clang/Parse/Parser.h:2166: void
clang::Parser::DeclaratorScopeObj::EnterDeclaratorScope(): Assertion
`!EnteredScope && "Already entered the scope!"' failed.

printf 'x(a::(b)' |  clang -x c++ -
tools/clang/lib/Lex/PPCaching.cpp:101: void
clang::Preprocessor::AnnotatePreviousCachedTokens(const clang::Token &):
Assertion `CachedTokens[CachedLexPos-1].getLastLoc() ==
Tok.getAnnotationEndLoc() && "The annotation should be until the most recent
cached token"' failed.

echo ClMKWyK/APABWOsiTD1rW9hs | base64 --decode | clang -x c++ -
tools/clang/lib/Frontend/TextDiagnostic.cpp:973: void highlightRange(const
clang::CharSourceRange &, unsigned int, clang::FileID, const (anonymous
namespace)::SourceColumnMap &, std::string &, const clang::SourceManager &,
const clang::LangOptions &): Assertion `StartColNo <=
map.getSourceLine().size() && "Invalid range!"' failed.

printf   'k80x&::((**\ne::' | clang -x c++ -
tools/clang/include/clang/Parse/Parser.h:2178:
clang::Parser::DeclaratorScopeObj::~DeclaratorScopeObj(): Assertion `SS.isSet()
&& "C++ scope was cleared ?"' failed.
Quuxplusone commented 9 years ago
echo -n "#if 0" | clang -x c++ - fixed in r233491.
echo -n '~a::{' | clang -x c++ - fixed in r233492.
Quuxplusone commented 9 years ago
echo I1zqGiMAXAoAI7JrCiPR | base64 --decode | clang -x c++ -
tools/clang/lib/Lex/PPDirectives.cpp:99: void
clang::Preprocessor::DiscardUntilEndOfDirective(): Assertion
`Tmp.isNot(tok::eof) && "EOF seen while discarding directive tokens"' failed.

W/o asserts this causes a null deref.

Thanks Benjamin for the fixes!
Quuxplusone commented 9 years ago

I added the still-open AFL bugs found by Sami Liedes

Quuxplusone commented 9 years ago
(In reply to comment #3)
> Not sure if leaks in clang on invalid inputs are worth fixing.
> If not, we can disable leak detection on the fuzzer bot.

I think they are worth fixing. They would adversely affect the stability of
long-lived processes that use clang as a library, such as IDEs.
Quuxplusone commented 9 years ago
echo zWsoIi+qACrc8o25aFlrW7YkImJL | base64 --decode  | clang -x c++ - -c

==4839==ERROR: AddressSanitizer: negative-size-param: (size=-264)
    #0 0x7e031f in __asan_memset projects/compiler-rt/lib/asan/asan_interceptors.cc:420:3
    #1 0x5a474df in __fill_a<char> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_algobase.h:703:7
    #2 0x5a474df in fill<__gnu_cxx::__normal_iterator<char *, std::basic_string<char> >, char> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_algobase.h:728
    #3 0x5a474df in highlightRange tools/clang/lib/Frontend/TextDiagnostic.cpp:983
    #4 0x5a474df in clang::TextDiagnostic::emitSnippetAndCaret(clang::SourceLocation, clang::DiagnosticsEngine::Level, llvm::SmallVectorImpl<clang::CharSourceRange>&, llvm::ArrayRef<clang::FixItHint>, clang::SourceManager const&) tools/clang/lib/Frontend/TextDiagnostic.cpp:1125
    #5 0x5a2c599 in emitCaret tools/clang/lib/Frontend/DiagnosticRenderer.cpp:394:3
Quuxplusone commented 9 years ago
echo -n "#include<\\"  |  clang -x c++ -c -

==24291==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x604000006bbb at pc 0x00000bb382d1 bp 0x7fff54ea18d0 sp 0x7fff54ea18c8
READ of size 1 at 0x604000006bbb thread T0
    #0 0xbb382d0 in getAndAdvanceChar tools/clang/include/clang/Lex/Lexer.h:529:36
    #1 0xbb382d0 in clang::Lexer::LexAngledStringLiteral(clang::Token&, char const*) tools/clang/lib/Lex/Lexer.cpp:1870
    #2 0xbb56361 in clang::Lexer::LexTokenInternal(clang::Token&, bool) tools/clang/lib/Lex/Lexer.cpp:3387:14
    #3 0xbd7318f in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:692:23
    #4 0xbd798e5 in clang::PreprocessorLexer::LexIncludeFilename(clang::Token&) tools/clang/lib/Lex/PreprocessorLexer.cpp:44:5
    #5 0xbc5e998 in clang::Preprocessor::HandleIncludeDirective(clang::SourceLocation, clang::Token&, clang::DirectoryLookup const*, clang::FileEntry const*, bool)
    #6 0xbc51b36 in clang::Preprocessor::HandleDirective(clang::Token&) tools/clang/lib/Lex/PPDirectives.cpp:853:14
    #7 0xbb5d63e in clang::Lexer::LexTokenInternal(clang::Token&, bool) tools/clang/lib/Lex/Lexer.cpp:3633:3
    #8 0xbd7318f in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:692:23
    #9 0x7dfa8f5 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:123:3
    #10 0x57d763e in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
    #11 0x639214a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
    #12 0x57d5c92 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
    #13 0x56e09d0 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
    #14 0x5a5a00d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
    #15 0x829a7d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
    #16 0x824a9f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
    #17 0x824a9f in main tools/clang/tools/driver/driver.cpp:415
    #18 0x7f21b4643ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

0x604000006bbb is located 0 bytes to the right of 43-byte region
[0x604000006b90,0x604000006bbb)

allocated by thread T0 here:
    #0 0x8198bb in operator new(unsigned long, std::nothrow_t const&) projects/compiler-rt/lib/asan/asan_new_delete.cc:67:3
    #1 0x4e42fcb in llvm::MemoryBuffer::getNewUninitMemBuffer(unsigned long, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:139:34
    #2 0x4e46db0 in getMemBufferCopy lib/Support/MemoryBuffer.cpp:120:7
    #3 0x4e46db0 in getMemoryBufferForStream(int, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:241
    #4 0x4e444f7 in llvm::MemoryBuffer::getSTDIN() lib/Support/MemoryBuffer.cpp:428:10
    #5 0x56dbdb0 in clang::CompilerInstance::InitializeSourceManager(clang::FrontendInputFile const&, clang::DiagnosticsEngine&, clang::FileManager&, clang::SourceM
    #6 0x57cfeb7 in clang::FrontendAction::BeginSourceFile(clang::CompilerInstance&, clang::FrontendInputFile const&) tools/clang/lib/Frontend/FrontendAction.cpp:30
    #7 0x56e09b0 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:806:9
    #8 0x5a5a00d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
    #9 0x829a7d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
    #10 0x824a9f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
    #11 0x824a9f in main tools/clang/tools/driver/driver.cpp:415
Quuxplusone commented 9 years ago

There are probably quite a few unreported ones at http://sli.dy.fi/~sliedes/clang-triage/triage_report.xhtml . I just added a few new test cases there that bumped the number of distinct crashes from 68 to 88. My bot doesn't automatically fuzz; the fuzzing part is manual, but it runs clang trunk against a generated corpus of (currently ~14k, but probably only 5-6k exercise distinct paths) inputs that have at some point crashed clang.

Anyway, glad to hear that there's more advanced fuzzing infrastructure in place now.

Quuxplusone commented 9 years ago

I think they [leaks] are worth fixing.

Interestingly, all the cases of leaks I observe also fail assertions in a debug build, see #4. So, if we fix those assertions the leaks may disappear as well.

Quuxplusone commented 9 years ago
(In reply to comment #11)
> There are probably quite a few unreported ones at
> http://sli.dy.fi/~sliedes/clang-triage/triage_report.xhtml

This is the reason why the fuzzer bot runs the in-process fuzzer w/o assertions.
With assertions it would be crashing too quickly.
Your list contains my four assertion failures from c#4 and many more.
Neat.
Quuxplusone commented 9 years ago
Infinite recursion:

echo "inlineJ33 y8(struct include;  " |  clang -x c++ -c -

    #0 0xb2f7e33 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1220
    #1 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1314:22
    #2 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1351
    #3 0xb2fb560 in getLVForLocalDecl tools/clang/lib/AST/Decl.cpp:1198
    #4 0xb2fb560 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1299
    #5 0xb300b9a in getLVForDecl tools/clang/lib/AST/Decl.cpp:1314:22
    #6 0xb300b9a in getLVForDecl tools/clang/lib/AST/Decl.cpp:1351
    #7 0xb300b9a in clang::NamedDecl::getLinkageInternal() const tools/clang/lib/AST/Decl.cpp:1024
    #8 0xb94b1cb in computeCachedProperties tools/clang/lib/AST/Type.cpp:2185:17
    #9 0xb94b1cb in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:2137
    #10 0xb94a711 in get tools/clang/lib/AST/Type.cpp:2116:5
    #11 0xb94a711 in get tools/clang/lib/AST/Type.cpp:2112
    #12 0xb94a711 in computeCachedProperties tools/clang/lib/AST/Type.cpp:2222
    #13 0xb94a711 in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:2137
    #14 0xb949d40 in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:2129:7
    #15 0xb949b80 in clang::Type::getLinkage() const tools/clang/lib/AST/Type.cpp:2242:3
    #16 0xb34f6c4 in getLVForNamespaceScopeDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:764:11
    #17 0xb2f80b7 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1275:12
    #18 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1314:22
    #19 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1351
    #20 0xb2fb560 in getLVForLocalDecl tools/clang/lib/AST/Decl.cpp:1198
Quuxplusone commented 9 years ago

r233726 disables leak detection for clang-fuzzer until c#4 is fixed.

Quuxplusone commented 9 years ago

Attached clang-uaf.log (13926 bytes, text/x-log): use-after-free.log

Quuxplusone commented 9 years ago
echo "g34( struct Yunsignedp
char32_t=char32_t_35==ZcregisterZtypename&&S=4autobitand8 &&or*
xor{static_cast&char32_t&welseconst auto" | clang -x c++  -

tools/clang/include/clang/AST/DeclCXX.h:592: struct DefinitionData
&clang::CXXRecordDecl::data() const: Assertion `DD && "queried property of
class with no definition"' failed.

Leads to a null deref w/o assertions.
Also present in Sami Liedes's set from c#11
Quuxplusone commented 9 years ago

echo "f(){for(a operator==:" | clang -x c++ -c -

Assertion `Val && "isa<> used on a null pointer"' failed.

Sami has this one too. W/o assertions this is another NULL deref.

Quuxplusone commented 9 years ago
These two might be variations of c#16 or separate use-after-free bugs.

echo 'lshort typedef s4;bool
Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void
ifdef))nullptrchar32_t|$( tnews*public   -=--<*'  | clang -x c++ -c -

==17685==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e740
at pc 0x0000007dfd49 bp 0x7fff53379ef0 sp 0x7fff533796a8
READ of size 20 at 0x61500000e740 thread T0
    #0 0x7dfd48 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:403:3
    #1 0xbd8aa27 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
    #2 0xbd73201 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:698:23
    #3 0xbc2fdc1 in clang::Preprocessor::CachingLex(clang::Token&) tools/clang/lib/Lex/PPCaching.cpp:58:3
    #4 0xbd732f6 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:701:7
    #5 0x7e0c23e in ConsumeToken tools/clang/include/clang/Parse/Parser.h:285:5
    #6 0x7e0c23e in clang::Parser::SkipUntil(llvm::ArrayRef<clang::tok::TokenKind>, clang::Parser::SkipUntilFlags) tools/clang/lib/Parse/Parser.cpp:340
    #7 0x8039d37 in SkipUntil tools/clang/include/clang/Parse/Parser.h:842:12
    #8 0x8039d37 in clang::Parser::ParseBraceInitializer() tools/clang/lib/Parse/ParseInit.cpp:444

0x61500000e740 is located 192 bytes inside of 456-byte region
[0x61500000e680,0x61500000e848)
freed by thread T0 here:
    #0 0x7f6fdb in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
    #1 0x802dfa9 in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:365:7
    #2 0x802dfa9 in clang::Parser::ParseCXXAmbiguousParenExpression(clang::Parser::ParenParseOption&, clang::OpaquePtr<clang::QualType>&, clang::BalancedDelimiterTracker&, clang::ColonProtectionRA
    #3 0x7fad534 in clang::Parser::ParseParenExpression(clang::Parser::ParenParseOption&, bool, bool, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) tools/clang/lib/Parse/ParseExpr.cp
    #4 0x7f9886c in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:681:11
    #5 0x7f83045 in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:437:20
    #6 0x7f83045 in clang::Parser::ParseAssignmentExpression(clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:167
    #7 0x7f8fe6a in ParseExpression tools/clang/lib/Parse/ParseExpr.cpp:121:18

echo '*=registerforthisclassxor^u ;conceptBchar32_t=breaku:OB&
ifndef[(double(wchar_t nI[3u/23;p*= ,signed))nullptr  error(Rl' | clang -x c++ -c -

==17945==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e758
at pc 0x0000007dfd49 bp 0x7fffc5bc49b0 sp 0x7fffc5bc4168
READ of size 20 at 0x61500000e758 thread T0
    #0 0x7dfd48 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:403:3
    #1 0xbd8aa27 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
    #2 0xbd73201 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:698:23
    #3 0x7e05bbf in TryConsumeToken tools/clang/include/clang/Parse/Parser.h:295:5

...
0x61500000e758 is located 216 bytes inside of 456-byte region
[0x61500000e680,0x61500000e848)
freed by thread T0 here:
    #0 0x7f6fdb in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
    #1 0x802dfa9 in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:365:7
Quuxplusone commented 9 years ago
As of today, issue 22407 is the only one seen on the clang fuzzer bot:
http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer/builds/1395
Quuxplusone commented 9 years ago
(In reply to comment #20)
> As of today, issue 22407 is the only one seen on the clang fuzzer bot:
> http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer/builds/1395

(the bot uses no-assertions build)
Quuxplusone commented 9 years ago
The clang/clang-format fuzzer bot
lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer
has been extended to run both with and w/o assertions.
Whenever a bug is found, the fuzzer will print the base64-encoded reproducer
so that one can copy-paste it from the buildbot logs.
E.g. from the bot logs:
===============
SUMMARY: AddressSanitizer: ...
CRASHED; file written to crash-80193815206841682354717562770799349303
Base64: OiDgO3gKUyYhU0Z4KhFoEztFKGV1bZNTe5Hsk1MmKUMheCoTIWgTO0VTKMFldW2TUzs=
===============

Just do this:
echo OiDgO3gKUyYhU0Z4KhFoEztFKGV1bZNTe5Hsk1MmKUMheCoTIWgTO0VTKMFldW2TUzs= |
base64 -d | clang -x c++ -
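The copy-paste step described in the comment above, as an added example that is not part of the original thread or of the LLVM fuzzer: a small Python helper that scans buildbot log text for the `CRASHED; file written to ...` / `Base64: ...` pairs, decodes each payload (skipping one that was cut short when copied, instead of aborting the whole scan), writes the inputs to files, and rebuilds the `echo ... | base64 -d | clang -x c++ -` one-liner. The two log line formats are taken from the comment; the sample log, the `crash-constructed-*` names, the record encoding the `#if 0` input from the first crash report and the truncated record are constructed for this example.

```python
"""Extract base64 reproducers from clang-fuzzer buildbot logs (added example)."""
import base64
import binascii
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional


@dataclass
class Reproducer:
    crash_file: str  # file name the bot reported (crash-<id>)
    data: bytes      # decoded fuzzer input


# Line shapes as printed by the bot (quoted in the thread).
CRASH_RE = re.compile(r"^CRASHED; file written to (\S+)$")
B64_RE = re.compile(r"^Base64:\s*([A-Za-z0-9+/=]+)$")


def parse_fuzzer_log(text: str) -> List[Reproducer]:
    """Return one Reproducer per CRASHED/Base64 pair, in log order.

    A payload that does not decode (for example a line cut short when the
    log was copied) is dropped; the remaining records are still returned.
    """
    found: List[Reproducer] = []
    pending: Optional[str] = None  # crash file waiting for its Base64 line
    for raw in text.splitlines():
        line = raw.strip()
        m = CRASH_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = B64_RE.match(line)
        if m and pending is not None:
            try:
                data = base64.b64decode(m.group(1), validate=True)
                found.append(Reproducer(pending, data))
            except binascii.Error:
                pass  # truncated or corrupted payload: skip this record
            pending = None
    return found


def reproduce_command(repro: Reproducer, clang: str = "clang") -> str:
    """Rebuild the one-liner from the thread for this decoded input."""
    b64 = base64.b64encode(repro.data).decode("ascii")
    return f"echo {b64} | base64 -d | {clang} -x c++ -"


def write_reproducers(repros: List[Reproducer], out_dir: Path) -> List[Path]:
    """Write each decoded input to out_dir/<crash_file>; return the paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths: List[Path] = []
    for r in repros:
        p = out_dir / Path(r.crash_file).name  # keep only the file name part
        p.write_bytes(r.data)
        paths.append(p)
    return paths


def write_to_tempdir(repros: List[Reproducer]) -> List[Path]:
    """Convenience wrapper: write the inputs into a fresh temporary directory."""
    return write_reproducers(repros, Path(tempfile.mkdtemp(prefix="clang-fuzz-")))


# Constructed sample log. Record 1 encodes the "#if 0" input from the first
# crash report in the thread; record 2 is the bot excerpt quoted in the comment
# above; record 3 is a deliberately truncated payload.
_IF0_B64 = base64.b64encode(b"#if 0").decode("ascii")
SAMPLE_LOG = f"""\
#4096   NEW    cov: 1200 ft: 1800 corp: 88/4Kb exec/s: 250 rss: 300Mb
==23545==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000006b76
SUMMARY: AddressSanitizer: heap-buffer-overflow ...
CRASHED; file written to crash-constructed-0001
Base64: {_IF0_B64}
SUMMARY: AddressSanitizer: ...
CRASHED; file written to crash-80193815206841682354717562770799349303
Base64: OiDgO3gKUyYhU0Z4KhFoEztFKGV1bZNTe5Hsk1MmKUMheCoTIWgTO0VTKMFldW2TUzs=
CRASHED; file written to crash-constructed-truncated
Base64: OiDgO3gKUyYhU0Z
"""

if __name__ == "__main__":
    for r in parse_fuzzer_log(SAMPLE_LOG):
        print(f"{r.crash_file}: {len(r.data)} bytes")
        print("  " + reproduce_command(r))
```

Feeding a real bot log to `parse_fuzzer_log` and then `write_reproducers` gives one file per crash, which is convenient when a log holds several distinct crashes and you want to bisect them separately rather than re-pasting each base64 line by hand.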
Quuxplusone commented 9 years ago
Still seen by the fuzzer bot:

echo w5sKZTtTk1LJKHbBDckJUgksZCg7Kjo6KCooZckokztyyWWROyjJKIM6OsllwSgmQkFyPDooOi87 | base64 --decode | clang++ -x c++ -
tools/clang/include/clang/Parse/Parser.h:2253: void
clang::Parser::DeclaratorScopeObj::EnterDeclaratorScope(): Assertion
`!EnteredScope && "Already entered the scope!"' failed.
Quuxplusone commented 8 years ago
some more
echo KAljQyggbCA9ZG8sdXNqb3J0fGI+bGU6eUJwOygJKipDKGxnKGtpID1jQyg5KWRlZmluZSggKkkpMyg= | base64 --decode | clang -x c++ -

llvm/include/llvm/Support/Casting.h:95: static bool
llvm::isa_impl_cl<clang::ExprWithCleanups, const clang::Expr *>::doit(const
From *) [To = clang::ExprWithCleanups, From = const clang::Expr *]: Assertion
`Val && "isa<> used on a null pointer"' failed.

(null deref follows)
Quuxplusone commented 8 years ago
echo O2lubGluZSB0ZW1wbGEoCWNDKSgJIGVudW0gbDY7KHRlIG8= | base64 --decode | clang -x c++ -

==38911==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdfb8a2f00 (pc
0x00000cb04169 bp 0x7ffdfb8a30a0 sp 0x7ffdfb8a2f00 T0)
    #0 0xcb04168 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1226
    #1 0xcb5b855 in clang::LinkageComputer::getLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1320:22
    #2 0xcb0b5b5 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1357:10
    #3 0xcb0b5b5 in clang::NamedDecl::getLinkageInternal() const tools/clang/lib/AST/Decl.cpp:1030
    #4 0xd1d98f9 in computeCachedProperties tools/clang/lib/AST/Type.cpp:3163:17
    #5 0xd1d98f9 in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:3115
    #6 0xd1d871c in get tools/clang/lib/AST/Type.cpp:3094:5
    #7 0xd1d871c in get tools/clang/lib/AST/Type.cpp:3090
    #8 0xd1d871c in computeCachedProperties tools/clang/lib/AST/Type.cpp:3200
Quuxplusone commented 8 years ago
stack trace for #24
==14981==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc
0x00000acf5492 bp 0x7ffde0a49d30 sp 0x7ffde0a48340 T0)
    #0 0xacf5491 in getInit tools/clang/include/clang/AST/Decl.h:1089:17
    #1 0xacf5491 in clang::Sema::BuildCXXDefaultArgExpr(clang::SourceLocation, clang::FunctionDecl*, clang::ParmVarDecl*) tools/clang/lib/Sema/SemaExpr.cpp:4330
    #2 0xad02439 in clang::Sema::GatherArgumentsForCall(clang::SourceLocation, clang::FunctionDecl*, clang::FunctionProtoType const*, unsigned int, llvm::ArrayRef<clang::Expr*
    #3 0xacfa0e5 in clang::Sema::ConvertArgumentsForCall(clang::CallExpr*, clang::Expr*, clang::FunctionDecl*, clang::FunctionProtoType const*, llvm::ArrayRef<clang::Expr*>, c
    #4 0xad0a38d in clang::Sema::BuildResolvedCallExpr(clang::Expr*, clang::NamedDecl*, clang::SourceLocation, llvm::ArrayRef<clang::Expr*>, clang::SourceLocation, clang::Expr
    #5 0xb6b5f0a in FinishOverloadedCallExpr(clang::Sema&, clang::Scope*, clang::Expr*, clang::UnresolvedLookupExpr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*
    #6 0xb6b4281 in clang::Sema::BuildOverloadedCallExpr(clang::Scope*, clang::Expr*, clang::UnresolvedLookupExpr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*>,
    #7 0xac857a7 in clang::Sema::ActOnCallExpr(clang::Scope*, clang::Expr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*>, clang::SourceLocation, clang::Expr*, bo
    #8 0x9828350 in clang::Parser::ParsePostfixExpressionSuffix(clang::ActionResult<clang::Expr*, true>) tools/clang/lib/Parse/ParseExpr.cpp:1554:15
    #9 0x9830cb8 in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:1338:10
    #10 0x9819a6c in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:465:20
Quuxplusone commented 8 years ago
one more:

echo dGVtcGxhdGUgPCF2PmNsYXNzJAlle25tdGwgZSAoIGRvdWxlMipDKXRocm93CyAoKXsgIGUgZDpkKCkhPA== | base64 --decode | clang -x c++ -

==15086==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc
0x0000096ce636 bp 0x7ffd5d700ee0 sp 0x7ffd5d700ac0 T0)
    #0 0x96ce635 in getKind tools/clang/include/clang/AST/DeclBase.h:382:51
    #1 0x96ce635 in classof tools/clang/include/clang/AST/DeclTemplate.h:980
    #2 0x96ce635 in doit include/llvm/Support/Casting.h:56
    #3 0x96ce635 in doit include/llvm/Support/Casting.h:96
    #4 0x96ce635 in doit include/llvm/Support/Casting.h:122
    #5 0x96ce635 in doit include/llvm/Support/Casting.h:112
    #6 0x96ce635 in isa<clang::FunctionTemplateDecl, clang::Decl *> include/llvm/Support/Casting.h:133
    #7 0x96ce635 in dyn_cast<clang::FunctionTemplateDecl, clang::Decl> include/llvm/Support/Casting.h:298
    #8 0x96ce635 in clang::Parser::ParseLexedMethodDeclaration(clang::Parser::LateParsedMethodDeclaration&) tools/clang/lib/Parse/ParseCXXInlineMethods.cpp:415
    #9 0x96ca645 in clang::Parser::ParseLexedMethodDeclarations(clang::Parser::ParsingClass&) tools/clang/lib/Parse/ParseCXXInlineMethods.cpp:287:5
    #10 0x97d7d45 in clang::Parser::ParseCXXMemberSpecification(clang::SourceLocation, clang::SourceLocation, clang::Parser::ParsedAttributesWithRange&, unsigned int, clang::D
    #11 0x97ce06e in clang::Parser::ParseClassSpecifier(clang::tok::TokenKind, clang::SourceLocation, clang::DeclSpec&, clang::Parser::ParsedTemplateInfo const&, clang::Access
    #12 0x971b6c1 in clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&, clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier, clang::Parser::DeclSpecConte
    #13 0x99fecea in clang::Parser::ParseSingleDeclarationAfterTemplate(unsigned int, clang::Parser::ParsedTemplateInfo const&, clang::ParsingDeclRAIIObject&, clang::SourceLoc
    #14 0x99fc432 in clang::Parser::ParseTemplateDeclarationOrSpecialization(unsigned int, clang::SourceLocation&, clang::AccessSpecifier, clang::AttributeList*) tools/clang/l
    #15 0x99fa1b6 in clang::Parser::ParseDeclarationStartingWithTemplate(unsigned int, clang::SourceLocation&, clang::AccessSpecifier, clang::AttributeList*) tools/clang/lib/P
    #16 0x9715090 in clang::Parser::ParseDeclaration(unsigned int, clang::SourceLocation&, clang::Parser::ParsedAttributesWithRange&) tools/clang/lib/Parse/ParseDecl.cpp:1461:
    #17 0x9686c55 in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) tools/clang/lib/Parse/Parser.cpp:743:14
    #18 0x96845e2 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&) tools/clang/lib/Parse/Parser.cpp:593:12
Quuxplusone commented 8 years ago

tools/clang/lib/AST/DeclBase.cpp:762: bool clang::Decl::AccessDeclContextSanity() const: Assertion `Access != AS_none && "Access specifier is AS_none inside a record decl"' failed.

echo IChkb3dsKiYmQykLKChsYXNzeyAgZmxvZXR1dCgJXkMpKAkgZW51bWwgb21wbDtjPDp4b3JfZXEnOiEpOyc | base64 --decode | clang -x c++ -

Quuxplusone commented 8 years ago
(In reply to comment #28)
> tools/clang/lib/AST/DeclBase.cpp:762: bool
> clang::Decl::AccessDeclContextSanity() const: Assertion `Access != AS_none
> && "Access specifier is AS_none inside a record decl"' failed.

In a non-assert build it causes this:
==16615==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x00000a239d45 bp 0x7ffd4aa874b0 sp 0x7ffd4aa87480 T0)
    #0 0xa239d44 in getCanonicalDecl tools/clang/include/clang/AST/DeclCXX.h:655:12
    #1 0xa239d44 in (anonymous namespace)::AccessTarget::initialize() tools/clang/lib/Sema/SemaAccess.cpp:247
    #2 0xa223796 in AccessTarget tools/clang/lib/Sema/SemaAccess.cpp:152:5
    #3 0xa223796 in clang::Sema::HandleDelayedAccessCheck(clang::sema::DelayedDiagnostic&, clang::Decl*) tools/clang/lib/Sema/SemaAccess.cpp:1490
    #4 0xa897de4 in clang::Sema::PopParsingDeclaration(clang::Sema::DelayedDiagnosticsState, clang::Decl*) tools/clang/lib/Sema/SemaDeclAttr.cpp:5913:9
    #5 0x97f1a64 in pop tools/clang/lib/Parse/RAIIObjectsForParser.h:168:9
    #6 0x97f1a64 in complete tools/clang/lib/Parse/RAIIObjectsForParser.h:151
    #7 0x97f1a64 in complete tools/clang/lib/Parse/RAIIObjectsForParser.h:222
Quuxplusone commented 8 years ago
Input (base64):
bmFtZXNwYWNlICB7YXV0byBsIChedm9sYXRpbGV7b2lubGF1byBsKT1ee2ZhOiBsIG5hfWUmJmwocyggKGho

llvm/tools/clang/lib/AST/Decl.cpp:2136: clang::APValue *clang::VarDecl::evaluateValue(SmallVectorImpl<PartialDiagnosticAt> &) const: Assertion `!Init->isValueDependent()' failed.

==17999==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000d2b0a79 bp 0x7ffee1d343b0 sp 0x7ffee1d33e40 T0)
    #0 0xd2b0a78 in getTypePtr tools/clang/include/clang/AST/Type.h:5054:26
    #1 0xd2b0a78 in operator-> tools/clang/include/clang/AST/Type.h:635
    #2 0xd2b0a78 in clang::Expr::EvaluateAsInitializer(clang::APValue&, clang::ASTContext const&, clang::VarDecl const*, llvm::SmallVectorImpl<std::pair<clang::SourceLocation,
    #3 0xd096cf4 in clang::VarDecl::evaluateValue(llvm::SmallVectorImpl<std::pair<clang::SourceLocation, clang::PartialDiagnostic> >&) const tools/clang/lib/AST/Decl.cpp:2147:
    #4 0xd0966e8 in clang::VarDecl::evaluateValue() const tools/clang/lib/AST/Decl.cpp:2115:10
    #5 0xcd5e4fd in clang::ASTContext::DeclMustBeEmitted(clang::Decl const*) tools/clang/lib/AST/ASTContext.cpp:8472:8
    #6 0xa596825 in clang::Sema::ShouldWarnIfUnusedFileScopedDecl(clang::DeclaratorDecl const*) const tools/clang/lib/Sema/SemaDecl.cpp:1414:9
    #7 0xa597ebb in clang::Sema::MarkUnusedFileScopedDecl(clang::DeclaratorDecl const*) tools/clang/lib/Sema/SemaDecl.cpp:1446:7
    #8 0xa6ebef8 in clang::Sema::FinalizeDeclaration(clang::Decl*) tools/clang/lib/Sema/SemaDecl.cpp:10222:5
Quuxplusone commented 8 years ago
and a use-after-free:

ICB5PS0gJ1QgOih0ICA9eShkb3c6IXN0aGM6PCcqKikrUzs6OiBsM0UgPSp5b3JlaW50SWl3KChjaGFyKHhvcikobyBXLGQmKiZdQykpc3xyZXJwcgs=

==30399==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e538 at pc 0x0000008a4fa9 bp 0x7ffc039791a0 sp 0x7ffc03978958
READ of size 20 at 0x61500000e538 thread T0
    #0 0x8a4fa8 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:393:3
    #1 0xdbfecf6 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
    #2 0xdbe5c07 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:731:23
    #3 0x96782aa in ConsumeParen tools/clang/include/clang/Parse/Parser.h:383:5
    #4 0x96782aa in clang::Parser::SkipUntil(llvm::ArrayRef<clang::tok::TokenKind>, clang::Parser::SkipUntilFlags) tools/clang/lib/Parse/Parser.cpp:334
    #5 0x9828676 in SkipUntil tools/clang/include/clang/Parse/Parser.h:864:12
    #6 0x9828676 in clang::Parser::ParsePostfixExpressionSuffix(clang::ActionResult<clang::Expr*, true>) tools/clang/lib/Parse/ParseExpr.cpp:1546
    #7 0x9830cb8 in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:1338:10

0x61500000e538 is located 312 bytes inside of 456-byte region [0x61500000e400,0x61500000e5c8)
freed by thread T0 here:
    #0 0x8bc0eb in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x98c93e9 in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:374:7
    #2 0x98c93e9 in clang::Parser::ParseCXXAmbiguousParenExpression(clang::Parser::ParenParseOption&, clang::OpaquePtr<clang::QualType>&, clang::BalancedDelimiterTracker&, cla
    #3 0x98513b8 in clang::Parser::ParseParenExpression(clang::Parser::ParenParseOption&, bool, bool, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) tools/clang/l
    #4 0x98301ea in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:709:11
    #5 0x9819a6c in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:465:20
    #6 0x9819a6c in clang::Parser::ParseAssignmentExpression(clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:169

previously allocated by thread T0 here:
    #0 0x8bc75e in realloc projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71:3
    #1 0x5ea8a5f in llvm::SmallVectorBase::grow_pod(void*, unsigned long, unsigned long) lib/Support/SmallVector.cpp:34:15
    #2 0x96d3b20 in grow_pod include/llvm/ADT/SmallVector.h:81:5
    #3 0x96d3b20 in grow include/llvm/ADT/SmallVector.h:334
    #4 0x96d3b20 in push_back include/llvm/ADT/SmallVector.h:339
    #5 0x96d3b20 in clang::Parser::ConsumeAndStoreUntil(clang::tok::TokenKind, clang::tok::TokenKind, llvm::SmallVector<clang::Token, 4u>&, bool, bool) tools/clang/lib/Parse/P
    #6 0x96d38c3 in ConsumeAndStoreUntil tools/clang/include/clang/Parse/Parser.h:1212:12
    #7 0x96d38c3 in clang::Parser::ConsumeAndStoreUntil(clang::tok::TokenKind, clang::tok::TokenKind, llvm::SmallVector<clang::Token, 4u>&, bool, bool) tools/clang/lib/Parse/P
    #8 0x98c7edf in ConsumeAndStoreUntil tools/clang/include/clang/Parse/Parser.h:1212:12
Quuxplusone commented 8 years ago
echo "(*operator union z *" | ./bin/clang -x c++ -

==39217==ERROR: AddressSanitizer: use-after-poison on address 0x6210000127a8 at pc 0x00000081dda9 bp 0x7ffe21265030 sp 0x7ffe212647e0
WRITE of size 32 at 0x6210000127a8 thread T0
    #0 0x81dda8 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:393:3
    #1 0xce40013 in clang::Sema::GetTypeSourceInfoForDeclarator(clang::Declarator&, clang::QualType, clang::TypeSourceInfo*) tools/clang/lib/Sema/SemaType.cpp:4882:5
    #2 0xce318b1 in GetFullTypeForDeclarator((anonymous namespace)::TypeProcessingState&, clang::QualType, clang::TypeSourceInfo*) tools/clang/lib/Sema/SemaType.cpp:4291:10
    #3 0xce0c4e6 in clang::Sema::GetTypeForDeclarator(clang::Declarator&, clang::Scope*) tools/clang/lib/Sema/SemaType.cpp:4311:10
    #4 0xb60de32 in clang::Sema::HandleDeclarator(clang::Scope*, clang::Declarator&, llvm::MutableArrayRef<clang::TemplateParameterList*>) tools/clang/lib/Sema/SemaDecl.cpp:48
    #5 0xb60cd7d in clang::Sema::ActOnDeclarator(clang::Scope*, clang::Declarator&) tools/clang/lib/Sema/SemaDecl.cpp:4658:15

0x6210000127a8 is located 3752 bytes inside of 4096-byte region [0x621000011900,0x621000012900)
allocated by thread T0 here:
    #0 0x83504b in __interceptor_malloc projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x8a4285 in Allocate include/llvm/Support/Allocator.h:95:12
    #2 0x8a4285 in StartNewSlab include/llvm/Support/Allocator.h:321
    #3 0x8a4285 in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator, 4096ul, 4096ul>::Allocate(unsigned long, unsigned long) include/llvm/Support/Allocator.h:248
    #4 0xe1fe535 in Allocate tools/clang/include/clang/AST/ASTContext.h:560:12
    #5 0xe1fe535 in operator new[] tools/clang/include/clang/AST/ASTContext.h:2645
    #6 0xe1fe535 in clang::DeclarationNameTable::DeclarationNameTable(clang::ASTContext const&) tools/clang/lib/AST/DeclarationName.cpp:345
Quuxplusone commented 8 years ago
Infinite loop:
echo "e ():iihdechar ()::new) (" | clang -x c++ -

#0  0x0000000001985dd2 in clang::SourceManager::getSLocEntryByID(int, bool*) const ()
#1  0x0000000002eee228 in clang::Lexer::getRawToken(clang::SourceLocation, clang::Token&, clang::SourceManager const&, clang::LangOptions const&, bool) ()
#2  0x0000000002eef7bf in clang::Lexer::getLocForEndOfToken(clang::SourceLocation, unsigned int, clang::SourceManager const&, clang::LangOptions const&) ()
#3  0x0000000002387a3f in clang::Parser::ParseConstructorInitializer(clang::Decl*) ()
#4  0x000000000234a79e in clang::Parser::ParseFunctionDefinition(clang::ParsingDeclarator&, clang::Parser::ParsedTemplateInfo const&, clang::Parser::LateParsedAttrList*) ()
#5  0x0000000002362e74 in clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&, unsigned int, clang::SourceLocation*, clang::Parser::ForRangeInit*) ()
#6  0x0000000002349fb6 in clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec&, clang::AccessSpecifier) ()
#7  0x000000000234997a in clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*, clang::AccessSpecifier) ()
#8  0x0000000002348bd5 in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) ()
#9  0x0000000002347de2 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&) ()
#10 0x0000000002343771 in clang::ParseAST(clang::Sema&, bool, bool) ()
#11 0x0000000001cef765 in clang::FrontendAction::Execute() ()
Quuxplusone commented 8 years ago

Infinite recursion from comment #25 should be fixed by http://reviews.llvm.org/rL257461

Quuxplusone commented 8 years ago
printf ">>>> <<<\n<<<<\n<<<<" | ./bin/clang -x c++ -

==24055==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000d013 at pc 0x0000007ba3ea bp 0x7ffe30bec7d0 sp 0x7ffe30bebf88
READ of size 5 at 0x60600000d013 thread T0
    #0 0x7ba3e9 in memcmp projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:418:7
    #1 0x6a1881c in llvm::StringRef::find(llvm::StringRef, unsigned long) const lib/Support/StringRef.cpp:175:9
    #2 0xed6299f in FindConflictEnd(char const*, char const*, clang::ConflictMarkerKind) tools/clang/lib/Lex/Lexer.cpp:2586:16
    #3 0xed756db in HandleEndOfConflictMarker tools/clang/lib/Lex/Lexer.cpp:2668:25
    #4 0xed756db in clang::Lexer::LexTokenInternal(clang::Token&, bool) tools/clang/lib/Lex/Lexer.cpp:3405
    #5 0xed5e40f in clang::Lexer::Lex(clang::Token&) tools/clang/lib/Lex/Lexer.cpp:2892:24
    #6 0xefddcc4 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:725:23
    #7 0xa7998c5 in ConsumeToken tools/clang/include/clang/Parse/Parser.h:289:5

0x60600000d013 is located 0 bytes to the right of 51-byte region [0x60600000cfe0,0x60600000d013)
allocated by thread T0 here:
    #0 0x86d27b in operator new(unsigned long, std::nothrow_t const&) projects/compiler-rt/lib/asan/asan_new_delete.cc:67:3
    #1 0x69ccad8 in llvm::MemoryBuffer::getNewUninitMemBuffer(unsigned long, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:140:34
    #2 0x69d0ac3 in getMemBufferCopy lib/Support/MemoryBuffer.cpp:121:7
    #3 0x69d0ac3 in getMemoryBufferForStream(int, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:243
    #4 0x69cdde7 in llvm::MemoryBuffer::getSTDIN() lib/Support/MemoryBuffer.cpp:430:10
Quuxplusone commented 8 years ago
echo IO+Am5YqOjrvSIP4KLjvu49faWYou2lVKb8oKLvvPz8oaW50uygpWynvbWG7Xe/vuw3vACkpKF4= | base64 --decode | ./bin/clang -x c++ -

==32513==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000008550 at pc 0x00000082bcd9 bp 0x7fffe6568e70 sp 0x7fffe6568628
READ of size 20 at 0x611000008550 thread T0
    #0 0x82bcd8 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:393:3
    #1 0xf00b44f in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:442:7
    #2 0xeff1e77 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:731:23
    #3 0xee6f502 in clang::Preprocessor::PeekAhead(unsigned int) tools/clang/lib/Lex/PPCaching.cpp:91:5
    #4 0xa99c845 in LookAhead tools/clang/include/clang/Lex/Preprocessor.h:1140:14
    #5 0xa99c845 in NextToken tools/clang/include/clang/Parse/Parser.h:552

0x611000008550 is located 144 bytes inside of 216-byte region [0x6110000084c0,0x611000008598)
freed by thread T0 here:
    #0 0x842e1b in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0xaa467df in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:374:7
    #2 0xaa467df in clang::Parser::ParseCXXAmbiguousParenExpression(clang::Parser::ParenParseOption&, clang::OpaquePtr<clang::QualType>&, clang::BalancedDelimiterTracker&, clang::ColonProtectionRA
    #3 0xa9b56bc in clang::Parser::ParseParenExpression(clang::Parser::ParenParseOption&, bool, bool, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) tools/clang/lib/Parse/ParseExpr.cp
    #4 0xa99b2aa in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:709:11
    #5 0xa9828fc in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:465:20
Quuxplusone commented 8 years ago
Infinite loop from comment #33 should be fixed by http://reviews.llvm.org/rL258290

Denis Zobnin
================
Software Engineer
Intel Compiler Team
Intel
Quuxplusone commented 8 years ago
Issue from comment #18 should be fixed by http://reviews.llvm.org/rL259532.

Denis Zobnin
================
Software Engineer
Intel Compiler Team
Intel
Quuxplusone commented 8 years ago
Comment #36 (smaller repro "int H((int()[)])") should be fixed by http://reviews.llvm.org/rL259750

Dmitry Polukhin
===============
Software Engineer
Intel Compiler Team
Quuxplusone commented 8 years ago

comment #33 is fixed in http://reviews.llvm.org/rL265125.

Quuxplusone commented 7 years ago
$ echo '#define ID(x) x\nID(x)\nID(_Pragma(""))' | clang -x c -
<stdin>:3:4: error: _Pragma takes a parenthesized string literal
ID(_Pragma(""))
   ^
clang-4.0: include/llvm/ADT/SmallVector.h:164: reference llvm::SmallVectorTemplateCommon<clang::Token, void>::back() [T = clang::Token]: Assertion `!empty()' failed.
#0 0x0000000001aef418 llvm::sys::PrintStackTrace(llvm::raw_ostream&) (clang-4.0+0x1aef418)
#1 0x0000000001aeffb6 SignalHandler(int) (clang-4.0+0x1aeffb6)
#2 0x00007efcc705b330 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x10330)
#3 0x00007efcc5c4ec37 gsignal /build/eglibc-oGUzwX/eglibc-2.19/signal/../nptl/sysdeps/unix/sysv/linux/raise.c:56:0
#4 0x00007efcc5c52028 abort /build/eglibc-oGUzwX/eglibc-2.19/stdlib/abort.c:91:0
#5 0x00007efcc5c47bf6 __assert_fail_base /build/eglibc-oGUzwX/eglibc-2.19/assert/assert.c:92:0
#6 0x00007efcc5c47ca2 (/lib/x86_64-linux-gnu/libc.so.6+0x2fca2)
#7 0x00000000034e3fec clang::Preprocessor::PeekAhead(unsigned int) (clang-4.0+0x34e3fec)
#8 0x00000000028044d2 clang::Parser::ParseImplicitInt(clang::DeclSpec&, clang::CXXScopeSpec*, clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier, clang::Parser::DeclSpecContext, clang::Parser::ParsedAttributesWithRange&) (clang-4.0+0x28044d2)
#9 0x00000000027fcf73 clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&, clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier, clang::Parser::DeclSpecContext, clang::Parser::LateParsedAttrList*) (clang-4.0+0x27fcf73)
#10 0x00000000027e737e clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec&, clang::AccessSpecifier) (clang-4.0+0x27e737e)