<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="en-DE" link="#0563C1" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Please disregard – this mail has been delayed in the “mailing list moderation” for a while and is no longer relevant/was already addressed in a different thread<br>
<br>
-Adrian<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">cfe-dev <cfe-dev-bounces@lists.llvm.org> on behalf of Adrian Vogelsgesang via cfe-dev <cfe-dev@lists.llvm.org><br>
<b>Date: </b>Wednesday, 10. February 2021 at 07:24<br>
<b>To: </b>cfe-dev@lists.llvm.org <cfe-dev@lists.llvm.org><br>
<b>Subject: </b>[cfe-dev] Potential frontend bug: heap-use-after-free in C++ coroutines</span><span style="font-size:12.0pt;color:black;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US">Dear Clang community,<br>
<br>
I think I stumbled across a front-end bug in clang’s C++ coroutine implementation.<br>
<br>
Having an awaitable with<br>
<br>
```<br>
</span>template<typename PROMISE> std::experimental::coroutine_handle<> await_suspend(std::experimental::coroutine_handle<PROMISE> coro) noexcept {<o:p></o:p></p>
<p class="MsoNormal"> coro.destroy();<o:p></o:p></p>
<p class="MsoNormal"> return std::experimental::noop_coroutine();<o:p></o:p></p>
<p class="MsoNormal">}<br>
<span lang="EN-US">```<br>
<br>
destroys the functions own coroutine frame. This is valid, as long as no-one afterwards resumes the coroutine anymore. However, address-sanitizer still reports a “heap-use-after-free” error.<br>
<br>
>From my understanding so far, this is because the clang-frontend stores the return value of `await_suspend` in the coroutine frame. Instead, the clang-frontend should probably store this return value on the stack. Afaik, storing on the stack should be valid,
as it is guaranteed that this return value will never live across a suspension point.<br>
<br>
You can find a minimal repro in <a href="https://godbolt.org/z/eq6eoc">
https://godbolt.org/z/eq6eoc</a> and a more complex end-to-end version in <a href="https://godbolt.org/z/8Yadv1">
https://godbolt.org/z/8Yadv1</a> . See </span><a href="https://stackoverflow.com/questions/65991264/c-coroutines-is-it-valid-to-call-handle-destroy-from-the-final-suspend-poin">https://stackoverflow.com/questions/65991264/c-coroutines-is-it-valid-to-call-handle-destroy-from-the-final-suspend-poin</a><span lang="EN-US">
(in particular the comments to David Haim’s reply) for more context.<br>
<br>
Cheers,<br>
Adrian</span><o:p></o:p></p>
</div>
</body>
</html>