[LLVMbugs] [Bug 7909] New: clang c++ use-after-free with templates

bugzilla-daemon at llvm.org
Sat Aug 14 20:52:51 PDT 2010


http://llvm.org/bugs/show_bug.cgi?id=7909

           Summary: clang c++ use-after-free with templates
           Product: clang
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Keywords: crash-on-invalid
          Severity: normal
          Priority: P
         Component: C++
        AssignedTo: unassignedclangbugs at nondot.org
        ReportedBy: sharparrow1 at yahoo.com
                CC: llvmbugs at cs.uiuc.edu, dgregor at apple.com


Testcase:
template<typename T> struct A {};
template<typename T> const T& foo();
invalid(A<invalid(foo<int>())>);

First valgrind error:
==25464== Invalid read of size 4
==25464==    at 0xC3B9A4: clang::Parser::ParseCastExpression(bool, bool, bool&, void*) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3BC69: clang::Parser::ParseCastExpression(bool, bool, void*) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3BCCD: clang::Parser::ParseAssignmentExpression() (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3BE27: clang::Parser::ParseExpressionList(llvm::SmallVector<void*, 12u>&, llvm::SmallVector<clang::SourceLocation, 12u>&, void (clang::Action::*)(clang::Scope*, void*, void**, unsigned int), void*) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3C694: clang::Parser::ParsePostfixExpressionSuffix(clang::ASTOwningResult<&(clang::ActionBase::DeleteExpr(void*))>) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3B754: clang::Parser::ParseCastExpression(bool, bool, bool&, void*) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3BC69: clang::Parser::ParseCastExpression(bool, bool, void*) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3DCB5: clang::Parser::ParseConstantExpression() (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC4BA91: clang::Parser::ParseTemplateArgument() (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC4BB2A: clang::Parser::ParseTemplateArgumentList(llvm::SmallVector<clang::ParsedTemplateArgument, 16u>&) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC4BE94: clang::Parser::ParseTemplateIdAfterTemplateName(clang::OpaquePtr<2>, clang::SourceLocation, clang::CXXScopeSpec const*, bool, clang::SourceLocation&, llvm::SmallVector<clang::ParsedTemplateArgument, 16u>&, clang::SourceLocation&) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC4C515: clang::Parser::AnnotateTemplateIdToken(clang::OpaquePtr<2>, clang::TemplateNameKind, clang::CXXScopeSpec const*, clang::UnqualifiedId&, clang::SourceLocation, bool) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==  Address 0x5e20cc0 is 32 bytes inside a block of size 88 free'd
==25464==    at 0x4C280BD: free (vg_replace_malloc.c:366)
==25464==    by 0xC094C8: clang::UnqualifiedId::clear() (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC41EC1: clang::Parser::ParseCXXIdExpression(bool) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3B14B: clang::Parser::ParseCastExpression(bool, bool, bool&, void*) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3BC69: clang::Parser::ParseCastExpression(bool, bool, void*) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3B450: clang::Parser::ParseCastExpression(bool, bool, bool&, void*) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3BC69: clang::Parser::ParseCastExpression(bool, bool, void*) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3BCCD: clang::Parser::ParseAssignmentExpression() (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3BE27: clang::Parser::ParseExpressionList(llvm::SmallVector<void*, 12u>&, llvm::SmallVector<clang::SourceLocation, 12u>&, void (clang::Action::*)(clang::Scope*, void*, void**, unsigned int), void*) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3C694: clang::Parser::ParsePostfixExpressionSuffix(clang::ASTOwningResult<&(clang::ActionBase::DeleteExpr(void*))>) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3B754: clang::Parser::ParseCastExpression(bool, bool, bool&, void*) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3BC69: clang::Parser::ParseCastExpression(bool, bool, void*) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)

-- 
Configure bugmail: http://llvm.org/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
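Triaging a crash-on-invalid report like this one comes down to pairing the invalid access with the free that preceded it: which parser frame read the stale memory, how far into the freed block the read landed, and which frame (past valgrind's own allocator replacement) released the block. The helper below is an added example, not part of this bug report and not code from clang or valgrind; it parses memcheck "Invalid read/write" records in their standard text format, rejoining lines that a mail archive has wrapped, and returns both stacks plus the block geometry. The embedded sample is the first error above, cut down to a few frames per stack and left wrapped the way the archive renders it; the `free_site` heuristic (skip frames located in vg_replace_malloc.c) is this example's own choice.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the first valgrind error from the report, cut down to a
# few frames per stack and still wrapped the way a mail archive renders it,
# so the parser must rejoin lines before matching.
SAMPLE_LOG = """\
==25464== Invalid read of size 4
==25464==    at 0xC3B9A4: clang::Parser::ParseCastExpression(bool, bool, bool&,
void*) (in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC3BC69: clang::Parser::ParseCastExpression(bool, bool, void*)
(in /home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC4BA91: clang::Parser::ParseTemplateArgument() (in
/home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==  Address 0x5e20cc0 is 32 bytes inside a block of size 88 free'd
==25464==    at 0x4C280BD: free (vg_replace_malloc.c:366)
==25464==    by 0xC094C8: clang::UnqualifiedId::clear() (in
/home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==    by 0xC41EC1: clang::Parser::ParseCXXIdExpression(bool) (in
/home/eli/llvmgbuild/Release+Asserts/bin/clang)
==25464==
"""

PID_RE = re.compile(r"^==\d+==")
HEADER_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) (0x[0-9A-Fa-f]+): (.+)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is (\d+) bytes "
                     r"(?:inside|before|after) a block of size (\d+) (free'd|alloc'd)$")
# trailing "(in /path/binary)" or "(file.c:123)" after the function name
LOC_RE = re.compile(r"^(.*) \((?:in )?(\S+)\)$")


@dataclass
class Frame:
    addr: int
    func: str
    where: str  # binary or source location; empty if valgrind gave none


@dataclass
class InvalidAccess:
    kind: str                          # "read" or "write"
    size: int                          # bytes accessed
    access_stack: List[Frame]          # where the bad access happened
    address: Optional[int] = None
    offset: Optional[int] = None       # bytes into the block
    block_size: Optional[int] = None
    block_state: Optional[str] = None  # "free'd" or "alloc'd"
    block_stack: List[Frame] = field(default_factory=list)  # who freed/allocated it

    @property
    def is_use_after_free(self) -> bool:
        return self.block_state == "free'd"


def unwrap(text: str) -> List[str]:
    """Rejoin wrapped lines: a line without the ==PID== prefix continues the previous one."""
    out: List[str] = []
    for line in text.splitlines():
        if PID_RE.match(line) or not out:
            out.append(line.rstrip())
        else:
            out[-1] += " " + line.strip()
    return out


def parse_frame(addr_hex: str, desc: str) -> Frame:
    m = LOC_RE.match(desc)
    if m:
        return Frame(int(addr_hex, 16), m.group(1), m.group(2))
    return Frame(int(addr_hex, 16), desc, "")


def parse_errors(text: str) -> List[InvalidAccess]:
    """Extract every 'Invalid read/write' record together with both of its stacks."""
    errors: List[InvalidAccess] = []
    cur: Optional[InvalidAccess] = None
    target: List[Frame] = []
    for line in unwrap(text):
        m = HEADER_RE.match(line)
        if m:
            cur = InvalidAccess(m.group(1), int(m.group(2)), [])
            errors.append(cur)
            target = cur.access_stack
            continue
        if cur is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            cur.address, cur.offset = int(m.group(1), 16), int(m.group(2))
            cur.block_size, cur.block_state = int(m.group(3)), m.group(4)
            target = cur.block_stack  # frames from here on describe the free/alloc
            continue
        m = FRAME_RE.match(line)
        if m:
            target.append(parse_frame(m.group(1), m.group(2)))
            continue
        cur = None  # blank or unrelated line ends the record
    return errors


def free_site(err: InvalidAccess) -> Optional[Frame]:
    """First frame of the free stack outside valgrind's allocator replacement,
    i.e. the code that actually released the block (heuristic for this example)."""
    for f in err.block_stack:
        if not f.where.startswith("vg_replace_malloc.c"):
            return f
    return None
```

Run against the sample, `parse_errors` yields one record whose `access_stack[0]` is the `ParseCastExpression(bool, bool, bool&, void*)` frame, whose block is 88 bytes with the read at offset 32, and whose `free_site` is `clang::UnqualifiedId::clear()`; feeding it a full `valgrind --leak-check=no clang -fsyntax-only test.cpp` log (with `--num-callers` raised if you want deeper stacks) gives one record per reported error.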