[LLVMbugs] [Bug 23334] New: crash in Sema::CleanupVarDeclMarking with [=] lambda
bugzilla-daemon at llvm.org
Thu Apr 23 21:06:35 PDT 2015
https://llvm.org/bugs/show_bug.cgi?id=23334
Bug ID: 23334
Summary: crash in Sema::CleanupVarDeclMarking with [=] lambda
Product: clang
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: C++
Assignee: unassignedclangbugs at nondot.org
Reporter: nlewycky at google.com
CC: dgregor at apple.com, llvmbugs at cs.uiuc.edu
Classification: Unclassified
Testcase:
void fn1() {
  constexpr int kIsolationClass = 0;
  const int kBytesPerConnection = 0;
  [=]
  {
    0(kUserkIsolationClass);
    kBytesPerConnection, kBytesPerConnection;
  };
}
in -std=c++11 mode. I believe I can get a crash on valid out of this too.
==31903==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900000d7e0
at pc 0x00000060f4f9 bp 0x7fffc27a6c60 sp 0x7fffc27a6c58
READ of size 8 at 0x61900000d7e0 thread T0
#0 0x60f4f8 in llvm::SmallPtrSetIteratorImpl::AdvanceIfNotValid()
third_party/llvm/llvm/include/llvm/ADT/SmallPtrSet.h:171:13
#1 0x1f336d4 in llvm::SmallPtrSetIterator<clang::Expr*>::operator++()
third_party/llvm/llvm/include/llvm/ADT/SmallPtrSet.h:201:5
#2 0x1eb26f2 in clang::Sema::CleanupVarDeclMarking()
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:13140:16
#3 0x1dd96c4 in clang::Sema::MaybeCreateExprWithCleanups(clang::Expr*)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExprCXX.cpp:5150:3
#4 0x1dd9606 in
clang::Sema::MaybeCreateExprWithCleanups(clang::ActionResult<clang::Expr*,
true>) third_party/llvm/llvm/tools/clang/lib/Sema/SemaExprCXX.cpp:5144:10
#5 0x1de086a in clang::Sema::ActOnFinishFullExpr(clang::Expr*,
clang::SourceLocation, bool, bool, bool)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExprCXX.cpp:6439:10
#6 0x1bc78b5 in
clang::Sema::ActOnExprStmt(clang::ActionResult<clang::Expr*, true>)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaStmt.cpp:46:8
#7 0x18bdc13 in clang::Parser::ParseExprStatement()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:408:10
#8 0x18bcecc in
clang::Parser::ParseStatementOrDeclarationAfterAttributes(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*, clang::Parser::ParsedAttributesWithRange&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:220:12
#9 0x18bc238 in
clang::Parser::ParseStatementOrDeclaration(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:106:20
#10 0x18c538a in clang::Parser::ParseCompoundStatementBody(bool)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:958:11
#11 0x18fc656 in
clang::Parser::ParseLambdaExpressionAfterIntroducer(clang::LambdaIntroducer&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:1250:19
#12 0x18fa194 in clang::Parser::ParseLambdaExpression()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:729:10
#13 0x191112d in clang::Parser::ParseCastExpression(bool, bool, bool&,
clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:1283:13
#14 0x190a27b in clang::Parser::ParseCastExpression(bool, bool,
clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:437:20
#15 0x190823d in
clang::Parser::ParseAssignmentExpression(clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:167:20
#16 0x190817d in
clang::Parser::ParseExpression(clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:121:18
#17 0x18bda0e in clang::Parser::ParseExprStatement()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:384:19
#18 0x18bcecc in
clang::Parser::ParseStatementOrDeclarationAfterAttributes(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*, clang::Parser::ParsedAttributesWithRange&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:220:12
#19 0x18bc238 in
clang::Parser::ParseStatementOrDeclaration(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:106:20
#20 0x18c538a in clang::Parser::ParseCompoundStatementBody(bool)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:958:11
#21 0x18c61b6 in clang::Parser::ParseFunctionStatementBody(clang::Decl*,
clang::Parser::ParseScope&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:1873:21
[...]
0x61900000d7e0 is located 96 bytes inside of 1024-byte region
[0x61900000d780,0x61900000db80)
freed by thread T0 here:
#0 0x4ffd6b in __interceptor_free
third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
#1 0x1ea955d in clang::Sema::PopExpressionEvaluationContext()
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:12018:3
#2 0x1ec792c in addAsFieldToClosureType(clang::Sema&,
clang::sema::LambdaScopeInfo*, clang::VarDecl*, clang::QualType,
clang::QualType, clang::SourceLocation, bool)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:12655:1
#3 0x1eb7864 in captureInLambda(clang::sema::LambdaScopeInfo*,
clang::VarDecl*, clang::SourceLocation, bool, clang::QualType&,
clang::QualType&, bool, clang::Sema::TryCaptureKind, clang::SourceLocation,
bool, clang::Sema&)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:12738:25
#4 0x1eb4e6e in clang::Sema::tryCaptureVariable(clang::VarDecl*,
clang::SourceLocation, clang::Sema::TryCaptureKind, clang::SourceLocation,
bool, clang::QualType&, clang::QualType&, unsigned int const*)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:13034:12
#5 0x1e58489 in clang::MarkVarDeclODRUsed(clang::VarDecl*,
clang::SourceLocation, clang::Sema&, unsigned int const*)
third_party/llvm/llvm/tools/clang/include/clang/Sema/SemaInternal.h:70:3
#6 0x1eb26ea in clang::Sema::CleanupVarDeclMarking()
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:13153:5
#7 0x1dd96c4 in clang::Sema::MaybeCreateExprWithCleanups(clang::Expr*)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExprCXX.cpp:5150:3
#8 0x1dd9606 in
clang::Sema::MaybeCreateExprWithCleanups(clang::ActionResult<clang::Expr*,
true>) third_party/llvm/llvm/tools/clang/lib/Sema/SemaExprCXX.cpp:5144:10
#9 0x1de086a in clang::Sema::ActOnFinishFullExpr(clang::Expr*,
clang::SourceLocation, bool, bool, bool)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExprCXX.cpp:6439:10
#10 0x1bc78b5 in
clang::Sema::ActOnExprStmt(clang::ActionResult<clang::Expr*, true>)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaStmt.cpp:46:8
#11 0x18bdc13 in clang::Parser::ParseExprStatement()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:408:10
#12 0x18bcecc in
clang::Parser::ParseStatementOrDeclarationAfterAttributes(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*, clang::Parser::ParsedAttributesWithRange&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:220:12
#13 0x18bc238 in
clang::Parser::ParseStatementOrDeclaration(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:106:20
#14 0x18c538a in clang::Parser::ParseCompoundStatementBody(bool)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:958:11
#15 0x18fc656 in
clang::Parser::ParseLambdaExpressionAfterIntroducer(clang::LambdaIntroducer&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:1250:19
#16 0x18fa194 in clang::Parser::ParseLambdaExpression()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:729:10
#17 0x191112d in clang::Parser::ParseCastExpression(bool, bool, bool&,
clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:1283:13
#18 0x190a27b in clang::Parser::ParseCastExpression(bool, bool,
clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:437:20
#19 0x190823d in
clang::Parser::ParseAssignmentExpression(clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:167:20
#20 0x190817d in
clang::Parser::ParseExpression(clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:121:18
#21 0x18bda0e in clang::Parser::ParseExprStatement()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:384:19
#22 0x18bcecc in
clang::Parser::ParseStatementOrDeclarationAfterAttributes(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*, clang::Parser::ParsedAttributesWithRange&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:220:12
#23 0x18bc238 in
clang::Parser::ParseStatementOrDeclaration(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:106:20
#24 0x18c538a in clang::Parser::ParseCompoundStatementBody(bool)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:958:11
#25 0x18c61b6 in clang::Parser::ParseFunctionStatementBody(clang::Decl*,
clang::Parser::ParseScope&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:1873:21
#26 0x1895ef8 in
clang::Parser::ParseFunctionDefinition(clang::ParsingDeclarator&,
clang::Parser::ParsedTemplateInfo const&, clang::Parser::LateParsedAttrList*)
third_party/llvm/llvm/tools/clang/lib/Parse/Parser.cpp:1104:10
#27 0x1949a47 in clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&,
unsigned int, clang::SourceLocation*, clang::Parser::ForRangeInit*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseDecl.cpp:1689:11
#28 0x1894f20 in
clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&,
clang::ParsingDeclSpec&, clang::AccessSpecifier)
third_party/llvm/llvm/tools/clang/lib/Parse/Parser.cpp:893:10
#29 0x1894619 in
clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&,
clang::ParsingDeclSpec*, clang::AccessSpecifier)
third_party/llvm/llvm/tools/clang/lib/Parse/Parser.cpp:909:12
previously allocated by thread T0 here:
#0 0x50004b in __interceptor_malloc
third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
#1 0x4a7aca6 in llvm::SmallPtrSetImplBase::Grow(unsigned int)
third_party/llvm/llvm/lib/Support/SmallPtrSet.cpp:141:28
#2 0x4a7aa04 in llvm::SmallPtrSetImplBase::insert_imp(void const*)
third_party/llvm/llvm/lib/Support/SmallPtrSet.cpp:61:5
#3 0x1f3674e in llvm::SmallPtrSetImpl<clang::Expr*>::insert(clang::Expr*)
third_party/llvm/llvm/include/llvm/ADT/SmallPtrSet.h:265:14
#4 0x1eb876c in DoMarkVarDeclReferenced(clang::Sema&,
clang::SourceLocation, clang::VarDecl*, clang::Expr*)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:13271:7
#5 0x1e69efa in clang::Sema::BuildDeclRefExpr(clang::ValueDecl*,
clang::QualType, clang::ExprValueKind, clang::DeclarationNameInfo const&,
clang::CXXScopeSpec const*, clang::NamedDecl*, clang::TemplateArgumentListInfo
const*) third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:1678:3
#6 0x1e700a3 in clang::Sema::BuildDeclarationNameExpr(clang::CXXScopeSpec
const&, clang::DeclarationNameInfo const&, clang::NamedDecl*,
clang::NamedDecl*, clang::TemplateArgumentListInfo const*, bool)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:2981:12
#7 0x1e6de0f in clang::Sema::BuildDeclarationNameExpr(clang::CXXScopeSpec
const&, clang::LookupResult&, bool, bool)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:2749:12
#8 0x2063aef in clang::Sema::ClassifyName(clang::Scope*,
clang::CXXScopeSpec&, clang::IdentifierInfo*&, clang::SourceLocation,
clang::Token const&, bool, std::unique_ptr<clang::CorrectionCandidateCallback,
std::default_delete<clang::CorrectionCandidateCallback> >)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaDecl.cpp:1029:10
#9 0x189727c in clang::Parser::TryAnnotateName(bool,
std::unique_ptr<clang::CorrectionCandidateCallback,
std::default_delete<clang::CorrectionCandidateCallback> >)
third_party/llvm/llvm/tools/clang/lib/Parse/Parser.cpp:1365:45
#10 0x18a4b63 in
clang::Parser::isCXXDeclarationSpecifier(clang::Parser::TPResult, bool*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseTentative.cpp:1160:15
#11 0x191b9a9 in clang::Parser::isKnownToBeDeclarationSpecifier()
third_party/llvm/llvm/tools/clang/include/clang/Parse/Parser.h:1789:14
#12 0x190ccc1 in clang::Parser::isNotExpressionStart()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:216:10
#13 0x1908727 in
clang::Parser::ParseRHSOfBinaryExpression(clang::ActionResult<clang::Expr*,
true>, clang::prec::Level)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:251:35
#14 0x18bda0e in clang::Parser::ParseExprStatement()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:384:19
#15 0x18bcecc in
clang::Parser::ParseStatementOrDeclarationAfterAttributes(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*, clang::Parser::ParsedAttributesWithRange&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:220:12
#16 0x18bc238 in
clang::Parser::ParseStatementOrDeclaration(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:106:20
#17 0x18c538a in clang::Parser::ParseCompoundStatementBody(bool)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:958:11
#18 0x18fc656 in
clang::Parser::ParseLambdaExpressionAfterIntroducer(clang::LambdaIntroducer&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:1250:19
#19 0x18fa194 in clang::Parser::ParseLambdaExpression()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:729:10
#20 0x191112d in clang::Parser::ParseCastExpression(bool, bool, bool&,
clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:1283:13
#21 0x190a27b in clang::Parser::ParseCastExpression(bool, bool,
clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:437:20
#22 0x190823d in
clang::Parser::ParseAssignmentExpression(clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:167:20
#23 0x190817d in
clang::Parser::ParseExpression(clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:121:18
#24 0x18bda0e in clang::Parser::ParseExprStatement()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:384:19
#25 0x18bcecc in
clang::Parser::ParseStatementOrDeclarationAfterAttributes(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*, clang::Parser::ParsedAttributesWithRange&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:220:12
#26 0x18bc238 in
clang::Parser::ParseStatementOrDeclaration(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:106:20
#27 0x18c538a in clang::Parser::ParseCompoundStatementBody(bool)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:958:11
#28 0x18c61b6 in clang::Parser::ParseFunctionStatementBody(clang::Decl*,
clang::Parser::ParseScope&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:1873:21
#29 0x1895ef8 in
clang::Parser::ParseFunctionDefinition(clang::ParsingDeclarator&,
clang::Parser::ParsedTemplateInfo const&, clang::Parser::LateParsedAttrList*)
third_party/llvm/llvm/tools/clang/lib/Parse/Parser.cpp:1104:10
SUMMARY: AddressSanitizer: heap-use-after-free
third_party/llvm/llvm/include/llvm/ADT/SmallPtrSet.h:171:13 in
llvm::SmallPtrSetIteratorImpl::AdvanceIfNotValid()
==31903==ABORTING