<html>
<head>
<base href="https://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - crash in Sema::CleanupVarDeclMarking with [=] lambda"
href="https://llvm.org/bugs/show_bug.cgi?id=23334">23334</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>crash in Sema::CleanupVarDeclMarking with [=] lambda
</td>
</tr>
<tr>
<th>Product</th>
<td>clang
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>C++
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedclangbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>nlewycky@google.com
</td>
</tr>
<tr>
<th>CC</th>
<td>dgregor@apple.com, llvmbugs@cs.uiuc.edu
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>Testcase:

void fn1() {
  constexpr int kIsolationClass = 0;
  const int kBytesPerConnection = 0;
  [=]
  {
    0(kUserkIsolationClass);
    kBytesPerConnection, kBytesPerConnection;
  };
}

in -std=c++11 mode. I believe I can get a crash on valid out of this too.

==31903==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900000d7e0
at pc 0x00000060f4f9 bp 0x7fffc27a6c60 sp 0x7fffc27a6c58
READ of size 8 at 0x61900000d7e0 thread T0
#0 0x60f4f8 in llvm::SmallPtrSetIteratorImpl::AdvanceIfNotValid()
third_party/llvm/llvm/include/llvm/ADT/SmallPtrSet.h:171:13
#1 0x1f336d4 in llvm::SmallPtrSetIterator<clang::Expr*>::operator++()
third_party/llvm/llvm/include/llvm/ADT/SmallPtrSet.h:201:5
#2 0x1eb26f2 in clang::Sema::CleanupVarDeclMarking()
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:13140:16
#3 0x1dd96c4 in clang::Sema::MaybeCreateExprWithCleanups(clang::Expr*)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExprCXX.cpp:5150:3
#4 0x1dd9606 in
clang::Sema::MaybeCreateExprWithCleanups(clang::ActionResult<clang::Expr*,
true>) third_party/llvm/llvm/tools/clang/lib/Sema/SemaExprCXX.cpp:5144:10
#5 0x1de086a in clang::Sema::ActOnFinishFullExpr(clang::Expr*,
clang::SourceLocation, bool, bool, bool)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExprCXX.cpp:6439:10
#6 0x1bc78b5 in
clang::Sema::ActOnExprStmt(clang::ActionResult<clang::Expr*, true>)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaStmt.cpp:46:8
#7 0x18bdc13 in clang::Parser::ParseExprStatement()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:408:10
#8 0x18bcecc in
clang::Parser::ParseStatementOrDeclarationAfterAttributes(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*, clang::Parser::ParsedAttributesWithRange&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:220:12
#9 0x18bc238 in
clang::Parser::ParseStatementOrDeclaration(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:106:20
#10 0x18c538a in clang::Parser::ParseCompoundStatementBody(bool)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:958:11
#11 0x18fc656 in
clang::Parser::ParseLambdaExpressionAfterIntroducer(clang::LambdaIntroducer&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:1250:19
#12 0x18fa194 in clang::Parser::ParseLambdaExpression()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:729:10
#13 0x191112d in clang::Parser::ParseCastExpression(bool, bool, bool&,
clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:1283:13
#14 0x190a27b in clang::Parser::ParseCastExpression(bool, bool,
clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:437:20
#15 0x190823d in
clang::Parser::ParseAssignmentExpression(clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:167:20
#16 0x190817d in
clang::Parser::ParseExpression(clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:121:18
#17 0x18bda0e in clang::Parser::ParseExprStatement()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:384:19
#18 0x18bcecc in
clang::Parser::ParseStatementOrDeclarationAfterAttributes(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*, clang::Parser::ParsedAttributesWithRange&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:220:12
#19 0x18bc238 in
clang::Parser::ParseStatementOrDeclaration(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:106:20
#20 0x18c538a in clang::Parser::ParseCompoundStatementBody(bool)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:958:11
#21 0x18c61b6 in clang::Parser::ParseFunctionStatementBody(clang::Decl*,
clang::Parser::ParseScope&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:1873:21
[...]
0x61900000d7e0 is located 96 bytes inside of 1024-byte region
[0x61900000d780,0x61900000db80)
freed by thread T0 here:
#0 0x4ffd6b in __interceptor_free
third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
#1 0x1ea955d in clang::Sema::PopExpressionEvaluationContext()
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:12018:3
#2 0x1ec792c in addAsFieldToClosureType(clang::Sema&,
clang::sema::LambdaScopeInfo*, clang::VarDecl*, clang::QualType,
clang::QualType, clang::SourceLocation, bool)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:12655:1
#3 0x1eb7864 in captureInLambda(clang::sema::LambdaScopeInfo*,
clang::VarDecl*, clang::SourceLocation, bool, clang::QualType&,
clang::QualType&, bool, clang::Sema::TryCaptureKind, clang::SourceLocation,
bool, clang::Sema&)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:12738:25
#4 0x1eb4e6e in clang::Sema::tryCaptureVariable(clang::VarDecl*,
clang::SourceLocation, clang::Sema::TryCaptureKind, clang::SourceLocation,
bool, clang::QualType&, clang::QualType&, unsigned int const*)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:13034:12
#5 0x1e58489 in clang::MarkVarDeclODRUsed(clang::VarDecl*,
clang::SourceLocation, clang::Sema&, unsigned int const*)
third_party/llvm/llvm/tools/clang/include/clang/Sema/SemaInternal.h:70:3
#6 0x1eb26ea in clang::Sema::CleanupVarDeclMarking()
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:13153:5
#7 0x1dd96c4 in clang::Sema::MaybeCreateExprWithCleanups(clang::Expr*)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExprCXX.cpp:5150:3
#8 0x1dd9606 in
clang::Sema::MaybeCreateExprWithCleanups(clang::ActionResult<clang::Expr*,
true>) third_party/llvm/llvm/tools/clang/lib/Sema/SemaExprCXX.cpp:5144:10
#9 0x1de086a in clang::Sema::ActOnFinishFullExpr(clang::Expr*,
clang::SourceLocation, bool, bool, bool)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExprCXX.cpp:6439:10
#10 0x1bc78b5 in
clang::Sema::ActOnExprStmt(clang::ActionResult<clang::Expr*, true>)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaStmt.cpp:46:8
#11 0x18bdc13 in clang::Parser::ParseExprStatement()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:408:10
#12 0x18bcecc in
clang::Parser::ParseStatementOrDeclarationAfterAttributes(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*, clang::Parser::ParsedAttributesWithRange&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:220:12
#13 0x18bc238 in
clang::Parser::ParseStatementOrDeclaration(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:106:20
#14 0x18c538a in clang::Parser::ParseCompoundStatementBody(bool)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:958:11
#15 0x18fc656 in
clang::Parser::ParseLambdaExpressionAfterIntroducer(clang::LambdaIntroducer&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:1250:19
#16 0x18fa194 in clang::Parser::ParseLambdaExpression()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:729:10
#17 0x191112d in clang::Parser::ParseCastExpression(bool, bool, bool&,
clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:1283:13
#18 0x190a27b in clang::Parser::ParseCastExpression(bool, bool,
clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:437:20
#19 0x190823d in
clang::Parser::ParseAssignmentExpression(clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:167:20
#20 0x190817d in
clang::Parser::ParseExpression(clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:121:18
#21 0x18bda0e in clang::Parser::ParseExprStatement()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:384:19
#22 0x18bcecc in
clang::Parser::ParseStatementOrDeclarationAfterAttributes(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*, clang::Parser::ParsedAttributesWithRange&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:220:12
#23 0x18bc238 in
clang::Parser::ParseStatementOrDeclaration(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:106:20
#24 0x18c538a in clang::Parser::ParseCompoundStatementBody(bool)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:958:11
#25 0x18c61b6 in clang::Parser::ParseFunctionStatementBody(clang::Decl*,
clang::Parser::ParseScope&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:1873:21
#26 0x1895ef8 in
clang::Parser::ParseFunctionDefinition(clang::ParsingDeclarator&,
clang::Parser::ParsedTemplateInfo const&, clang::Parser::LateParsedAttrList*)
third_party/llvm/llvm/tools/clang/lib/Parse/Parser.cpp:1104:10
#27 0x1949a47 in clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&,
unsigned int, clang::SourceLocation*, clang::Parser::ForRangeInit*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseDecl.cpp:1689:11
#28 0x1894f20 in
clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&,
clang::ParsingDeclSpec&, clang::AccessSpecifier)
third_party/llvm/llvm/tools/clang/lib/Parse/Parser.cpp:893:10
#29 0x1894619 in
clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&,
clang::ParsingDeclSpec*, clang::AccessSpecifier)
third_party/llvm/llvm/tools/clang/lib/Parse/Parser.cpp:909:12
previously allocated by thread T0 here:
#0 0x50004b in __interceptor_malloc
third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
#1 0x4a7aca6 in llvm::SmallPtrSetImplBase::Grow(unsigned int)
third_party/llvm/llvm/lib/Support/SmallPtrSet.cpp:141:28
#2 0x4a7aa04 in llvm::SmallPtrSetImplBase::insert_imp(void const*)
third_party/llvm/llvm/lib/Support/SmallPtrSet.cpp:61:5
#3 0x1f3674e in llvm::SmallPtrSetImpl<clang::Expr*>::insert(clang::Expr*)
third_party/llvm/llvm/include/llvm/ADT/SmallPtrSet.h:265:14
#4 0x1eb876c in DoMarkVarDeclReferenced(clang::Sema&,
clang::SourceLocation, clang::VarDecl*, clang::Expr*)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:13271:7
#5 0x1e69efa in clang::Sema::BuildDeclRefExpr(clang::ValueDecl*,
clang::QualType, clang::ExprValueKind, clang::DeclarationNameInfo const&,
clang::CXXScopeSpec const*, clang::NamedDecl*, clang::TemplateArgumentListInfo
const*) third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:1678:3
#6 0x1e700a3 in clang::Sema::BuildDeclarationNameExpr(clang::CXXScopeSpec
const&, clang::DeclarationNameInfo const&, clang::NamedDecl*,
clang::NamedDecl*, clang::TemplateArgumentListInfo const*, bool)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:2981:12
#7 0x1e6de0f in clang::Sema::BuildDeclarationNameExpr(clang::CXXScopeSpec
const&, clang::LookupResult&, bool, bool)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaExpr.cpp:2749:12
#8 0x2063aef in clang::Sema::ClassifyName(clang::Scope*,
clang::CXXScopeSpec&, clang::IdentifierInfo*&, clang::SourceLocation,
clang::Token const&, bool, std::unique_ptr<clang::CorrectionCandidateCallback,
std::default_delete<clang::CorrectionCandidateCallback> >)
third_party/llvm/llvm/tools/clang/lib/Sema/SemaDecl.cpp:1029:10
#9 0x189727c in clang::Parser::TryAnnotateName(bool,
std::unique_ptr<clang::CorrectionCandidateCallback,
std::default_delete<clang::CorrectionCandidateCallback> >)
third_party/llvm/llvm/tools/clang/lib/Parse/Parser.cpp:1365:45
#10 0x18a4b63 in
clang::Parser::isCXXDeclarationSpecifier(clang::Parser::TPResult, bool*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseTentative.cpp:1160:15
#11 0x191b9a9 in clang::Parser::isKnownToBeDeclarationSpecifier()
third_party/llvm/llvm/tools/clang/include/clang/Parse/Parser.h:1789:14
#12 0x190ccc1 in clang::Parser::isNotExpressionStart()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:216:10
#13 0x1908727 in
clang::Parser::ParseRHSOfBinaryExpression(clang::ActionResult<clang::Expr*,
true>, clang::prec::Level)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:251:35
#14 0x18bda0e in clang::Parser::ParseExprStatement()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:384:19
#15 0x18bcecc in
clang::Parser::ParseStatementOrDeclarationAfterAttributes(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*, clang::Parser::ParsedAttributesWithRange&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:220:12
#16 0x18bc238 in
clang::Parser::ParseStatementOrDeclaration(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:106:20
#17 0x18c538a in clang::Parser::ParseCompoundStatementBody(bool)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:958:11
#18 0x18fc656 in
clang::Parser::ParseLambdaExpressionAfterIntroducer(clang::LambdaIntroducer&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:1250:19
#19 0x18fa194 in clang::Parser::ParseLambdaExpression()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:729:10
#20 0x191112d in clang::Parser::ParseCastExpression(bool, bool, bool&,
clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:1283:13
#21 0x190a27b in clang::Parser::ParseCastExpression(bool, bool,
clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:437:20
#22 0x190823d in
clang::Parser::ParseAssignmentExpression(clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:167:20
#23 0x190817d in
clang::Parser::ParseExpression(clang::Parser::TypeCastState)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseExpr.cpp:121:18
#24 0x18bda0e in clang::Parser::ParseExprStatement()
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:384:19
#25 0x18bcecc in
clang::Parser::ParseStatementOrDeclarationAfterAttributes(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*, clang::Parser::ParsedAttributesWithRange&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:220:12
#26 0x18bc238 in
clang::Parser::ParseStatementOrDeclaration(llvm::SmallVector<clang::Stmt*,
32u>&, bool, clang::SourceLocation*)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:106:20
#27 0x18c538a in clang::Parser::ParseCompoundStatementBody(bool)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:958:11
#28 0x18c61b6 in clang::Parser::ParseFunctionStatementBody(clang::Decl*,
clang::Parser::ParseScope&)
third_party/llvm/llvm/tools/clang/lib/Parse/ParseStmt.cpp:1873:21
#29 0x1895ef8 in
clang::Parser::ParseFunctionDefinition(clang::ParsingDeclarator&,
clang::Parser::ParsedTemplateInfo const&, clang::Parser::LateParsedAttrList*)
third_party/llvm/llvm/tools/clang/lib/Parse/Parser.cpp:1104:10
SUMMARY: AddressSanitizer: heap-use-after-free
third_party/llvm/llvm/include/llvm/ADT/SmallPtrSet.h:171:13 in
llvm::SmallPtrSetIteratorImpl::AdvanceIfNotValid()
==31903==ABORTING</pre>
</div>
</p>
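<p>Added example, not part of the original report and not clang's code: in the trace above, the freeing stack passes through Sema::CleanupVarDeclMarking (SemaExpr.cpp:13153) into PopExpressionEvaluationContext, while the faulting read is the iterator increment in the same function (SemaExpr.cpp:13140), so a callee releases the storage the loop is still walking. The model below uses hypothetical names (Context, pending, markUsed) and a generation counter in place of a real dangling read, and contrasts iterating the member in place with detaching it into a local first, which is one common mitigation for this bug class.</p>

```cpp
#include <cstddef>
#include <vector>

// Hypothetical stand-in for the state in the trace: a pending set that a
// cleanup pass walks, and a generation counter bumped whenever the set's
// storage is released.
struct Context {
  std::vector<int> pending;
  std::vector<int> visited;
  unsigned generation = 0;

  void releasePending() {  // models the free on the "freed by" stack
    std::vector<int>().swap(pending);
    ++generation;
  }
  // Models the callee: handling one entry may re-enter and release the
  // storage the caller is iterating (negative values trigger that here).
  void markUsed(int v) {
    visited.push_back(v);
    if (v < 0) releasePending();
  }
};

// "Before": walks the member in place. Rather than touching freed memory,
// the model stops as soon as it sees the storage was released; a real
// iterator would be dangling at that point. Returns entries processed.
std::size_t cleanupUnsafe(Context &c) {
  const unsigned gen = c.generation;
  for (std::size_t i = 0; i < c.pending.size(); ++i) {
    c.markUsed(c.pending[i]);
    if (c.generation != gen) return i + 1;  // storage gone mid-iteration
  }
  const std::size_t n = c.pending.size();
  c.pending.clear();
  return n;
}

// "After": detach the set into a local, so a re-entrant release can only
// affect the now-empty member, never the storage being walked.
std::size_t cleanupDetached(Context &c) {
  std::vector<int> local;
  local.swap(c.pending);
  for (int v : local) c.markUsed(v);
  return local.size();
}
```
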
</body>
</html>