<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - parser heap use after free"
href="https://bugs.llvm.org/show_bug.cgi?id=37008">37008</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>parser heap use after free
</td>
</tr>
<tr>
<th>Product</th>
<td>clang
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>C++
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedclangbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>richard-llvm@metafoo.co.uk
</td>
</tr>
<tr>
<th>CC</th>
<td>dgregor@apple.com, llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>(Filed on behalf of Jim Meyering)
Here's the minimized reproducer:
printf 'template <int> void ngX() template z()->ngY<>;' | clang -cc1 -x c++
Here's most of the resulting output. The AddressSanitizer report at the end shows the TemplateIdAnnotation allocated from AnnotateTemplateIdToken being freed by ~DestroyTemplateIdAnnotationsRAIIObj (reached from ParseExternalDeclaration, Parser.cpp:859) and then read again in ParseDeclarationSpecifiers (ParseDecl.cpp:3310):
<stdin>:1:26: error: expected ';' at end of declaration
template <int> void ngX() template z()->ngY<>;
^
;
<stdin>:1:41: error: no template named 'ngY'; did you mean 'ngX'?
template <int> void ngX() template z()->ngY<>;
^~~
ngX
<stdin>:1:21: note: 'ngX' declared here
template <int> void ngX() template z()->ngY<>;
^
<stdin>:1:41: error: expected a type
template <int> void ngX() template z()->ngY<>;
^
<stdin>:1:41: error: variable cannot be defined in an explicit instantiation;
if this declaration is meant to be a variable definition, remove the 'template'
keyword
template <int> void ngX() template z()->ngY<>;
~~~~~~~~~ ^
<stdin>:1:36: error: C++ requires a type specifier for all declarations
template <int> void ngX() template z()->ngY<>;
^
<stdin>:1:45: error: expected ';' at end of declaration
template <int> void ngX() template z()->ngY<>;
^
;
=================================================================
==3876978==ERROR: AddressSanitizer: heap-use-after-free on address
0x607000001a30 at pc 0x000005a27670 bp 0x7ffd8a754350 sp 0x7ffd8a754348
READ of size 4 at 0x607000001a30 thread T0
#0 0x5a2766f in clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&,
clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier,
clang::Parser::DeclSpecContext, clang::Parser::LateParsedAttrList*)
/tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:3310
#1 0x59f70e3 in
clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&,
clang::ParsingDeclSpec&, clang::AccessSpecifier)
/tmp/llvm/tools/clang/lib/Parse/Parser.cpp:922
#2 0x59f6b86 in
clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&,
clang::ParsingDeclSpec*, clang::AccessSpecifier)
/tmp/llvm/tools/clang/lib/Parse/Parser.cpp:1028
#3 0x59f56f2 in
clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&,
clang::ParsingDeclSpec*) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:853
#4 0x59f45d1 in
clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&)
/tmp/llvm/tools/clang/lib/Parse/Parser.cpp:609
#5 0x59ee6bb in clang::ParseAST(clang::Sema&, bool, bool)
/tmp/llvm/tools/clang/lib/Parse/ParseAST.cpp:152
#6 0x3c95c64 in clang::FrontendAction::Execute()
/tmp/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:904
#7 0x3c03f86 in
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
/tmp/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:989
#8 0x3e0bf27 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
/tmp/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:255
#9 0xf90faf in cc1_main(llvm::ArrayRef<char const*>, char const*, void*)
/tmp/llvm/tools/clang/tools/driver/cc1_main.cpp:221
#10 0xf818e9 in ExecuteCC1Tool(llvm::ArrayRef<char const*>,
llvm::StringRef) /tmp/llvm/tools/clang/tools/driver/driver.cpp:310
#11 0xf81581 in main /tmp/llvm/tools/clang/tools/driver/driver.cpp:390
#12 0x7f6051da4c04 in __libc_start_main ??:?
#13 0xe5fe33 in _start ??:?
0x607000001a30 is located 64 bytes inside of 80-byte region
[0x6070000019f0,0x607000001a40)
freed by thread T0 here:
#0 0xf372c0 in __interceptor_free.localalias.0 crtstuff.c:?
#1 0x59feac7 in ~DestroyTemplateIdAnnotationsRAIIObj
/tmp/llvm/build/../tools/clang/include/clang/Parse/RAIIObjectsForParser.h:459
#2 0x59f580d in
clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&,
clang::ParsingDeclSpec*) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:859
#3 0x59f45d1 in
clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&)
/tmp/llvm/tools/clang/lib/Parse/Parser.cpp:609
#4 0x59ee6bb in clang::ParseAST(clang::Sema&, bool, bool)
/tmp/llvm/tools/clang/lib/Parse/ParseAST.cpp:152
#5 0x3c95c64 in clang::FrontendAction::Execute()
/tmp/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:904
#6 0x3c03f86 in
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
/tmp/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:989
#7 0x3e0bf27 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
/tmp/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:255
#8 0xf90faf in cc1_main(llvm::ArrayRef<char const*>, char const*, void*)
/tmp/llvm/tools/clang/tools/driver/cc1_main.cpp:221
#9 0xf818e9 in ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef)
/tmp/llvm/tools/clang/tools/driver/driver.cpp:310
#10 0xf81581 in main /tmp/llvm/tools/clang/tools/driver/driver.cpp:390
#11 0x7f6051da4c04 in __libc_start_main ??:?
previously allocated by thread T0 here:
#0 0xf374d0 in __interceptor_malloc ??:?
#1 0xfb2b0a in llvm::safe_malloc(unsigned long)
/tmp/llvm/build/../include/llvm/Support/Allocator.h:447
#2 0x5aa115c in clang::TemplateIdAnnotation::Create(clang::CXXScopeSpec,
clang::SourceLocation, clang::SourceLocation, clang::IdentifierInfo*,
clang::OverloadedOperatorKind, clang::OpaquePtr<clang::TemplateName>,
clang::TemplateNameKind, clang::SourceLocation, clang::SourceLocation,
llvm::ArrayRef<clang::ParsedTemplateArgument>,
llvm::SmallVectorImpl<clang::TemplateIdAnnotation*>&)
/tmp/llvm/build/../tools/clang/include/clang/Sema/ParsedTemplate.h:202
#3 0x5b102e9 in
clang::Parser::AnnotateTemplateIdToken(clang::OpaquePtr<clang::TemplateName>,
clang::TemplateNameKind, clang::CXXScopeSpec&, clang::SourceLocation,
clang::UnqualifiedId&, bool)
/tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:1042
#4 0x5a8f564 in
clang::Parser::ParseOptionalCXXScopeSpecifier(clang::CXXScopeSpec&,
clang::OpaquePtr<clang::QualType>, bool, bool*, bool, clang::IdentifierInfo**,
bool) /tmp/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:497
#5 0x59fc010 in clang::Parser::TryAnnotateCXXScopeToken(bool)
/tmp/llvm/tools/clang/lib/Parse/Parser.cpp:1886
#6 0x5a23ae9 in clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&,
clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier,
clang::Parser::DeclSpecContext, clang::Parser::LateParsedAttrList*)
/tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:3212
#7 0x5a11ff0 in
clang::Parser::ParseSpecifierQualifierList(clang::DeclSpec&,
clang::AccessSpecifier, clang::Parser::DeclSpecContext)
/tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:2389
#8 0x5a11c31 in clang::Parser::ParseTypeName(clang::SourceRange*,
clang::DeclaratorContext, clang::AccessSpecifier, clang::Decl**,
clang::ParsedAttributes*) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:58
#9 0x5a39bcd in clang::Parser::ParseFunctionDeclarator(clang::Declarator&,
clang::ParsedAttributes&, clang::BalancedDelimiterTracker&, bool, bool)
/tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:6152
#10 0x5a3692c in clang::Parser::ParseDirectDeclarator(clang::Declarator&)
/tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:5789
#11 0x5a34e6e in clang::Parser::ParseDeclaratorInternal(clang::Declarator&,
void (clang::Parser::*)(clang::Declarator&))
/tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:5340
#12 0x5b0b10e in
clang::Parser::ParseSingleDeclarationAfterTemplate(clang::DeclaratorContext,
clang::Parser::ParsedTemplateInfo const&, clang::ParsingDeclRAIIObject&,
clang::SourceLocation&, clang::AccessSpecifier, clang::AttributeList*)
/tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:238
#13 0x5b09d9b in
clang::Parser::ParseExplicitInstantiation(clang::DeclaratorContext,
clang::SourceLocation, clang::SourceLocation, clang::SourceLocation&,
clang::AccessSpecifier) /tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:1318
#14 0x5b09b40 in
clang::Parser::ParseDeclarationStartingWithTemplate(clang::DeclaratorContext,
clang::SourceLocation&, clang::AccessSpecifier, clang::AttributeList*)
/tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:34
#15 0x5a22609 in clang::Parser::ParseDeclaration(clang::DeclaratorContext,
clang::SourceLocation&, clang::Parser::ParsedAttributesWithRange&)
/tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:1686
#16 0x59f4d97 in
clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&,
clang::ParsingDeclSpec*) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:786
#17 0x59f45d1 in
clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&)
/tmp/llvm/tools/clang/lib/Parse/Parser.cpp:609
#18 0x59ee6bb in clang::ParseAST(clang::Sema&, bool, bool)
/tmp/llvm/tools/clang/lib/Parse/ParseAST.cpp:152
#19 0x3c95c64 in clang::FrontendAction::Execute()
/tmp/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:904
#20 0x3c03f86 in
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
/tmp/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:989
#21 0x3e0bf27 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
/tmp/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:255
#22 0xf90faf in cc1_main(llvm::ArrayRef<char const*>, char const*, void*)
/tmp/llvm/tools/clang/tools/driver/cc1_main.cpp:221
#23 0xf818e9 in ExecuteCC1Tool(llvm::ArrayRef<char const*>,
llvm::StringRef) /tmp/llvm/tools/clang/tools/driver/driver.cpp:310
#24 0xf81581 in main /tmp/llvm/tools/clang/tools/driver/driver.cpp:390
#25 0x7f6051da4c04 in __libc_start_main ??:?</pre>
</div>
</p>
<hr>
</body>
</html>