<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href="https://github.com/llvm/llvm-project/issues/62672">62672</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            libclang seems to have a heap UAF from a pointer deleted by `clang::FrontendAction::CreateWrappedASTConsumer`
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          Frityet
      </td>
    </tr>
</table>

<pre>
## Explanation

Hello. I am trying to create a clang plugin, but I am stumped trying to figure out why I am getting a heap UAF, according to ASan, with regard to a libllvm function, `clang::FrontendAction::CreateWrappedASTConsumer`. Trying to ignore it with `[[clang::no_sanitize("address")]]` does not work, as address sanitizer still throws the error, making me start to believe it might be a false positive.

## Source code
[Plugin source](https://gist.github.com/Frityet/140e788a02e1b5bc9cb3d5c5792bbfa5)

## Software info
Tested on:
MacOS:
```yaml
$ sw_vers:
> ProductName:               macOS
> ProductVersion:    13.1
> BuildVersion:              22C65

$ uname -srva:
> Darwin amrit-3.local 22.2.0 Darwin Kernel Version 22.2.0: Fri Nov 11 02:08:47 PST 2022; root:xnu-8792.61.2~4/RELEASE_X86_64 x86_64

$ llvm-config --version:
> 16.0.3

$ clang --version:
> Homebrew clang version 16.0.3
> Target: x86_64-apple-darwin22.2.0
> Thread model: posix
> InstalledDir: /usr/local/opt/llvm/bin
```

Linux:
```yaml
$ uname -srva:
> Linux FritPC 6.3.1-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Mon, 01 May 2023 17:42:12 +0000 x86_64 GNU/Linux

$ llvm-config --version:
> 17.0.0

$ clang --version:
> clang version 17.0.0 (/home/main-builder/pkgsrc/llvm-project 0ffea218934b728b68fee7e4d2d973869f222961)
> Target: x86_64-pc-linux-gnu
> Thread model: posix
> InstalledDir: /usr/bin
```

## Usage commands
Compiled with:
- Plugin: `clang++ UAFTest.cpp -fPIC -g -Og -Wall -Werror -Wextra -Wno-unused-private-field -Wno-unused-function -Wno-unused-parameter -Wno-unused-variable $(llvm-config --cxxflags) -fsanitize=address,undefined -o libuaftest.so -shared -L/usr/local/lib $(llvm-config --ldflags) $(llvm-config --libs)`

- Program: `LD_PRELOAD=/usr/lib/clang/17/lib/x86_64-pc-linux-gnu/libclang_rt.asan.so clang -c -fplugin=./libuaftest.so -Xclang -add-plugin -Xclang lua -std=c2x -Wall -Wno-unknown-pragmas -Werror -Wextra -Wno-unused-function -Wno-unused-parameter -Wno-unused-variable -I/usr/local/include/lua Test.c -o Test.o` (on MacOS I used `DYLD_INSERT_LIBRARIES`)


## Output
[Address sanitizer output (MacOS)](https://gist.github.com/Frityet/a49e1a15dcbb086e0468bc2328ed9b1d)


</pre>