<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/69683>69683</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            Clang AST unbounded node expansion idue to designated array inititalization - InitListExpr
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            clang
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          srikwit
      </td>
    </tr>
</table>

<pre>
    Clang supports InitListExpr which can be used to initialize objects of different types, including struct/class/union types, arrays, and vectors. While working with designated array initialization I have encountered that an expression like the following:
`char *test[257400000] = {[257399999] = "data"};`

will result in expansion of all elements in the array. The resulting array will have a single element being initialized with the value "data" and the rest of the values would be default initialized. The issue with such a permissive expansion of array elements is that by increasing the number of elements in the array we can successfully create ASTs several orders greater than the original source code i.e. non-useful ASTs can be created with file sizes in GBs when the original data source can be less than 1 KB in size. This can result in disk storage exhaustion, high CPU and memory usage resulting in a Denial of Service, or a common coding weakness called "Uncontrolled Resource Consumption" on the system where Clang is available.

The AST generation was performed using the following command: `clang -Xclang -ast-dump=json x.c`

The impact of such a code is that it can deter the generation of AST for further code analysis apart from making the host system unusable.
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJxsVcGO27gS_Br60hhDI3nk8cGHmfGbh2D3sNgk2L22yJbEmCIFNmnH-fpFU46dBNHBsiR2sapYTSKzHTzRXj29qqfDCnMaQ9xztMezTasumMv-zaEfgPM8h5gYPnib_rSc_vd1jnAerR5Bo4eOIDMZSAGst8mis98IQveFdGIIPRjb9xTJJ0iXmVjVb2C9dtlYQU8x66Tqd-2QWdXv2dvg7yMxRrws_7yBE-kUIq_hn9E6gnOIRwE52zSCIVGEicxSdGeDSSA_wIgnAvI6ZJ8oCuURE6AH-jpHYpZRzh4J0kjQB-fC2fpBNS-qOqjqRbWVHjGCql8ScVJPr_XTdlPJpZ4OoJoDqO3r8rrZyXV7XdcGE6q6VtuDal5VW10hy-_ZOgeROLsEtrBBX8iEHtA5IEcT-cTyUagVeWv4NNK1SjxYNBeoohOBrR8cfa-GjmTYfYnMYpsAntBl-oFl8Tot8ElY3AYxnEN2RhbdUI8L4xviwskyZ1rAOesREGaKk2W2Yv9P4grnuzxeVqSTtdORUBSUuX2eOopS8lsv4Ewlipy1JuY-O3cBAUgELx8_MTCdKKKDEA1FhqF8ijLbghKiHaxHBxxy1AQ6GAK7pjX44B8yU5_dgnRN_AJ-tbCXLLL9RoXV_18ZziP9AizO3tAXDEfMC4VH-ONVSgVDPLTLPPdIGMtH4BQiDmLhiJkl09IWox1GePvrc1mziaYQL5BZxt2zYT0gHMhbsaCHjxRPVpNUhwgIOkxT8CK6NBPh0Qs1jc6RkVh89jr4FEN5_puuMt6C5zzNC5EawqKYL5xoEgciwbKDWAY8oXXYOVr_GHxJy8vHTzCQp7h06RlZ4tKHOJGBfEvArR0LW_RGNS8gHVlmePj3ekdODyZPs2oOXzh4-LrWvzRbSeg0oy7BvgZ0We9r_Gwq7htaIkI_0gt9IdyHCH2OaaS41KJHd2EROmNM0McwwYTH7-zHwOm7M9lnLk6szL4xu2aHK9o_trvt9rmt2mY17vv-cfdcbfoN4m5Dj0a3zU63aPrts3netXpl93VVN49VXVXbx03drNtt05tt2-mNqbB6rtSmogmtWzt3mtYhDqvSlPt21z43K4cdOS47f10X42Rnejqs4l7GP3R5YLWpnOXEd4Rkk6PrmSAeZN-F7A0Z8OLAvbGtySSnwe835HTfkR9-OlJWObr9mNLMsuPW76p-H2wac7fWYVL1uxC53h7mGOR4UfV70SXnRpH2XwAAAP__8w5gpg">