[clang] [Clang] Fix stack-use-after-return in TryArrayCopy by allocating OpaqueValueExpr on the ASTContext (PR #192080)

Tue Apr 14 09:19:58 PDT 2026

https://github.com/TPPPP72 updated https://github.com/llvm/llvm-project/pull/192080

>From 6318e679c94f0f5c4846dcb55de94b673f140bd9 Mon Sep 17 00:00:00 2001
From: TPPPP72 <906483498 at qq.com>
Date: Wed, 15 Apr 2026 00:19:32 +0800
Subject: [PATCH] [Clang] Fix stack-use-after-return in TryArrayCopy by
 allocating OpaqueValueExpr on the ASTContext

---
 clang/lib/Sema/SemaInit.cpp     |  8 ++++----
 clang/test/SemaCXX/gh192026.cpp | 16 ++++++++++++++++
 2 files changed, 20 insertions(+), 4 deletions(-)
 create mode 100644 clang/test/SemaCXX/gh192026.cpp

diff --git a/clang/lib/Sema/SemaInit.cpp b/clang/lib/Sema/SemaInit.cpp
index e54a25405c816..991e7d42bdb87 100644
--- a/clang/lib/Sema/SemaInit.cpp
+++ b/clang/lib/Sema/SemaInit.cpp
@@ -4380,10 +4380,10 @@ static void TryArrayCopy(Sema &S, const InitializationKind &Kind,
       InitializedEntity::InitializeElement(S.Context, 0, Entity);
   QualType InitEltT =
       S.Context.getAsArrayType(Initializer->getType())->getElementType();
-  OpaqueValueExpr OVE(Initializer->getExprLoc(), InitEltT,
-                      Initializer->getValueKind(),
-                      Initializer->getObjectKind());
-  Expr *OVEAsExpr = &OVE;
+  OpaqueValueExpr *OVE = new (S.Context) OpaqueValueExpr(
+      Initializer->getExprLoc(), InitEltT, Initializer->getValueKind(),
+      Initializer->getObjectKind());
+  Expr *OVEAsExpr = OVE;
   Sequence.InitializeFrom(S, Element, Kind, OVEAsExpr,
                           /*TopLevelOfInitList*/ false,
                           TreatUnavailableAsInvalid);
diff --git a/clang/test/SemaCXX/gh192026.cpp b/clang/test/SemaCXX/gh192026.cpp
new file mode 100644
index 0000000000000..3b179f8420119
--- /dev/null
+++ b/clang/test/SemaCXX/gh192026.cpp
@@ -0,0 +1,16 @@
+// RUN: %clang_cc1 -fsyntax-only -verify %s
+
+struct ControlSwitcher { bool b; };
+
+class ComplexChain {
+  volatile union {
+    char flag_byte;
+    int ref_count;
+  } state_flags[5]; // expected-note {{copy constructor of 'ComplexChain' is implicitly deleted because field 'state_flags' has no copy constructor}}
+
+  ControlSwitcher cs{true};
+
+  ComplexChain trigger_bug() {
+    return *this; // expected-error {{call to implicitly-deleted copy constructor of 'ComplexChain'}}
+  }
+};

