[cfe-dev] parser heap-use-after-free

Richard Smith via cfe-dev cfe-dev at lists.llvm.org
Wed Apr 4 13:32:10 PDT 2018


Thanks, filed as https://llvm.org/PR37008

On 3 April 2018 at 19:33, Jim Meyering via cfe-dev <cfe-dev at lists.llvm.org>
wrote:

> Hello,
>
> [As with yesterday's report, I would have used your bugs.llvm.org
> bug-reporting form, but have no account and still have not heard back
> from bugs-admin at lists.llvm.org regarding my registration request]
>
> This was a bit tricky even to find/reduce with a default clang build,
> but once I built clang itself with ASAN, it's obvious and consistently
> reproducible -- alternatively, set e.g., MALLOC_DEBUG_=45 (or any other
> value in 1..255) to make it more consistently reproducible with the
> non-ASAN binary.
>
> Here's the minimized reproducer:
>
>   printf 'template <int> void ngX() template z()->ngY<>;' | clang -cc1 -x c++
>
> Here's most of the resulting output:
>
> <stdin>:1:26: error: expected ';' at end of declaration
> template <int> void ngX() template z()->ngY<>;
>                          ^
>                          ;
> <stdin>:1:41: error: no template named 'ngY'; did you mean 'ngX'?
> template <int> void ngX() template z()->ngY<>;
>                                         ^~~
>                                         ngX
> <stdin>:1:21: note: 'ngX' declared here
> template <int> void ngX() template z()->ngY<>;
>                     ^
> <stdin>:1:41: error: expected a type
> template <int> void ngX() template z()->ngY<>;
>                                         ^
> <stdin>:1:41: error: variable cannot be defined in an explicit
> instantiation; if this declaration is meant to be a variable definition,
> remove the 'template' keyword
> template <int> void ngX() template z()->ngY<>;
>                           ~~~~~~~~~     ^
> <stdin>:1:36: error: C++ requires a type specifier for all declarations
> template <int> void ngX() template z()->ngY<>;
>                                    ^
> <stdin>:1:45: error: expected ';' at end of declaration
> template <int> void ngX() template z()->ngY<>;
>                                             ^
>                                             ;
> =================================================================
> ==3876978==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x607000001a30 at pc 0x000005a27670 bp 0x7ffd8a754350 sp 0x7ffd8a754348
> READ of size 4 at 0x607000001a30 thread T0
>     #0 0x5a2766f in clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&,
> clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier,
> clang::Parser::DeclSpecContext, clang::Parser::LateParsedAttrList*)
> /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:3310
>     #1 0x59f70e3 in clang::Parser::ParseDeclOrFunctionDefInternal
> (clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec&,
> clang::AccessSpecifier) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:922
>     #2 0x59f6b86 in clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&,
> clang::ParsingDeclSpec*, clang::AccessSpecifier) /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:1028
>     #3 0x59f56f2 in clang::Parser::ParseExternalDeclaration(
> clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*)
> /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:853
>     #4 0x59f45d1 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&)
> /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:609
>     #5 0x59ee6bb in clang::ParseAST(clang::Sema&, bool, bool)
> /tmp/llvm/tools/clang/lib/Parse/ParseAST.cpp:152
>     #6 0x3c95c64 in clang::FrontendAction::Execute()
> /tmp/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:904
>     #7 0x3c03f86 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
> /tmp/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:989
>     #8 0x3e0bf27 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
> /tmp/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:255
>     #9 0xf90faf in cc1_main(llvm::ArrayRef<char const*>, char const*,
> void*) /tmp/llvm/tools/clang/tools/driver/cc1_main.cpp:221
>     #10 0xf818e9 in ExecuteCC1Tool(llvm::ArrayRef<char const*>,
> llvm::StringRef) /tmp/llvm/tools/clang/tools/driver/driver.cpp:310
>     #11 0xf81581 in main /tmp/llvm/tools/clang/tools/driver/driver.cpp:390
>     #12 0x7f6051da4c04 in __libc_start_main ??:?
>     #13 0xe5fe33 in _start ??:?
>
> 0x607000001a30 is located 64 bytes inside of 80-byte region
> [0x6070000019f0,0x607000001a40)
> freed by thread T0 here:
>     #0 0xf372c0 in __interceptor_free.localalias.0 crtstuff.c:?
>     #1 0x59feac7 in ~DestroyTemplateIdAnnotationsRAIIObj
> /tmp/llvm/build/../tools/clang/include/clang/Parse/RAIIObjectsForParser.h:459
>     #2 0x59f580d in clang::Parser::ParseExternalDeclaration(
> clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*)
> /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:859
>     #3 0x59f45d1 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&)
> /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:609
>     #4 0x59ee6bb in clang::ParseAST(clang::Sema&, bool, bool)
> /tmp/llvm/tools/clang/lib/Parse/ParseAST.cpp:152
>     #5 0x3c95c64 in clang::FrontendAction::Execute()
> /tmp/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:904
>     #6 0x3c03f86 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
> /tmp/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:989
>     #7 0x3e0bf27 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
> /tmp/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:255
>     #8 0xf90faf in cc1_main(llvm::ArrayRef<char const*>, char const*,
> void*) /tmp/llvm/tools/clang/tools/driver/cc1_main.cpp:221
>     #9 0xf818e9 in ExecuteCC1Tool(llvm::ArrayRef<char const*>,
> llvm::StringRef) /tmp/llvm/tools/clang/tools/driver/driver.cpp:310
>     #10 0xf81581 in main /tmp/llvm/tools/clang/tools/driver/driver.cpp:390
>     #11 0x7f6051da4c04 in __libc_start_main ??:?
>
> previously allocated by thread T0 here:
>     #0 0xf374d0 in __interceptor_malloc ??:?
>     #1 0xfb2b0a in llvm::safe_malloc(unsigned long)
> /tmp/llvm/build/../include/llvm/Support/Allocator.h:447
>     #2 0x5aa115c in clang::TemplateIdAnnotation::Create(clang::CXXScopeSpec,
> clang::SourceLocation, clang::SourceLocation, clang::IdentifierInfo*,
> clang::OverloadedOperatorKind, clang::OpaquePtr<clang::TemplateName>,
> clang::TemplateNameKind, clang::SourceLocation, clang::SourceLocation,
> llvm::ArrayRef<clang::ParsedTemplateArgument>,
> llvm::SmallVectorImpl<clang::TemplateIdAnnotation*>&)
> /tmp/llvm/build/../tools/clang/include/clang/Sema/ParsedTemplate.h:202
>     #3 0x5b102e9 in clang::Parser::AnnotateTemplateIdToken(clang::OpaquePtr<clang::TemplateName>, clang::TemplateNameKind,
> clang::CXXScopeSpec&, clang::SourceLocation, clang::UnqualifiedId&, bool)
> /tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:1042
>     #4 0x5a8f564 in clang::Parser::ParseOptionalCXXScopeSpecifier(clang::CXXScopeSpec&,
> clang::OpaquePtr<clang::QualType>, bool, bool*, bool,
> clang::IdentifierInfo**, bool) /tmp/llvm/tools/clang/lib/Parse/ParseExprCXX.cpp:497
>     #5 0x59fc010 in clang::Parser::TryAnnotateCXXScopeToken(bool)
> /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:1886
>     #6 0x5a23ae9 in clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&,
> clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier,
> clang::Parser::DeclSpecContext, clang::Parser::LateParsedAttrList*)
> /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:3212
>     #7 0x5a11ff0 in clang::Parser::ParseSpecifierQualifierList(clang::DeclSpec&,
> clang::AccessSpecifier, clang::Parser::DeclSpecContext)
> /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:2389
>     #8 0x5a11c31 in clang::Parser::ParseTypeName(clang::SourceRange*,
> clang::DeclaratorContext, clang::AccessSpecifier, clang::Decl**,
> clang::ParsedAttributes*) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:58
>     #9 0x5a39bcd in clang::Parser::ParseFunctionDeclarator(clang::Declarator&,
> clang::ParsedAttributes&, clang::BalancedDelimiterTracker&, bool, bool)
> /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:6152
>     #10 0x5a3692c in clang::Parser::ParseDirectDeclarator(clang::Declarator&)
> /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:5789
>     #11 0x5a34e6e in clang::Parser::ParseDeclaratorInternal(clang::Declarator&,
> void (clang::Parser::*)(clang::Declarator&)) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:5340
>     #12 0x5b0b10e in clang::Parser::ParseSingleDeclarationAfterTemplate(clang::DeclaratorContext, clang::Parser::ParsedTemplateInfo const&,
> clang::ParsingDeclRAIIObject&, clang::SourceLocation&,
> clang::AccessSpecifier, clang::AttributeList*) /tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:238
>     #13 0x5b09d9b in clang::Parser::ParseExplicitInstantiation(clang::DeclaratorContext,
> clang::SourceLocation, clang::SourceLocation, clang::SourceLocation&,
> clang::AccessSpecifier) /tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:1318
>     #14 0x5b09b40 in clang::Parser::ParseDeclarationStartingWithTemplate(clang::DeclaratorContext, clang::SourceLocation&,
> clang::AccessSpecifier, clang::AttributeList*) /tmp/llvm/tools/clang/lib/Parse/ParseTemplate.cpp:34
>     #15 0x5a22609 in clang::Parser::ParseDeclaration(clang::DeclaratorContext,
> clang::SourceLocation&, clang::Parser::ParsedAttributesWithRange&)
> /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:1686
>     #16 0x59f4d97 in clang::Parser::ParseExternalDeclaration(
> clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*)
> /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:786
>     #17 0x59f45d1 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&)
> /tmp/llvm/tools/clang/lib/Parse/Parser.cpp:609
>     #18 0x59ee6bb in clang::ParseAST(clang::Sema&, bool, bool)
> /tmp/llvm/tools/clang/lib/Parse/ParseAST.cpp:152
>     #19 0x3c95c64 in clang::FrontendAction::Execute()
> /tmp/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:904
>     #20 0x3c03f86 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
> /tmp/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:989
>     #21 0x3e0bf27 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
> /tmp/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:255
>     #22 0xf90faf in cc1_main(llvm::ArrayRef<char const*>, char const*,
> void*) /tmp/llvm/tools/clang/tools/driver/cc1_main.cpp:221
>     #23 0xf818e9 in ExecuteCC1Tool(llvm::ArrayRef<char const*>,
> llvm::StringRef) /tmp/llvm/tools/clang/tools/driver/driver.cpp:310
>     #24 0xf81581 in main /tmp/llvm/tools/clang/tools/driver/driver.cpp:390
>     #25 0x7f6051da4c04 in __libc_start_main ??:?
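An added triage helper, not part of this thread and not clang's own code: it parses a report in the AddressSanitizer layout quoted above into the access, free and allocation stacks and names the first frame of each that is not a sanitizer interceptor or allocator wrapper, which is the frame a reviewer reads first (here the RAII destructor that freed the annotation and the parser function that then read it). The embedded report is a constructed, shortened sample, and the WRAPPERS list is a heuristic assumption.

```python
import re

# Constructed sample in the layout of the AddressSanitizer report quoted above; only a few frames per stack are kept.
SAMPLE_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000001a30 at pc 0x5a27670 bp 0x7ffd8a754350 sp 0x7ffd8a754348
READ of size 4 at 0x607000001a30 thread T0
    #0 0x5a2766f in clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&) /tmp/llvm/tools/clang/lib/Parse/ParseDecl.cpp:3310

0x607000001a30 is located 64 bytes inside of 80-byte region [0x6070000019f0,0x607000001a40)
freed by thread T0 here:
    #0 0xf372c0 in __interceptor_free.localalias.0 crtstuff.c:?
    #1 0x59feac7 in ~DestroyTemplateIdAnnotationsRAIIObj /tmp/llvm/build/../tools/clang/include/clang/Parse/RAIIObjectsForParser.h:459

previously allocated by thread T0 here:
    #0 0xf374d0 in __interceptor_malloc ??:?
    #1 0xfb2b0a in llvm::safe_malloc(unsigned long) /tmp/llvm/build/../include/llvm/Support/Allocator.h:447
    #2 0x5aa115c in clang::TemplateIdAnnotation::Create(clang::CXXScopeSpec) /tmp/llvm/build/../tools/clang/include/clang/Sema/ParsedTemplate.h:202
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at")
REGION = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.*) (\S+)$")  # function text, then the last token is file:line
# Heuristic (assumption): prefixes of runtime interceptors and allocator wrappers that never name the responsible code.
WRAPPERS = ("__interceptor_", "__asan_", "__sanitizer", "llvm::safe_malloc")

def parse_asan_report(text):
    """Split an ASan report into its error header and the access/freed/allocated stacks."""
    rep = {"kind": None, "address": None, "access": None, "region": None,
           "stacks": {"access": [], "freed": [], "allocated": []}}
    section = None
    for line in text.splitlines():
        if m := HEADER.search(line):
            rep["kind"], rep["address"] = m.group(1), m.group(2)
        elif m := ACCESS.match(line):
            rep["access"], section = (m.group(1), int(m.group(2))), "access"
        elif m := REGION.search(line):
            rep["region"] = (int(m.group(1)), int(m.group(2)))  # (offset inside object, object size)
        elif line.startswith("freed by thread"):
            section = "freed"
        elif line.startswith("previously allocated by thread"):
            section = "allocated"
        elif (m := FRAME.match(line)) and section:
            rep["stacks"][section].append((m.group(1), m.group(2)))
    return rep

def blame_frame(frames):
    """First frame that is neither a sanitizer interceptor nor an allocator wrapper."""
    return next(((f, l) for f, l in frames if not f.startswith(WRAPPERS)), ("?", "?"))

def triage(rep):
    """Per stack, the frame to read first: where the object was allocated, freed, and then used."""
    return {name: "%s (%s)" % blame_frame(fr) for name, fr in rep["stacks"].items()}
```

With the region offset (64 bytes into an 80-byte object) the same helper also tells you which field of the freed object was read, once you have the type's layout.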