[LLVMbugs] [Bug 5884] New: Use-after-free inside CXXBaseOrMemberInitializer::CXXBaseOrMemberInitializer()

bugzilla-daemon at cs.uiuc.edu bugzilla-daemon at cs.uiuc.edu
Fri Dec 25 13:19:59 PST 2009


http://llvm.org/bugs/show_bug.cgi?id=5884

           Summary: Use-after-free inside
                    CXXBaseOrMemberInitializer::CXXBaseOrMemberInitializer()
           Product: clang
           Version: unspecified
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Semantic Analyzer
        AssignedTo: unassignedclangbugs at nondot.org
        ReportedBy: asl at math.spbu.ru
                CC: llvmbugs at cs.uiuc.edu


Consider the attached preprocessed source.

clang++ q3listview.ii yields:
clang:
/home/asl/proj/llvm/src/tools/clang/lib/Frontend/../../include/clang/AST/Stmt.h:201:
clang::Stmt::StmtClass clang::Stmt::getStmtClass() const: Assertion `RefCount
>= 1 && "Referencing already-destroyed statement!"' failed.

valgrind indicates that this seems to be indeed so:
==21959== Invalid read of size 8
==21959==    at 0x8A8D18:
clang::CXXBaseOrMemberInitializer::CXXBaseOrMemberInitializer(clang::ASTContext&,
clang::TypeSourceInfo*, clang::CXXConstructorDecl*, clang::SourceLocation,
clang::Expr**, unsigned int, clang::SourceLocation) (DeclCXX.cpp:678)
==21959==    by 0x77785B: clang::Sema::BuildBaseInitializer(clang::QualType,
clang::TypeSourceInfo*, clang::Expr**, unsigned int, clang::SourceLocation,
clang::SourceLocation, clang::CXXRecordDecl*) (SemaDeclCXX.cpp:1272)
==21959==    by 0x777CD3: clang::Sema::ActOnMemInitializer(clang::OpaquePtr<0>,
clang::Scope*, clang::CXXScopeSpec const&, clang::IdentifierInfo*, void*,
clang::SourceLocation, clang::SourceLocation, void**, unsigned int,
clang::SourceLocation*, clang::SourceLocation) (SemaDeclCXX.cpp:1037)
==21959==    by 0x93F495:
clang::Parser::ParseMemInitializer(clang::OpaquePtr<0>) (ParseDeclCXX.cpp:1568)
==21959==    by 0x93F550:
clang::Parser::ParseConstructorInitializer(clang::OpaquePtr<0>)
(ParseDeclCXX.cpp:1491)
==21959==    by 0x959DCE:
clang::Parser::ParseLexedMethodDefs(clang::Parser::ParsingClass&)
(ParseCXXInlineMethods.cpp:201)
==21959==    by 0x9419DA:
clang::Parser::ParseCXXMemberSpecification(clang::SourceLocation, unsigned int,
clang::OpaquePtr<0>) (ParseDeclCXX.cpp:1452)
==21959==    by 0x942CF5:
clang::Parser::ParseClassSpecifier(clang::tok::TokenKind,
clang::SourceLocation, clang::DeclSpec&, clang::Parser::ParsedTemplateInfo
const&, clang::AccessSpecifier) (ParseDeclCXX.cpp:860)
==21959==    by 0x93847B:
clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&,
clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier,
clang::Parser::DeclSpecContext) (ParseDecl.cpp:1202)
==21959==    by 0x92DB83:
clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsingDeclSpec&,
clang::AttributeList*, clang::AccessSpecifier) (Parser.cpp:544)
==21959==    by 0x92DFDA:
clang::Parser::ParseDeclarationOrFunctionDefinition(clang::AttributeList*,
clang::AccessSpecifier) (Parser.cpp:600)
==21959==    by 0x92F91E:
clang::Parser::ParseExternalDeclaration(clang::CXX0XAttributeList)
(Parser.cpp:488)
==21959==  Address 0x67e6c78 is 0 bytes inside a block of size 128 free'd
==21959==    at 0x4C21EBC: operator delete(void*) (vg_replace_malloc.c:342)
==21959==    by 0x77FC0B: llvm::SmallVectorImpl<void*>::~SmallVectorImpl()
(SmallVector.h:275)
==21959==    by 0x77FC28: llvm::SmallVector<void*, 8u>::~SmallVector()
(SmallVector.h:644)
==21959==    by 0x77FCCE:
clang::ASTOwningVector<&(clang::ActionBase::DeleteExpr(void*)),
8u>::~ASTOwningVector() (Ownership.h:751)
==21959==    by 0x7777CF: clang::Sema::BuildBaseInitializer(clang::QualType,
clang::TypeSourceInfo*, clang::Expr**, unsigned int, clang::SourceLocation,
clang::SourceLocation, clang::CXXRecordDecl*) (SemaDeclCXX.cpp:1263)
==21959==    by 0x777CD3: clang::Sema::ActOnMemInitializer(clang::OpaquePtr<0>,
clang::Scope*, clang::CXXScopeSpec const&, clang::IdentifierInfo*, void*,
clang::SourceLocation, clang::SourceLocation, void**, unsigned int,
clang::SourceLocation*, clang::SourceLocation) (SemaDeclCXX.cpp:1037)
==21959==    by 0x93F495:
clang::Parser::ParseMemInitializer(clang::OpaquePtr<0>) (ParseDeclCXX.cpp:1568)
==21959==    by 0x93F550:
clang::Parser::ParseConstructorInitializer(clang::OpaquePtr<0>)
(ParseDeclCXX.cpp:1491)
==21959==    by 0x959DCE:
clang::Parser::ParseLexedMethodDefs(clang::Parser::ParsingClass&)
(ParseCXXInlineMethods.cpp:201)
==21959==    by 0x9419DA:
clang::Parser::ParseCXXMemberSpecification(clang::SourceLocation, unsigned int,
clang::OpaquePtr<0>) (ParseDeclCXX.cpp:1452)
==21959==    by 0x942CF5:
clang::Parser::ParseClassSpecifier(clang::tok::TokenKind,
clang::SourceLocation, clang::DeclSpec&, clang::Parser::ParsedTemplateInfo
const&, clang::AccessSpecifier) (ParseDeclCXX.cpp:860)
==21959==    by 0x93847B:
clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&,
clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier,
clang::Parser::DeclSpecContext) (ParseDecl.cpp:1202)

