[clang] [clang][ByteCode] Fix crash when dereferencing cast to larger type (PR #179030)

Sun, 01 Feb 2026 22:58:31 -0800 

https://github.com/mugiwaraluffy56 updated 
https://github.com/llvm/llvm-project/pull/179030

>From 57b251561ebfed846d847d7ecd55907f3facf74f Mon Sep 17 00:00:00 2001
From: mugiwaraluffy56 <[email protected]>
Date: Sat, 31 Jan 2026 18:02:24 +0530
Subject: [PATCH] [clang][ByteCode] Fix crash when dereferencing cast to larger
 type

When dereferencing a pointer that was reinterpret_cast to a larger type
(e.g. *(int**)""), check if the pointer descriptor's primitive type
matches what we're trying to read. If not, return std::nullopt to
gracefully fail the constant evaluation instead of crashing.

Fixes #179015
---
 clang/lib/AST/ByteCode/Pointer.cpp  | 6 ++++++
 clang/test/AST/ByteCode/invalid.cpp | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/clang/lib/AST/ByteCode/Pointer.cpp 
b/clang/lib/AST/ByteCode/Pointer.cpp
index a1ab492e5cb37..80c2bc3df31dd 100644
--- a/clang/lib/AST/ByteCode/Pointer.cpp
+++ b/clang/lib/AST/ByteCode/Pointer.cpp
@@ -947,6 +947,12 @@ std::optional<APValue> Pointer::toRValue(const Context 
&Ctx,
 
   // Just load primitive types.
   if (OptPrimType T = Ctx.classify(ResultType)) {
+    // Check if the pointer descriptor's primitive type matches what we're
+    // trying to read. This fails when we reinterpret_cast a pointer to a
+    // different type (e.g. *(int**)"").
+    if (const Descriptor *D = getFieldDesc();
+        (D->isPrimitive() || D->isPrimitiveArray()) && D->getPrimType() != *T)
+      return std::nullopt;
     TYPE_SWITCH(*T, return this->deref<T>().toAPValue(ASTCtx));
   }
 
diff --git a/clang/test/AST/ByteCode/invalid.cpp 
b/clang/test/AST/ByteCode/invalid.cpp
index f7f2da2769d65..7c9433ec065ee 100644
--- a/clang/test/AST/ByteCode/invalid.cpp
+++ b/clang/test/AST/ByteCode/invalid.cpp
@@ -57,6 +57,12 @@ namespace Casts {
 
   /// Just make sure this doesn't crash.
   float PR9558 = reinterpret_cast<const float&>("asd");
+
+  /// Ensure we don't crash when trying to dereference a cast pointer where the
+  /// target type is larger than the source allocation (GH#179015).
+  void GH179015() {
+    *(int **)""; // both-warning {{expression result unused}}
+  }
 }
 
 

_______________________________________________
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

Reply via email to