[clang] [clangd][Parser][Sema] Fix TemplateIdAnnotation UAF with template-id … (PR #196788)

Sun, 10 May 2026 07:21:05 -0700 

https://github.com/clingfei created 
https://github.com/llvm/llvm-project/pull/196788

…declarator and lambda default argument.

I think this is another case of template annotations lifetime bug, similar to 
the one fixed by https://github.com/llvm/llvm-project/pull/89494.

Closes https://github.com/llvm/llvm-project/issues/196725.

>From 73b6b5dd61385b1c62f30951d0b98f38fcf16977 Mon Sep 17 00:00:00 2001
From: clingfei <[email protected]>
Date: Sun, 10 May 2026 16:42:45 +0800
Subject: [PATCH] [clangd][Parser][Sema] Fix TemplateIdAnnotation UAF with
 template-id declarator and lambda default argument

---
 clang/lib/Parse/ParseDecl.cpp          | 8 ++++++++
 clang/test/Parser/cxx-default-args.cpp | 6 ++++++
 2 files changed, 14 insertions(+)

diff --git a/clang/lib/Parse/ParseDecl.cpp b/clang/lib/Parse/ParseDecl.cpp
index 55ea562faacaa..1a04ca7f43647 100644
--- a/clang/lib/Parse/ParseDecl.cpp
+++ b/clang/lib/Parse/ParseDecl.cpp
@@ -7748,6 +7748,14 @@ void Parser::ParseParameterDeclarationClause(
           // Consume the '='.
           ConsumeToken();
 
+          // The default argument may contain a lambda whose body triggers
+          // MaybeDestroyTemplateIds at the end of the inner statements; avoid
+          // destroying parsed template-ids that may still be referenced by
+          // the enclosing declarator (e.g. a template-id in the function
+          // name or other parameters).
+          DelayTemplateIdDestructionRAII DontDestructTemplateIds(
+              *this, /*DelayTemplateIdDestruction=*/true);
+
           // The argument isn't actually potentially evaluated unless it is
           // used.
           EnterExpressionEvaluationContext Eval(
diff --git a/clang/test/Parser/cxx-default-args.cpp 
b/clang/test/Parser/cxx-default-args.cpp
index 5b7d22a56bb91..9fd9651031023 100644
--- a/clang/test/Parser/cxx-default-args.cpp
+++ b/clang/test/Parser/cxx-default-args.cpp
@@ -40,3 +40,9 @@ struct U {
   void i(int x = ) {} // expected-error{{expected expression}}
   typedef int *fp(int x = ); // expected-error{{default arguments can only be 
specified for parameters in a function declaration}}
 };
+
+namespace {
+void f<>(int = []{;}) {} // expected-error{{no viable conversion from}} \
+                         // expected-error{{template specialization requires 
'template<>'}} \
+                         // expected-note 2{{}}
+}

_______________________________________________
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

Reply via email to