Issue 165555
Summary [clang-fuzzer] Crash in `llvm::APInt::APInt`
Labels new issue
Assignees
Reporter gal1ium
Hi, while testing clang with the fuzzing driver `clang-fuzzer`, it found a crashing case:

Version: 531fd45e9238d0485e3268aaf14ae15d01c7740f

PoC:
```c
nstexpr ool e(in0){switch(0)0=0:eturn t(
```

Crashing thread backtrace:
```
#0  0x00007ffff7a51e10 in __memmove_avx512_unaligned_erms (/lib/x86_64-linux-gnu/libc.so.6)
    at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:873

#1  0x000055555d390b44 in llvm::APInt::APInt (fuzz-binaries/clang-fuzzer)
    at /src/llvm/llvm/include/llvm/ADT/APInt.h:180

#2  0x000055555d390b44 in llvm::APSInt::APSInt (fuzz-binaries/clang-fuzzer)
    at /src/llvm/llvm/include/llvm/ADT/APSInt.h:24

#3  0x000055555d390b44 in clang::Expr::EvaluateKnownConstInt (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/AST/ExprConstant.cpp:19018

#4  0x000055555d3de9eb in EvaluateSwitch (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/include/clang/AST/Stmt.h:1945

#5  0x000055555d3de9eb in EvaluateStmt (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/AST/ExprConstant.cpp:5941

#6  0x000055555d3db543 in EvaluateStmt (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/AST/ExprConstant.cpp:5700

#7  0x000055555d3ee388 in HandleFunctionCall (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/AST/ExprConstant.cpp:6745

#8  0x000055555d481909 in clang::Expr::isPotentialConstantExpr (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/AST/ExprConstant.cpp:19757

#9  0x000055555b14224a in CheckConstexprFunctionBody (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/Sema/SemaDeclCXX.cpp:2545

#10 0x000055555b14224a in clang::Sema::CheckConstexprFunctionDefinition (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/Sema/SemaDeclCXX.cpp:2001

#11 0x000055555af5eeff in clang::Sema::ActOnFinishFunctionBody (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/Sema/SemaDecl.cpp:16803

#12 0x000055555a166d18 in clang::Parser::ParseFunctionStatementBody (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/include/clang/Sema/Ownership.h:204

#13 0x0000555559ffe009 in clang::Parser::ParseFunctionDefinition (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/Parse/Parser.cpp:1448

#14 0x000055555a05f588 in clang::Parser::ParseDeclGroup (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/Parse/ParseDecl.cpp:2265

#15 0x0000555559fea9b0 in clang::Parser::ParseDeclOrFunctionDefInternal (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/Parse/Parser.cpp:1187

#16 0x0000555559fec23b in clang::Parser::ParseDeclarationOrFunctionDefinition (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/Parse/Parser.cpp:1209

#17 0x000055555a0024f0 in clang::Parser::ParseExternalDeclaration (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/Parse/Parser.cpp:1032

#18 0x000055555a006d15 in clang::Parser::ParseTopLevelDecl (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/Parse/Parser.cpp:745

#19 0x000055555a0079a0 in clang::Parser::ParseFirstTopLevelDecl (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/Parse/Parser.cpp:601

#20 0x0000555559fbff86 in clang::ParseAST (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/Parse/ParseAST.cpp:169

#21 0x0000555559ec1b28 in clang::ASTFrontendAction::ExecuteAction (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/Frontend/FrontendAction.cpp:1432

#22 0x00005555564f8aa2 in clang::CodeGenAction::ExecuteAction (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/CodeGen/CodeGenAction.cpp:1109

#23 0x0000555559ed30d2 in clang::FrontendAction::Execute (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/Frontend/FrontendAction.cpp:1312

#24 0x0000555559da3af8 in clang::CompilerInstance::ExecuteAction (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/lib/Frontend/CompilerInstance.cpp:1003

#25 0x0000555559d46f8e in clang::tooling::FrontendActionFactory::runInvocation (fuzz-binaries/clang-fuzzer)
    443: bool clang::tooling::FrontendActionFactory::runInvocation(this = (clang::tooling::FrontendActionFactory * const)0x5555617751b0, Invocation = (std::shared_ptr<clang::CompilerInvocation>)std::shared_ptr<clang::CompilerInvocation> (empty) = {get() = 0x0}, Files = (clang::FileManager *)0x5555617715d0, PCHContainerOps = (std::shared_ptr<clang::PCHContainerOperations>)std::shared_ptr<clang::PCHContainerOperations> (empty) = {get() = 0x0}, DiagConsumer = (clang::DiagnosticConsumer *)0x7fffffff9990) {
    |||:
    ---: }
    at /usr/include/c++/9/bits/unique_ptr.h:154

#26 0x00005555564db128 in clang_fuzzer::HandleCXX (fuzz-binaries/clang-fuzzer)
    23: void clang_fuzzer::HandleCXX(S = (const std::string &)"nstexpr ool e(in0){switch(0)0=0:eturn t(", FileName = (const char *)0x5555558e74b7 "./test.cc", ExtraArgs = (const std::vector<char const*, std::allocator<char const*> > &)std::vector of length 1, capacity 1 = {0x5555559613a3 "-O2"}) {
    ||||:
    1386:       template<typename _Yp, typename _Yp2 = typename remove_cv<_Yp>::type>
    1387: 	typename enable_if<!__has_esft_base<_Yp2>::value>::type
    1388: 	_M_enable_shared_from_this_with(_Yp*) noexcept
    ||||:
    ----: }
    at /usr/include/c++/9/bits/shared_ptr_base.h:1388

#27 0x00005555564d3832 in LLVMFuzzerTestOneInput (fuzz-binaries/clang-fuzzer)
    at /src/llvm/clang/tools/clang-fuzzer/ClangFuzzer.cpp:23
```
_______________________________________________
llvm-bugs mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs