Issue 175702
Summary [Clang] Heap-use-after-free in Parser::isCXXDeclarationSpecifier when parsing deeply nested compound statements with statement expressions
Labels clang
Assignees
Reporter Oneyux
    Generated by a fuzzer; the reproducer below is intentionally ill-formed and is meant to be compiled as-is (the backtrace cites column offsets within this single line).
Compiler Explorer: https://godbolt.org/z/dTcPzh7K9

`
int main ( ) { typedef struct tree_el node i , sum = 0 ; for ( i = 1 ; i <= LAST ; i ++ ) { sum += i ; } printf ( "sum = %d\n" , sum ) ; return printout ( printf ( printf ( i < cnt , cnt & ( printout ( printf ( printf ( i < cnt , 0x5b * printf ( i < cnt , 0x5b * ( ( { cnt & ( printf ( printf ( i < cnt , 0x5b * ( 1 / ( 1 / ( cnt & ( printout ( printf ( i < cnt , 0x5b * ( 1 / ( ( { if ( "%f%f%f" ) break ; - ( ( 0.0 / ( 0xaf >> 3 & ( ( ( 0xaf >> 3 & ( ( ( { for ( i = 0 , bi = i < 10 ; i < length ; ++ i , ++ bi ) if ( cnt < ( 0xaf >> 3 & 1 ) >> 3 ) break ; cnt < ( 0xaf >> 3 & 1 ) >> 3 ; } ) ) ) ) >> 0xb9 & 1 ) >> 0xb9 & 1 ) ) ) ) ; } ) ) ) ) ) >> 3 & 1 ) ) ) ) ) , sum ) >> 3 & 1 ) ; return 0 ; i ; return ( node ( ) ) -> val ; } ) ) ) ) , sum ) ) >> 3 & 1 ) ) , sum ) ) ; }
`

Backtrace (from the Compiler Explorer assertions build, which fails a SourceManager assertion while emitting a diagnostic rather than reporting the use-after-free named in the summary directly):
`
clang++: /root/llvm-project/llvm/tools/clang/lib/Basic/SourceManager.cpp:886: clang::FileID clang::SourceManager::getFileIDLoaded(clang::SourceLocation::UIntTy) const: Assertion `0 && "Invalid SLocOffset or bad function choice"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.	Program arguments: /opt/compiler-explorer/clang-assertions-trunk/bin/clang++ -g -o /app/output.s -mllvm --x86-asm-syntax=intel -fno-verbose-asm -S --gcc-toolchain=/opt/compiler-explorer/gcc-snapshot -fcolor-diagnostics -fno-crash-diagnostics <source>
1.	<source>:1:521: at annotation token
2.	<source>:1:14: parsing function body 'main'
3.	<source>:1:14: in compound statement ('{}')
4.	<source>:1:268: in compound statement ('{}')
5.	<source>:1:382: in compound statement ('{}')
6.	<source>:1:458: in compound statement ('{}')
  #0 0x000000000430abe8 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x430abe8)
  #1 0x0000000004308014 llvm::sys::CleanupOnSignal(unsigned long) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x4308014)
  #2 0x000000000424aa08 CrashRecoverySignalHandler(int) CrashRecoveryContext.cpp:0:0
  #3 0x0000753e82c42520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
  #4 0x0000753e82c969fc pthread_kill (/lib/x86_64-linux-gnu/libc.so.6+0x969fc)
  #5 0x0000753e82c42476 gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x42476)
  #6 0x0000753e82c287f3 abort (/lib/x86_64-linux-gnu/libc.so.6+0x287f3)
  #7 0x0000753e82c2871b (/lib/x86_64-linux-gnu/libc.so.6+0x2871b)
  #8 0x0000753e82c39e96 (/lib/x86_64-linux-gnu/libc.so.6+0x39e96)
  #9 0x000000000456d573 (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x456d573)
 #10 0x000000000456f52f (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x456f52f)
 #11 0x000000000457525a clang::SourceManager::getDecomposedLoc(clang::SourceLocation) const (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x457525a)
 #12 0x0000000004575843 clang::SourceManager::getFileCharacteristic(clang::SourceLocation) const (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x4575843)
 #13 0x00000000045591d3 clang::DiagnosticIDs::getDiagnosticSeverity(unsigned int, clang::SourceLocation, clang::DiagnosticsEngine const&) const (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x45591d3)
 #14 0x000000000455994b clang::DiagnosticIDs::getDiagnosticLevel(unsigned int, clang::SourceLocation, clang::DiagnosticsEngine const&) const (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x455994b)
 #15 0x000000000454ca5d clang::DiagnosticsEngine::ProcessDiag(clang::DiagnosticBuilder const&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x454ca5d)
 #16 0x000000000454cce5 clang::DiagnosticsEngine::EmitDiagnostic(clang::DiagnosticBuilder const&, bool) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x454cce5)
 #17 0x0000000000de5fbd clang::DiagnosticBuilder::~DiagnosticBuilder() (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0xde5fbd)
 #18 0x0000000006aeb2af clang::Parser::ParseUnqualifiedId(clang::CXXScopeSpec&, clang::OpaquePtr<clang::QualType>, bool, bool, bool, bool, bool, clang::SourceLocation*, clang::UnqualifiedId&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6aeb2af)
 #19 0x0000000006aeb865 clang::Parser::tryParseCXXIdExpression(clang::CXXScopeSpec&, bool, clang::Token&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6aeb865)
 #20 0x0000000006aebb90 clang::Parser::ParseCXXIdExpression(bool) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6aebb90)
 #21 0x0000000006acf8ca clang::Parser::ParseCastExpression(clang::CastParseKind, bool, bool&, clang::TypoCorrectionTypeBehavior, bool, bool*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6acf8ca)
 #22 0x0000000006ad1047 clang::Parser::ParseCastExpression(clang::CastParseKind, bool, clang::TypoCorrectionTypeBehavior, bool, bool*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad1047)
 #23 0x0000000006ad10d9 clang::Parser::ParseAssignmentExpression(clang::TypoCorrectionTypeBehavior) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad10d9)
 #24 0x0000000006ad56b9 clang::Parser::ParseExpression(clang::TypoCorrectionTypeBehavior) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad56b9)
 #25 0x0000000006ae6ae2 clang::Parser::ParseCXXCondition(clang::ActionResult<clang::Stmt*, true>*, clang::SourceLocation, clang::Sema::ConditionKind, bool, clang::Parser::ForRangeInfo*, bool) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ae6ae2)
 #26 0x0000000006b4f5db clang::Parser::ParseParenExprOrCondition(clang::ActionResult<clang::Stmt*, true>*, clang::Sema::ConditionResult&, clang::SourceLocation, clang::Sema::ConditionKind, clang::SourceLocation&, clang::SourceLocation&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6b4f5db)
 #27 0x0000000006b543d6 clang::Parser::ParseIfStatement(clang::SourceLocation*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6b543d6)
 #28 0x0000000006b51f1d clang::Parser::ParseStatementOrDeclarationAfterAttributes(llvm::SmallVector<clang::Stmt*, 24u>&, clang::Parser::ParsedStmtContext, clang::SourceLocation*, clang::ParsedAttributes&, clang::ParsedAttributes&, clang::LabelDecl*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6b51f1d)
 #29 0x0000000006b52e16 clang::Parser::ParseStatementOrDeclaration(llvm::SmallVector<clang::Stmt*, 24u>&, clang::Parser::ParsedStmtContext, clang::SourceLocation*, clang::LabelDecl*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6b52e16)
 #30 0x0000000006b53e1b clang::Parser::ParseStatement(clang::SourceLocation*, clang::Parser::ParsedStmtContext, clang::LabelDecl*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6b53e1b)
 #31 0x0000000006b5515f clang::Parser::ParseForStatement(clang::SourceLocation*, clang::LabelDecl*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6b5515f)
 #32 0x0000000006b51f52 clang::Parser::ParseStatementOrDeclarationAfterAttributes(llvm::SmallVector<clang::Stmt*, 24u>&, clang::Parser::ParsedStmtContext, clang::SourceLocation*, clang::ParsedAttributes&, clang::ParsedAttributes&, clang::LabelDecl*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6b51f52)
 #33 0x0000000006b52e16 clang::Parser::ParseStatementOrDeclaration(llvm::SmallVector<clang::Stmt*, 24u>&, clang::Parser::ParsedStmtContext, clang::SourceLocation*, clang::LabelDecl*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6b52e16)
 #34 0x0000000006b5b75e clang::Parser::ParseCompoundStatementBody(bool) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6b5b75e)
 #35 0x0000000006b5bed4 void llvm::function_ref<void ()>::callback_fn<clang::Parser::ParseCompoundStatement(bool, unsigned int)::'lambda'()>(long) ParseStmt.cpp:0:0
 #36 0x0000000008539031 clang::StackExhaustionHandler::runWithSufficientStackSpace(clang::SourceLocation, llvm::function_ref<void ()>) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x8539031)
 #37 0x0000000006b4c88a clang::Parser::ParseCompoundStatement(bool) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6b4c88a)
 #38 0x0000000006ad98b1 clang::Parser::ParseParenExpression(clang::ParenParseOption&, bool, clang::ParenExprKind, clang::TypoCorrectionTypeBehavior, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad98b1)
 #39 0x0000000006acfcd8 clang::Parser::ParseCastExpression(clang::CastParseKind, bool, bool&, clang::TypoCorrectionTypeBehavior, bool, bool*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6acfcd8)
 #40 0x0000000006ad1047 clang::Parser::ParseCastExpression(clang::CastParseKind, bool, clang::TypoCorrectionTypeBehavior, bool, bool*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad1047)
 #41 0x0000000006ad10d9 clang::Parser::ParseAssignmentExpression(clang::TypoCorrectionTypeBehavior) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad10d9)
 #42 0x0000000006ad56b9 clang::Parser::ParseExpression(clang::TypoCorrectionTypeBehavior) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad56b9)
 #43 0x0000000006ad9494 clang::Parser::ParseParenExpression(clang::ParenParseOption&, bool, clang::ParenExprKind, clang::TypoCorrectionTypeBehavior, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad9494)
 #44 0x0000000006acfcd8 clang::Parser::ParseCastExpression(clang::CastParseKind, bool, bool&, clang::TypoCorrectionTypeBehavior, bool, bool*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6acfcd8)
 #45 0x0000000006ad1047 clang::Parser::ParseCastExpression(clang::CastParseKind, bool, clang::TypoCorrectionTypeBehavior, bool, bool*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad1047)
 #46 0x0000000006ad10d9 clang::Parser::ParseAssignmentExpression(clang::TypoCorrectionTypeBehavior) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad10d9)
 #47 0x0000000006ad56b9 clang::Parser::ParseExpression(clang::TypoCorrectionTypeBehavior) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad56b9)
 #48 0x0000000006ad9494 clang::Parser::ParseParenExpression(clang::ParenParseOption&, bool, clang::ParenExprKind, clang::TypoCorrectionTypeBehavior, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad9494)
 #49 0x0000000006acfcd8 clang::Parser::ParseCastExpression(clang::CastParseKind, bool, bool&, clang::TypoCorrectionTypeBehavior, bool, bool*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6acfcd8)
 #50 0x0000000006ad1047 clang::Parser::ParseCastExpression(clang::CastParseKind, bool, clang::TypoCorrectionTypeBehavior, bool, bool*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad1047)
 #51 0x0000000006ad2116 clang::Parser::ParseRHSOfBinaryExpression(clang::ActionResult<clang::Expr*, true>, clang::prec::Level) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad2116)
 #52 0x0000000006ad56b9 clang::Parser::ParseExpression(clang::TypoCorrectionTypeBehavior) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad56b9)
 #53 0x0000000006ad9494 clang::Parser::ParseParenExpression(clang::ParenParseOption&, bool, clang::ParenExprKind, clang::TypoCorrectionTypeBehavior, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad9494)
 #54 0x0000000006acfcd8 clang::Parser::ParseCastExpression(clang::CastParseKind, bool, bool&, clang::TypoCorrectionTypeBehavior, bool, bool*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6acfcd8)
 #55 0x0000000006ad1047 clang::Parser::ParseCastExpression(clang::CastParseKind, bool, clang::TypoCorrectionTypeBehavior, bool, bool*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad1047)
 #56 0x0000000006ad10d9 clang::Parser::ParseAssignmentExpression(clang::TypoCorrectionTypeBehavior) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad10d9)
 #57 0x0000000006ad56b9 clang::Parser::ParseExpression(clang::TypoCorrectionTypeBehavior) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad56b9)
 #58 0x0000000006ad9494 clang::Parser::ParseParenExpression(clang::ParenParseOption&, bool, clang::ParenExprKind, clang::TypoCorrectionTypeBehavior, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad9494)
 #59 0x0000000006acfcd8 clang::Parser::ParseCastExpression(clang::CastParseKind, bool, bool&, clang::TypoCorrectionTypeBehavior, bool, bool*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6acfcd8)
 #60 0x0000000006ad1047 clang::Parser::ParseCastExpression(clang::CastParseKind, bool, clang::TypoCorrectionTypeBehavior, bool, bool*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad1047)
 #61 0x0000000006ad10d9 clang::Parser::ParseAssignmentExpression(clang::TypoCorrectionTypeBehavior) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad10d9)
 #62 0x0000000006ad56b9 clang::Parser::ParseExpression(clang::TypoCorrectionTypeBehavior) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad56b9)
 #63 0x0000000006ad9494 clang::Parser::ParseParenExpression(clang::ParenParseOption&, bool, clang::ParenExprKind, clang::TypoCorrectionTypeBehavior, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad9494)
 #64 0x0000000006acfcd8 clang::Parser::ParseCastExpression(clang::CastParseKind, bool, bool&, clang::TypoCorrectionTypeBehavior, bool, bool*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6acfcd8)
 #65 0x0000000006ad1047 clang::Parser::ParseCastExpression(clang::CastParseKind, bool, clang::TypoCorrectionTypeBehavior, bool, bool*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad1047)
 #66 0x0000000006ad2116 clang::Parser::ParseRHSOfBinaryExpression(clang::ActionResult<clang::Expr*, true>, clang::prec::Level) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad2116)
 #67 0x0000000006ad56b9 clang::Parser::ParseExpression(clang::TypoCorrectionTypeBehavior) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad56b9)
 #68 0x0000000006ad9494 clang::Parser::ParseParenExpression(clang::ParenParseOption&, bool, clang::ParenExprKind, clang::TypoCorrectionTypeBehavior, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6ad9494)
 #69 0x0000000006acfcd8 clang::Parser::ParseCastExpression(clang::CastParseKind, bool, bool&, clang::TypoCorrectionTypeBehavior, bool, bool*) (/opt/compiler-explorer/clang-assertions-trunk/bin/clang+++0x6acfcd8)
 #70 0x0000000006ad1047 clang::Parser::ParseCastExpression(clang::CastParseK<truncated>Please see the issue for the entire body.