Issue 177245
Summary [clang] Assertion failure in `Sema::getPackSubstitutedTemplateArgument` during constraint checking (ArrayRef OOB)
Reporter matt-gb
https://godbolt.org/z/YKoe6vv9M

This code crashes clang 22 in C++26 mode (`-std=c++2c` or `-std=c++26`). Seen with clang 22.1.0-rc1 (built locally from 8164f1a) and godbolt's clang-trunk. Release builds segfault; assertion-enabled builds hit a bounds check in `ArrayRef.h`.

Clang 21.1.0 and GCC 15.2 both accept it with no warnings.

Bisected to e9972de (#161671).

#### Repro (reduced from some code in stdexec 24.09):
```cpp
// crash.cpp

template <class _Fun, class... _As>
concept __callable = requires (_Fun __fun, _As...) { __fun(); };

template <class... _Args>
struct __mdispatch {
  template <class... _Ts>
    requires (__callable<_Args, _Ts...> && ...)
  void operator()();
};

static_assert(!__callable<__mdispatch<int>>);
```
```bash
clang-22 -std=c++26 -fsyntax-only crash.cpp # No crash with -std=c++23/2b
```

#### Clang 22.1.0-rc1 built with options:
```
cmake -S llvm -B build-debug-rc1 -G Ninja \
  -DCMAKE_BUILD_TYPE=Debug \
  -DCMAKE_C_COMPILER=/usr/bin/clang-19 \
  -DCMAKE_CXX_COMPILER=/usr/bin/clang++-19 \
  -DLLVM_ENABLE_PROJECTS=clang \
  -DLLVM_TARGETS_TO_BUILD=X86
```

#### Crash output:

<details>

```bash
clang: /llvm-project/llvm/include/llvm/ADT/ArrayRef.h:248: const T &llvm::ArrayRef<clang::TemplateArgument>::operator[](size_t) const [T = clang::TemplateArgument]: Assertion `Index < Length && "Invalid index!"' failed.
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.      Program arguments: /llvm-project/build-debug-rc1/bin/clang -std=c++26 -fsyntax-only crash.cpp
1.      crash.cpp:11:44: current parser token ')'
  #0 0x000000000379588d llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /llvm-project/llvm/lib/Support/Unix/Signals.inc:842:11
  #1 0x0000000003795dbb PrintStackTraceSignalHandler(void*) /llvm-project/llvm/lib/Support/Unix/Signals.inc:924:1
  #2 0x0000000003793c74 llvm::sys::RunSignalHandlers() /llvm-project/llvm/lib/Support/Signals.cpp:108:5
  #3 0x000000000379517e llvm::sys::CleanupOnSignal(unsigned long) /llvm-project/llvm/lib/Support/Unix/Signals.inc:377:1
  #4 0x00000000036b94e2 (anonymous namespace)::CrashRecoveryContextImpl::HandleCrash(int, unsigned long) /llvm-project/llvm/lib/Support/CrashRecoveryContext.cpp:0:7
  #5 0x00000000036b9896 CrashRecoverySignalHandler(int) /llvm-project/llvm/lib/Support/CrashRecoveryContext.cpp:391:1
  #6 0x00007f6a26c3ebf0 __restore_rt (/lib64/libc.so.6+0x3ebf0)
  #7 0x00007f6a26c8bedc __pthread_kill_implementation (/lib64/libc.so.6+0x8bedc)
 #8 0x00007f6a26c3eb46 gsignal (/lib64/libc.so.6+0x3eb46)
  #9 0x00007f6a26c28833 abort (/lib64/libc.so.6+0x28833)
 #10 0x00007f6a26c2875b _nl_load_domain.cold (/lib64/libc.so.6+0x2875b)
 #11 0x00007f6a26c37886 (/lib64/libc.so.6+0x37886)
 #12 0x0000000003b1cf48 llvm::ArrayRef<clang::TemplateArgument>::operator[](unsigned long) const /llvm-project/llvm/include/llvm/ADT/ArrayRef.h:0:7
 #13 0x000000000722826e clang::Sema::getPackSubstitutedTemplateArgument(clang::TemplateArgument) const /llvm-project/clang/include/clang/Sema/Sema.h:11767:11
 #14 0x0000000007144396 (anonymous namespace)::HashParameterMapping::VisitTemplateTypeParmType(clang::TemplateTypeParmType*) /llvm-project/clang/lib/Sema/SemaConcept.cpp:295:11
 #15 0x00000000071441c0 clang::RecursiveASTVisitor<(anonymous namespace)::HashParameterMapping>::WalkUpFromTemplateTypeParmType(clang::TemplateTypeParmType*) /llvm-project/build-debug-rc1/tools/clang/include/clang/AST/TypeNodes.inc:80:1
 #16 0x00000000071417a7 clang::RecursiveASTVisitor<(anonymous namespace)::HashParameterMapping>::TraverseTemplateTypeParmType(clang::TemplateTypeParmType*, bool) /llvm-project/clang/include/clang/AST/RecursiveASTVisitor.h:1139:1
 #17 0x000000000713ddf6 clang::RecursiveASTVisitor<(anonymous namespace)::HashParameterMapping>::TraverseType(clang::QualType, bool) /llvm-project/build-debug-rc1/tools/clang/include/clang/AST/TypeNodes.inc:80:1
 #18 0x000000000713d179 clang::RecursiveASTVisitor<(anonymous namespace)::HashParameterMapping>::TraverseTemplateArgument(clang::TemplateArgument const&) /llvm-project/clang/include/clang/AST/RecursiveASTVisitor.h:889:5
 #19 0x000000000713d0e4 (anonymous namespace)::HashParameterMapping::TraverseTemplateArgument(clang::TemplateArgument const&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:378:5
 #20 0x000000000713e595 clang::RecursiveASTVisitor<(anonymous namespace)::HashParameterMapping>::TraverseTemplateArguments(llvm::ArrayRef<clang::TemplateArgument>) /llvm-project/clang/include/clang/AST/RecursiveASTVisitor.h:951:5
 #21 0x000000000713d20d clang::RecursiveASTVisitor<(anonymous namespace)::HashParameterMapping>::TraverseTemplateArgument(clang::TemplateArgument const&) /llvm-project/clang/include/clang/AST/RecursiveASTVisitor.h:900:5
 #22 0x000000000713d0e4 (anonymous namespace)::HashParameterMapping::TraverseTemplateArgument(clang::TemplateArgument const&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:378:5
 #23 0x000000000713c903 (anonymous namespace)::HashParameterMapping::VisitConstraint(clang::NormalizedConstraintWithParamMapping const&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:422:23
 #24 0x000000000713b7a9 (anonymous namespace)::ConstraintSatisfactionChecker::Evaluate(clang::AtomicConstraint const&, clang::MultiLevelTemplateArgumentList const&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:749:3
 #25 0x000000000713b2b5 (anonymous namespace)::ConstraintSatisfactionChecker::Evaluate(clang::NormalizedConstraint const&, clang::MultiLevelTemplateArgumentList const&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:1095:12
 #26 0x000000000713bf94 (anonymous namespace)::ConstraintSatisfactionChecker::Evaluate(clang::ConceptIdConstraint const&, clang::MultiLevelTemplateArgumentList const&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:1001:18
 #27 0x000000000713b2e3 (anonymous namespace)::ConstraintSatisfactionChecker::Evaluate(clang::NormalizedConstraint const&, clang::MultiLevelTemplateArgumentList const&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:1102:12
 #28 0x00000000071af8f7 (anonymous namespace)::ConstraintSatisfactionChecker::EvaluateSlow(clang::FoldExpandedConstraint const&, clang::MultiLevelTemplateArgumentList const&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:840:14
 #29 0x000000000713bcc5 (anonymous namespace)::ConstraintSatisfactionChecker::Evaluate(clang::FoldExpandedConstraint const&, clang::MultiLevelTemplateArgumentList const&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:888:18
 #30 0x000000000713b2cc (anonymous namespace)::ConstraintSatisfactionChecker::Evaluate(clang::NormalizedConstraint const&, clang::MultiLevelTemplateArgumentList const&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:1098:12
 #31 0x000000000713458d CheckConstraintSatisfaction(clang::Sema&, clang::NamedDecl const*, llvm::ArrayRef<clang::AssociatedConstraint>, clang::MultiLevelTemplateArgumentList const&, clang::SourceRange, clang::ConstraintSatisfaction&, clang::Expr**, clang::ConceptReference const*) /llvm-project/clang/lib/Sema/SemaConcept.cpp:1169:25
 #32 0x0000000007134217 clang::Sema::CheckConstraintSatisfaction(llvm::PointerUnion<clang::NamedDecl const*, clang::concepts::NestedRequirement const*>, llvm::ArrayRef<clang::AssociatedConstraint>, clang::MultiLevelTemplateArgumentList const&, clang::SourceRange, clang::ConstraintSatisfaction&, clang::ConceptReference const*, clang::Expr**) /llvm-project/clang/lib/Sema/SemaConcept.cpp:1230:7
 #33 0x0000000007136867 CheckFunctionConstraintsWithoutInstantiation(clang::Sema&, clang::SourceLocation, clang::FunctionTemplateDecl*, llvm::ArrayRef<clang::TemplateArgument>, clang::ConstraintSatisfaction&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:1678:3
 #34 0x00000000071361ee clang::Sema::CheckFunctionTemplateConstraints(clang::SourceLocation, clang::FunctionDecl*, llvm::ArrayRef<clang::TemplateArgument>, clang::ConstraintSatisfaction&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:1690:5
 #35 0x0000000007b97e0d clang::Sema::FinishTemplateArgumentDeduction(clang::FunctionTemplateDecl*, llvm::SmallVectorImpl<clang::DeducedTemplateArgument>&, unsigned int, clang::FunctionDecl*&, clang::sema::TemplateDeductionInfo&, llvm::SmallVectorImpl<clang::Sema::OriginalCallArg> const*, bool, bool, bool, llvm::function_ref<bool (bool)>) /llvm-project/clang/lib/Sema/SemaTemplateDeduction.cpp:3981:9
 #36 0x0000000007c237da clang::Sema::DeduceTemplateArguments(clang::FunctionTemplateDecl*, clang::TemplateArgumentListInfo*, llvm::ArrayRef<clang::Expr*>, clang::FunctionDecl*&, clang::sema::TemplateDeductionInfo&, bool, bool, bool, clang::QualType, clang::Expr::Classification, bool, llvm::function_ref<bool (llvm::ArrayRef<clang::QualType>, bool)>)::$_2::operator()() const /llvm-project/clang/lib/Sema/SemaTemplateDeduction.cpp:4719:14
 #37 0x0000000007c236c5 void llvm::function_ref<void ()>::callback_fn<clang::Sema::DeduceTemplateArguments(clang::FunctionTemplateDecl*, clang::TemplateArgumentListInfo*, llvm::ArrayRef<clang::Expr*>, clang::FunctionDecl*&, clang::sema::TemplateDeductionInfo&, bool, bool, bool, clang::QualType, clang::Expr::Classification, bool, llvm::function_ref<bool (llvm::ArrayRef<clang::QualType>, bool)>)::$_2>(long) /llvm-project/llvm/include/llvm/ADT/STLFunctionalExtras.h:46:5
 #38 0x00000000022c8ce9 llvm::function_ref<void ()>::operator()() const /llvm-project/llvm/include/llvm/ADT/STLFunctionalExtras.h:69:5
 #39 0x000000000923ad73 clang::runWithSufficientStackSpace(llvm::function_ref<void ()>, llvm::function_ref<void ()>) /llvm-project/clang/include/clang/Basic/Stack.h:55:3
 #40 0x000000000923abe0 clang::StackExhaustionHandler::runWithSufficientStackSpace(clang::SourceLocation, llvm::function_ref<void ()>) /llvm-project/clang/lib/Basic/StackExhaustionHandler.cpp:21:1
 #41 0x0000000006fad508 clang::Sema::runWithSufficientStackSpace(clang::SourceLocation, llvm::function_ref<void ()>) /llvm-project/clang/lib/Sema/Sema.cpp:628:1
 #42 0x0000000007b9a5a5 clang::Sema::DeduceTemplateArguments(clang::FunctionTemplateDecl*, clang::TemplateArgumentListInfo*, llvm::ArrayRef<clang::Expr*>, clang::FunctionDecl*&, clang::sema::TemplateDeductionInfo&, bool, bool, bool, clang::QualType, clang::Expr::Classification, bool, llvm::function_ref<bool (llvm::ArrayRef<clang::QualType>, bool)>) /llvm-project/clang/lib/Sema/SemaTemplateDeduction.cpp:4729:12
 #43 0x00000000079a8faf AddMethodTemplateCandidateImmediately(clang::Sema&, clang::OverloadCandidateSet&, clang::FunctionTemplateDecl*, clang::DeclAccessPair, clang::CXXRecordDecl*, clang::TemplateArgumentListInfo*, clang::QualType, clang::Expr::Classification, llvm::ArrayRef<clang::Expr*>, bool, bool, clang::OverloadCandidateParamOrder) /llvm-project/clang/lib/Sema/SemaOverload.cpp:7976:31
 #44 0x00000000079b56d4 AddTemplateOverloadCandidate(clang::Sema&, clang::OverloadCandidateSet&, clang::DeferredMethodTemplateOverloadCandidate&) /llvm-project/clang/lib/Sema/SemaOverload.cpp:11322:1
 #45 0x00000000079b5489 clang::OverloadCandidateSet::InjectNonDeducedTemplateCandidates(clang::Sema&) /llvm-project/clang/lib/Sema/SemaOverload.cpp:11357:7
 #46 0x00000000079a3d3f clang::OverloadCandidateSet::BestViableFunction(clang::Sema&, clang::SourceLocation, clang::OverloadCandidate*&) /llvm-project/clang/lib/Sema/SemaOverload.cpp:11445:3
 #47 0x00000000079c999f clang::Sema::BuildCallToObjectOfClassType(clang::Scope*, clang::Expr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*>, clang::SourceLocation) /llvm-project/clang/lib/Sema/SemaOverload.cpp:16509:3
 #48 0x00000000074324df clang::Sema::BuildCallExpr(clang::Scope*, clang::Expr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*>, clang::SourceLocation, clang::Expr*, bool, bool) /llvm-project/clang/lib/Sema/SemaExpr.cpp:6714:14
 #49 0x000000000744b48f clang::Sema::ActOnCallExpr(clang::Scope*, clang::Expr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*>, clang::SourceLocation, clang::Expr*) /llvm-project/clang/lib/Sema/SemaExpr.cpp:6598:7
 #50 0x0000000007d58f82 clang::TreeTransform<(anonymous namespace)::TemplateInstantiator>::RebuildCallExpr(clang::Expr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*>, clang::SourceLocation, clang::Expr*) /llvm-project/clang/lib/Sema/TreeTransform.h:2934:22
 #51 0x0000000007d44461 clang::TreeTransform<(anonymous namespace)::TemplateInstantiator>::TransformCallExpr(clang::CallExpr*) /llvm-project/clang/lib/Sema/TreeTransform.h:13615:23
 #52 0x0000000007cbe92e clang::TreeTransform<(anonymous namespace)::TemplateInstantiator>::TransformExpr(clang::Expr*) /llvm-project/build-debug-rc1/tools/clang/include/clang/AST/StmtNodes.inc:614:1
 #53 0x0000000007d50862 (anonymous namespace)::TemplateInstantiator::TransformExprRequirement(clang::concepts::ExprRequirement*) /llvm-project/clang/lib/Sema/SemaTemplateInstantiate.cpp:2639:31
 #54 0x0000000007d4efa9 (anonymous namespace)::TemplateInstantiator::TransformRequiresExprRequirements(llvm::ArrayRef<clang::concepts::Requirement*>, llvm::SmallVectorImpl<clang::concepts::Requirement*>&) /llvm-project/clang/lib/Sema/SemaTemplateInstantiate.cpp:1798:22
 #55 0x0000000007d4e91e clang::TreeTransform<(anonymous namespace)::TemplateInstantiator>::TransformRequiresExpr(clang::RequiresExpr*) /llvm-project/clang/lib/Sema/TreeTransform.h:15214:7
 #56 0x0000000007d3ce34 (anonymous namespace)::TemplateInstantiator::TransformRequiresExpr(clang::RequiresExpr*) /llvm-project/clang/lib/Sema/SemaTemplateInstantiate.cpp:1770:40
 #57 0x0000000007cbdad3 clang::TreeTransform<(anonymous namespace)::TemplateInstantiator>::TransformExpr(clang::Expr*) /llvm-project/build-debug-rc1/tools/clang/include/clang/AST/StmtNodes.inc:116:1
 #58 0x0000000007cbd80d clang::Sema::SubstExpr(clang::Expr*, clang::MultiLevelTemplateArgumentList const&) /llvm-project/clang/lib/Sema/SemaTemplateInstantiate.cpp:4358:23
 #59 0x0000000007cbf445 clang::Sema::SubstConstraintExpr(clang::Expr*, clang::MultiLevelTemplateArgumentList const&) /llvm-project/clang/lib/Sema/SemaTemplateInstantiate.cpp:4377:10
 #60 0x00000000071af1de (anonymous namespace)::ConstraintSatisfactionChecker::EvaluateAtomicConstraint(clang::Expr const*, clang::MultiLevelTemplateArgumentList const&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:537:11
 #61 0x000000000713caeb (anonymous namespace)::ConstraintSatisfactionChecker::EvaluateSlow(clang::AtomicConstraint const&, clang::MultiLevelTemplateArgumentList const&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:676:38
 #62 0x000000000713b925 (anonymous namespace)::ConstraintSatisfactionChecker::Evaluate(clang::AtomicConstraint const&, clang::MultiLevelTemplateArgumentList const&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:762:18
 #63 0x000000000713b2b5 (anonymous namespace)::ConstraintSatisfactionChecker::Evaluate(clang::NormalizedConstraint const&, clang::MultiLevelTemplateArgumentList const&) /llvm-project/clang/lib/Sema/SemaConcept.cpp:1095:12
 #64 0x000000000713bf94 (anonymous namespace)::ConstraintSatisfactionChecker::Evalua<truncated>
```

</details>

Please see the issue for the entire body.
_______________________________________________
llvm-bugs mailing list
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs
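
For triage, a crash dump in the format shown above can be reduced to its assertion text and a short bucket signature, so that duplicate reports of the same crash group together. This is an added example, not code from the reporter or from LLVM; the noise-path list, the bucket depth and the function names are assumptions chosen for illustration.

```python
import re

# Sample input: a shortened excerpt of the crash output quoted in this report.
SAMPLE = """\
clang: /llvm-project/llvm/include/llvm/ADT/ArrayRef.h:248: const T &llvm::ArrayRef<clang::TemplateArgument>::operator[](size_t) const [T = clang::TemplateArgument]: Assertion `Index < Length && "Invalid index!"' failed.
Stack dump:
0.      Program arguments: clang -std=c++26 -fsyntax-only crash.cpp
  #0 0x000000000379588d llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) /llvm-project/llvm/lib/Support/Unix/Signals.inc:842:11
  #5 0x00000000036b9896 CrashRecoverySignalHandler(int) /llvm-project/llvm/lib/Support/CrashRecoveryContext.cpp:391:1
  #9 0x00007f6a26c28833 abort (/lib64/libc.so.6+0x28833)
 #12 0x0000000003b1cf48 llvm::ArrayRef<clang::TemplateArgument>::operator[](unsigned long) const /llvm-project/llvm/include/llvm/ADT/ArrayRef.h:0:7
 #13 0x000000000722826e clang::Sema::getPackSubstitutedTemplateArgument(clang::TemplateArgument) const /llvm-project/clang/include/clang/Sema/Sema.h:11767:11
 #14 0x0000000007144396 (anonymous namespace)::HashParameterMapping::VisitTemplateTypeParmType(clang::TemplateTypeParmType*) /llvm-project/clang/lib/Sema/SemaConcept.cpp:295:11
"""

# "#N 0xADDR [symbol] location": the location is the last whitespace-free token,
# either /path:line:col or (module+0xoffset); the symbol may contain spaces.
FRAME = re.compile(r"^ *#(\d+) +0x[0-9a-f]+ +(?:(.*?) )?(\(?/\S+\)?)$", re.M)
ASSERTION = re.compile(r"Assertion `(.*)' failed\.")

# Assumption: frames from signal handling, libc and generic ADT containers
# say nothing about the faulty caller, so they are skipped when bucketing.
NOISE = ("/lib/Support/", "libc.so", "/ADT/")


def parse_frames(text):
    """Return (index, symbol, location) for every stack frame line."""
    return [(int(n), sym or "", loc) for n, sym, loc in FRAME.findall(text)]


def assertion(text):
    """Return the failed assertion expression, or None for a plain segfault."""
    m = ASSERTION.search(text)
    return m.group(1) if m else None


def bucket(text, depth=3):
    """Top `depth` non-noise function names, with argument lists stripped."""
    names = []
    for _, sym, loc in parse_frames(text):
        if not sym or any(p in loc for p in NOISE):
            continue
        sym = sym.replace("(anonymous namespace)", "{anon}")
        names.append(sym.split("(")[0])
    return tuple(names[:depth])


if __name__ == "__main__":
    print(assertion(SAMPLE))
    print(bucket(SAMPLE, depth=2))
```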
