Okay, so I’ve now tried to make findSubobject() not modify anything and instead leave that responsibility to the caller. However, that doesn’t even matter in the end.
In the reproducer I posted, clang will expand the array (the outermost APValue, which is being returned by findCompleteObject() while evaluating its array filler…
Perhaps what’s missing is an in-place evaluation of the array expansion rather than a replacement of the prior object?
… which is also why this doesn’t work (even tried adding expandArray() to APValue before you suggested this). The APValue that’s being evaluated when things go wrong is not the array itself, but an element of the array (or rather its filler, but that doesn’t matter in this case).
So, since the expandArray() in findSubobject is a requirement (so huge arrays only get expanded when accessed), I’m basically out of ideas.