Use-after-free/-poison bug in AST building

We’ve had a curious bug reported on IWYU, where CastExpr::getConversionFunction does not return a FunctionDecl.

After some research, it turns out we get an AccessSpecDecl instead, which seems like a strange conversion function.

I tried running with ASAN enabled for only IWYU but didn’t get any useful results; eventually I managed to repro a non-IWYU-contained example. That in turn led me to:

https://bugs.llvm.org/show_bug.cgi?id=44972

I’m not sure where to go from there, though… It seems the parser somehow triggers a use-after-free in BumpPtrAllocator. Can I narrow it down somehow? I have an 800K preprocessed repro, but from cursory experiments ASAN triggers use-after-poison there on basically anything.

Thanks for any ideas for narrowing down the issue,

- Kim

Personally I don’t have any advice on how to deal with ASAN errors. From experience it helps to work with clang and clang libraries built with assertions enabled; that helps to encounter inconsistencies like FunctionDecl/AccessSpecDecl pretty early. What else can be helpful is to have pure clang failing and to remove IWYU itself from the list of suspects.

You can try to minimize the repro manually or with creduce-clang-crash.py or with C-Reduce itself.

Hope this helps,
Volodymyr

Hi Volodymyr,

Thanks, all good suggestions!

I’ll try these suggestions out when I get a chance.

Cheers,
Kim

For what it’s worth, I never managed to isolate a root cause, but I opened a new issue with a smaller repro than IWYU: https://github.com/llvm/llvm-project/issues/53044.

Thanks,

- Kim