[clangd] Buffer overflow on completion request #132169

Open
henryhchchc opened this issue Mar 20, 2025 · 3 comments
Labels: clangd, crash

Comments

@henryhchchc

For the following C code snippet:

int main(int argc, char **argv) {
// {{'กssss'?}}
  
  return  423;
}

A textDocument/completion at the beginning of the blank line causes global-buffer-overflow (caught by ASAN).

I[08:51:30.230] clangd version 20.1.0 (https://github.com/llvm/llvm-project.git 24a30daaa559829ad079f2ff7f73eb4e18095f88)
I[08:51:30.230] Features: linux+debug+asan
I[08:51:30.230] PID: 435398
I[08:51:30.230] Working directory: /tmp/export/input_3/workspace
I[08:51:30.230] argv[0]: /llvm/build/bin/clangd
I[08:51:30.231] argv[1]: --log=verbose
V[08:51:30.231] User config file is /root/.config/clangd/config.yaml
I[08:51:30.231] Starting LSP over stdin/stdout
V[08:51:30.232] <<< {"id":0,"jsonrpc":"2.0","method":"initialize","params":{"capabilities":{"general":{"markdown":{"parser":"marked","version":"1.1.0"},"positionEncodings":["utf-16"],"regularExpressions":{"engine":"ECMAScript","version":"ES2020"},"staleRequestSupport":{"cancel":true,"retryOnContentModified":["textDocument/semanticTokens/full","textDocument/semanticTokens/range","textDocument/semanticTokens/full/delta"]}},"notebookDocument":{"synchronization":{"dynamicRegistration":true,"executionSummarySupport":true}},"textDocument":{"callHierarchy":{"dynamicRegistration":true},"codeAction":{"codeActionLiteralSupport":{"codeActionKind":{"valueSet":["","quickfix","refactor","refactor.extract","refactor.inline","refactor.rewrite","source","source.organizeImports"]}},"dataSupport":true,"disabledSupport":true,"dynamicRegistration":true,"honorsChangeAnnotations":false,"isPreferredSupport":true,"resolveSupport":{"properties":["edit"]}},"codeLens":{"dynamicRegistration":true},"colorProvider":{"dynamicRegistration":true},"completion":{"completionItem":{"commitCharactersSupport":true,"deprecatedSupport":true,"documentationFormat":["markdown","plaintext"],"insertReplaceSupport":true,"insertTextModeSupport":{"valueSet":[1,2]},"labelDetailsSupport":true,"preselectSupport":true,"resolveSupport":{"properties":["documentation","detail","additionalTextEdits"]},"snippetSupport":true,"tagSupport":{"valueSet":[1]}},"completionItemKind":{"valueSet":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25]},"completionList":{"itemDefaults":["commitCharacters","editRange","insertTextFormat","insertTextMode"]},"contextSupport":true,"dynamicRegistration":true,"editsNearCursor":true,"insertTextMode":2},"declaration":{"dynamicRegistration":true,"linkSupport":true},"definition":{"dynamicRegistration":true,"linkSupport":true},"diagnostic":{"dynamicRegistration":true,"relatedDocumentSupport":false},"documentHighlight":{"dynamicRegistration":true},"documentLink":{"dynamicRegistration":true,"tooltipSupport":true},"documentSymbol":{"dynamicRegistration":true,"hierarchicalDocumentSymbolSupport":true,"labelSupport":true,"symbolKind":{"valueSet":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26]},"tagSupport":{"valueSet":[1]}},"foldingRange":{"dynamicRegistration":true,"foldingRange":{"collapsedText":false},"foldingRangeKind":{"valueSet":["comment","imports","region"]},"lineFoldingOnly":true,"rangeLimit":5000},"formatting":{"dynamicRegistration":true},"hover":{"contentFormat":["markdown","plaintext"],"dynamicRegistration":true},"implementation":{"dynamicRegistration":true,"linkSupport":true},"inactiveRegionsCapabilities":{"inactiveRegions":true},"inlayHint":{"dynamicRegistration":true,"resolveSupport":{"properties":["tooltip","textEdits","label.tooltip","label.location","label.command"]}},"inlineValue":{"dynamicRegistration":true},"linkedEditingRange":{"dynamicRegistration":true},"onTypeFormatting":{"dynamicRegistration":true},"publishDiagnostics":{"codeDescriptionSupport":true,"dataSupport":true,"relatedInformation":true,"tagSupport":{"valueSet":[1,2]},"versionSupport":false},"rangeFormatting":{"dynamicRegistration":true},"references":{"dynamicRegistration":true},"rename":{"dynamicRegistration":true,"honorsChangeAnnotations":true,"prepareSupport":true,"prepareSupportDefaultBehavior":1},"selectionRange":{"dynamicRegistration":true},"semanticTokens":{"augmentsSyntaxTokens":true,"dynamicRegistration":true,"formats":["relative"],"multilineTokenSupport":false,"overlappingTokenSupport":false,"requests":{"full":{"delta":true},"range":true},"serverCancelSupport":true,"tokenModifiers":["declaration","definition","readonly","static","deprecated","abstract","async","modification","documentation","defaultLibrary"],"tokenTypes":["namespace","type","class","enum","interface","struct","typeParameter","parameter","variable","property","enumMember","event","function","method","macro","keyword","modifier","comment","string","number","regexp","operator","decorator"]},"signatureHelp":{"contextSupport":true,"dynamicRegistration":true,"signatureInformation":{"activeParameterSupport":true,"documentationFormat":["markdown","plaintext"],"parameterInformation":{"labelOffsetSupport":true}}},"synchronization":{"didSave":true,"dynamicRegistration":true,"willSave":true,"willSaveWaitUntil":true},"typeDefinition":{"dynamicRegistration":true,"linkSupport":true},"typeHierarchy":{"dynamicRegistration":true}},"window":{"showDocument":{"support":true},"showMessage":{"messageActionItem":{"additionalPropertiesSupport":true}},"workDoneProgress":true},"workspace":{"applyEdit":true,"codeLens":{"refreshSupport":true},"configuration":true,"diagnostics":{"refreshSupport":true},"didChangeConfiguration":{"dynamicRegistration":true},"didChangeWatchedFiles":{"dynamicRegistration":true,"relativePatternSupport":true},"executeCommand":{"dynamicRegistration":true},"fileOperations":{"didCreate":true,"didDelete":true,"didRename":true,"dynamicRegistration":true,"willCreate":true,"willDelete":true,"willRename":true},"inlayHint":{"refreshSupport":true},"inlineValue":{"refreshSupport":true},"semanticTokens":{"refreshSupport":true},"symbol":{"dynamicRegistration":true,"resolveSupport":{"properties":["location.range"]},"symbolKind":{"valueSet":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26]},"tagSupport":{"valueSet":[1]}},"workspaceEdit":{"changeAnnotationSupport":{"groupsOnLabel":true},"documentChanges":true,"failureHandling":"textOnlyTransactional","normalizesLineEndings":true,"resourceOperations":["create","rename","delete"]},"workspaceFolders":true}},"clientInfo":{"name":"Visual Studio Code","version":"1.98.1"},"initializationOptions":{"clangdFileStatus":true,"fallbackFlags":[]},"locale":"en","processId":419726,"rootPath":"/tmp/export/input_3/workspace","rootUri":"file:///tmp/export/input_3/workspace","trace":"off","workspaceFolders":[{"name":"workspace","uri":"file:///tmp/export/input_3/workspace"}]}}

I[08:51:30.232] <-- initialize(0)
I[08:51:30.260] --> reply:initialize(0) 27 ms
V[08:51:30.260] >>> {"id":0,"jsonrpc":"2.0","result":{"capabilities":{"astProvider":true,"callHierarchyProvider":true,"clangdInlayHintsProvider":true,"codeActionProvider":{"codeActionKinds":["quickfix","refactor","info"]},"compilationDatabase":{"automaticReload":true},"completionProvider":{"resolveProvider":false,"triggerCharacters":[".","<",">",":","\"","/","*"]},"declarationProvider":true,"definitionProvider":true,"documentFormattingProvider":true,"documentHighlightProvider":true,"documentLinkProvider":{"resolveProvider":false},"documentOnTypeFormattingProvider":{"firstTriggerCharacter":"\n","moreTriggerCharacter":[]},"documentRangeFormattingProvider":true,"documentSymbolProvider":true,"executeCommandProvider":{"commands":["clangd.applyFix","clangd.applyRename","clangd.applyTweak"]},"foldingRangeProvider":true,"hoverProvider":true,"implementationProvider":true,"inactiveRegionsProvider":true,"inlayHintProvider":true,"memoryUsageProvider":true,"referencesProvider":true,"renameProvider":{"prepareProvider":true},"selectionRangeProvider":true,"semanticTokensProvider":{"full":{"delta":true},"legend":{"tokenModifiers":["declaration","definition","deprecated","deduced","readonly","static","abstract","virtual","dependentName","defaultLibrary","usedAsMutableReference","usedAsMutablePointer","constructorOrDestructor","userDefined","functionScope","classScope","fileScope","globalScope"],"tokenTypes":["variable","variable","parameter","function","method","function","property","variable","class","interface","enum","enumMember","type","type","unknown","namespace","typeParameter","concept","type","macro","modifier","operator","bracket","label","comment"]},"range":false},"signatureHelpProvider":{"triggerCharacters":["(",")","{","}","<",">",","]},"standardTypeHierarchyProvider":true,"textDocumentSync":{"change":2,"openClose":true,"save":true},"typeDefinitionProvider":true,"typeHierarchyProvider":true,"workspaceSymbolProvider":true},"serverInfo":{"name":"clangd","version":"clangd version 20.1.0 (https://github.com/llvm/llvm-project.git 24a30daaa559829ad079f2ff7f73eb4e18095f88) linux+debug+asan x86_64-unknown-linux-gnu"}}}

V[08:51:30.260] <<< {"jsonrpc":"2.0","method":"initialized","params":{}}

I[08:51:30.260] <-- initialized
V[08:51:30.261] <<< {"jsonrpc":"2.0","method":"textDocument/didOpen","params":{"textDocument":{"languageId":"c","text":"int main(int argc, char **argv) {\n// {{'กssss'?}}\n  \n  return  423;\n}\n","uri":"file:///tmp/export/input_3/workspace/main.c","version":356}}}

I[08:51:30.261] <-- textDocument/didOpen
I[08:51:30.263] Failed to find compilation database for /tmp/export/input_3/workspace/main.c
I[08:51:30.263] ASTWorker building file /tmp/export/input_3/workspace/main.c version 356 with command clangd fallback
[/tmp/export/input_3/workspace]
/usr/bin/clang -resource-dir=/llvm/build/lib/clang/20 -- /tmp/export/input_3/workspace/main.c
V[08:51:30.267] Driver produced command: cc1 -cc1 -triple x86_64-unknown-linux-gnu -fsyntax-only -disable-free -clear-ast-before-backend -main-file-name main.c -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/tmp/export/input_3/workspace -fcoverage-compilation-dir=/tmp/export/input_3/workspace -resource-dir /llvm/build/lib/clang/20 -internal-isystem /llvm/build/lib/clang/20/include -internal-isystem /usr/local/include -internal-isystem /usr/bin/../lib/gcc/x86_64-redhat-linux/11/../../../../x86_64-redhat-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -ferror-limit 19 -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -no-round-trip-args -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -x c /tmp/export/input_3/workspace/main.c
I[08:51:30.267] --> textDocument/clangd.fileStatus
V[08:51:30.267] >>> {"jsonrpc":"2.0","method":"textDocument/clangd.fileStatus","params":{"state":"parsing includes, running Update","uri":"file:///tmp/export/input_3/workspace/main.c"}}

V[08:51:30.268] Building first preamble for /tmp/export/input_3/workspace/main.c version 356
I[08:51:30.282] Built preamble of size 266776 for file /tmp/export/input_3/workspace/main.c version 356 in 0.01 seconds
I[08:51:30.283] --> workspace/semanticTokens/refresh(0)
I[08:51:30.283] --> textDocument/clangd.fileStatus
V[08:51:30.283] >>> {"id":0,"jsonrpc":"2.0","method":"workspace/semanticTokens/refresh","params":null}

V[08:51:30.283] >>> {"jsonrpc":"2.0","method":"textDocument/clangd.fileStatus","params":{"state":"parsing includes, running Build AST","uri":"file:///tmp/export/input_3/workspace/main.c"}}

V[08:51:30.283] <<< {"id":0,"jsonrpc":"2.0","result":null}

I[08:51:30.283] <-- reply(0)
V[08:51:30.285] indexed preamble AST for /tmp/export/input_3/workspace/main.c version 356:
  symbol slab: 0 symbols, 120 bytes
  ref slab: 0 symbols, 0 refs, 128 bytes
  relations slab: 0 relations, 24 bytes
I[08:51:30.303] Indexing c17 standard library in the context of /tmp/export/input_3/workspace/main.c
V[08:51:30.304] indexed file AST for /tmp/export/input_3/workspace/main.c version 356:
  symbol slab: 1 symbols, 4448 bytes
  ref slab: 1 symbols, 1 refs, 4248 bytes
  relations slab: 0 relations, 24 bytes
V[08:51:30.304] Build dynamic index for main-file symbols with estimated memory usage of 11520 bytes
I[08:51:30.304] --> textDocument/publishDiagnostics
V[08:51:30.304] >>> {"jsonrpc":"2.0","method":"textDocument/publishDiagnostics","params":{"diagnostics":[],"uri":"file:///tmp/export/input_3/workspace/main.c","version":356}}

...

V[08:51:58.954] <<< {"id":10,"jsonrpc":"2.0","method":"textDocument/completion","params":{"context":{"triggerKind":1},"position":{"character":0,"line":2},"textDocument":{"uri":"file:///tmp/export/input_3/workspace/main.c"}}}

I[08:51:58.954] <-- textDocument/completion(10)
=================================================================
==435398==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000002500298 at pc 0x00000ba59740 bp 0x7fff57b42600 sp 0x7fff57b425f8
READ of size 1 at 0x000002500298 thread T135
    #0 0xba5973f in clang::clangd::CharType clang::clangd::packedLookup<clang::clangd::CharType>(unsigned char const*, int) /llvm/clang-tools-extra/clangd/FuzzyMatch.cpp:152:26
    #1 0xba5973f in clang::clangd::calculateRoles(llvm::StringRef, llvm::MutableArrayRef<clang::clangd::CharRole>) /llvm/clang-tools-extra/clangd/FuzzyMatch.cpp:168:12
    #2 0xbcf7d13 in clang::clangd::collectWords(llvm::StringRef) /llvm/clang-tools-extra/clangd/SourceCode.cpp:878:3
    #3 0xb898be4 in clang::clangd::(anonymous namespace)::CodeCompleteFlow::populateContextWords(llvm::StringRef) /llvm/clang-tools-extra/clangd/CodeComplete.cpp:1813:20
    #4 0xb893f07 in clang::clangd::(anonymous namespace)::CodeCompleteFlow::run(clang::clangd::(anonymous namespace)::SemaCompleteInput const&) && /llvm/clang-tools-extra/clangd/CodeComplete.cpp:1637:5
    #5 0xb893f07 in clang::clangd::codeComplete(llvm::StringRef, clang::clangd::Position, clang::clangd::PreambleData const*, clang::clangd::ParseInputs const&, clang::clangd::CodeCompleteOptions, clang::clangd::SpeculativeFuzzyFind*) /llvm/clang-tools-extra/clangd/CodeComplete.cpp:2289:32
    #6 0xb81e59d in clang::clangd::ClangdServer::codeComplete(llvm::StringRef, clang::clangd::Position, clang::clangd::CodeCompleteOptions const&, llvm::unique_function<void (llvm::Expected<clang::clangd::CodeCompleteResult>)>)::$_0::operator()(llvm::Expected<clang::clangd::InputsAndPreamble>) /llvm/clang-tools-extra/clangd/ClangdServer.cpp:460:33
    #7 0xb81e59d in void llvm::detail::UniqueFunctionBase<void, llvm::Expected<clang::clangd::InputsAndPreamble>>::CallImpl<clang::clangd::ClangdServer::codeComplete(llvm::StringRef, clang::clangd::Position, clang::clangd::CodeCompleteOptions const&, llvm::unique_function<void (llvm::Expected<clang::clangd::CodeCompleteResult>)>)::$_0>(void*, llvm::Expected<clang::clangd::InputsAndPreamble>&) /llvm/llvm/include/llvm/ADT/FunctionExtras.h:222:12
    #8 0xbd25e53 in llvm::unique_function<void (llvm::Expected<clang::clangd::InputsAndPreamble>)>::operator()(llvm::Expected<clang::clangd::InputsAndPreamble>) /llvm/llvm/include/llvm/ADT/FunctionExtras.h:387:12
    #9 0xbd25e53 in clang::clangd::TUScheduler::runWithPreamble(llvm::StringRef, llvm::StringRef, clang::clangd::TUScheduler::PreambleConsistency, llvm::unique_function<void (llvm::Expected<clang::clangd::InputsAndPreamble>)>)::$_0::operator()() /llvm/clang-tools-extra/clangd/TUScheduler.cpp:1811:5
    #10 0xbd25e53 in void llvm::detail::UniqueFunctionBase<void>::CallImpl<clang::clangd::TUScheduler::runWithPreamble(llvm::StringRef, llvm::StringRef, clang::clangd::TUScheduler::PreambleConsistency, llvm::unique_function<void (llvm::Expected<clang::clangd::InputsAndPreamble>)>)::$_0>(void*) /llvm/llvm/include/llvm/ADT/FunctionExtras.h:222:12
    #11 0xc0a134d in llvm::unique_function<void ()>::operator()() /llvm/llvm/include/llvm/ADT/FunctionExtras.h:387:12
    #12 0xc0a134d in clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1::operator()() /llvm/clang-tools-extra/clangd/support/Threading.cpp:101:5
    #13 0xc0a134d in auto void llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*)::'lambda'(auto&&, auto&&...)::operator()<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1&>(auto&&, auto&&...) const /llvm/llvm/include/llvm/Support/thread.h:43:11
    #14 0xc0a134d in auto std::__invoke_impl<void, void llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*)::'lambda'(auto&&, auto&&...), clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1&>(std::__invoke_other, void llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*)::'lambda'(auto&&, auto&&...)&&, clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/invoke.h:61:14
    #15 0xc0a134d in std::__invoke_result<auto, auto...>::type std::__invoke<void llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*)::'lambda'(auto&&, auto&&...), clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1&>(auto&&, auto&&...) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/invoke.h:96:14
    #16 0xc0a134d in decltype(auto) std::__apply_impl<void llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*)::'lambda'(auto&&, auto&&...), std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>&, 0ul>(auto&&, std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>&, std::integer_sequence<unsigned long, 0ul>) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/tuple:2302:14
    #17 0xc0a134d in decltype(auto) std::apply<void llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*)::'lambda'(auto&&, auto&&...), std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>&>(auto&&, std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/tuple:2313:14
    #18 0xc0a134d in void llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*) /llvm/llvm/include/llvm/Support/thread.h:41:5
    #19 0xc0a134d in void* llvm::thread::ThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*) /llvm/llvm/include/llvm/Support/thread.h:55:5
    #20 0x837269c in asan_thread_start(void*) crtstuff.c
    #21 0x7ffff7b0bd21 in start_thread (/lib64/libc.so.6+0x89d21) (BuildId: d78a44ae94f1d320342e0ff6c2315b2b589063f8)
    #22 0x7ffff7b90d3f in __GI___clone3 (/lib64/libc.so.6+0x10ed3f) (BuildId: d78a44ae94f1d320342e0ff6c2315b2b589063f8)

0x000002500298 is located 8 bytes before global variable 'clang::clangd::CharTypes' defined in '/llvm/clang-tools-extra/clangd/FuzzyMatch.cpp:114' (0x25002a0) of size 64
0x000002500298 is located 28 bytes after global variable '__PRETTY_FUNCTION__._ZN5clang6clangd14calculateRolesEN4llvm9StringRefENS1_15MutableArrayRefINS0_8CharRoleEEE' defined in '/llvm/clang-tools-extra/clangd/FuzzyMatch.cpp:156' (0x2500220) of size 92
  '__PRETTY_FUNCTION__._ZN5clang6clangd14calculateRolesEN4llvm9StringRefENS1_15MutableArrayRefINS0_8CharRoleEEE' is ascii string 'CharTypeSet clang::clangd::calculateRoles(llvm::StringRef, llvm::MutableArrayRef<CharRole>)'
SUMMARY: AddressSanitizer: global-buffer-overflow /llvm/clang-tools-extra/clangd/FuzzyMatch.cpp:152:26 in clang::clangd::CharType clang::clangd::packedLookup<clang::clangd::CharType>(unsigned char const*, int)
Shadow bytes around the buggy address:
  0x000002500000: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000002500080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000002500100: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000002500180: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 06 f9 f9
  0x000002500200: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 04
=>0x000002500280: f9 f9 f9[f9]00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x000002500300: 00 00 f9 f9 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9
  0x000002500380: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000002500400: 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000002500480: 06 f9 f9 f9 03 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9
  0x000002500500: 00 00 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T135 created by T0 here:
    #0 0x835be55 in pthread_create (/llvm/build/bin/clangd+0x835be55) (BuildId: dd254a849ebc49d7)
    #1 0x89541e8 in llvm::llvm_execute_on_thread_impl(void* (*)(void*), void*, std::optional<unsigned int>) /llvm/llvm/lib/Support/Unix/Threading.inc:96:17
    #2 0xc0a0fc1 in llvm::thread::thread<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>(std::optional<unsigned int>, clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1&&) /llvm/llvm/include/llvm/Support/thread.h:131:12
    #3 0xc0a0fc1 in clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>) /llvm/clang-tools-extra/clangd/support/Threading.cpp:107:16
    #4 0xbd55bb1 in clang::clangd::TUScheduler::runWithPreamble(llvm::StringRef, llvm::StringRef, clang::clangd::TUScheduler::PreambleConsistency, llvm::unique_function<void (llvm::Expected<clang::clangd::InputsAndPreamble>)>) /llvm/clang-tools-extra/clangd/TUScheduler.cpp:1814:18
    #5 0xb835c07 in clang::clangd::ClangdServer::codeComplete(llvm::StringRef, clang::clangd::Position, clang::clangd::CodeCompleteOptions const&, llvm::unique_function<void (llvm::Expected<clang::clangd::CodeCompleteResult>)>) /llvm/clang-tools-extra/clangd/ClangdServer.cpp:478:18
    #6 0xb75f4a7 in clang::clangd::ClangdLSPServer::onCompletion(clang::clangd::CompletionParams const&, llvm::unique_function<void (llvm::Expected<clang::clangd::CompletionList>)>) /llvm/clang-tools-extra/clangd/ClangdLSPServer.cpp:1133:11
    #7 0xb7ca1e7 in void clang::clangd::LSPBinder::method<clang::clangd::CompletionParams, clang::clangd::CompletionList, clang::clangd::ClangdLSPServer>(llvm::StringLiteral, clang::clangd::ClangdLSPServer*, void (clang::clangd::ClangdLSPServer::*)(clang::clangd::CompletionParams const&, llvm::unique_function<void (llvm::Expected<clang::clangd::CompletionList>)>))::'lambda'(llvm::json::Value, llvm::unique_function<void (llvm::Expected<llvm::json::Value>)>)::operator()(llvm::json::Value, llvm::unique_function<void (llvm::Expected<llvm::json::Value>)>) const /llvm/clang-tools-extra/clangd/LSPBinder.h:141:5
    #8 0xb7c9c92 in void llvm::detail::UniqueFunctionBase<void, llvm::json::Value, llvm::unique_function<void (llvm::Expected<llvm::json::Value>)>>::CallImpl<void clang::clangd::LSPBinder::method<clang::clangd::CompletionParams, clang::clangd::CompletionList, clang::clangd::ClangdLSPServer>(llvm::StringLiteral, clang::clangd::ClangdLSPServer*, void (clang::clangd::ClangdLSPServer::*)(clang::clangd::CompletionParams const&, llvm::unique_function<void (llvm::Expected<clang::clangd::CompletionList>)>))::'lambda'(llvm::json::Value, llvm::unique_function<void (llvm::Expected<llvm::json::Value>)>)>(void*, llvm::json::Value&, llvm::unique_function<void (llvm::Expected<llvm::json::Value>)>&) /llvm/llvm/include/llvm/ADT/FunctionExtras.h:222:12
    #9 0xb7e2d09 in llvm::unique_function<void (llvm::json::Value, llvm::unique_function<void (llvm::Expected<llvm::json::Value>)>)>::operator()(llvm::json::Value, llvm::unique_function<void (llvm::Expected<llvm::json::Value>)>) /llvm/llvm/include/llvm/ADT/FunctionExtras.h:387:12
    #10 0xb7e2d09 in clang::clangd::ClangdLSPServer::MessageHandler::onCall(llvm::StringRef, llvm::json::Value, llvm::json::Value) /llvm/clang-tools-extra/clangd/ClangdLSPServer.cpp:243:7
    #11 0xbb379b2 in clang::clangd::(anonymous namespace)::JSONTransport::handleMessage(llvm::json::Value, clang::clangd::Transport::MessageHandler&) /llvm/clang-tools-extra/clangd/JSONTransport.cpp:194:20
    #12 0xbb379b2 in clang::clangd::(anonymous namespace)::JSONTransport::loop(clang::clangd::Transport::MessageHandler&) /llvm/clang-tools-extra/clangd/JSONTransport.cpp:119:16
    #13 0xb7ecbc9 in clang::clangd::ClangdLSPServer::run() /llvm/clang-tools-extra/clangd/ClangdLSPServer.cpp:1741:25
    #14 0xb615935 in clang::clangd::clangdMain(int, char**) /llvm/clang-tools-extra/clangd/tool/ClangdMain.cpp:1049:28
    #15 0x7ffff7aab5cf in __libc_start_call_main (/lib64/libc.so.6+0x295cf) (BuildId: d78a44ae94f1d320342e0ff6c2315b2b589063f8)

==435398==ABORTING
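Added illustration, not part of the report above and not clangd's code. Frame #0 of the trace is a 2-bit packed table lookup, and the faulting read is 8 bytes before the 64-byte global CharTypes. The comment in the snippet contains 'ก' (U+0E01), whose UTF-8 encoding is the bytes E0 B8 81; 0xE0 read as a signed char is -32, and -32 >> 2 is -8. The report is therefore consistent with a byte of the document text being sign-extended before it is used as a table index. That is an inference from the addresses shown, not something the thread states, and the fix clangd applied is not on this page. The C++ below models the pattern: the table contents, the class names and every function name are stand-ins written for this example; it computes the index each path produces for the posted comment line and uses an explicit unsigned conversion as its hardened lookup.

```cpp
// Added example for this thread: a stand-in for a 2-bit packed
// character-class table indexed by raw bytes. Not clangd's code; the table
// contents, the class names and the function names are assumptions made
// for the illustration.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

namespace demo {

enum CharType : std::uint8_t { Empty = 0, Lower = 1, Upper = 2, Other = 3 };

// 256 byte values at 2 bits each, four per table byte: 64 bytes, the size
// of the global named in the report. The class assignment is invented.
struct PackedTable {
  std::uint8_t Data[64] = {};
  PackedTable() {
    for (int C = 0; C < 256; ++C) {
      CharType T = Other;
      if (C >= 'a' && C <= 'z')
        T = Lower;
      else if (C >= 'A' && C <= 'Z')
        T = Upper;
      else if (C == ' ' || C == '\t' || C == '\n')
        T = Empty;
      Data[C >> 2] |= static_cast<std::uint8_t>(T << ((C & 3) * 2));
    }
  }
};

static const PackedTable Table;

// Table byte index when a signed char is passed to an int parameter.
// 'signed char' is spelled out so the result does not depend on the
// platform's choice for plain char (signed on x86-64 Linux).
int tableByteIndexSigned(char C) {
  int I = static_cast<signed char>(C); // 0xE0 becomes -32
  return I >> 2;                       // -8: eight bytes before Data[0]
}

// The same arithmetic after forcing the byte to unsigned first.
int tableByteIndexUnsigned(char C) {
  int I = static_cast<unsigned char>(C); // 0xE0 becomes 224
  return I >> 2;                         // 56: inside the 64-byte table
}

// Hardened lookup: the parameter type guarantees 0 <= I <= 255, so the
// index can never point before the table.
CharType packedLookup(const std::uint8_t *Data, unsigned char C) {
  int I = C;
  return static_cast<CharType>((Data[I >> 2] >> ((I & 3) * 2)) & 3);
}

// Classify every byte of Text through the hardened lookup. Bytes of a
// multi-byte UTF-8 sequence land in Other here; how clangd treats them is
// not shown on this page.
std::vector<CharType> classifyBytes(const std::string &Text) {
  std::vector<CharType> Out;
  Out.reserve(Text.size());
  for (char C : Text)
    Out.push_back(packedLookup(Table.Data, static_cast<unsigned char>(C)));
  return Out;
}

// Offset of the first byte the signed path would turn into a negative
// index, or -1 when the text is pure ASCII.
int firstSignExtendedByte(const std::string &Text) {
  for (size_t Off = 0; Off < Text.size(); ++Off)
    if (tableByteIndexSigned(Text[Off]) < 0)
      return static_cast<int>(Off);
  return -1;
}

// Constructed inputs: the comment line from the snippet, with U+0E01 written
// as its UTF-8 bytes E0 B8 81, and an ASCII line from the same snippet.
const std::string kCommentLine = std::string("// {{'\xE0\xB8\x81") + "ssss'?}}";
const std::string kAsciiLine = "int main(int argc, char **argv) {";

} // namespace demo

int main() {
  using namespace demo;
  int Off = firstSignExtendedByte(kCommentLine);
  std::printf("first sign-extended byte at offset %d\n", Off);
  if (Off >= 0) {
    char C = kCommentLine[static_cast<size_t>(Off)];
    std::printf("  signed index   %d (bytes before the table)\n",
                tableByteIndexSigned(C));
    std::printf("  unsigned index %d (inside the table)\n",
                tableByteIndexUnsigned(C));
  }
  std::printf("ASCII line: %d\n", firstSignExtendedByte(kAsciiLine));
  std::printf("%zu bytes classified without leaving the table\n",
              classifyBytes(kCommentLine).size());
  return 0;
}
```

Build with any C++17 compiler (for instance g++ -std=c++17 -fsanitize=address demo.cpp) and run: the signed path reports the negative index for offset 6 of the comment line, the hardened path classifies all 17 bytes without leaving the table. The explicit signed char cast keeps the demonstration identical on targets where plain char is unsigned, such as AArch64 Linux; on x86-64 Linux plain char already behaves that way, which is the build the report came from.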
@llvmbot

llvmbot commented Mar 20, 2025

@llvm/issue-subscribers-clangd

Author: Henry Chu (henryhchchc)

For the following C code snippet:
int main(int argc, char **argv) {
// {{'กssss'?}}
  
  return  423;
}

A textDocument/completion at the beginning of the blank line causes global-buffer-overflow (caught by ASAN).

I[08:51:30.230] clangd version 20.1.0 (https://github.com/llvm/llvm-project.git 24a30daaa559829ad079f2ff7f73eb4e18095f88)
I[08:51:30.230] Features: linux+debug+asan
I[08:51:30.230] PID: 435398
I[08:51:30.230] Working directory: /tmp/export/input_3/workspace
I[08:51:30.230] argv[0]: /llvm/build/bin/clangd
I[08:51:30.231] argv[1]: --log=verbose
V[08:51:30.231] User config file is /root/.config/clangd/config.yaml
I[08:51:30.231] Starting LSP over stdin/stdout
V[08:51:30.232] &lt;&lt;&lt; {"id":0,"jsonrpc":"2.0","method":"initialize","params":{"capabilities":{"general":{"markdown":{"parser":"marked","version":"1.1.0"},"positionEncodings":["utf-16"],"regularExpressions":{"engine":"ECMAScript","version":"ES2020"},"staleRequestSupport":{"cancel":true,"retryOnContentModified":["textDocument/semanticTokens/full","textDocument/semanticTokens/range","textDocument/semanticTokens/full/delta"]}},"notebookDocument":{"synchronization":{"dynamicRegistration":true,"executionSummarySupport":true}},"textDocument":{"callHierarchy":{"dynamicRegistration":true},"codeAction":{"codeActionLiteralSupport":{"codeActionKind":{"valueSet":["","quickfix","refactor","refactor.extract","refactor.inline","refactor.rewrite","source","source.organizeImports"]}},"dataSupport":true,"disabledSupport":true,"dynamicRegistration":true,"honorsChangeAnnotations":false,"isPreferredSupport":true,"resolveSupport":{"properties":["edit"]}},"codeLens":{"dynamicRegistration":true},"colorProvider":{"dynamicRegistration":true},"completion":{"completionItem":{"commitCharactersSupport":true,"deprecatedSupport":true,"documentationFormat":["markdown","plaintext"],"insertReplaceSupport":true,"insertTextModeSupport":{"valueSet":[1,2]},"labelDetailsSupport":true,"preselectSupport":true,"resolveSupport":{"properties":["documentation","detail","additionalTextEdits"]},"snippetSupport":true,"tagSupport":{"valueSet":[1]}},"completionItemKind":{"valueSet":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25]},"completionList":{"itemDefaults":["commitCharacters","editRange","insertTextFormat","insertTextMode"]},"contextSupport":true,"dynamicRegistration":true,"editsNearCursor":true,"insertTextMode":2},"declaration":{"dynamicRegistration":true,"linkSupport":true},"definition":{"dynamicRegistration":true,"linkSupport":true},"diagnostic":{"dynamicRegistration":true,"relatedDocumentSupport":false},"documentHighlight":{"dynamicRegistration":true},"documentLink":{"dynamicRegis
tration":true,"tooltipSupport":true},"documentSymbol":{"dynamicRegistration":true,"hierarchicalDocumentSymbolSupport":true,"labelSupport":true,"symbolKind":{"valueSet":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26]},"tagSupport":{"valueSet":[1]}},"foldingRange":{"dynamicRegistration":true,"foldingRange":{"collapsedText":false},"foldingRangeKind":{"valueSet":["comment","imports","region"]},"lineFoldingOnly":true,"rangeLimit":5000},"formatting":{"dynamicRegistration":true},"hover":{"contentFormat":["markdown","plaintext"],"dynamicRegistration":true},"implementation":{"dynamicRegistration":true,"linkSupport":true},"inactiveRegionsCapabilities":{"inactiveRegions":true},"inlayHint":{"dynamicRegistration":true,"resolveSupport":{"properties":["tooltip","textEdits","label.tooltip","label.location","label.command"]}},"inlineValue":{"dynamicRegistration":true},"linkedEditingRange":{"dynamicRegistration":true},"onTypeFormatting":{"dynamicRegistration":true},"publishDiagnostics":{"codeDescriptionSupport":true,"dataSupport":true,"relatedInformation":true,"tagSupport":{"valueSet":[1,2]},"versionSupport":false},"rangeFormatting":{"dynamicRegistration":true},"references":{"dynamicRegistration":true},"rename":{"dynamicRegistration":true,"honorsChangeAnnotations":true,"prepareSupport":true,"prepareSupportDefaultBehavior":1},"selectionRange":{"dynamicRegistration":true},"semanticTokens":{"augmentsSyntaxTokens":true,"dynamicRegistration":true,"formats":["relative"],"multilineTokenSupport":false,"overlappingTokenSupport":false,"requests":{"full":{"delta":true},"range":true},"serverCancelSupport":true,"tokenModifiers":["declaration","definition","readonly","static","deprecated","abstract","async","modification","documentation","defaultLibrary"],"tokenTypes":["namespace","type","class","enum","interface","struct","typeParameter","parameter","variable","property","enumMember","event","function","method","macro","keyword","modifier","comment","string","number","regex
p","operator","decorator"]},"signatureHelp":{"contextSupport":true,"dynamicRegistration":true,"signatureInformation":{"activeParameterSupport":true,"documentationFormat":["markdown","plaintext"],"parameterInformation":{"labelOffsetSupport":true}}},"synchronization":{"didSave":true,"dynamicRegistration":true,"willSave":true,"willSaveWaitUntil":true},"typeDefinition":{"dynamicRegistration":true,"linkSupport":true},"typeHierarchy":{"dynamicRegistration":true}},"window":{"showDocument":{"support":true},"showMessage":{"messageActionItem":{"additionalPropertiesSupport":true}},"workDoneProgress":true},"workspace":{"applyEdit":true,"codeLens":{"refreshSupport":true},"configuration":true,"diagnostics":{"refreshSupport":true},"didChangeConfiguration":{"dynamicRegistration":true},"didChangeWatchedFiles":{"dynamicRegistration":true,"relativePatternSupport":true},"executeCommand":{"dynamicRegistration":true},"fileOperations":{"didCreate":true,"didDelete":true,"didRename":true,"dynamicRegistration":true,"willCreate":true,"willDelete":true,"willRename":true},"inlayHint":{"refreshSupport":true},"inlineValue":{"refreshSupport":true},"semanticTokens":{"refreshSupport":true},"symbol":{"dynamicRegistration":true,"resolveSupport":{"properties":["location.range"]},"symbolKind":{"valueSet":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26]},"tagSupport":{"valueSet":[1]}},"workspaceEdit":{"changeAnnotationSupport":{"groupsOnLabel":true},"documentChanges":true,"failureHandling":"textOnlyTransactional","normalizesLineEndings":true,"resourceOperations":["create","rename","delete"]},"workspaceFolders":true}},"clientInfo":{"name":"Visual Studio Code","version":"1.98.1"},"initializationOptions":{"clangdFileStatus":true,"fallbackFlags":[]},"locale":"en","processId":419726,"rootPath":"/tmp/export/input_3/workspace","rootUri":"file:///tmp/export/input_3/workspace","trace":"off","workspaceFolders":[{"name":"workspace","uri":"file:///tmp/export/input_3/workspace"}]}}

I[08:51:30.232] <-- initialize(0)
I[08:51:30.260] --> reply:initialize(0) 27 ms
V[08:51:30.260] >>> {"id":0,"jsonrpc":"2.0","result":{"capabilities":{"astProvider":true,"callHierarchyProvider":true,"clangdInlayHintsProvider":true,"codeActionProvider":{"codeActionKinds":["quickfix","refactor","info"]},"compilationDatabase":{"automaticReload":true},"completionProvider":{"resolveProvider":false,"triggerCharacters":[".","<",">",":","\"","/","*"]},"declarationProvider":true,"definitionProvider":true,"documentFormattingProvider":true,"documentHighlightProvider":true,"documentLinkProvider":{"resolveProvider":false},"documentOnTypeFormattingProvider":{"firstTriggerCharacter":"\n","moreTriggerCharacter":[]},"documentRangeFormattingProvider":true,"documentSymbolProvider":true,"executeCommandProvider":{"commands":["clangd.applyFix","clangd.applyRename","clangd.applyTweak"]},"foldingRangeProvider":true,"hoverProvider":true,"implementationProvider":true,"inactiveRegionsProvider":true,"inlayHintProvider":true,"memoryUsageProvider":true,"referencesProvider":true,"renameProvider":{"prepareProvider":true},"selectionRangeProvider":true,"semanticTokensProvider":{"full":{"delta":true},"legend":{"tokenModifiers":["declaration","definition","deprecated","deduced","readonly","static","abstract","virtual","dependentName","defaultLibrary","usedAsMutableReference","usedAsMutablePointer","constructorOrDestructor","userDefined","functionScope","classScope","fileScope","globalScope"],"tokenTypes":["variable","variable","parameter","function","method","function","property","variable","class","interface","enum","enumMember","type","type","unknown","namespace","typeParameter","concept","type","macro","modifier","operator","bracket","label","comment"]},"range":false},"signatureHelpProvider":{"triggerCharacters":["(",")","{","}","<",">",","]},"standardTypeHierarchyProvider":true,"textDocumentSync":{"change":2,"openClose":true,"save":true},"typeDefinitionProvider":true,"typeHierarchyProvider":true,"workspaceSymbolProvider":true},"serverInfo":{"name":"clangd","version":"clangd version 20.1.0 (https://github.com/llvm/llvm-project.git 24a30daaa559829ad079f2ff7f73eb4e18095f88) linux+debug+asan x86_64-unknown-linux-gnu"}}}

V[08:51:30.260] <<< {"jsonrpc":"2.0","method":"initialized","params":{}}

I[08:51:30.260] <-- initialized
V[08:51:30.261] <<< {"jsonrpc":"2.0","method":"textDocument/didOpen","params":{"textDocument":{"languageId":"c","text":"int main(int argc, char **argv) {\n// {{'กssss'?}}\n  \n  return  423;\n}\n","uri":"file:///tmp/export/input_3/workspace/main.c","version":356}}}

I[08:51:30.261] &lt;-- textDocument/didOpen
I[08:51:30.263] Failed to find compilation database for /tmp/export/input_3/workspace/main.c
I[08:51:30.263] ASTWorker building file /tmp/export/input_3/workspace/main.c version 356 with command clangd fallback
[/tmp/export/input_3/workspace]
/usr/bin/clang -resource-dir=/llvm/build/lib/clang/20 -- /tmp/export/input_3/workspace/main.c
V[08:51:30.267] Driver produced command: cc1 -cc1 -triple x86_64-unknown-linux-gnu -fsyntax-only -disable-free -clear-ast-before-backend -main-file-name main.c -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/tmp/export/input_3/workspace -fcoverage-compilation-dir=/tmp/export/input_3/workspace -resource-dir /llvm/build/lib/clang/20 -internal-isystem /llvm/build/lib/clang/20/include -internal-isystem /usr/local/include -internal-isystem /usr/bin/../lib/gcc/x86_64-redhat-linux/11/../../../../x86_64-redhat-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -ferror-limit 19 -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -no-round-trip-args -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -x c /tmp/export/input_3/workspace/main.c
I[08:51:30.267] --> textDocument/clangd.fileStatus
V[08:51:30.267] >>> {"jsonrpc":"2.0","method":"textDocument/clangd.fileStatus","params":{"state":"parsing includes, running Update","uri":"file:///tmp/export/input_3/workspace/main.c"}}

V[08:51:30.268] Building first preamble for /tmp/export/input_3/workspace/main.c version 356
I[08:51:30.282] Built preamble of size 266776 for file /tmp/export/input_3/workspace/main.c version 356 in 0.01 seconds
I[08:51:30.283] --> workspace/semanticTokens/refresh(0)
I[08:51:30.283] --> textDocument/clangd.fileStatus
V[08:51:30.283] >>> {"id":0,"jsonrpc":"2.0","method":"workspace/semanticTokens/refresh","params":null}

V[08:51:30.283] >>> {"jsonrpc":"2.0","method":"textDocument/clangd.fileStatus","params":{"state":"parsing includes, running Build AST","uri":"file:///tmp/export/input_3/workspace/main.c"}}

V[08:51:30.283] <<< {"id":0,"jsonrpc":"2.0","result":null}

I[08:51:30.283] <-- reply(0)
V[08:51:30.285] indexed preamble AST for /tmp/export/input_3/workspace/main.c version 356:
  symbol slab: 0 symbols, 120 bytes
  ref slab: 0 symbols, 0 refs, 128 bytes
  relations slab: 0 relations, 24 bytes
I[08:51:30.303] Indexing c17 standard library in the context of /tmp/export/input_3/workspace/main.c
V[08:51:30.304] indexed file AST for /tmp/export/input_3/workspace/main.c version 356:
  symbol slab: 1 symbols, 4448 bytes
  ref slab: 1 symbols, 1 refs, 4248 bytes
  relations slab: 0 relations, 24 bytes
V[08:51:30.304] Build dynamic index for main-file symbols with estimated memory usage of 11520 bytes
I[08:51:30.304] --> textDocument/publishDiagnostics
V[08:51:30.304] >>> {"jsonrpc":"2.0","method":"textDocument/publishDiagnostics","params":{"diagnostics":[],"uri":"file:///tmp/export/input_3/workspace/main.c","version":356}}

...

V[08:51:58.954] <<< {"id":10,"jsonrpc":"2.0","method":"textDocument/completion","params":{"context":{"triggerKind":1},"position":{"character":0,"line":2},"textDocument":{"uri":"file:///tmp/export/input_3/workspace/main.c"}}}

I[08:51:58.954] <-- textDocument/completion(10)
=================================================================
==435398==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000002500298 at pc 0x00000ba59740 bp 0x7fff57b42600 sp 0x7fff57b425f8
READ of size 1 at 0x000002500298 thread T135
    #0 0xba5973f in clang::clangd::CharType clang::clangd::packedLookup<clang::clangd::CharType>(unsigned char const*, int) /llvm/clang-tools-extra/clangd/FuzzyMatch.cpp:152:26
    #1 0xba5973f in clang::clangd::calculateRoles(llvm::StringRef, llvm::MutableArrayRef<clang::clangd::CharRole>) /llvm/clang-tools-extra/clangd/FuzzyMatch.cpp:168:12
    #2 0xbcf7d13 in clang::clangd::collectWords(llvm::StringRef) /llvm/clang-tools-extra/clangd/SourceCode.cpp:878:3
    #3 0xb898be4 in clang::clangd::(anonymous namespace)::CodeCompleteFlow::populateContextWords(llvm::StringRef) /llvm/clang-tools-extra/clangd/CodeComplete.cpp:1813:20
    #4 0xb893f07 in clang::clangd::(anonymous namespace)::CodeCompleteFlow::run(clang::clangd::(anonymous namespace)::SemaCompleteInput const&) && /llvm/clang-tools-extra/clangd/CodeComplete.cpp:1637:5
    #5 0xb893f07 in clang::clangd::codeComplete(llvm::StringRef, clang::clangd::Position, clang::clangd::PreambleData const*, clang::clangd::ParseInputs const&, clang::clangd::CodeCompleteOptions, clang::clangd::SpeculativeFuzzyFind*) /llvm/clang-tools-extra/clangd/CodeComplete.cpp:2289:32
    #6 0xb81e59d in clang::clangd::ClangdServer::codeComplete(llvm::StringRef, clang::clangd::Position, clang::clangd::CodeCompleteOptions const&, llvm::unique_function<void (llvm::Expected<clang::clangd::CodeCompleteResult>)>)::$_0::operator()(llvm::Expected<clang::clangd::InputsAndPreamble>) /llvm/clang-tools-extra/clangd/ClangdServer.cpp:460:33
    #7 0xb81e59d in void llvm::detail::UniqueFunctionBase<void, llvm::Expected<clang::clangd::InputsAndPreamble>>::CallImpl<clang::clangd::ClangdServer::codeComplete(llvm::StringRef, clang::clangd::Position, clang::clangd::CodeCompleteOptions const&, llvm::unique_function<void (llvm::Expected<clang::clangd::CodeCompleteResult>)>)::$_0>(void*, llvm::Expected<clang::clangd::InputsAndPreamble>&) /llvm/llvm/include/llvm/ADT/FunctionExtras.h:222:12
    #8 0xbd25e53 in llvm::unique_function<void (llvm::Expected<clang::clangd::InputsAndPreamble>)>::operator()(llvm::Expected<clang::clangd::InputsAndPreamble>) /llvm/llvm/include/llvm/ADT/FunctionExtras.h:387:12
    #9 0xbd25e53 in clang::clangd::TUScheduler::runWithPreamble(llvm::StringRef, llvm::StringRef, clang::clangd::TUScheduler::PreambleConsistency, llvm::unique_function<void (llvm::Expected<clang::clangd::InputsAndPreamble>)>)::$_0::operator()() /llvm/clang-tools-extra/clangd/TUScheduler.cpp:1811:5
    #10 0xbd25e53 in void llvm::detail::UniqueFunctionBase<void>::CallImpl<clang::clangd::TUScheduler::runWithPreamble(llvm::StringRef, llvm::StringRef, clang::clangd::TUScheduler::PreambleConsistency, llvm::unique_function<void (llvm::Expected<clang::clangd::InputsAndPreamble>)>)::$_0>(void*) /llvm/llvm/include/llvm/ADT/FunctionExtras.h:222:12
    #11 0xc0a134d in llvm::unique_function<void ()>::operator()() /llvm/llvm/include/llvm/ADT/FunctionExtras.h:387:12
    #12 0xc0a134d in clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1::operator()() /llvm/clang-tools-extra/clangd/support/Threading.cpp:101:5
    #13 0xc0a134d in auto void llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*)::'lambda'(auto&&, auto&&...)::operator()<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1&>(auto&&, auto&&...) const /llvm/llvm/include/llvm/Support/thread.h:43:11
    #14 0xc0a134d in auto std::__invoke_impl<void, void llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*)::'lambda'(auto&&, auto&&...), clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1&>(std::__invoke_other, void llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*)::'lambda'(auto&&, auto&&...)&&, clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/invoke.h:61:14
    #15 0xc0a134d in std::__invoke_result<auto, auto...>::type std::__invoke<void llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*)::'lambda'(auto&&, auto&&...), clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1&>(auto&&, auto&&...) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/bits/invoke.h:96:14
    #16 0xc0a134d in decltype(auto) std::__apply_impl<void llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*)::'lambda'(auto&&, auto&&...), std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>&, 0ul>(auto&&, std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>&, std::integer_sequence<unsigned long, 0ul>) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/tuple:2302:14
    #17 0xc0a134d in decltype(auto) std::apply<void llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*)::'lambda'(auto&&, auto&&...), std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>&>(auto&&, std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>&) /opt/rh/gcc-toolset-13/root/usr/lib/gcc/x86_64-redhat-linux/13/../../../../include/c++/13/tuple:2313:14
    #18 0xc0a134d in void llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*) /llvm/llvm/include/llvm/Support/thread.h:41:5
    #19 0xc0a134d in void* llvm::thread::ThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>>(void*) /llvm/llvm/include/llvm/Support/thread.h:55:5
    #20 0x837269c in asan_thread_start(void*) crtstuff.c
    #21 0x7ffff7b0bd21 in start_thread (/lib64/libc.so.6+0x89d21) (BuildId: d78a44ae94f1d320342e0ff6c2315b2b589063f8)
    #22 0x7ffff7b90d3f in __GI___clone3 (/lib64/libc.so.6+0x10ed3f) (BuildId: d78a44ae94f1d320342e0ff6c2315b2b589063f8)

0x000002500298 is located 8 bytes before global variable 'clang::clangd::CharTypes' defined in '/llvm/clang-tools-extra/clangd/FuzzyMatch.cpp:114' (0x25002a0) of size 64
0x000002500298 is located 28 bytes after global variable '__PRETTY_FUNCTION__._ZN5clang6clangd14calculateRolesEN4llvm9StringRefENS1_15MutableArrayRefINS0_8CharRoleEEE' defined in '/llvm/clang-tools-extra/clangd/FuzzyMatch.cpp:156' (0x2500220) of size 92
  '__PRETTY_FUNCTION__._ZN5clang6clangd14calculateRolesEN4llvm9StringRefENS1_15MutableArrayRefINS0_8CharRoleEEE' is ascii string 'CharTypeSet clang::clangd::calculateRoles(llvm::StringRef, llvm::MutableArrayRef<CharRole>)'
SUMMARY: AddressSanitizer: global-buffer-overflow /llvm/clang-tools-extra/clangd/FuzzyMatch.cpp:152:26 in clang::clangd::CharType clang::clangd::packedLookup<clang::clangd::CharType>(unsigned char const*, int)
Shadow bytes around the buggy address:
  0x000002500000: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000002500080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000002500100: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000002500180: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 06 f9 f9
  0x000002500200: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 04
=>0x000002500280: f9 f9 f9[f9]00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x000002500300: 00 00 f9 f9 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9
  0x000002500380: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000002500400: 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000002500480: 06 f9 f9 f9 03 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9
  0x000002500500: 00 00 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T135 created by T0 here:
    #0 0x835be55 in pthread_create (/llvm/build/bin/clangd+0x835be55) (BuildId: dd254a849ebc49d7)
    #1 0x89541e8 in llvm::llvm_execute_on_thread_impl(void* (*)(void*), void*, std::optional<unsigned int>) /llvm/llvm/lib/Support/Unix/Threading.inc:96:17
    #2 0xc0a0fc1 in llvm::thread::thread<clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1>(std::optional<unsigned int>, clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>)::$_1&&) /llvm/llvm/include/llvm/Support/thread.h:131:12
    #3 0xc0a0fc1 in clang::clangd::AsyncTaskRunner::runAsync(llvm::Twine const&, llvm::unique_function<void ()>) /llvm/clang-tools-extra/clangd/support/Threading.cpp:107:16
    #4 0xbd55bb1 in clang::clangd::TUScheduler::runWithPreamble(llvm::StringRef, llvm::StringRef, clang::clangd::TUScheduler::PreambleConsistency, llvm::unique_function<void (llvm::Expected<clang::clangd::InputsAndPreamble>)>) /llvm/clang-tools-extra/clangd/TUScheduler.cpp:1814:18
    #5 0xb835c07 in clang::clangd::ClangdServer::codeComplete(llvm::StringRef, clang::clangd::Position, clang::clangd::CodeCompleteOptions const&, llvm::unique_function<void (llvm::Expected<clang::clangd::CodeCompleteResult>)>) /llvm/clang-tools-extra/clangd/ClangdServer.cpp:478:18
    #6 0xb75f4a7 in clang::clangd::ClangdLSPServer::onCompletion(clang::clangd::CompletionParams const&, llvm::unique_function<void (llvm::Expected<clang::clangd::CompletionList>)>) /llvm/clang-tools-extra/clangd/ClangdLSPServer.cpp:1133:11
    #7 0xb7ca1e7 in void clang::clangd::LSPBinder::method<clang::clangd::CompletionParams, clang::clangd::CompletionList, clang::clangd::ClangdLSPServer>(llvm::StringLiteral, clang::clangd::ClangdLSPServer*, void (clang::clangd::ClangdLSPServer::*)(clang::clangd::CompletionParams const&, llvm::unique_function<void (llvm::Expected<clang::clangd::CompletionList>)>))::'lambda'(llvm::json::Value, llvm::unique_function<void (llvm::Expected<llvm::json::Value>)>)::operator()(llvm::json::Value, llvm::unique_function<void (llvm::Expected<llvm::json::Value>)>) const /llvm/clang-tools-extra/clangd/LSPBinder.h:141:5
    #8 0xb7c9c92 in void llvm::detail::UniqueFunctionBase<void, llvm::json::Value, llvm::unique_function<void (llvm::Expected<llvm::json::Value>)>>::CallImpl<void clang::clangd::LSPBinder::method<clang::clangd::CompletionParams, clang::clangd::CompletionList, clang::clangd::ClangdLSPServer>(llvm::StringLiteral, clang::clangd::ClangdLSPServer*, void (clang::clangd::ClangdLSPServer::*)(clang::clangd::CompletionParams const&, llvm::unique_function<void (llvm::Expected<clang::clangd::CompletionList>)>))::'lambda'(llvm::json::Value, llvm::unique_function<void (llvm::Expected<llvm::json::Value>)>)>(void*, llvm::json::Value&, llvm::unique_function<void (llvm::Expected<llvm::json::Value>)>&) /llvm/llvm/include/llvm/ADT/FunctionExtras.h:222:12
    #9 0xb7e2d09 in llvm::unique_function<void (llvm::json::Value, llvm::unique_function<void (llvm::Expected<llvm::json::Value>)>)>::operator()(llvm::json::Value, llvm::unique_function<void (llvm::Expected<llvm::json::Value>)>) /llvm/llvm/include/llvm/ADT/FunctionExtras.h:387:12
    #10 0xb7e2d09 in clang::clangd::ClangdLSPServer::MessageHandler::onCall(llvm::StringRef, llvm::json::Value, llvm::json::Value) /llvm/clang-tools-extra/clangd/ClangdLSPServer.cpp:243:7
    #11 0xbb379b2 in clang::clangd::(anonymous namespace)::JSONTransport::handleMessage(llvm::json::Value, clang::clangd::Transport::MessageHandler&) /llvm/clang-tools-extra/clangd/JSONTransport.cpp:194:20
    #12 0xbb379b2 in clang::clangd::(anonymous namespace)::JSONTransport::loop(clang::clangd::Transport::MessageHandler&) /llvm/clang-tools-extra/clangd/JSONTransport.cpp:119:16
    #13 0xb7ecbc9 in clang::clangd::ClangdLSPServer::run() /llvm/clang-tools-extra/clangd/ClangdLSPServer.cpp:1741:25
    #14 0xb615935 in clang::clangd::clangdMain(int, char**) /llvm/clang-tools-extra/clangd/tool/ClangdMain.cpp:1049:28
    #15 0x7ffff7aab5cf in __libc_start_call_main (/lib64/libc.so.6+0x295cf) (BuildId: d78a44ae94f1d320342e0ff6c2315b2b589063f8)

==435398==ABORTING

@EugeneZelenko EugeneZelenko added the crash Prefer [crash-on-valid] or [crash-on-invalid] label Mar 20, 2025
@HighCommander4
Collaborator

Where can one get a clangd build with ASAN enabled to test this?

@henryhchchc
Author

henryhchchc commented Mar 21, 2025

@HighCommander4

I compiled clangd with the following commands:

git clone --depth=1 --branch=llvmorg-20.1.0 https://github.com/llvm/llvm-project.git /llvm

mkdir /llvm/build
export LLVM_ROOT=/llvm

cd /llvm/build

CC=clang CXX=clang++ CFLAGS='-fsanitize=address' CXXFLAGS='-fsanitize=address' \
  cmake $LLVM_ROOT/llvm/ \
  -DCMAKE_BUILD_TYPE=RelWithDebInfo \
  -DLLVM_ENABLE_ASSERTIONS=ON \
  -DLLVM_ENABLE_PROJECTS="clang;clang-tools-extra" \
  -DLLVM_ENABLE_LTO=true \
  -DLLVM_USE_LINKER=lld

CC=clang CXX=clang++ CFLAGS='-fsanitize=address' CXXFLAGS='-fsanitize=address' \
  cmake --build . --target clangd

Do you want me to upload the binary to facilitate testing?
