
[clang-fuzzer] Crash in transformFunctionTypeParam #165560

Description

@gal1ium

Hi, while testing clang with the fuzzing driver clang-fuzzer, it found a crashing case:

Version: 531fd45

Flags:

mkdir build
cd build
cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_PROJECTS="lld;clang;compiler-rt" ../llvm -DLLVM_ENABLE_ASSERTIONS=ON -DLLVM_BUILD_RUNTIME=Off -DLLVM_BUILD_INSTRUMENTED_COVERAGE=On -DCLANG_ENABLE_PROTO_FUZZER=ON
ninja clang-fuzzer

PoC:

namespace
template<class T,class>truct er{using u0=T;template<c>truct Inner{nner(u0::n}}er<har,i0t>::Inner _

Reproduction:
./bin/clang-fuzzer ./poc

Crashing thread backtrace:

#0  0x000055555c28d5a6 in (anonymous namespace)::ConvertConstructorToDeductionGuideTransform::transformFunctionTypeParam (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Sema/SemaTemplateDeductionGuide.cpp:678

#1  0x000055555c2f4247 in (anonymous namespace)::ConvertConstructorToDeductionGuideTransform::transformFunctionProtoType (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Sema/SemaTemplateDeductionGuide.cpp:575

#2  0x000055555c2f4247 in (anonymous namespace)::ConvertConstructorToDeductionGuideTransform::transformConstructor (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Sema/SemaTemplateDeductionGuide.cpp:456

#3  0x000055555c2f9df8 in clang::Sema::DeclareImplicitDeductionGuides (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Sema/SemaTemplateDeductionGuide.cpp:1522

#4  0x000055555b7fc927 in DeclareImplicitMemberFunctionsWithName (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Sema/SemaLookup.cpp:1120

#5  0x000055555b87a36f in LookupDirect (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Sema/SemaLookup.cpp:1135

#6  0x000055555b83a882 in clang::Sema::LookupQualifiedName (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Sema/SemaLookup.cpp:2479

#7  0x000055555b7acc37 in clang::Sema::DeduceTemplateSpecializationFromInitializer (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Sema/SemaInit.cpp:10071

#8  0x000055555aec9281 in clang::Sema::deduceVarTypeFromInitializer (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/llvm/include/llvm/ADT/SmallVector.h:80

#9  0x000055555aee3d0d in clang::Sema::DeduceVariableDeclarationType (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/include/clang/AST/Decl.h:340

#10 0x000055555af1f79d in clang::Sema::ActOnUninitializedDecl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Sema/SemaDecl.cpp:14288

#11 0x000055555a032980 in clang::Parser::ParseDeclarationAfterDeclaratorAndAttributes (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Parse/ParseDecl.cpp:2717

#12 0x000055555a05ca4b in clang::Parser::ParseDeclGroup (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Parse/ParseDecl.cpp:2356

#13 0x0000555559fea9b0 in clang::Parser::ParseDeclOrFunctionDefInternal (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Parse/Parser.cpp:1187

#14 0x0000555559fec23b in clang::Parser::ParseDeclarationOrFunctionDefinition (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Parse/Parser.cpp:1209

#15 0x000055555a0024f0 in clang::Parser::ParseExternalDeclaration (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Parse/Parser.cpp:1032

#16 0x000055555a006d15 in clang::Parser::ParseTopLevelDecl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Parse/Parser.cpp:745

#17 0x0000555559fc003f in clang::ParseAST (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Parse/ParseAST.cpp:169

#18 0x0000555559ec1b28 in clang::ASTFrontendAction::ExecuteAction (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Frontend/FrontendAction.cpp:1432

#19 0x00005555564f8aa2 in clang::CodeGenAction::ExecuteAction (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/CodeGen/CodeGenAction.cpp:1109

#20 0x0000555559ed30d2 in clang::FrontendAction::Execute (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Frontend/FrontendAction.cpp:1312

#21 0x0000555559da3af8 in clang::CompilerInstance::ExecuteAction (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Frontend/CompilerInstance.cpp:1003

#22 0x0000555559d46f8e in clang::tooling::FrontendActionFactory::runInvocation (fuzz-binaries/clang-fuzzer)
                       443: bool clang::tooling::FrontendActionFactory::runInvocation(this = (clang::tooling::FrontendActionFactory * const)0x555561795b10, Invocation = (std::shared_ptr<clang::CompilerInvocation>)std::shared_ptr<clang::CompilerInvocation> (empty) = {get() = 0x0}, Files = (clang::FileManager *)0x555561771730, PCHContainerOps = (std::shared_ptr<clang::PCHContainerOperations>)std::shared_ptr<clang::PCHContainerOperations> (empty) = {get() = 0x0}, DiagConsumer = (clang::DiagnosticConsumer *)0x7fffffff99a0) {
                       |||:
                       ---: }
                       at /usr/include/c++/9/bits/unique_ptr.h:154

#23 0x00005555564db128 in clang_fuzzer::HandleCXX (fuzz-binaries/clang-fuzzer)
                         23: void clang_fuzzer::HandleCXX(S = (const std::string &)"namespace\ntemplate<class T,class>truct er{using u0=T;template<c>truct Inner{nner(u0::n}}er<har,i0t>::Inner _", FileName = (const char *)0x5555558e74b7 "./test.cc", ExtraArgs = (const std::vector<char const*, std::allocator<char const*> > &)std::vector of length 1, capacity 1 = {0x5555559613a3 "-O2"}) {
                       ||||:
                       1386:       template<typename _Yp, typename _Yp2 = typename remove_cv<_Yp>::type>
                       1387: 	typename enable_if<!__has_esft_base<_Yp2>::value>::type
                       1388: 	_M_enable_shared_from_this_with(_Yp*) noexcept
                       ||||:
                       ----: }
                       at /usr/include/c++/9/bits/shared_ptr_base.h:1388

#24 0x00005555564d3832 in LLVMFuzzerTestOneInput (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/tools/clang-fuzzer/ClangFuzzer.cpp:23
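When a fuzzing campaign against a compiler front end produces many reports like the one above, the first triage step is to turn each backtrace into a stable crash signature so duplicates can be bucketed before anyone reads them. The helper below is an added example, not part of this issue or of LLVM: it parses gdb-style frames of the form shown in this report (a `#N 0x... in FUNC (BINARY)` header followed by an `at FILE:LINE` location, possibly with debugger source-listing residue in between, as in frame #22), builds a signature from the top project frames, and reports the first location inside a project root. The sample backtrace is an excerpt copied from the report above; the `depth`, `noise` and `root` parameters and their defaults are assumptions chosen for this example.

```python
"""Triage helper: parse a gdb-style backtrace and derive a crash signature.

Added example for bucketing fuzzer crash reports; not LLVM code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Frame header, e.g.
#   "#3  0x000055555c2f9df8 in clang::Sema::DeclareImplicitDeductionGuides (fuzz-binaries/clang-fuzzer)"
# The function name may itself contain "(anonymous namespace)", so the binary
# is taken as the final parenthesised group at end of line.
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>.+?)\s+\((?P<bin>[^()]*)\)$"
)
# Location line that follows a frame header, e.g. "at /src/llvm/clang/lib/Sema/SemaLookup.cpp:1120"
LOC_RE = re.compile(r"^at\s+(?P<file>\S+):(?P<line>\d+)$")


@dataclass
class Frame:
    index: int
    function: str
    binary: str
    file: Optional[str] = None
    line: Optional[int] = None


def parse_backtrace(text: str) -> List[Frame]:
    """Return the frames of a gdb-style backtrace in order (innermost first)."""
    frames: List[Frame] = []
    current: Optional[Frame] = None
    for raw in text.splitlines():
        stripped = raw.strip()
        m = FRAME_RE.match(stripped)
        if m:
            current = Frame(int(m["idx"]), m["func"], m["bin"])
            frames.append(current)
            continue
        m = LOC_RE.match(stripped)
        # Source-listing residue ("443: bool ...", "|||:", "---: }") matches neither
        # pattern and is skipped; only the first "at" line after a header is kept.
        if m and current is not None and current.file is None:
            current.file = m["file"]
            current.line = int(m["line"])
    return frames


def normalize(function: str) -> str:
    """Strip decoration that varies between builds but not between duplicates."""
    return function.replace("(anonymous namespace)::", "")


def crash_signature(
    frames: List[Frame],
    depth: int = 3,
    noise: tuple = ("__sanitizer", "LLVMFuzzerTestOneInput"),
) -> str:
    """Join the top `depth` non-noise function names; equal strings => same bucket."""
    picked: List[str] = []
    for frame in frames:
        name = normalize(frame.function)
        if any(n in name for n in noise):
            continue
        picked.append(name)
        if len(picked) == depth:
            break
    return "|".join(picked)


def first_project_location(frames: List[Frame], root: str = "/src/llvm/clang/") -> Optional[str]:
    """First frame whose source file lives under `root` (skips inlined libstdc++/ADT frames)."""
    for frame in frames:
        if frame.file and frame.file.startswith(root):
            return f"{frame.file}:{frame.line}"
    return None


# Constructed sample: an excerpt of the backtrace from this report, including the
# listing residue around frame #22 to exercise the skipping logic.
SAMPLE_BACKTRACE = """\
#0  0x000055555c28d5a6 in (anonymous namespace)::ConvertConstructorToDeductionGuideTransform::transformFunctionTypeParam (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Sema/SemaTemplateDeductionGuide.cpp:678
#1  0x000055555c2f4247 in (anonymous namespace)::ConvertConstructorToDeductionGuideTransform::transformFunctionProtoType (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Sema/SemaTemplateDeductionGuide.cpp:575
#2  0x000055555c2f4247 in (anonymous namespace)::ConvertConstructorToDeductionGuideTransform::transformConstructor (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Sema/SemaTemplateDeductionGuide.cpp:456
#3  0x000055555c2f9df8 in clang::Sema::DeclareImplicitDeductionGuides (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/Sema/SemaTemplateDeductionGuide.cpp:1522
#22 0x0000555559d46f8e in clang::tooling::FrontendActionFactory::runInvocation (fuzz-binaries/clang-fuzzer)
                       443: bool clang::tooling::FrontendActionFactory::runInvocation(...) {
                       |||:
                       ---: }
                       at /usr/include/c++/9/bits/unique_ptr.h:154
#24 0x00005555564d3832 in LLVMFuzzerTestOneInput (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/tools/clang-fuzzer/ClangFuzzer.cpp:23
"""

if __name__ == "__main__":
    parsed = parse_backtrace(SAMPLE_BACKTRACE)
    print("signature:", crash_signature(parsed))
    print("location :", first_project_location(parsed))
```

Two reports with the same signature string are almost always the same bug and can be collapsed before reduction; keeping the first in-project location alongside the signature makes it easy to spot when an inlined frame (here the `unique_ptr.h` and `SmallVector.h` attributions) is hiding the real call site.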

Labels: clang:frontend (Language frontend issues, e.g. anything involving "Sema"), crash (Prefer [crash-on-valid] or [crash-on-invalid]), generated by fuzzer
