https://godbolt.org/z/avrxq5zb9
```cpp
res ok(bool cond) {
    if (cond) {
        co_return res{co_await foo_error()};
    } else {
        co_return res{5};
    }
}

res notok(bool cond) {
    co_return cond ? res{co_await foo_error()} : res{5};
}

int main() {
    ok(false);    // ok
    ok(true);     // ok
    notok(false); // ok
    notok(true);  // crash
}
```
results in:
```
=================================================================
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000001ae at pc 0x5555f4f0091e bp 0x7fff81013350 sp 0x7fff81013348
READ of size 1 at 0x6070000001ae thread T0
    #0 0x5555f4f0091d in notok(bool) /app/example.cpp:104:26
    #1 0x5555f4f013e5 in main /app/example.cpp:111:5
    #2 0x7f9da9a28082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #3 0x5555f4e2739d in _start (/app/output.s+0x1f39d)

0x6070000001ae is located 62 bytes inside of 72-byte region [0x607000000170,0x6070000001b8)
freed by thread T0 here:
    #0 0x5555f4efd30d in operator delete(void*) /root/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:152:3
    #1 0x5555f4f05442 in notok(bool) (.destroy) /app/example.cpp:103:5
    #2 0x5555f4f0a8f4 in std::__1::coroutine_handle<void>::destroy[abi:v160000]() const /opt/compiler-explorer/clang-trunk-20221123/bin/../include/c++/v1/__coroutine/coroutine_handle.h:84:9
    #3 0x5555f4f07554 in res_promise_type::await_transform(res)::Suspension::await_suspend(std::__1::coroutine_handle<void>) /app/example.cpp:73:22
    #4 0x5555f4f008da in notok(bool) /app/example.cpp:104:26
    #5 0x5555f4f013e5 in main /app/example.cpp:111:5
    #6 0x7f9da9a28082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)

previously allocated by thread T0 here:
    #0 0x5555f4efcaad in operator new(unsigned long) /root/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3
    #1 0x5555f4f00017 in notok(bool) /app/example.cpp:103:5
    #2 0x5555f4f013e5 in main /app/example.cpp:111:5
    #3 0x7f9da9a28082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)

SUMMARY: AddressSanitizer: heap-use-after-free /app/example.cpp:104:26 in notok(bool)
```