CastExpr conversion function decl is sometimes corrupt · Issue #53044 · llvm/llvm-project
This is a problem that surfaced in IWYU recently.
I'm pretty sure it's difficult to provoke it in the compiler proper, since `CastExpr::getConversionFunction` is only called in a single place, for diagnostics. Tools built on Clang tooling and the recursive AST visitor can fall victim to it, however.
I have only been able to reproduce it on plain source code (not preprocessed), and only in conjunction with the fmt library (https://github.com/fmtlib/fmt). Attached is a minimal RAV tool and instructions to reproduce.
What makes me think this is somewhat critical is that `CastExpr::getConversionFunction` returns an `AccessSpecDecl` in this scenario, which breaks all sorts of AST and LLVM RTTI invariants. I suspect we're looking at garbage data for some reason. I have tried building ubsan+asan-instrumented LLVM/Clang, but without being able to track anything down.
Repro project: ravrepro.tar.gz.
Thankful for any ideas, let me know if I can add more information.
References:
- IWYU tracking bug: Bug: parsing /usr/lib/llvm-12/include/llvm/Support/Casting.h fails? include-what-you-use/include-what-you-use#951
- Potentially same/similar issue: AddressSanitizer use-after-poison error when optimisation is disabled #44317