[clang-fuzzer] Crash in `clang::ASTContext::getTypeInfo`

[gal1ium]

Hi, while testing clang by the fuzzing driver clang-fuzzer, it found a crashing case:

Version: 531fd45

Flags:

mkdir build
cd build
cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_PROJECTS="lld;clang;compiler-rt" ../llvm -DLLVM_ENABLE_ASSERTIONS=ON -DLLVM_BUILD_RUNTIME=Off -DLLVM_BUILD_INSTRUMENTED_COVERAGE=On -DCLANG_ENABLE_PROTO_FUZZER=ON
ninja clang-fuzzer

PoC:

template<typename...Ts>oid Pac00nsideLocal0lass(){[]{f class L0{Ts t};L0 l}}template oid Pac00nsideLocal0lass<>(;

Reproduction:
./bin/clang-fuzzer ./poc

Crashing thread backtrace: (it looks like a recursive stack overflow)

#0  0x000055555cac9623 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1966

#1  0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#2  0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#3  0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#4  0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#5  0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#6  0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#7  0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#8  0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#9  0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#10 0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#11 0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#12 0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#13 0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#14 0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#15 0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#16 0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#17 0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#18 0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#19 0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

[llvmbot]

@llvm/issue-subscribers-clang-frontend

Author: None (gal1ium)

Hi, while testing clang by the fuzzing driver `clang-fuzzer`, it found a crashing case:

Version: 531fd45

Flags:

mkdir build
cd build
cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_PROJECTS="lld;clang;compiler-rt" ../llvm -DLLVM_ENABLE_ASSERTIONS=ON -DLLVM_BUILD_RUNTIME=Off -DLLVM_BUILD_INSTRUMENTED_COVERAGE=On -DCLANG_ENABLE_PROTO_FUZZER=ON
ninja clang-fuzzer

PoC:

template<typename...Ts>oid Pac00nsideLocal0lass(){[]{f class L0{Ts t};L0 l}}template oid Pac00nsideLocal0lass<>(;

Reproduction:
./bin/clang-fuzzer ./poc

Crashing thread backtrace: (it looks like a recursive stack overflow)

#<!-- -->0  0x000055555cac9623 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1966

#<!-- -->1  0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#<!-- -->2  0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#<!-- -->3  0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#<!-- -->4  0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#<!-- -->5  0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#<!-- -->6  0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#<!-- -->7  0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#<!-- -->8  0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#<!-- -->9  0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#<!-- -->10 0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#<!-- -->11 0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#<!-- -->12 0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#<!-- -->13 0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#<!-- -->14 0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#<!-- -->15 0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#<!-- -->16 0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#<!-- -->17 0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

#<!-- -->18 0x000055555cac97e7 in clang::ASTContext::getTypeInfo (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:1972

#<!-- -->19 0x000055555cae481f in clang::ASTContext::getTypeInfoImpl (fuzz-binaries/clang-fuzzer)
                       at /src/llvm/clang/lib/AST/ASTContext.cpp:2465

[gal1ium]

This one goes back to clang-9 with the following assertion and stack dump from https://godbolt.org/z/vxoxsx9Ts

clang-9: /root/llvm-project/clang/lib/Sema/SemaTemplateVariadic.cpp:393: bool clang::Sema::DiagnoseUnexpandedParameterPack(clang::Expr*, clang::Sema::UnexpandedParameterPackContext): Assertion `!Unexpanded.empty() && "Unable to find unexpanded parameter packs"' failed.
Stack dump:
...
 #0 0x00005a43637249aa llvm::sys::PrintStackTrace(llvm::raw_ostream&) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x2d249aa)
...
#10 0x00005a4364ea1197 clang::Sema::ActOnFinishFullExpr(clang::Expr*, clang::SourceLocation, bool, bool) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x44a1197)
#11 0x00005a43650179d4 clang::Sema::ActOnExprStmt(clang::ActionResult<clang::Expr*, true>, bool) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x46179d4)
#12 0x00005a4364b9a7f3 clang::Parser::ParseExprStatement(clang::Parser::ParsedStmtContext) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x419a7f3)
#13 0x00005a4364b9b090 clang::Parser::ParseStatementOrDeclarationAfterAttributes(llvm::SmallVector<clang::Stmt*, 32u>&, clang::Parser::ParsedStmtContext, clang::SourceLocation*, clang::Parser::ParsedAttributesWithRange&) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x419b090)
#14 0x00005a4364b9b9e9 clang::Parser::ParseStatementOrDeclaration(llvm::SmallVector<clang::Stmt*, 32u>&, clang::Parser::ParsedStmtContext, clang::SourceLocation*) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x419b9e9)
#15 0x00005a4364b9f3f1 clang::Parser::ParseCompoundStatementBody(bool) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x419f3f1)
#16 0x00005a4364ba181b clang::Parser::ParseFunctionStatementBody(clang::Decl*, clang::Parser::ParseScope&) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x41a181b)
#17 0x00005a4364b1973c clang::Parser::ParseFunctionDefinition(clang::ParsingDeclarator&, clang::Parser::ParsedTemplateInfo const&, clang::Parser::LateParsedAttrList*) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x411973c)
#18 0x00005a4364bb2e89 clang::Parser::ParseSingleDeclarationAfterTemplate(clang::DeclaratorContext, clang::Parser::ParsedTemplateInfo const&, clang::ParsingDeclRAIIObject&, clang::SourceLocation&, clang::ParsedAttributes&, clang::AccessSpecifier) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x41b2e89)
#19 0x00005a4364bb3897 clang::Parser::ParseTemplateDeclarationOrSpecialization(clang::DeclaratorContext, clang::SourceLocation&, clang::ParsedAttributes&, clang::AccessSpecifier) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x41b3897)
#20 0x00005a4364bb3e49 clang::Parser::ParseDeclarationStartingWithTemplate(clang::DeclaratorContext, clang::SourceLocation&, clang::ParsedAttributes&, clang::AccessSpecifier) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x41b3e49)
#21 0x00005a4364b3c397 clang::Parser::ParseDeclaration(clang::DeclaratorContext, clang::SourceLocation&, clang::Parser::ParsedAttributesWithRange&) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x413c397)
#22 0x00005a4364b1af9a clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x411af9a)
#23 0x00005a4364b1c2b9 clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&, bool) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x411c2b9)
#24 0x00005a4364b1c657 clang::Parser::ParseFirstTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x411c657)
#25 0x00005a4364b120a6 clang::ParseAST(clang::Sema&, bool, bool) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x41120a6)
#26 0x00005a43644d5be8 clang::CodeGenAction::ExecuteAction() (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x3ad5be8)
#27 0x00005a4363e05ec9 clang::FrontendAction::Execute() (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x3405ec9)
#28 0x00005a4363dc9fc1 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x33c9fc1)
#29 0x00005a4363eb086f clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x34b086f)
#30 0x00005a4361a4a36f cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0x104a36f)
#31 0x00005a43619b35a9 main (/cefs/47/47da702b3b994998a316a0fc_consolidated/compilers_c++_clang_assertions-9.0.0/bin/clang-9+0xfb35a9)
...
clang-9: error: unable to execute command: Aborted (core dumped)
clang-9: error: clang frontend command failed due to signal (use -v to see invocation)
Compiler returned: 254