Issue 83671
Summary [Clang] 19.0.0 SIGSEGV due to NULL pointer dereference caused by receiving a NULL `BaseDecl` at EmptySubobjectMap::ComputeEmptySubobjectSizes()
Labels clang
Assignees
Reporter bjrjk
Note: This is related to the dump record layout feature with option `-Xclang -fdump-record-layouts-complete`.

When I use that option to dump a `class` or `struct` layout, clang crashes with a SIGSEGV signal.

Crashsite Screenshot:
![crashsite](https://github.com/llvm/llvm-project/assets/6657270/7a8a9354-e84c-4f73-82f6-4657852b89bd)

Through my simple debugging, I found the problem might be related to `EmptySubobjectMap::ComputeEmptySubobjectSizes()` in `clang/lib/AST/RecordLayoutBuilder.cpp`.

```cpp
void EmptySubobjectMap::ComputeEmptySubobjectSizes() {
  // Check the bases.
  for (const CXXBaseSpecifier &Base : Class->bases()) {
    const CXXRecordDecl *BaseDecl = Base.getType()->getAsCXXRecordDecl(); // [!]

    CharUnits EmptySize;
    const ASTRecordLayout &Layout = Context.getASTRecordLayout(BaseDecl); // [1]
    if (BaseDecl->isEmpty()) {
      // If the class decl is empty, get its size.
      EmptySize = Layout.getSize();
    } else {
      // Otherwise, we get the largest empty subobject for the decl.
      EmptySize = Layout.getSizeOfLargestEmptySubobject();
    }

    if (EmptySize > SizeOfLargestEmptySubobject)
      SizeOfLargestEmptySubobject = EmptySize;
  }

  // Check the fields.
  for (const FieldDecl *FD : Class->fields()) {
    const RecordType *RT =
        Context.getBaseElementType(FD->getType())->getAs<RecordType>();

    // We only care about record types.
    if (!RT)
      continue;

    CharUnits EmptySize;
    const CXXRecordDecl *MemberDecl = RT->getAsCXXRecordDecl();
    const ASTRecordLayout &Layout = Context.getASTRecordLayout(MemberDecl);
    if (MemberDecl->isEmpty()) {
      // If the class decl is empty, get its size.
      EmptySize = Layout.getSize();
    } else {
      // Otherwise, we get the largest empty subobject for the decl.
      EmptySize = Layout.getSizeOfLargestEmptySubobject();
    }

    if (EmptySize > SizeOfLargestEmptySubobject)
      SizeOfLargestEmptySubobject = EmptySize;
  }
}
```

At position `[!]`, `Base.getType()->getAsCXXRecordDecl()` returns a NULL pointer, which then causes a crash in `Context.getASTRecordLayout(BaseDecl)` at position `[1]`.

Nullptr introduction site screenshot:
![nullptr-introduce](https://github.com/llvm/llvm-project/assets/6657270/662d7379-819c-405d-978b-e68dc8f9a266)

This is the crash site, including the crash backtrace, preprocessed source, and associated run script.
[crashsite.zip](https://github.com/llvm/llvm-project/files/14469084/crashsite.zip)

Thanks!
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs
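To make the failure mode in the report concrete, the following is an added, self-contained C++ model of the loop at `[!]`/`[1]`; it is not clang's code and not the upstream fix. `RecordDecl`, `BaseSpecifier`, `emptySizeOf` and the sample values are constructed stand-ins for clang's `CXXRecordDecl`, `CXXBaseSpecifier` and `ASTRecordLayout`; a `nullptr` `decl` models `getAsCXXRecordDecl()` returning NULL. The unchecked function has the same shape as the reported loop and dereferences the base decl without a check; `hasUnresolvedBase` is the precondition a caller can test first, and the guarded variant skips unresolved bases instead of dereferencing them. Whether skipping is the correct semantics for the layout builder is an assumption of this illustration, not something the report establishes.

```cpp
#include <cstddef>
#include <vector>

// Constructed model of the data the reported loop walks; these are not clang's
// types. A RecordDecl carries the two layout quantities the loop reads.
struct RecordDecl {
  bool empty;                         // isEmpty()
  std::size_t size;                   // Layout.getSize()
  std::size_t largestEmptySubobject;  // Layout.getSizeOfLargestEmptySubobject()
};

// A base specifier whose type may fail to resolve to a record declaration.
// nullptr here models getAsCXXRecordDecl() returning NULL at position [!].
struct BaseSpecifier {
  const RecordDecl *decl;
};

// Size contributed by one resolved base, mirroring the if/else in the report.
static std::size_t emptySizeOf(const RecordDecl &d) {
  return d.empty ? d.size : d.largestEmptySubobject;
}

// Unchecked form: same shape as the loop in the report. With an unresolved
// base this dereferences nullptr, which is the SIGSEGV the reporter observed.
std::size_t largestEmptySubobjectUnchecked(const std::vector<BaseSpecifier> &bases) {
  std::size_t largest = 0;
  for (const BaseSpecifier &b : bases) {
    std::size_t s = emptySizeOf(*b.decl);  // no null check, as at [1]
    if (s > largest) largest = s;
  }
  return largest;
}

// Precondition check a caller can run first: does any base fail to resolve?
bool hasUnresolvedBase(const std::vector<BaseSpecifier> &bases) {
  for (const BaseSpecifier &b : bases)
    if (b.decl == nullptr) return true;
  return false;
}

// Guarded form: unresolved bases are skipped rather than dereferenced. This is
// a hypothetical guard for illustration, not clang's fix; whether skipping is
// the right semantics for the layout builder is outside what the report shows.
std::size_t largestEmptySubobjectGuarded(const std::vector<BaseSpecifier> &bases) {
  std::size_t largest = 0;
  for (const BaseSpecifier &b : bases) {
    if (!b.decl) continue;  // the check missing at [!]
    std::size_t s = emptySizeOf(*b.decl);
    if (s > largest) largest = s;
  }
  return largest;
}

// Constructed sample: an empty base of size 1, a non-empty base whose largest
// empty subobject is 4, and optionally one unresolved base.
static const RecordDecl kEmptyBase{true, 1, 0};
static const RecordDecl kNonEmptyBase{false, 16, 4};

std::vector<BaseSpecifier> sampleBases(bool includeUnresolved) {
  std::vector<BaseSpecifier> v{{&kEmptyBase}, {&kNonEmptyBase}};
  if (includeUnresolved) v.push_back({nullptr});
  return v;
}

int main() {
  std::vector<BaseSpecifier> ok = sampleBases(false);
  std::vector<BaseSpecifier> bad = sampleBases(true);
  // The unchecked version is only safe once every base is known to resolve.
  if (!hasUnresolvedBase(ok)) largestEmptySubobjectUnchecked(ok);
  // The guarded version tolerates the unresolved base and still yields 4.
  largestEmptySubobjectGuarded(bad);
  return 0;
}
```

Running the unchecked function on `sampleBases(true)` reproduces the shape of the reported crash (a null dereference), which is why the model keeps the check and the guarded loop separate: the check answers "can this input reach `[1]` safely?", the guard answers "what does the loop do if it cannot?".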
