Issue 181749
Summary [Clang] Crash Behavior change from access violation reading source operand in Clang 20.1.2 to Bad Instruction execution in Clang 21.1.8
Labels clang
Assignees
Reporter apbenson00
    ### Bug
A crashing input that CASR marked as SourceAv (access violation on a source operand) in Clang 20.1.2 now triggers a Bad Instruction crash in Clang 21.1.8. The crash is reproducible with the same test file, but the crash type and severity changed. The bug was found using AFL++ and categorized using CASR. Note that both stack dumps below end with `fatal error: error in backend: IO failure on output stream: No space left on device`, so the reproduction should be repeated with free disk space to rule out the fatal-error exit path as the source of the signal that CASR classified.

### Code

[crash.c](https://github.com/user-attachments/files/25349817/crash.c)

### Command
```
clang crash.c
```
### Expected Output
Syntax errors and a graceful exit

### Actual Output
Clang 20.1.2 Error Message:
```
./min_cluster_32.c:1:1: error: unknown type name 'inrint'; did you mean 'inline'?
    1 | inrint // R%clang_cc1 -<F3>syntax-only %s 2> <U+0018>
      | ^~~~~~
      | inline
./min_cluster_32.c:2:1: error: unknown type name 'm'
    2 | m  x;mgm  x;m  rict-whitespace %s
      | ^
./min_cluster_32.c:1:1: error: 'inline' can only appear on functions
 1 | inrint // R%clang_cc1 -<F3>syntax-only %s 2> <U+0018>
      | ^
./min_cluster_32.c:2:6: error: unknown type name 'mgm'
    2 | m  x;mgm x;m  rict-whitespace %s
      |      ^
./min_cluster_32.c:2:13: error: unknown type name 'm'
    2 | m  x;mgm  x;m  rict-whitespace %s
      | ^
./min_cluster_32.c:2:20: error: expected ';' after top level declarator
    2 | m  x;mgm  x;m  rict-whitespace %s
      | ^
      |                    ;
./min_cluster_32.c:15:28: error: source file is not valid UTF-8
   15 | void printf(const char *a, <F2>*****\\...) __attribute__((__format__(__printf__, 1,52))00*000000000100110000);
      | ^
./min_cluster_32.c:15:34: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int]
   15 | void printf(const char *a, <F2>*****\\...) __attribute__((__format__(__printf__, 1,52))00*000000000100110000);
      | ^
      | int
./min_cluster_32.c:15:34: error: expected ')'
./min_cluster_32.c:15:12: note: to match this '('
   15 | void printf(const char *a, <F2>*****\\...) __attribute__((__format__(__printf__, 1,52))00*000000000100110000);
      | ^
./min_cluster_32.c:15:85: error: expected ')'
   15 | void printf(const char *a, <F2>*****\\...) __attribute__((__format__(__printf__, 1,52))00*000000000100110000);
      | ^
      | )
./min_cluster_32.c:15:6: warning: GCC requires a function with the '__format__' attribute to be variadic [-Wgcc-compat]
   15 | void printf(const char *a, <F2>*****\\...) __attribute__((__format__(__printf__, 1,52))00*000000000100110000);
      |      ^
./min_cluster_32.c:15:6: warning: incompatible redeclaration of library function 'printf' [-Wincompatible-library-redeclaration]
./min_cluster_32.c:15:6: note: 'printf' is a builtin with type 'int (const char *, ...)'
./min_cluster_32.c:12:10: error: incompatible integer to pointer conversion passing 'int' to parameter of type 'int *****' [-Wint-conversion]
   12 |          x);
      | ^
./min_cluster_32.c:15:34: note: passing argument to parameter here
   15 | void printf(const char *a, <F2>*****\\...) __attribute__((__format__(__printf__, 1,52))00*000000000100110000);
      | ^
./min_cluster_32.c:11:13: warning: invalid conversion specifier 'N' [-Wformat-invalid-specifier]
   11 | printf("%+NEXT: {{^}}  ine",
      |           ~~^
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.	Program arguments: /usr/lib/llvm-20/bin/clang -cc1 -triple x86_64-pc-linux-gnu -emit-obj -dumpdir a- -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name min_cluster_32.c -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/home/user/test -fcoverage-compilation-dir=/home/user/test -resource-dir /usr/lib/llvm-20/lib/clang/20 -internal-isystem /usr/lib/llvm-20/lib/clang/20/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -ferror-limit 19 -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fcolor-diagnostics -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/min_cluster_32-ec0522.o -x c ./min_cluster_32.c
1.	./min_cluster_32.c:12:11: current parser token ')'
2.	./min_cluster_32.c:10:15: parsing function body 'f'
3.	./min_cluster_32.c:10:15: in compound statement ('{}')
fatal error: error in backend: IO failure on output stream: No space left on device
```
Clang 21.1.8 Error Message:
```
./crash.c:1:1: error: unknown type name 'inrint'; did you mean 'inline'?
    1 | inrint // R%clang_cc1 -<F3>syntax-only %s 2> <U+0018>
      | ^~~~~~
      | inline
./crash.c:2:1: error: unknown type name 'm'
    2 | m  x;mgm  x;m rict-whitespace %s
      | ^
./crash.c:1:1: error: 'inline' can only appear on functions
    1 | inrint // R%clang_cc1 -<F3>syntax-only %s 2> <U+0018>
 | ^
./crash.c:2:6: error: unknown type name 'mgm'
    2 | m  x;mgm x;m  rict-whitespace %s
      |      ^
./crash.c:2:13: error: unknown type name 'm'
    2 | m  x;mgm  x;m  rict-whitespace %s
      | ^
./crash.c:2:20: error: expected ';' after top level declarator
    2 | m x;mgm  x;m  rict-whitespace %s
      |                    ^
      | ;
./crash.c:15:28: error: source file is not valid UTF-8
   15 | void printf(const char *a, <F2>*****\\...) __attribute__((__format__(__printf__, 1,52))00*000000000100110000);
      | ^
./crash.c:15:34: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int]
   15 | void printf(const char *a, <F2>*****\\...) __attribute__((__format__(__printf__, 1,52))00*000000000100110000);
      | ^
      | int
./crash.c:15:34: error: expected ')'
./crash.c:15:12: note: to match this '('
   15 | void printf(const char *a, <F2>*****\\...) __attribute__((__format__(__printf__, 1,52))00*000000000100110000);
      | ^
./crash.c:15:85: error: expected ')'
   15 | void printf(const char *a, <F2>*****\\...) __attribute__((__format__(__printf__, 1,52))00*000000000100110000);
      | ^
      | )
./crash.c:15:6: warning: GCC requires a function with the '__format__' attribute to be variadic [-Wgcc-compat]
   15 | void printf(const char *a, <F2>*****\\...) __attribute__((__format__(__printf__, 1,52))00*000000000100110000);
      |      ^
./crash.c:15:6: warning: incompatible redeclaration of library function 'printf' [-Wincompatible-library-redeclaration]
./crash.c:15:6: note: 'printf' is a builtin with type 'int (const char *, ...)'
./crash.c:12:10: error: incompatible integer to pointer conversion passing 'int' to parameter of type 'int *****' [-Wint-conversion]
   12 |          x);
      | ^
./crash.c:15:34: note: passing argument to parameter here
   15 | void printf(const char *a, <F2>*****\\...) __attribute__((__format__(__printf__, 1,52))00*000000000100110000);
      | ^
./crash.c:11:13: warning: invalid conversion specifier 'N' [-Wformat-invalid-specifier]
   11 |   printf("%+NEXT: {{^}}  ine",
 |           ~~^
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.	Program arguments: /home/user/afl_versions/clang -cc1 -triple x86_64-unknown-linux-gnu -emit-obj -dumpdir a- -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name crash.c -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/home/user/test -fcoverage-compilation-dir=/home/user/test -resource-dir /home/user/lib/clang/21 -internal-isystem /home/user/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -ferror-limit 19 -fmessage-length=204 -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fcolor-diagnostics -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/crash-ffb128.o -x c ./crash.c
1.	./crash.c:12:11: current parser token ')'
2.	./crash.c:10:15: parsing function body 'f'
3.	./crash.c:10:15: in compound statement ('{}')
fatal error: error in backend: IO failure on output stream: No space left on device
```

### Environment
- OS: Ubuntu 25
- Arch: x86_64
- RAM: 64GB

### CASR Output
Clang 21.1.8:
```
 "ProcFiles": [],
  "NetworkConnections": [],
  "CrashSeverity": {
 "Type": "PROBABLY_EXPLOITABLE",
    "ShortDescription": "BadInstruction",
    "Description": "Bad instruction",
 "Explanation": "The target tried to execute a malformed or privileged instruction. This may indicate that the control flow is tainted."
 },
```
Clang 20.1.2:
```
 "ProcFiles": [],
  "NetworkConnections": [],
  "CrashSeverity": {
    "Type": "NOT_EXPLOITABLE",
 "ShortDescription": "SourceAv",
    "Description": "Access violation on source operand",
    "Explanation": "The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation."
  },
```