| Field | Value |
|---|---|
| Issue | 184820 |
| Summary | [clangd] SIGSEGV when replaying specific LSP sequence in Decl.h and ExternalASTSource.h (affiliated with reproduction scripts) |
| Labels | new issue |
| Assignees | |
| Reporter | hongtaihu |
There are two crashes triggered by a specific LSP message sequence (generated by a fuzzer).
Their patterns look like those of https://github.com/llvm/llvm-project/issues/180403, so maybe they share similar root causes involving race conditions in a multi-threaded environment, but I am not certain whether they are duplicates or not.
## Environment
- clangd commit: https://github.com/llvm/llvm-project/commit/aff5afc48df63615053b2432da198a4932435c3f
- OS: Ubuntu 24.04
- Build: Release
- clangd version 23.0.0git (https://github.com/llvm/llvm-project.git https://github.com/llvm/llvm-project/commit/aff5afc48df63615053b2432da198a4932435c3f)
## Steps to Reproduce
In the folder:
```sh
python3 replay.py <path/to/clangd> <timeout>
```
## ASAN log
Included in the reproduction scripts.
There are two types of output for the same input, one at Decl.h:2778 and one at ExternalASTSource.h:363. In short:
```sh
==7476==ERROR: AddressSanitizer: use-after-poison on address 0x521000453fb0 at pc 0x5f506b488062 bp 0x7aba7107aef0 sp 0x7aba7107aee0
READ of size 8 at 0x521000453fb0 thread T12
#0 0x5f506b488061 in clang::FunctionDecl::parameters() /home/ubuntu2404/llvm-project/clang/include/clang/AST/Decl.h:2778
#1 0x5f506b488061 in clang::Sema::ActOnStartOfFunctionDef(clang::Scope*, clang::Decl*, clang::SkipBodyInfo*, clang::Sema::FnBodyKind) /home/ubuntu2404/llvm-project/clang/lib/Sema/SemaDecl.cpp:16261
#2 0x5f506b539f76 in clang::Sema::ActOnStartOfFunctionDef(clang::Scope*, clang::Declarator&, llvm::MutableArrayRef<clang::TemplateParameterList*>, clang::SkipBodyInfo*, clang::Sema::FnBodyKind) /home/ubuntu2404/llvm-project/clang/lib/Sema/SemaDecl.cpp:15923
#3 0x5f50737bbd2f in clang::Parser::ParseFunctionDefinition(clang::ParsingDeclarator&, clang::Parser::ParsedTemplateInfo const&, clang::Parser::LateParsedAttrList*) /home/ubuntu2404/llvm-project/clang/lib/Parse/Parser.cpp:1332
#4 0x5f50738dd019 in clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&, clang::DeclaratorContext, clang::ParsedAttributes&, clang::Parser::ParsedTemplateInfo&, clang::SourceLocation*, clang::Parser::ForRangeInit*) /home/ubuntu2404/llvm-project/clang/lib/Parse/ParseDecl.cpp:2265
#5 0x5f507379ca96 in clang::Parser::ParseDeclOrFunctionDefInternal(clang::ParsedAttributes&, clang::ParsedAttributes&, clang::ParsingDeclSpec&, clang::AccessSpecifier) /home/ubuntu2404/llvm-project/clang/lib/Parse/Parser.cpp:1148
#6 0x5f507379effa in clang::Parser::ParseDeclarationOrFunctionDefinition(clang::ParsedAttributes&, clang::ParsedAttributes&, clang::ParsingDeclSpec*, clang::AccessSpecifier) /home/ubuntu2404/llvm-project/clang/lib/Parse/Parser.cpp:1170
#7 0x5f50737c365f in clang::Parser::ParseExternalDeclaration(clang::ParsedAttributes&, clang::ParsedAttributes&, clang::ParsingDeclSpec*) /home/ubuntu2404/llvm-project/clang/lib/Parse/Parser.cpp:998
#8 0x5f50737c8421 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&, clang::Sema::ModuleImportState&) /home/ubuntu2404/llvm-project/clang/lib/Parse/Parser.cpp:706
#9 0x5f507374763d in clang::ParseAST(clang::Sema&, bool, bool) /home/ubuntu2404/llvm-project/clang/lib/Parse/ParseAST.cpp:170
#10 0x5f507346fe49 in clang::FrontendAction::Execute() /home/ubuntu2404/llvm-project/clang/lib/Frontend/FrontendAction.cpp:1322
#11 0x5f506d671ed4 in clang::clangd::ParsedAST::build(llvm::StringRef, clang::clangd::ParseInputs const&, std::unique_ptr<clang::CompilerInvocation, std::default_delete<clang::CompilerInvocation> >, llvm::ArrayRef<clang::clangd::Diag>, std::shared_ptr<clang::clangd::PreambleData const>) /home/ubuntu2404/llvm-project/clang-tools-extra/clangd/ParsedAST.cpp:714
#12 0x5f506d934384 in generateDiagnostics /home/ubuntu2404/llvm-project/clang-tools-extra/clangd/TUScheduler.cpp:1214
#13 0x5f506d9377db in operator() /home/ubuntu2404/llvm-project/clang-tools-extra/clangd/TUScheduler.cpp:1147
#14 0x5f506d938176 in operator() /home/ubuntu2404/llvm-project/clang-tools-extra/clangd/TUScheduler.cpp:1135
#15 0x5f506d8eca0f in llvm::unique_function<void ()>::operator()() /home/ubuntu2404/llvm-project/llvm/include/llvm/ADT/FunctionExtras.h:364
#16 0x5f506d8eca0f in void llvm::function_ref<void ()>::callback_fn<llvm::unique_function<void ()> >(long) /home/ubuntu2404/llvm-project/llvm/include/llvm/ADT/STLFunctionalExtras.h:46
#17 0x5f506d8fdbf0 in llvm::function_ref<void ()>::operator()() const /home/ubuntu2404/llvm-project/llvm/include/llvm/ADT/STLFunctionalExtras.h:69
#18 0x5f506d8fdbf0 in runTask /home/ubuntu2404/llvm-project/clang-tools-extra/clangd/TUScheduler.cpp:1327
#19 0x5f506d923eb4 in run /home/ubuntu2404/llvm-project/clang-tools-extra/clangd/TUScheduler.cpp:1461
#20 0x5f506df32ff8 in llvm::unique_function<void ()>::operator()() /home/ubuntu2404/llvm-project/llvm/include/llvm/ADT/FunctionExtras.h:364
#21 0x5f506df32ff8 in operator() /home/ubuntu2404/llvm-project/clang-tools-extra/clangd/support/Threading.cpp:101
#22 0x5f506df32ff8 in operator()<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()>&> /home/ubuntu2404/llvm-project/llvm/include/llvm/Support/thread.h:46
#23 0x5f506df32ff8 in __invoke_impl<void, llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> > >(void*)::<lambda(auto:5&&, auto:6&& ...)>, clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()>&> /usr/include/c++/13/bits/invoke.h:61
#24 0x5f506df32ff8 in __invoke<llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> > >(void*)::<lambda(auto:5&&, auto:6&& ...)>, clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()>&> /usr/include/c++/13/bits/invoke.h:96
#25 0x5f506df32ff8 in __apply_impl<llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> > >(void*)::<lambda(auto:5&&, auto:6&& ...)>, std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> >&, 0> /usr/include/c++/13/tuple:2302
#26 0x5f506df32ff8 in apply<llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> > >(void*)::<lambda(auto:5&&, auto:6&& ...)>, std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> >&> /usr/include/c++/13/tuple:2313
#27 0x5f506df32ff8 in GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> > > /home/ubuntu2404/llvm-project/llvm/include/llvm/Support/thread.h:44
#28 0x5f506df32ff8 in ThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> > > /home/ubuntu2404/llvm-project/llvm/include/llvm/Support/thread.h:62
#29 0x7aba8125ea41 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.cpp:234
#30 0x7aba80a9caa3 in start_thread nptl/pthread_create.c:447
#31 0x7aba80b29c6b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
```
```sh
==10347==ERROR: AddressSanitizer: use-after-poison on address 0x5210003e37b8 at pc 0x59a64c204c5e bp 0x7fe3fd27a850 sp 0x7fe3fd27a840
READ of size 1 at 0x5210003e37b8 thread T12
#0 0x59a64c204c5d in clang::LazyOffsetPtr<clang::Stmt, unsigned long, &clang::ExternalASTSource::GetExternalDeclStmt>::GetLSB() const /home/ubuntu2404/llvm-project/clang/include/clang/AST/ExternalASTSource.h:363
#1 0x59a64c204c5d in clang::LazyOffsetPtr<clang::Stmt, unsigned long, &clang::ExternalASTSource::GetExternalDeclStmt>::isOffset() const /home/ubuntu2404/llvm-project/clang/include/clang/AST/ExternalASTSource.h:417
#2 0x59a64c204c5d in clang::LazyOffsetPtr<clang::Stmt, unsigned long, &clang::ExternalASTSource::GetExternalDeclStmt>::operator bool() const /home/ubuntu2404/llvm-project/clang/include/clang/AST/ExternalASTSource.h:409
#3 0x59a64c204c5d in clang::FunctionDecl::doesThisDeclarationHaveABody() const /home/ubuntu2404/llvm-project/clang/include/clang/AST/Decl.h:2327
#4 0x59a64c204c5d in clang::FunctionDecl::isThisDeclarationADefinition() const /home/ubuntu2404/llvm-project/clang/include/clang/AST/Decl.h:2316
#5 0x59a64c204c5d in clang::FunctionDecl::isDefined(clang::FunctionDecl const*&, bool) const /home/ubuntu2404/llvm-project/clang/lib/AST/Decl.cpp:3249
#6 0x59a64fb36214 in clang::Sema::CheckForFunctionRedefinition(clang::FunctionDecl*, clang::FunctionDecl const*, clang::SkipBodyInfo*) /home/ubuntu2404/llvm-project/clang/lib/Sema/SemaDecl.cpp:16013
#7 0x59a64fc3b80d in clang::Sema::ActOnStartOfFunctionDef(clang::Scope*, clang::Decl*, clang::SkipBodyInfo*, clang::Sema::FnBodyKind) /home/ubuntu2404/llvm-project/clang/lib/Sema/SemaDecl.cpp:16192
#8 0x59a64fcedf76 in clang::Sema::ActOnStartOfFunctionDef(clang::Scope*, clang::Declarator&, llvm::MutableArrayRef<clang::TemplateParameterList*>, clang::SkipBodyInfo*, clang::Sema::FnBodyKind) /home/ubuntu2404/llvm-project/clang/lib/Sema/SemaDecl.cpp:15923
#9 0x59a657f6fd2f in clang::Parser::ParseFunctionDefinition(clang::ParsingDeclarator&, clang::Parser::ParsedTemplateInfo const&, clang::Parser::LateParsedAttrList*) /home/ubuntu2404/llvm-project/clang/lib/Parse/Parser.cpp:1332
#10 0x59a658091019 in clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&, clang::DeclaratorContext, clang::ParsedAttributes&, clang::Parser::ParsedTemplateInfo&, clang::SourceLocation*, clang::Parser::ForRangeInit*) /home/ubuntu2404/llvm-project/clang/lib/Parse/ParseDecl.cpp:2265
#11 0x59a657f50a96 in clang::Parser::ParseDeclOrFunctionDefInternal(clang::ParsedAttributes&, clang::ParsedAttributes&, clang::ParsingDeclSpec&, clang::AccessSpecifier) /home/ubuntu2404/llvm-project/clang/lib/Parse/Parser.cpp:1148
#12 0x59a657f52ffa in clang::Parser::ParseDeclarationOrFunctionDefinition(clang::ParsedAttributes&, clang::ParsedAttributes&, clang::ParsingDeclSpec*, clang::AccessSpecifier) /home/ubuntu2404/llvm-project/clang/lib/Parse/Parser.cpp:1170
#13 0x59a657f7765f in clang::Parser::ParseExternalDeclaration(clang::ParsedAttributes&, clang::ParsedAttributes&, clang::ParsingDeclSpec*) /home/ubuntu2404/llvm-project/clang/lib/Parse/Parser.cpp:998
#14 0x59a657f7c421 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&, clang::Sema::ModuleImportState&) /home/ubuntu2404/llvm-project/clang/lib/Parse/Parser.cpp:706
#15 0x59a657efb63d in clang::ParseAST(clang::Sema&, bool, bool) /home/ubuntu2404/llvm-project/clang/lib/Parse/ParseAST.cpp:170
#16 0x59a657c23e49 in clang::FrontendAction::Execute() /home/ubuntu2404/llvm-project/clang/lib/Frontend/FrontendAction.cpp:1322
#17 0x59a651e25ed4 in clang::clangd::ParsedAST::build(llvm::StringRef, clang::clangd::ParseInputs const&, std::unique_ptr<clang::CompilerInvocation, std::default_delete<clang::CompilerInvocation> >, llvm::ArrayRef<clang::clangd::Diag>, std::shared_ptr<clang::clangd::PreambleData const>) /home/ubuntu2404/llvm-project/clang-tools-extra/clangd/ParsedAST.cpp:714
#18 0x59a6520e8384 in generateDiagnostics /home/ubuntu2404/llvm-project/clang-tools-extra/clangd/TUScheduler.cpp:1214
#19 0x59a6520eb7db in operator() /home/ubuntu2404/llvm-project/clang-tools-extra/clangd/TUScheduler.cpp:1147
#20 0x59a6520ec176 in operator() /home/ubuntu2404/llvm-project/clang-tools-extra/clangd/TUScheduler.cpp:1135
#21 0x59a6520a0a0f in llvm::unique_function<void ()>::operator()() /home/ubuntu2404/llvm-project/llvm/include/llvm/ADT/FunctionExtras.h:364
#22 0x59a6520a0a0f in void llvm::function_ref<void ()>::callback_fn<llvm::unique_function<void ()> >(long) /home/ubuntu2404/llvm-project/llvm/include/llvm/ADT/STLFunctionalExtras.h:46
#23 0x59a6520b1bf0 in llvm::function_ref<void ()>::operator()() const /home/ubuntu2404/llvm-project/llvm/include/llvm/ADT/STLFunctionalExtras.h:69
#24 0x59a6520b1bf0 in runTask /home/ubuntu2404/llvm-project/clang-tools-extra/clangd/TUScheduler.cpp:1327
#25 0x59a6520d7eb4 in run /home/ubuntu2404/llvm-project/clang-tools-extra/clangd/TUScheduler.cpp:1461
#26 0x59a6526e6ff8 in llvm::unique_function<void ()>::operator()() /home/ubuntu2404/llvm-project/llvm/include/llvm/ADT/FunctionExtras.h:364
#27 0x59a6526e6ff8 in operator() /home/ubuntu2404/llvm-project/clang-tools-extra/clangd/support/Threading.cpp:101
#28 0x59a6526e6ff8 in operator()<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()>&> /home/ubuntu2404/llvm-project/llvm/include/llvm/Support/thread.h:46
#29 0x59a6526e6ff8 in __invoke_impl<void, llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> > >(void*)::<lambda(auto:5&&, auto:6&& ...)>, clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()>&> /usr/include/c++/13/bits/invoke.h:61
#30 0x59a6526e6ff8 in __invoke<llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> > >(void*)::<lambda(auto:5&&, auto:6&& ...)>, clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()>&> /usr/include/c++/13/bits/invoke.h:96
#31 0x59a6526e6ff8 in __apply_impl<llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> > >(void*)::<lambda(auto:5&&, auto:6&& ...)>, std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> >&, 0> /usr/include/c++/13/tuple:2302
#32 0x59a6526e6ff8 in apply<llvm::thread::GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> > >(void*)::<lambda(auto:5&&, auto:6&& ...)>, std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> >&> /usr/include/c++/13/tuple:2313
#33 0x59a6526e6ff8 in GenericThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> > > /home/ubuntu2404/llvm-project/llvm/include/llvm/Support/thread.h:44
#34 0x59a6526e6ff8 in ThreadProxy<std::tuple<clang::clangd::AsyncTaskRunner::runAsync(const llvm::Twine&, llvm::unique_function<void()>)::<lambda()> > > /home/ubuntu2404/llvm-project/llvm/include/llvm/Support/thread.h:62
#35 0x7fe40d45ea41 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.c<truncated>
```
Please see the issue for the entire body.
_______________________________________________
llvm-bugs mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs