The Following Code Causes Segfault in Clang

If your are looking for code to break a C compiler, you can try my tool Quest <a href="https://github.com/lindig/quest" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;lindig&#x2F;quest</a>. It tries to to generate code that shows that a C compiler handles parameter passing wrong. I usually run it in a loop, like here on Mac OS X 10.9.4 witch gcc:<p><pre><code> :quest $ gcc --version Configured with: --prefix=&#x2F;Library&#x2F;Developer&#x2F;CommandLineTools&#x2F;usr --with-gxx-include-dir=&#x2F;usr&#x2F;include&#x2F;c++&#x2F;4.2.1 Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn) Target: x86_64-apple-darwin13.3.0 Thread model: posix :quest $ while true; do &gt; .&#x2F;main.native -test gcc -n 1 &gt; foo.c &gt; gcc -O2 -o foo foo.c &gt; .&#x2F;foo || break &gt; echo -n . &gt; done ................................................................ ................................................................ ................................................. Assertion failed: (b32 == b43), function callee_b0f, file foo.c, line 128. Abort trap: 6 </code></pre> This means the tool found C code where parameter passing is not compiled properly. It took about 10 seconds to find this. The test case is pretty small:<p><pre><code> :quest $ wc foo.c 140 444 3485 foo.c </code></pre> The generated code that where the assertion checks that parameters are received correctly looks like this:<p><pre><code> static union bt8 * callee_b0f(struct bt4 *bp7, double *bp8, struct bt6 bp9, float bp10, struct bt7 bp11, double bp12, short int bp13, ...) { va_list ap; typedef int bd0; typedef struct bt0 bd1; typedef int bd2; typedef union bt3 bd3; bd0 b41; bd1 b42; bd2 b43; bd3 b44; &#x2F;* seed: 2040 *&#x2F; va_start(ap, bp13); QUEST_ASSERT(b34 == bp7); QUEST_ASSERT(b35 == bp8); QUEST_ASSERT(b36.b24.b18 == bp9.b24.b18); QUEST_ASSERT(b36.b24.b19 == bp9.b24.b19); QUEST_ASSERT(b36.b24.b20 == bp9.b24.b20); QUEST_ASSERT(b36.b24.b21 == bp9.b24.b21); QUEST_ASSERT(b36.b24.b22 == bp9.b24.b22); QUEST_ASSERT(b36.b24.b23 == bp9.b24.b23); QUEST_ASSERT(b36.b25 == bp9.b25); QUEST_ASSERT(b36.b26 == bp9.b26); QUEST_ASSERT(b37 == bp10); QUEST_ASSERT(b38.b27 == bp11.b27); QUEST_ASSERT(b39 == bp12); QUEST_ASSERT(b40 == bp13); b41 = va_arg(ap, bd0); b42 = va_arg(ap, bd1); b43 = va_arg(ap, bd2); b44 = va_arg(ap, bd3); QUEST_ASSERT(b30 == b41); QUEST_ASSERT(b31.b0 == b42.b0); QUEST_ASSERT(b32 == b43); QUEST_ASSERT(b33.b10.b1 == b44.b10.b1); va_end(ap); return b29; }</code></pre>

While we&#x27;re at segfaulting compiler&#x27;s, here&#x27;s what I found just a few days ago:<p><pre><code> python -S -c &#x27;print(&quot;void f(){} int main(){return (&quot; + &quot;*&quot;*10**7 + &quot;f)();}&quot;)&#x27; | gcc -xc - </code></pre> (This is legal C -- look it up. Don&#x27;t argue with me over the practical relevance of this please)

Hmm...<p><pre><code> Unable to find instantiation of declaration! UNREACHABLE executed at SemaTemplateInstantiateDecl.cpp:4384! </code></pre> Not quite so unreachable...<p><a href="https://gist.github.com/cwgreene/d689f010619310dbbc77" rel="nofollow">https:&#x2F;&#x2F;gist.github.com&#x2F;cwgreene&#x2F;d689f010619310dbbc77</a><p><a href="https://github.com/llvm-mirror/clang/blob/b310439121c875937d78cc49cc969bc1197fc025/lib/Sema/SemaTemplateInstantiateDecl.cpp#L4384" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;llvm-mirror&#x2F;clang&#x2F;blob&#x2F;b310439121c875937d...</a>

Something I found last week that crashes with clang-503.0.40:<p><pre><code> template&lt;class T&gt; class foo { public: ~ foo() { } foo &amp;operator = (const foo &amp;rhs) { foo::~foo(); new (this) foo (rhs); return *this; } }; int main(int argc, char * argv[]) { foo&lt;int&gt; a, b; b = a; }</code></pre>

Is there some legitimate reason to want to have A&#x27;s destructor called twice on a single instance?

Something tells me C++ isn&#x27;t the best thing to implement a compiler with.