Fix crash with invalid VLA in a type trait (llvm#138543)

AaronBallman · web-flow · commit e7e204234362 · 2025-05-05T13:14:31.000-04:00
Transforming an expression to a potentially evaluated expression can fail. If it does so, no longer attempt to make the type trait expression, instead return an error expression. This ensures we don't try to compute the dependence for an invalid type. Fixes llvm#138444
diff --git a/clang/docs/ReleaseNotes.rst b/clang/docs/ReleaseNotes.rst
@@ -287,6 +287,8 @@ Non-comprehensive list of changes in this release
   stack space when running on Apple AArch64 based platforms. This means that
   stack traces of Clang from debuggers, crashes, and profilers may look
   different than before.
+- Fixed a crash when a VLA with an invalid size expression was used within a
+  ``sizeof`` or ``typeof`` expression. (#GH138444)
 
 New Compiler Flags
 ------------------
diff --git a/clang/lib/Sema/SemaExpr.cpp b/clang/lib/Sema/SemaExpr.cpp
@@ -4700,6 +4700,10 @@ ExprResult Sema::CreateUnaryExprOrTypeTraitExpr(TypeSourceInfo *TInfo,
       TInfo->getType()->isVariablyModifiedType())
     TInfo = TransformToPotentiallyEvaluated(TInfo);
 
+  // It's possible that the transformation above failed.
+  if (!TInfo)
+    return ExprError();
+
   // C99 6.5.3.4p4: the type (an unsigned integer type) is size_t.
   return new (Context) UnaryExprOrTypeTraitExpr(
       ExprKind, TInfo, Context.getSizeType(), OpLoc, R.getEnd());
diff --git a/clang/test/SemaCXX/vla.cpp b/clang/test/SemaCXX/vla.cpp
@@ -41,3 +41,17 @@ void func(int expr) {
   int array[sizeof(Ty) ? sizeof(Ty{}) : sizeof(int)];
   int old_style_assert[expr ? Ty::one : Ty::Neg_one]; // We don't diagnose as a VLA until instantiation
 }
+
+namespace GH138444 {
+struct S {         // expected-note {{candidate constructor (the implicit copy constructor) not viable: no known conversion from 'int' to 'const S &' for 1st argument}} \
+                      expected-note {{candidate constructor (the implicit move constructor) not viable: no known conversion from 'int' to 'S &&' for 1st argument}}
+  S(const char *); // expected-note {{candidate constructor not viable: no known conversion from 'int' to 'const char *' for 1st argument}}
+  int size() const;
+};
+
+void test() {
+  S vec1 = 2; // expected-error {{no viable conversion from 'int' to 'S'}}
+  // Previously, this call to sizeof would cause a crash.
+  sizeof(int[vec1.size()]);
+}
+}
