stumbled on this while engaging similar symptoms; clang and ios, example for within “a-shell” app. sounds like there may likely be a lot more across ecosystems from where this came from. https://github.com/holzschu/a-shell/issues/306 a-Shell 180 (1.7.4) | iPad8,12 | iPhone OS 14.7.1 (18G82) | Crash | PoC | EXC_BAD_ACCESS (SIGSEGV)

Hello-

Crasher PoC: printf 'k80x&::((**\ne::' | clang -x c++ -

Hardware Model: iPad8,12 OS Version: iPhone OS 14.7.1 (18G82)

Run Twice, See Seg Fault 11

A few comments:

1. There is no printf obviously 2. The PoC needs to be run twice to SegFault 11

Hopefully this is enough info to be able to reproduce the Crash.

If I should Report this Issue elsewhere, please let me know.

Thank You

``` Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000030 VM Region Info: 0x30 is not in any region. Bytes before following region: 4310319056 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL UNUSED SPACE AT START ---> __TEXT 100ea4000-100eb4000 [ 64K] r-x/r-x SM=COW ...l.app/a-Shell

Termination Signal: Segmentation fault: 11 Termination Reason: Namespace SIGNAL, Code 0xb Terminating Process: exc handler [873] Triggered by Thread: 7 ```

``` Thread 7 Crashed: 0 libLLVM 0x000000011ac0b3ac 0x11aa70000 + 1684396 1 libLLVM 0x000000011ac0b3ac 0x11aa70000 + 1684396 2 libLLVM 0x000000011ac0a654 0x11aa70000 + 1680980 3 clang 0x0000000118a6a4fc 0x1179b8000 + 17507580 4 clang 0x0000000118a65e34 0x1179b8000 + 17489460 5 clang 0x0000000118cac278 0x1179b8000 + 19874424 6 clang 0x0000000117b91770 0x1179b8000 + 1939312 7 clang 0x000000011978c108 0x1179b8000 + 31277320 8 clang 0x00000001197284b8 0x1179b8000 + 30868664 9 clang 0x00000001181719e8 0x1179b8000 + 8100328 10 clang 0x00000001179ff258 0x1179b8000 + 291416 11 clang 0x00000001179fdc8c 0x1179b8000 + 285836 12 clang 0x00000001179fd7c0 0x1179b8000 + 284608 13 ios_system 0x000000010106f9ec 0x10105c000 + 80364 14 libsystem_pthread.dylib 0x00000001e2d84bfc _pthread_start + 320 15 libsystem_pthread.dylib 0x00000001e2d8d758 thread_start + 8 ```

``` Binary Images: 0x100ea4000 - 0x100fa3fff a-Shell arm64 <88956ced9ba437d88874ba38cc57427e> /var/containers/Bundle/Application/86CDE0DF-BA4F-48FC-81C7-69FFE57C266C/a-Shell.app/a-Shell 0x10105c000 - 0x101073fff ios_system arm64 <2a600cbb4ddd34c2adfde7d5935447d5> /var/containers/Bundle/Application/86CDE0DF-BA4F-48FC-81C7-69FFE57C266C/a-Shell.app/Frameworks/ios_system.framework/ios_system 0x10116c000 - 0x101177fff libobjc-trampolines.dylib arm64e <bc30b5bd95c23ac1972f6d7eeb3d252f> /usr/lib/libobjc-trampolines.dylib 0x101318000 - 0x10138bfff dyld arm64e <b8adece0d2cc3c958d01c5fa21bc74ea> /usr/lib/dyld 0x1179b8000 - 0x119a1ffff clang arm64 <91b77adf969f34c8b7287a0b7fe11038> /var/containers/Bundle/Application/86CDE0DF-BA4F-48FC-81C7-69FFE57C266C/a-Shell.app/Frameworks/clang.framework/clang 0x11aa70000 - 0x11cf93fff libLLVM arm64 <46390f69e7cb36fd98844c6164b4e274> /var/containers/Bundle/Application/86CDE0DF-BA4F-48FC-81C7-69FFE57C266C/a-Shell.app/Frameworks/libLLVM.framework/libLLVM ```

Hi, thanks for the report; I can confirm that this example also fails on my machine. I'll see if I can fix it. Update: it does not fail when running in Debug mode, which would point towards non-initialized variables.

Out of curiosity, how did you arrive at that example? Would any non-existant command also produce the issue?

Hi,

I'm using an Apple Security Research Device and working outward to points of impact. Then, I'm running the Reproducer on retail Run Targets to Confirm & Report.

* running in Debug mode, which would point towards non-initialized variables.

Yes, I noted this in my updated Feedback to Apple. I am now making Reports downstream to IOS Projects where the Community can evaluate the issues transparently and I can cull the Results.

-Out of curiosity, how did you arrive at that example? Would any non-existant command also produce the issue

The PoC was found circa 2015 in LLDB Bug Reports from myself and others, I was not the original Reporter, but performed significant Fuzzing at that time which still has a Corpus that delivers PoC Crashers across the XNU ecosystem. I too am looking at the non-existant command issue. Apple so far is No-Fix on this issue so I am now Reporting the Issue to Downstream Projects.

The Feedback Case == FB9591834 with Subject == 20G95 | 13A5212g | clang-1300.0.29.3 | Logic Bug | PoC | Segmentation fault: 11

Please let me know if I can provide any additional information.

Thank You!

New

Hello-

Here is another Crasher PoC. It will need to be run a few times to generate the Crash. This is another circa 2015 CLANG Crasher that has been won't fix like the other PoC. I've tested this on iPad 12 Pro, iPhone 12 Pro both running Retail iOS15, and also verified on SRD running iOS 15.1 Beta.

echo "g34( struct Yunsignedp char32_t=char32_t_35==ZcregisterZtypename&&S=4autobitand8 &&or* xor{static_cast&char32_t&welseconst auto" | clang -x c++ -