use-after-poison error on libtooling example

Question

When testing libtooling example(https://clang.llvm.org/docs/RAVFrontendAction.html) of clang with address-sanitizer, I've encountered use-after-poison error.

I've used following source codes and instructions to test it. I'm using prebuilt version of clang 14.0.0, downloaded from https://github.com/llvm/llvm-project/releases/download/llvmorg-14.0.0/clang+llvm-14.0.0-x86_64-linux-gnu-ubuntu-18.04.tar.xz.

CMakeLists.txt

cmake_minimum_required(VERSION 3.10)
set(CMAKE_EXPORT_COMPILE_COMMANDS ON)

find_package(LLVM  REQUIRED CONFIG)
find_package(Clang REQUIRED CONFIG)
include_directories(SYSTEM "${LLVM_INCLUDE_DIRS};${CLANG_INCLUDE_DIRS}")

if(NOT LLVM_ENABLE_RTTI)
  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-rtti")
endif()

add_executable(test
  test.cpp
)

target_link_libraries(test
  PRIVATE
    clang
    LLVMSupport
    clangAST
    clangASTMatchers
    clangBasic
    clangFrontend
    clangFrontendTool
    clangSerialization
    clangTooling
)

target_link_libraries(test
  PRIVATE
    pthread
    z
    dl
)

target_compile_options(test
  PRIVATE
    -fsanitize=address
)

target_link_options(test
  PRIVATE
    -fsanitize=address
)

test.cpp

#include "clang/AST/ASTConsumer.h"
#include "clang/AST/RecursiveASTVisitor.h"
#include "clang/Frontend/CompilerInstance.h"
#include "clang/Frontend/FrontendAction.h"
#include "clang/Tooling/Tooling.h"

using namespace clang;

class FindNamedClassVisitor
  : public RecursiveASTVisitor<FindNamedClassVisitor> {
public:
  explicit FindNamedClassVisitor(ASTContext *Context)
    : Context(Context) {}

  bool VisitCXXRecordDecl(CXXRecordDecl *Declaration) {
    if (Declaration->getQualifiedNameAsString() == "n::m::C") {
      FullSourceLoc FullLocation = Context->getFullLoc(Declaration->getBeginLoc());
      if (FullLocation.isValid())
        llvm::outs() << "Found declaration at "
                     << FullLocation.getSpellingLineNumber() << ":"
                     << FullLocation.getSpellingColumnNumber() << "\n";
    }
    return true;
  }

private:
  ASTContext *Context;
};

class FindNamedClassConsumer : public clang::ASTConsumer {
public:
  explicit FindNamedClassConsumer(ASTContext *Context)
    : Visitor(Context) {}

  virtual void HandleTranslationUnit(clang::ASTContext &Context) {
    Visitor.TraverseDecl(Context.getTranslationUnitDecl());
  }
private:
  FindNamedClassVisitor Visitor;
};

class FindNamedClassAction : public clang::ASTFrontendAction {
public:
  virtual std::unique_ptr<clang::ASTConsumer> CreateASTConsumer(
    clang::CompilerInstance &Compiler, llvm::StringRef InFile) {
    return std::make_unique<FindNamedClassConsumer>(&Compiler.getASTContext());
  }
};

int main(int argc, char **argv) {
  if (argc > 1) {
    clang::tooling::runToolOnCode(std::make_unique<FindNamedClassAction>(), argv[1]);
  }
}

And I've tested it with following commands:

mkdir build
cd build
CC=clang CXX=clang++ cmake ..
./test "int main() {}"

...

and address sanitizer reports use-after-poision error

=================================================================
==3172567==ERROR: AddressSanitizer: use-after-poison on address 0x62100000e748 at pc 0x7f09e999258d bp 0x7ffed63716d0 sp 0x7ffed6370e78
WRITE of size 8 at 0x62100000e748 thread T0
    #0 0x7f09e999258c in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #1 0x55c6c20ce86a in clang::Decl::setAttrs(llvm::SmallVector<clang::Attr*, 4u> const&) (/home/tom/slicer/build/test+0x86286a)
    #2 0x55c6c20ce585 in clang::Decl::addAttr(clang::Attr*) (/home/tom/slicer/build/test+0x862585)
    #3 0x55c6c1fcb895 in clang::ASTContext::buildImplicitRecord(llvm::StringRef, clang::TagTypeKind) const (/home/tom/slicer/build/test+0x75f895)
    #4 0x55c6c1fe6973 in clang::ASTContext::getCFConstantStringDecl() const (/home/tom/slicer/build/test+0x77a973)
    #5 0x55c6c2767583 in clang::Sema::Initialize() (/home/tom/slicer/build/test+0xefb583)
    #6 0x55c6c267b4a9 in clang::Parser::Initialize() (/home/tom/slicer/build/test+0xe0f4a9)
    #7 0x55c6c2677b95 in clang::ParseAST(clang::Sema&, bool, bool) (/home/tom/slicer/build/test+0xe0bb95)
    #8 0x55c6c23d9428 in clang::FrontendAction::Execute() (/home/tom/slicer/build/test+0xb6d428)
    #9 0x55c6c24041b5 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/home/tom/slicer/build/test+0xb981b5)
    #10 0x55c6c267310c in clang::tooling::FrontendActionFactory::runInvocation(std::shared_ptr<clang::CompilerInvocation>, clang::FileManager*, std::shared_ptr<clang::PCHContainerOperations>, clang::DiagnosticConsumer*) (/home/tom/slicer/build/test+0xe0710c)
    #11 0x55c6c2672e69 in clang::tooling::ToolInvocation::runInvocation(char const*, clang::driver::Compilation*, std::shared_ptr<clang::CompilerInvocation>, std::shared_ptr<clang::PCHContainerOperations>) (/home/tom/slicer/build/test+0xe06e69)
    #12 0x55c6c2671e03 in clang::tooling::ToolInvocation::run() (/home/tom/slicer/build/test+0xe05e03)
    #13 0x55c6c267160e in clang::tooling::runToolOnCodeWithArgs(std::unique_ptr<clang::FrontendAction, std::default_delete<clang::FrontendAction> >, llvm::Twine const&, llvm::IntrusiveRefCntPtr<llvm::vfs::FileSystem>, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, llvm::Twine const&, llvm::Twine const&, std::shared_ptr<clang::PCHContainerOperations>) (/home/tom/slicer/build/test+0xe0560e)
    #14 0x55c6c267126f in clang::tooling::runToolOnCodeWithArgs(std::unique_ptr<clang::FrontendAction, std::default_delete<clang::FrontendAction> >, llvm::Twine const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, llvm::Twine const&, llvm::Twine const&, std::shared_ptr<clang::PCHContainerOperations>, std::vector<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > const&) (/home/tom/slicer/build/test+0xe0526f)
    #15 0x55c6c2670f02 in clang::tooling::runToolOnCode(std::unique_ptr<clang::FrontendAction, std::default_delete<clang::FrontendAction> >, llvm::Twine const&, llvm::Twine const&, std::shared_ptr<clang::PCHContainerOperations>) (/home/tom/slicer/build/test+0xe04f02)
    #16 0x55c6c1d7f82f in main (/home/tom/slicer/build/test+0x51382f)
    #17 0x7f09e938c082 in __libc_start_main ../csu/libc-start.c:308
    #18 0x55c6c1d7f58d in _start (/home/tom/slicer/build/test+0x51358d)

0x62100000e748 is located 2632 bytes inside of 4096-byte region [0x62100000dd00,0x62100000ed00)
allocated by thread T0 here:
    #0 0x7f09e9a06587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x55c6c1d80b54 in llvm::MallocAllocator::Allocate(unsigned long, unsigned long) (/home/tom/slicer/build/test+0x514b54)
    #2 0x55c6c1ddcc3a in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator, 4096ul, 4096ul, 128ul>::StartNewSlab() (/home/tom/slicer/build/test+0x570c3a)
    #3 0x55c6c1dbd440 in llvm::BumpPtrAllocatorImpl<llvm::MallocAllocator, 4096ul, 4096ul, 128ul>::Allocate(unsigned long, llvm::Align) (/home/tom/slicer/build/test+0x551440)
    #4 0x55c6c20c4b93 in clang::Decl::operator new(unsigned long, clang::ASTContext const&, clang::DeclContext*, unsigned long) (/home/tom/slicer/build/test+0x858b93)
    #5 0xbebebebebebebebd  (<unknown module>)

SUMMARY: AddressSanitizer: use-after-poison ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0c427fff9c90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c427fff9ca0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 04
  0x0c427fff9cb0: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 04 00
  0x0c427fff9cc0: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
  0x0c427fff9cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 f7 f7
=>0x0c427fff9ce0: f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7
  0x0c427fff9cf0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c427fff9d00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c427fff9d10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c427fff9d20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c427fff9d30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3172567==ABORTING

It works fine without -fsanitize=address flags in CMakeLists.txt. But I want to enable it to detect memory corruption errors on my libtooling programs.

What should I do for executing my libtooling program with address sanitizer?