Something went wrong and we decided that in PlatformSensorProviderWin::SetSensorManagerForTesting, we could tail call IUnknownImpl::Release:

0:000> uf 0031fb66
Flow analysis was incomplete, some code may be missing
services_unittests_exe!device::PlatformSensorProviderWin::SetSensorManagerForTesting [C:\src\chromium\src\services\device\generic_sensor\platform_sensor_provider_win.cc @ 25]:
   25 0031fb66 55              push    ebp
   25 0031fb67 89e5            mov     ebp,esp
   25 0031fb69 56              push    esi
   25 0031fb6a 8d7508          lea     esi,[ebp+8]
   27 0031fb6d 83c118          add     ecx,18h
   27 0031fb70 56              push    esi
   27 0031fb71 e89acbfbff      call    services_unittests_exe!ILT+308992(??4?$ComPtrUISensorManagerWRLMicrosoftQAEAAV012ABV012Z) (002dc710)
   27 0031fb76 8b06            mov     eax,dword ptr [esi]
   27 0031fb78 85c0            test    eax,eax
   27 0031fb7a 740d            je      services_unittests_exe!device::PlatformSensorProviderWin::SetSensorManagerForTesting+0x23 (0031fb89)  Branch

services_unittests_exe!device::PlatformSensorProviderWin::SetSensorManagerForTesting+0x16 [C:\src\chromium\src\services\device\generic_sensor\platform_sensor_provider_win.cc @ 27]:
   27 0031fb7c c70600000000    mov     dword ptr [esi],0
   27 0031fb82 8b00            mov     eax,dword ptr [eax]
   27 0031fb84 5e              pop     esi
   27 0031fb85 5d              pop     ebp
   27 0031fb86 ff6008          jmp     dword ptr [eax+8]   #### TAILCALL

services_unittests_exe!device::PlatformSensorProviderWin::SetSensorManagerForTesting+0x23 [C:\src\chromium\src\services\device\generic_sensor\platform_sensor_provider_win.cc @ 28]:
   28 0031fb89 5e              pop     esi
   28 0031fb8a 5d              pop     ebp
   28 0031fb8b c20400          ret     4

LLVM is actually almost being really really clever here. We can tail call Release, because we're in a __thiscall method, which is also callee cleanup, and it take four bytes of arguments in memory. However, we don't store eax to [ebp+8] here, so the zero we stored into [esi] (the inalloca slot for the parameter scoped pointer) is passed as the 'this' value to IUnknownImpl::Release. So, we crash with a null deref. :(

Reduction:

struct Foo { virtual void __stdcall Release(); };
struct SmartFoo {
  SmartFoo(const SmartFoo &o) = delete;
  ~SmartFoo() {
    Foo *t = p;
    p = 0;
    t->Release();
  }
  Foo *p;
};
struct Bar { void f(SmartFoo); };
void Bar::f(SmartFoo f) {
  // ~SmartFoo
}

We turn that into:

?f@Bar@@QAEXUSmartFoo@@@Z (public: void __thiscall Bar::f(struct SmartFoo)):
  00000000: 8B 44 24 04        mov         eax,dword ptr [esp+4]
  00000004: C7 44 24 04 00 00  mov         dword ptr [esp+4],0
            00 00
     ## MISSING mov [esp+4], eax
  0000000C: 8B 00              mov         eax,dword ptr [eax]
  0000000E: FF 20              jmp         dword ptr [eax]   ### TAILCALL

We need to roll past clang r309343 to fix this codegen bug.

Awesome turn-around on debugging and fixing!

Let's work around it in the source until we roll in the fix: https://chromium-review.googlesource.com/590961

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3ec03002a6414356338782bb9ed7239d4b0c16d9

commit 3ec03002a6414356338782bb9ed7239d4b0c16d9
Author: Hans Wennborg <hans@chromium.org>
Date: Fri Jul 28 04:04:08 2017

services_unittests: Work around Win/Clang miscompile

The Clang bug has been fixed in r309343, but until that's been rolled into Chromium,
work around it by disabling optimization for the miscompiled function.

BUG= 749826 
TBR=timvolodine

Change-Id: Ia3180c2b7561a7d99e05939ae48bb33ce81400d2
Reviewed-on: https://chromium-review.googlesource.com/590961
Commit-Queue: Hans Wennborg <hans@chromium.org>
Reviewed-by: Nico Weber <thakis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#490254}
[modify] https://crrev.com/3ec03002a6414356338782bb9ed7239d4b0c16d9/services/device/generic_sensor/platform_sensor_provider_win.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/37c4d98f221c5b20734bc3f5123a492d0a4e7913

commit 37c4d98f221c5b20734bc3f5123a492d0a4e7913
Author: Nico Weber <thakis@chromium.org>
Date: Wed Aug 09 19:30:23 2017

Revert "services_unittests: Work around Win/Clang miscompile"

This reverts commit 3ec03002a6414356338782bb9ed7239d4b0c16d9.

Reason for revert: miscompile has been fixed

Original change's description:
> services_unittests: Work around Win/Clang miscompile
> 
> The Clang bug has been fixed in r309343, but until that's been rolled into Chromium,
> work around it by disabling optimization for the miscompiled function.
> 
> BUG= 749826 
> TBR=timvolodine
> 
> Change-Id: Ia3180c2b7561a7d99e05939ae48bb33ce81400d2
> Reviewed-on: https://chromium-review.googlesource.com/590961
> Commit-Queue: Hans Wennborg <hans@chromium.org>
> Reviewed-by: Nico Weber <thakis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#490254}

TBR=thakis@chromium.org,hans@chromium.org,rnk@chromium.org,reillyg@chromium.org,timvolodine@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug:  749826 
Change-Id: I624a42c253f402c620138709935a00065ac58697
Reviewed-on: https://chromium-review.googlesource.com/608861
Reviewed-by: Nico Weber <thakis@chromium.org>
Reviewed-by: Hans Wennborg <hans@chromium.org>
Commit-Queue: Nico Weber <thakis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#493097}
[modify] https://crrev.com/37c4d98f221c5b20734bc3f5123a492d0a4e7913/services/device/generic_sensor/platform_sensor_provider_win.cc