[cfe-commits] [Patch] Fix use after free in AnalysisConsumer::HandleTranslationUnit

Anna Zaks ganna at apple.com
Sat Jan 7 08:57:11 PST 2012


Committed in r147732.

Cheers,
Anna.
On Jan 7, 2012, at 6:08 AM, Dmitri Gribenko wrote:

> On Sat, Jan 7, 2012 at 5:51 AM, Anna Zaks <ganna at apple.com> wrote:
>> Great find!
>> 
>> Is BugReporterData actually being used in the destructor? If yes, would be great to get a test case.
> 
> Yes, here's how:
> 
> (gdb) bt
> #0  clang::ento::AnalysisManager::getPathDiagnosticConsumer (this=0x3c15ab0)
>    at /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Core/../../../include/clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h:136
> #1  0x0000000001474287 in
> clang::ento::BugReporter::getPathDiagnosticConsumer
> (this=0x7fffffffc590)
>    at /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Core/../../../include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h:269
> #2  0x0000000001471716 in clang::ento::BugReporter::FlushReport
> (this=0x7fffffffc590, EQ=...)
>    at /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:1860
> #3  0x000000000146f88a in clang::ento::BugReporter::FlushReports
> (this=0x7fffffffc590) at
> /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:1366
> #4  0x000000000146f5d7 in clang::ento::BugReporter::~BugReporter
> (this=0x7fffffffc590, __in_chrg=<optimized out>)
>    at /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:1338
> #5  0x0000000001387dc4 in (anonymous
> namespace)::AnalysisConsumer::HandleDeclContextDecl (this=0x3bf7cc0,
> C=..., D=0x3c34d00)
>    at /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:184
> #6  0x0000000001387cf6 in (anonymous
> namespace)::AnalysisConsumer::HandleDeclContext (this=0x3bf7cc0,
> C=..., dc=0x3bf6ec0)
>    at /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:177
> #7  0x000000000138821e in (anonymous
> namespace)::AnalysisConsumer::HandleTranslationUnit (this=0x3bf7cc0,
> C=...)
>    at /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:242
> #8  0x0000000000ffb63a in clang::ParseAST (S=..., PrintStats=false) at
> /home/storage_1/grib/clang/llvm/tools/clang/lib/Parse/ParseAST.cpp:110
> #9  0x0000000000cec193 in clang::ASTFrontendAction::ExecuteAction
> (this=0x3bcdf60) at
> /home/storage_1/grib/clang/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:402
> #10 0x0000000000cebded in clang::FrontendAction::Execute
> (this=0x3bcdf60) at
> /home/storage_1/grib/clang/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:322
> #11 0x0000000000cc65fe in clang::CompilerInstance::ExecuteAction
> (this=0x3bcc210, Act=...) at
> /home/storage_1/grib/clang/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:658
> #12 0x0000000000c99691 in clang::ExecuteCompilerInvocation
> (Clang=0x3bcc210) at
> /home/storage_1/grib/clang/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:173
> #13 0x0000000000c88aeb in cc1_main (ArgBegin=0x7fffffffd180,
> ArgEnd=0x7fffffffd1a0, Argv0=0x3bcbeb8
> "/home/storage_1/grib/clang/llvm-build/Debug+Asserts/bin/clang",
> MainAddr=0xc93510)
>    at /home/storage_1/grib/clang/llvm/tools/clang/tools/driver/cc1_main.cpp:165
> #14 0x0000000000c94cd7 in main (argc_=6, argv_=0x7fffffffe298) at
> /home/storage_1/grib/clang/llvm/tools/clang/tools/driver/driver.cpp:353
> 
> A crash happens only when reports have been added in
> AnalysisConsumer::HandleTranslationUnit's BugReporter.
> 
> class StdSmartPointerChecker : public
> Checker<check::ASTDecl<TranslationUnitDecl> > {
> public:
>  void checkASTDecl(const TranslationUnitDecl *D, AnalysisManager
> &mgr, BugReporter &BR) const {
>    // add bug reports;
>  }
> };
> 
> We don't have such checkers in clang, so I can't create a test.
> 
> Dmitri
> 
> -- 
> main(i,j){for(i=2;;i++){for(j=2;j<i;j++){if(!(i%j)){j=0;break;}}if
> (j){printf("%d\n",i);}}} /*Dmitri Gribenko <gribozavr at gmail.com>*/
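The trace above is a destruction-order bug: BugReporter's destructor flushes queued reports and, to do so, asks the AnalysisManager for its path-diagnostic consumer after that manager has already been destroyed, which is why nothing goes wrong when no reports were added. The following stand-alone C++ program is an added illustration of that pattern and is not code from the thread or from clang; `Manager`, `Reporter`, the live-object registry and the report text are all constructed for this example. It keeps a registry of live `Manager` addresses so the stale pointer is detected rather than dereferenced, which would be undefined behaviour.

```cpp
#include <memory>
#include <set>
#include <string>
#include <vector>

struct Manager;

// Registry of Manager objects whose lifetime has not ended. Only addresses
// are compared here; the stale pointer is never dereferenced.
static std::set<const Manager*>& liveManagers() {
    static std::set<const Manager*> s;
    return s;
}

// Stand-in for AnalysisManager: registers itself for as long as it exists.
struct Manager {
    Manager() { liveManagers().insert(this); }
    ~Manager() { liveManagers().erase(this); }
    Manager(const Manager&) = delete;
    Manager& operator=(const Manager&) = delete;
};

// Stand-in for BugReporter: holds a non-owning pointer to the manager and,
// like ~BugReporter -> FlushReports -> getPathDiagnosticConsumer in the
// trace, only needs the manager when its destructor runs with reports queued.
struct Reporter {
    const Manager* mgr;
    std::vector<std::string> reports;
    bool* managerWasLiveAtFlush;   // records what the flush observed

    Reporter(const Manager* m, bool* out) : mgr(m), managerWasLiveAtFlush(out) {}
    void addReport(std::string text) { reports.push_back(std::move(text)); }

    ~Reporter() {
        if (reports.empty())
            return;   // nothing to flush: the manager is never touched
        *managerWasLiveAtFlush = liveManagers().count(mgr) != 0;
    }
};

// Ordering that mirrors the bug: the owning pointer is reset while the
// reporter still has reports queued, so its destructor flushes against a
// manager that no longer exists. Returns false on the dangling flush.
bool flushAfterManagerReset() {
    bool live = true;
    auto mgr = std::make_unique<Manager>();
    {
        Reporter br(mgr.get(), &live);
        br.addReport("constructed report");
        mgr.reset();   // manager destroyed while br still holds its address
    }                  // br flushes here against the dead manager
    return live;
}

// Safe ordering: the reporter's scope ends before the manager's, so the
// flush in ~Reporter always sees a live manager. Returns true.
bool flushBeforeManagerDestroyed() {
    bool live = false;
    Manager mgr;
    {
        Reporter br(&mgr, &live);
        br.addReport("constructed report");
    }                  // br flushes here; mgr lives until the function returns
    return live;
}

// Matches the observation in the thread: with no reports queued the bad
// ordering is never exercised, because the flush path is skipped entirely.
bool emptyReporterNeverTouchesManager() {
    bool live = true;  // stays true because ~Reporter returns early
    auto mgr = std::make_unique<Manager>();
    {
        Reporter br(mgr.get(), &live);
        mgr.reset();
    }
    return live;
}
```

The defensive lesson is the one the fix relies on: an object whose destructor does real work through a non-owning pointer must be destroyed before the object it points to, so declare it later in the same scope (C++ destroys locals and members in reverse order of construction) or give it a scope that closes first. A test that queues at least one report is what makes the ordering observable; an empty reporter passes regardless.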
