r188623 - Fix a use-after-free found in libclang when doing code completion. The

Chandler Carruth chandlerc at gmail.com
Sun Aug 18 00:20:52 PDT 2013


Author: chandlerc
Date: Sun Aug 18 02:20:52 2013
New Revision: 188623

URL: http://llvm.org/viewvc/llvm-project?rev=188623&view=rev
Log:
Fix a use-after-free found in libclang when doing code completion. The
loop processing the candidates can cause new declarations to be added to
the context, invalidating lookup_result. To avoid that, make a copy of
the list of declarations to iterate over.

I don't have a way to check in a test case for this as it involves
a giant pile of source code and a generated PCH file used to accelerate
code completion, all of this running under ASan.

Modified:
    cfe/trunk/lib/Sema/SemaLookup.cpp

Modified: cfe/trunk/lib/Sema/SemaLookup.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Sema/SemaLookup.cpp?rev=188623&r1=188622&r2=188623&view=diff
==============================================================================
--- cfe/trunk/lib/Sema/SemaLookup.cpp (original)
+++ cfe/trunk/lib/Sema/SemaLookup.cpp Sun Aug 18 02:20:52 2013
@@ -2505,11 +2505,17 @@ Sema::SpecialMemberOverloadResult *Sema:
   // will always be a (possibly implicit) declaration to shadow any others.
   OverloadCandidateSet OCS((SourceLocation()));
   DeclContext::lookup_result R = RD->lookup(Name);
-
   assert(!R.empty() &&
          "lookup for a constructor or assignment operator was empty");
-  for (DeclContext::lookup_iterator I = R.begin(), E = R.end(); I != E; ++I) {
-    Decl *Cand = *I;
+
+  // Copy the candidates as our processing of them may load new declarations
+  // from an external source and invalidate lookup_result.
+  SmallVector<NamedDecl *, 8> Candidates(R.begin(), R.end());
+
+  for (SmallVectorImpl<NamedDecl *>::iterator I = Candidates.begin(),
+                                         E = Candidates.end();
+       I != E; ++I) {
+    NamedDecl *Cand = *I;
 
     if (Cand->isInvalidDecl())
       continue;
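
Review bot: `R` stays in scope after it is copied into `Candidates`, so any later use of `R` in this function would still read the lookup_result that the new comment says can be invalidated. Consider confining `R` to a narrow scope that ends once `Candidates` is built (the assert can stay on `R` inside that scope, or move to `!Candidates.empty()`), or extend the comment to state that `R` must not be touched after the loop starts. Since the log says no test case could be checked in, that comment is the only guard against someone reintroducing direct iteration over `R`, so it is worth making the constraint explicit there.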




