<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href="https://github.com/llvm/llvm-project/issues/98667">98667</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            Possible use-after-free in `readConstraintSatisfaction`
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            clang,
            clang:modules,
            concepts
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          ahatanak
      </td>
    </tr>
</table>

<pre>
    The following code seems to have a bug. 

```cpp
    if (/* IsDiagnostic */ Record.readInt()) {
      SourceLocation DiagLocation = Record.readSourceLocation();
      std::string DiagMessage = Record.readString();
      // SubstitutionDiagnostic is std::pair<SourceLocation, StringRef>, so the
      // StringRef built here refers to DiagMessage's heap buffer.
      Satisfaction.Details.emplace_back(
          ConstraintExpr, new (Record.getContext())
                              ConstraintSatisfaction::SubstitutionDiagnostic{
                                  DiagLocation, DiagMessage});
      // DiagMessage is destroyed at the end of this block; the stored
      // StringRef now points at freed memory.
    } else
      Satisfaction.Details.emplace_back(ConstraintExpr, Record.readExpr());
```

`std::string DiagMessage` gets destructed when it goes out of scope at the end of the if statement, but its storage is being passed to the constructor of `SubstitutionDiagnostic`. `SubstitutionDiagnostic` is a typedef of `std::pair<SourceLocation, StringRef>`, so the `StringRef` holds a pointer to a deallocated array.

We are seeing a use-after-free crash that seems to be caused by the code above.
</pre>
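The lifetime problem described in the report, reproduced in a stand-alone model (added example, not LLVM's code): `StringRef` is stood in for by `std::string_view`, and the `ASTContext` allocator by a small owning arena. The broken variant mirrors the snippet above; the fixed variant copies the message bytes into arena-owned storage before building the pair, so the view outlives the local `std::string`.

```cpp
#include <cstddef>
#include <cstring>
#include <memory>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

struct SourceLocation { unsigned Raw = 0; };

// Same shape as ConstraintSatisfaction::SubstitutionDiagnostic
// (std::pair<SourceLocation, StringRef>), with string_view modelling StringRef.
using SubstitutionDiagnostic = std::pair<SourceLocation, std::string_view>;

// Assumed stand-in for the ASTContext bump allocator: every allocation lives
// as long as the arena, which is the lifetime a view stored in the AST needs.
class Arena {
  std::vector<std::unique_ptr<char[]>> Blocks;
public:
  char *allocate(std::size_t N) {
    Blocks.push_back(std::make_unique<char[]>(N));
    return Blocks.back().get();
  }
  // Copy Str into arena-owned memory and return a view that outlives Str.
  std::string_view copyString(std::string_view Str) {
    char *Buf = allocate(Str.size());
    std::memcpy(Buf, Str.data(), Str.size());
    return std::string_view(Buf, Str.size());
  }
};

// Broken shape from the issue: the view refers to a local std::string that is
// destroyed on return, so the caller receives a dangling pointer. Never read
// through the result; AddressSanitizer reports it as heap-use-after-free.
SubstitutionDiagnostic readDiagnosticBroken(Arena &Ctx, std::string Raw) {
  (void)Ctx;                                   // context not used: that is the bug
  SourceLocation Loc{1};
  std::string DiagMessage = std::move(Raw);    // dies at end of scope
  return SubstitutionDiagnostic{Loc, DiagMessage};
}

// Fixed shape: the message is copied into context-owned storage first, so the
// view stays valid after DiagMessage (and the deserializer's buffers) are gone.
SubstitutionDiagnostic readDiagnosticFixed(Arena &Ctx, std::string Raw) {
  SourceLocation Loc{1};
  std::string DiagMessage = std::move(Raw);
  return SubstitutionDiagnostic{Loc, Ctx.copyString(DiagMessage)};
}
```

Building the model with `-fsanitize=address` and reading `readDiagnosticBroken(...).second` shows the same class of report as the crash in the issue; the fixed variant is clean.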