[cfe-commits] r100926 - /cfe/trunk/lib/CodeGen/CodeGenModule.cpp

Benjamin Kramer benny.kra at googlemail.com
Sat Apr 10 04:02:40 PDT 2010


Author: d0k
Date: Sat Apr 10 06:02:40 2010
New Revision: 100926

URL: http://llvm.org/viewvc/llvm-project?rev=100926&view=rev
Log:
Fix use after free. Incrementing a use_iterator after its user is erased is unsafe.

Modified:
    cfe/trunk/lib/CodeGen/CodeGenModule.cpp

Modified: cfe/trunk/lib/CodeGen/CodeGenModule.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/CodeGen/CodeGenModule.cpp?rev=100926&r1=100925&r2=100926&view=diff
==============================================================================
--- cfe/trunk/lib/CodeGen/CodeGenModule.cpp (original)
+++ cfe/trunk/lib/CodeGen/CodeGenModule.cpp Sat Apr 10 06:02:40 2010
@@ -1203,11 +1203,12 @@
   llvm::SmallVector<llvm::Value*, 4> ArgList;
 
   for (llvm::Value::use_iterator UI = OldFn->use_begin(), E = OldFn->use_end();
-       UI != E; ++UI) {
+       UI != E; ) {
     // TODO: Do invokes ever occur in C code?  If so, we should handle them too.
-    llvm::CallInst *CI = dyn_cast<llvm::CallInst>(*UI);
+    llvm::Value::use_iterator I = UI++; // Increment before the CI is erased.
+    llvm::CallInst *CI = dyn_cast<llvm::CallInst>(*I);
     llvm::CallSite CS(CI);
-    if (!CI || !CS.isCallee(UI)) continue;
+    if (!CI || !CS.isCallee(I)) continue;
 
     // If the return types don't match exactly, and if the call isn't dead, then
     // we can't transform this call.
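Review bot: the `I = UI++` save only guards against losing the one Use that `I` points at; if the erased CI refers to OldFn in more than one operand slot (the non-callee case that the `CS.isCallee(I)` check on the following line skips), the Use saved in `UI` can belong to the same instruction and die with it when CI is erased, leaving the loop back in use-after-free territory. Since a `llvm::SmallVector` is already in scope here (`ArgList`), collecting the candidate call sites into a SmallVector in a first pass and rewriting them in a second loop would remove the dependence on use-list order altogether. Minor style point: `I` next to `UI` is easy to misread; `Cur`/`Next` (or `Use`/`NextUse`) would make the "advance before erase" intent obvious without the trailing comment.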

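The hazard the commit message describes (erasing the element an iterator points at, then incrementing that iterator) is not specific to LLVM use lists. The following is an added example, not code from the clang commit or from LLVM: it reproduces the "save, then advance" idiom the patch adopts on a std::list that stands in for the use list, and shows the worklist alternative (collect first, mutate second) as a second function. All names (`Use`, `eraseCalleeUses`, `eraseCalleeUsesWorklist`, `sampleUses`) and the sample list are constructed for this illustration.

```cpp
// Added example (not part of the clang commit or of LLVM). A std::list plays
// the role of a Value's use list; erasing a node invalidates iterators that
// point at it, exactly as erasing a User invalidates a use_iterator on it.
#include <cstddef>
#include <list>
#include <string>
#include <vector>

struct Use {
    std::string user;  // name of the instruction holding this use
    bool isCallee;     // true if OldFn sits in the callee operand slot
};

// Pattern from the patch: copy the iterator, advance the loop variable, and
// only then erase through the copy. `it` already points at the next node,
// so it survives the erase; `cur` is never touched again afterwards.
// Returns the names of the erased users, in list order.
std::vector<std::string> eraseCalleeUses(std::list<Use>& uses) {
    std::vector<std::string> erased;
    for (auto it = uses.begin(), end = uses.end(); it != end; ) {
        auto cur = it++;               // increment before cur may be erased
        if (!cur->isCallee) continue;  // argument uses are left alone
        erased.push_back(cur->user);
        uses.erase(cur);               // cur is dead from here on
    }
    return erased;
}

// Worklist alternative: no mutation while walking the list at all. This is
// the shape to prefer when a single erase can remove several nodes at once,
// because the walk has finished before any node disappears.
std::vector<std::string> eraseCalleeUsesWorklist(std::list<Use>& uses) {
    std::vector<std::list<Use>::iterator> worklist;
    for (auto it = uses.begin(); it != uses.end(); ++it)
        if (it->isCallee) worklist.push_back(it);
    std::vector<std::string> erased;
    for (auto it : worklist) {
        erased.push_back(it->user);
        uses.erase(it);                // std::list: other iterators stay valid
    }
    return erased;
}

// Constructed sample: two callee uses, one store, and one call that also
// passes OldFn as an argument (the non-callee use the isCallee check skips).
std::list<Use> sampleUses() {
    return {{"call1", true}, {"store1", false}, {"call2", true}, {"call2", false}};
}

// Small probes so the two strategies can be compared on the same input.
std::size_t erasedCount() {
    auto u = sampleUses();
    return eraseCalleeUses(u).size();
}
std::size_t remainingAfterErase() {
    auto u = sampleUses();
    eraseCalleeUses(u);
    return u.size();
}
std::size_t remainingAfterWorklist() {
    auto u = sampleUses();
    eraseCalleeUsesWorklist(u);
    return u.size();
}
std::string firstRemainingUser() {
    auto u = sampleUses();
    eraseCalleeUses(u);
    return u.front().user;
}
```

Run either function over `sampleUses()`: both erase `call1` and `call2` and leave `store1` and the argument use of `call2` in place. The difference is only where the risk lives: the first keeps one iterator alive across the erase and is correct only while each erase removes exactly the node `cur` points at; the second never holds an iterator across a mutation of the list it came from.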