[cfe-commits] [Patch] Fix use after free in AnalysisConsumer::HandleTranslationUnit

Dmitri Gribenko gribozavr at gmail.com
Sat Jan 7 06:08:52 PST 2012


On Sat, Jan 7, 2012 at 5:51 AM, Anna Zaks <ganna at apple.com> wrote:
> Great find!
>
> Is BugReporterData actually being used in the destructor? If yes, would be great to get a test case.

Yes, here's how:

(gdb) bt
#0  clang::ento::AnalysisManager::getPathDiagnosticConsumer (this=0x3c15ab0)
    at /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Core/../../../include/clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h:136
#1  0x0000000001474287 in clang::ento::BugReporter::getPathDiagnosticConsumer (this=0x7fffffffc590)
    at /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Core/../../../include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h:269
#2  0x0000000001471716 in clang::ento::BugReporter::FlushReport (this=0x7fffffffc590, EQ=...)
    at /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:1860
#3  0x000000000146f88a in clang::ento::BugReporter::FlushReports (this=0x7fffffffc590)
    at /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:1366
#4  0x000000000146f5d7 in clang::ento::BugReporter::~BugReporter (this=0x7fffffffc590, __in_chrg=<optimized out>)
    at /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:1338
#5  0x0000000001387dc4 in (anonymous namespace)::AnalysisConsumer::HandleDeclContextDecl (this=0x3bf7cc0, C=..., D=0x3c34d00)
    at /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:184
#6  0x0000000001387cf6 in (anonymous namespace)::AnalysisConsumer::HandleDeclContext (this=0x3bf7cc0, C=..., dc=0x3bf6ec0)
    at /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:177
#7  0x000000000138821e in (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit (this=0x3bf7cc0, C=...)
    at /home/storage_1/grib/clang/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:242
#8  0x0000000000ffb63a in clang::ParseAST (S=..., PrintStats=false)
    at /home/storage_1/grib/clang/llvm/tools/clang/lib/Parse/ParseAST.cpp:110
#9  0x0000000000cec193 in clang::ASTFrontendAction::ExecuteAction (this=0x3bcdf60)
    at /home/storage_1/grib/clang/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:402
#10 0x0000000000cebded in clang::FrontendAction::Execute (this=0x3bcdf60)
    at /home/storage_1/grib/clang/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:322
#11 0x0000000000cc65fe in clang::CompilerInstance::ExecuteAction (this=0x3bcc210, Act=...)
    at /home/storage_1/grib/clang/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:658
#12 0x0000000000c99691 in clang::ExecuteCompilerInvocation (Clang=0x3bcc210)
    at /home/storage_1/grib/clang/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:173
#13 0x0000000000c88aeb in cc1_main (ArgBegin=0x7fffffffd180, ArgEnd=0x7fffffffd1a0, Argv0=0x3bcbeb8 "/home/storage_1/grib/clang/llvm-build/Debug+Asserts/bin/clang", MainAddr=0xc93510)
    at /home/storage_1/grib/clang/llvm/tools/clang/tools/driver/cc1_main.cpp:165
#14 0x0000000000c94cd7 in main (argc_=6, argv_=0x7fffffffe298)
    at /home/storage_1/grib/clang/llvm/tools/clang/tools/driver/driver.cpp:353

A crash happens only when reports have been added in
AnalysisConsumer::HandleTranslationUnit's BugReporter.

class StdSmartPointerChecker
    : public Checker<check::ASTDecl<TranslationUnitDecl> > {
public:
  void checkASTDecl(const TranslationUnitDecl *D, AnalysisManager &mgr,
                    BugReporter &BR) const {
    // ... add bug reports to BR here ...
  }
};

We don't have such checkers in clang, so I can't create a test.

Dmitri

-- 
main(i,j){for(i=2;;i++){for(j=2;j<i;j++){if(!(i%j)){j=0;break;}}if
(j){printf("%d\n",i);}}} /*Dmitri Gribenko <gribozavr at gmail.com>*/
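
The backtrace above shows the shape of the bug: ~BugReporter flushes the queued reports, and flushing reaches back into the AnalysisManager it holds a reference to. If the manager has already been torn down, that flush is a use-after-free, and it only happens when something was actually queued. The following is an added example, not clang code: Manager, Reporter, g_liveManagers, buggyOrder and fixedOrder are hypothetical stand-ins that model the same lifetime relationship. The live-object registry exists only so the example can report the dangling access instead of dereferencing freed memory; real code has nothing like it, which is why AddressSanitizer is the tool for the real thing.

```cpp
// Added example (not clang's code): models an object whose destructor
// flushes work through a non-owning reference to another object.
#include <memory>
#include <set>
#include <string>
#include <vector>

// Hypothetical registry of live Manager objects. It stands in for the
// bookkeeping AddressSanitizer does; it is not part of any real design.
static std::set<const void*> g_liveManagers;

// Stand-in for AnalysisManager: owns the "diagnostic consumer".
struct Manager {
    std::vector<std::string> consumed;
    Manager()  { g_liveManagers.insert(this); }
    ~Manager() { g_liveManagers.erase(this); }
    void consume(const std::string& report) { consumed.push_back(report); }
};

// Stand-in for BugReporter: keeps a non-owning pointer to the Manager and
// delivers pending reports from its destructor, like ~BugReporter above.
struct Reporter {
    Manager* manager;                 // non-owning, may dangle
    std::vector<std::string> pending;
    bool* flushedSafely;              // out-param: did the flush see a live manager?

    Reporter(Manager& m, bool* out) : manager(&m), flushedSafely(out) {}
    void add(const std::string& report) { pending.push_back(report); }

    ~Reporter() {
        // No reports queued: the manager is never touched, so no crash.
        // This matches "a crash happens only when reports have been added".
        if (pending.empty()) { *flushedSafely = true; return; }
        // Real code would dereference here regardless; the registry check
        // turns the use-after-free into a reported failure instead.
        if (!g_liveManagers.count(manager)) { *flushedSafely = false; return; }
        for (const std::string& r : pending) manager->consume(r);
        *flushedSafely = true;
    }
};

// Buggy ordering: the manager is reset explicitly while the reporter that
// refers to it is still alive, so the reporter's destructor runs last and
// flushes into a dead object.
bool buggyOrder(bool addReport) {
    bool ok = false;
    {
        std::unique_ptr<Manager> mgr(new Manager);
        Reporter BR(*mgr, &ok);
        if (addReport) BR.add("hypothetical report");
        mgr.reset();   // manager destroyed; BR.manager now dangles
    }                  // BR destroyed here: flush after free
    return ok;
}

// Fixed ordering: scope the reporter so it is destroyed (and flushes)
// while the manager it refers to is still alive.
bool fixedOrder(bool addReport) {
    bool ok = false;
    std::unique_ptr<Manager> mgr(new Manager);
    {
        Reporter BR(*mgr, &ok);
        if (addReport) BR.add("hypothetical report");
    }                  // BR flushed here, manager still alive
    bool delivered = mgr->consumed.size() == (addReport ? 1u : 0u);
    mgr.reset();       // safe: nothing refers to the manager any more
    return ok && delivered;
}

int main() {
    // buggyOrder(true) is the crashing case; buggyOrder(false) survives only
    // because an empty reporter never touches the manager.
    return (buggyOrder(true) == false && buggyOrder(false) && fixedOrder(true) &&
            fixedOrder(false)) ? 0 : 1;
}
```

The fix pattern the example shows is the general one for this class of bug: whenever an object flushes through a reference in its destructor, its scope must close before whatever it refers to is released. Compiling the real analyzer with -fsanitize=address and running a checker that queues a report from checkASTDecl on the TranslationUnitDecl is the practical way to confirm the access on the unfixed tree.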