[cfe-commits] r147732 - /cfe/trunk/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp

Anna Zaks ganna at apple.com
Sat Jan 7 08:49:47 PST 2012 

Author: zaks
Date: Sat Jan  7 10:49:46 2012
New Revision: 147732

URL: http://llvm.org/viewvc/llvm-project?rev=147732&view=rev
Log:
[analyzer] Fix use-after-free in HandleTranslationUnit.

A patch by Dmitri Gribenko!

The attached patch fixes a use-after-free in AnalysisConsumer::HandleTranslationUnit.  The problem is that
BugReporter's destructor runs after AnalysisManager has been already
deleted.  The fix introduces a scope to force correct destruction
order.

A crash happens only when reports have been added in AnalysisConsumer::HandleTranslationUnit's BugReporter. We don't have such checkers in clang so no test.

Modified:
    cfe/trunk/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp

Modified: cfe/trunk/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp?rev=147732&r1=147731&r2=147732&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp Sat Jan  7 10:49:46 2012
@@ -236,13 +236,16 @@
 }
 
 void AnalysisConsumer::HandleTranslationUnit(ASTContext &C) {
-  BugReporter BR(*Mgr);
-  TranslationUnitDecl *TU = C.getTranslationUnitDecl();
-  checkerMgr->runCheckersOnASTDecl(TU, *Mgr, BR);
-  HandleDeclContext(C, TU);
+  {
+    // Introduce a scope to destroy BR before Mgr.
+    BugReporter BR(*Mgr);
+    TranslationUnitDecl *TU = C.getTranslationUnitDecl();
+    checkerMgr->runCheckersOnASTDecl(TU, *Mgr, BR);
+    HandleDeclContext(C, TU);
 
-  // After all decls handled, run checkers on the entire TranslationUnit.
-  checkerMgr->runCheckersOnEndOfTranslationUnit(TU, *Mgr, BR);
+    // After all decls handled, run checkers on the entire TranslationUnit.
+    checkerMgr->runCheckersOnEndOfTranslationUnit(TU, *Mgr, BR);
+  }
 
   // Explicitly destroy the PathDiagnosticConsumer.  This will flush its output.
   // FIXME: This should be replaced with something that doesn't rely on

More information about the cfe-commits mailing list