r356187 - [Sema] Fix a use-after-free of a _Nonnull ParsedAttr

Erik Pilkington via cfe-commits cfe-commits at lists.llvm.org
Thu Mar 14 11:38:02 PDT 2019 

Author: epilk
Date: Thu Mar 14 11:38:02 2019
New Revision: 356187

URL: http://llvm.org/viewvc/llvm-project?rev=356187&view=rev
Log:
[Sema] Fix a use-after-free of a _Nonnull ParsedAttr

We were allocating the implicit attribute in the declarator's attribute pool,
but putting into the declaration specifier's ParsedAttributesView. If there are
multiple declarators, then we'll use the attribute from the declaration
specifier after clearing out the declarators attribute pool. Fix this by
allocating the attribute in the declaration specifier's pool.

rdar://48529718

Differential revision: https://reviews.llvm.org/D59327

Modified:
    cfe/trunk/lib/Sema/SemaType.cpp
    cfe/trunk/test/SemaObjC/nonnull.m

Modified: cfe/trunk/lib/Sema/SemaType.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Sema/SemaType.cpp?rev=356187&r1=356186&r2=356187&view=diff
==============================================================================
--- cfe/trunk/lib/Sema/SemaType.cpp (original)
+++ cfe/trunk/lib/Sema/SemaType.cpp Thu Mar 14 11:38:02 2019
@@ -4221,7 +4221,7 @@ static TypeSourceInfo *GetFullTypeForDec
   auto inferPointerNullability =
       [&](SimplePointerKind pointerKind, SourceLocation pointerLoc,
           SourceLocation pointerEndLoc,
-          ParsedAttributesView &attrs) -> ParsedAttr * {
+          ParsedAttributesView &attrs, AttributePool &Pool) -> ParsedAttr * {
     // We've seen a pointer.
     if (NumPointersRemaining > 0)
       --NumPointersRemaining;
@@ -4235,11 +4235,9 @@ static TypeSourceInfo *GetFullTypeForDec
       ParsedAttr::Syntax syntax = inferNullabilityCS
                                       ? ParsedAttr::AS_ContextSensitiveKeyword
                                       : ParsedAttr::AS_Keyword;
-      ParsedAttr *nullabilityAttr =
-          state.getDeclarator().getAttributePool().create(
-              S.getNullabilityKeyword(*inferNullability),
-              SourceRange(pointerLoc), nullptr, SourceLocation(), nullptr, 0,
-              syntax);
+      ParsedAttr *nullabilityAttr = Pool.create(
+          S.getNullabilityKeyword(*inferNullability), SourceRange(pointerLoc),
+          nullptr, SourceLocation(), nullptr, 0, syntax);
 
       attrs.addAtEnd(nullabilityAttr);
 
@@ -4298,7 +4296,8 @@ static TypeSourceInfo *GetFullTypeForDec
         if (auto *attr = inferPointerNullability(
                 pointerKind, D.getDeclSpec().getTypeSpecTypeLoc(),
                 D.getDeclSpec().getEndLoc(),
-                D.getMutableDeclSpec().getAttributes())) {
+                D.getMutableDeclSpec().getAttributes(),
+                D.getMutableDeclSpec().getAttributePool())) {
           T = state.getAttributedType(
               createNullabilityAttr(Context, *attr, *inferNullability), T, T);
         }
@@ -4338,7 +4337,8 @@ static TypeSourceInfo *GetFullTypeForDec
 
       // Handle pointer nullability.
       inferPointerNullability(SimplePointerKind::BlockPointer, DeclType.Loc,
-                              DeclType.EndLoc, DeclType.getAttrs());
+                              DeclType.EndLoc, DeclType.getAttrs(),
+                              state.getDeclarator().getAttributePool());
 
       T = S.BuildBlockPointerType(T, D.getIdentifierLoc(), Name);
       if (DeclType.Cls.TypeQuals || LangOpts.OpenCL) {
@@ -4360,7 +4360,8 @@ static TypeSourceInfo *GetFullTypeForDec
 
       // Handle pointer nullability
       inferPointerNullability(SimplePointerKind::Pointer, DeclType.Loc,
-                              DeclType.EndLoc, DeclType.getAttrs());
+                              DeclType.EndLoc, DeclType.getAttrs(),
+                              state.getDeclarator().getAttributePool());
 
       if (LangOpts.ObjC && T->getAs<ObjCObjectType>()) {
         T = Context.getObjCObjectPointerType(T);
@@ -4892,7 +4893,8 @@ static TypeSourceInfo *GetFullTypeForDec
 
       // Handle pointer nullability.
       inferPointerNullability(SimplePointerKind::MemberPointer, DeclType.Loc,
-                              DeclType.EndLoc, DeclType.getAttrs());
+                              DeclType.EndLoc, DeclType.getAttrs(),
+                              state.getDeclarator().getAttributePool());
 
       if (SS.isInvalid()) {
         // Avoid emitting extra errors if we already errored on the scope.

Modified: cfe/trunk/test/SemaObjC/nonnull.m
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/SemaObjC/nonnull.m?rev=356187&r1=356186&r2=356187&view=diff
==============================================================================
--- cfe/trunk/test/SemaObjC/nonnull.m (original)
+++ cfe/trunk/test/SemaObjC/nonnull.m Thu Mar 14 11:38:02 2019
@@ -125,3 +125,9 @@ void PR18795_helper() {
 }
 
 void (^PR23117)(int *) = ^(int *p1) __attribute__((nonnull(1))) {};
+
+typedef int *intptr;
+#pragma clang assume_nonnull begin
+intptr a, b;
+intptr c, (*d)();
+#pragma clang assume_nonnull end

More information about the cfe-commits mailing list