r357516 - [Sema] Fix a use-after-deallocate of a ParsedAttr
Erik Pilkington via cfe-commits
cfe-commits at lists.llvm.org
Tue Apr 2 12:48:11 PDT 2019
Author: epilk
Date: Tue Apr 2 12:48:11 2019
New Revision: 357516
URL: http://llvm.org/viewvc/llvm-project?rev=357516&view=rev
Log:
[Sema] Fix a use-after-deallocate of a ParsedAttr
moveAttrFromListToList only makes sense when moving an attribute to a list with
a pool that's either equivalent, or has a shorter lifetime. Therefore, using it
to move a ParsedAttr from a declarator to a declaration specifier doesn't make
sense, since the declaration specifier's pool outlives the declarator's. The
patch adds a new function, ParsedAttributes::takeOneFrom, which transfers the
attribute from one pool to another, fixing the use-after-deallocate.
rdar://49175426
Differential revision: https://reviews.llvm.org/D60101
Modified:
cfe/trunk/include/clang/Sema/ParsedAttr.h
cfe/trunk/lib/Sema/SemaType.cpp
cfe/trunk/test/SemaObjC/arc-property-decl-attrs.m
Modified: cfe/trunk/include/clang/Sema/ParsedAttr.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Sema/ParsedAttr.h?rev=357516&r1=357515&r2=357516&view=diff
==============================================================================
--- cfe/trunk/include/clang/Sema/ParsedAttr.h (original)
+++ cfe/trunk/include/clang/Sema/ParsedAttr.h Tue Apr 2 12:48:11 2019
@@ -659,6 +659,7 @@ public:
class AttributePool {
friend class AttributeFactory;
+ friend class ParsedAttributes;
AttributeFactory &Factory;
llvm::TinyPtrVector<ParsedAttr *> Attrs;
@@ -892,6 +893,13 @@ public:
pool.takeAllFrom(attrs.pool);
}
+ void takeOneFrom(ParsedAttributes &Attrs, ParsedAttr *PA) {
+ Attrs.getPool().remove(PA);
+ Attrs.remove(PA);
+ getPool().add(PA);
+ addAtEnd(PA);
+ }
+
void clear() {
clearListOnly();
pool.clear();
Modified: cfe/trunk/lib/Sema/SemaType.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Sema/SemaType.cpp?rev=357516&r1=357515&r2=357516&view=diff
==============================================================================
--- cfe/trunk/lib/Sema/SemaType.cpp (original)
+++ cfe/trunk/lib/Sema/SemaType.cpp Tue Apr 2 12:48:11 2019
@@ -534,8 +534,8 @@ static void distributeObjCPointerTypeAtt
// attribute from being applied multiple times and gives
// the source-location-filler something to work with.
state.saveDeclSpecAttrs();
- moveAttrFromListToList(attr, declarator.getAttributes(),
- declarator.getMutableDeclSpec().getAttributes());
+ declarator.getMutableDeclSpec().getAttributes().takeOneFrom(
+ declarator.getAttributes(), &attr);
return;
}
}
Modified: cfe/trunk/test/SemaObjC/arc-property-decl-attrs.m
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/SemaObjC/arc-property-decl-attrs.m?rev=357516&r1=357515&r2=357516&view=diff
==============================================================================
--- cfe/trunk/test/SemaObjC/arc-property-decl-attrs.m (original)
+++ cfe/trunk/test/SemaObjC/arc-property-decl-attrs.m Tue Apr 2 12:48:11 2019
@@ -287,3 +287,7 @@ __attribute__((objc_root_class))
@synthesize collision = _collision; // expected-note {{property synthesized here}}
@end
+
+// This used to crash because we'd temporarly store the weak attribute on the
+// declaration specifier, then deallocate it when clearing the declarator.
+id i1, __weak i2, i3;
More information about the cfe-commits
mailing list