[PATCH] D60101: [Sema] Fix a use-after-deallocate of a ParsedAttr

Phabricator via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Tue Apr 2 12:49:42 PDT 2019 

This revision was automatically updated to reflect the committed changes.
Closed by commit rC357516: [Sema] Fix a use-after-deallocate of a ParsedAttr (authored by epilk, committed by ).

Changed prior to commit:
  https://reviews.llvm.org/D60101?vs=193185&id=193348#toc

Repository:
  rC Clang

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D60101/new/

https://reviews.llvm.org/D60101

Files:
  include/clang/Sema/ParsedAttr.h
  lib/Sema/SemaType.cpp
  test/SemaObjC/arc-property-decl-attrs.m


Index: test/SemaObjC/arc-property-decl-attrs.m
===================================================================
--- test/SemaObjC/arc-property-decl-attrs.m
+++ test/SemaObjC/arc-property-decl-attrs.m
@@ -287,3 +287,7 @@
 @synthesize collision = _collision; // expected-note {{property synthesized here}}
 
 @end
+
+// This used to crash because we'd temporarly store the weak attribute on the
+// declaration specifier, then deallocate it when clearing the declarator.
+id i1, __weak i2, i3;
Index: lib/Sema/SemaType.cpp
===================================================================
--- lib/Sema/SemaType.cpp
+++ lib/Sema/SemaType.cpp
@@ -534,8 +534,8 @@
       // attribute from being applied multiple times and gives
       // the source-location-filler something to work with.
       state.saveDeclSpecAttrs();
-      moveAttrFromListToList(attr, declarator.getAttributes(),
-                             declarator.getMutableDeclSpec().getAttributes());
+      declarator.getMutableDeclSpec().getAttributes().takeOneFrom(
+          declarator.getAttributes(), &attr);
       return;
     }
   }
Index: include/clang/Sema/ParsedAttr.h
===================================================================
--- include/clang/Sema/ParsedAttr.h
+++ include/clang/Sema/ParsedAttr.h
@@ -659,6 +659,7 @@
 
 class AttributePool {
   friend class AttributeFactory;
+  friend class ParsedAttributes;
   AttributeFactory &Factory;
   llvm::TinyPtrVector<ParsedAttr *> Attrs;
 
@@ -892,6 +893,13 @@
     pool.takeAllFrom(attrs.pool);
   }
 
+  void takeOneFrom(ParsedAttributes &Attrs, ParsedAttr *PA) {
+    Attrs.getPool().remove(PA);
+    Attrs.remove(PA);
+    getPool().add(PA);
+    addAtEnd(PA);
+  }
+
   void clear() {
     clearListOnly();
     pool.clear();


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D60101.193348.patch
Type: text/x-patch
Size: 1768 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20190402/0cce75ca/attachment-0001.bin>

More information about the cfe-commits mailing list