[clang] [clang] Fix a use-after-free in expression evaluation (PR #118480)
Ilya Biryukov via cfe-commits
cfe-commits at lists.llvm.org
Wed Apr 23 08:21:35 PDT 2025
ilya-biryukov wrote:
@kadircet and I have spent some time on this.
The `LValueExprEvaluator` decides to "defer" the evaluation of compound literals to conversions, but does this in a way that assumes the evaluation happens inside the same expression.
https://github.com/llvm/llvm-project/blob/6c561604336497cbeebc90f9066a9f474458a38d/clang/lib/AST/ExprConstant.cpp#L9127
When we end up storing this resulting `LValue` anywhere (e.g. inside the value of a global `VarDecl`), we simply store a pointer to this expression inside the initializer.
Then the following code sees the expression in various random contexts it didn't belong to (e.g. when calling a constructor that happens to use the global variable).
https://github.com/llvm/llvm-project/blob/6c561604336497cbeebc90f9066a9f474458a38d/clang/lib/AST/ExprConstant.cpp#L4585
We feel that the right fix would be to instead create a proper l-value with the right lifetime (either static or block scope, depending on the rules for the compound literals) and remove the "deferring" logic altogether. @kadircet is preparing the fix.
This should be enough to fix the crash and properly evaluate the compound literals, but probably won't address the FIXMEs mentioned above.
@AaronBallman thanks for the pointers, they were really helpful to figure this out.
https://github.com/llvm/llvm-project/pull/118480
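The lifetime rule the proposed fix relies on is the C one for compound literals (C11 6.5.2.5): a compound literal at file scope has static storage duration, one inside a block has automatic storage duration and dies at the end of that block. The small program below is an added example illustrating that rule from the C side; it is not code from the PR or from the LLVM project, and the function and variable names (`g_static_lit`, `static_literal_sum`, `block_literal_sum`, `copy_of_block_literal`, `points_into_static`) are chosen here for illustration.

```c
#include <stddef.h>

/* File-scope compound literal: static storage duration, so taking its
 * address in a global initializer is an address constant and the object
 * lives for the whole program. This is the "static" case a constant
 * evaluator may legitimately keep a pointer to. (Names are illustrative.) */
static int *g_static_lit = (int[]){1, 2, 3};

/* Reads through the global pointer long after initialization; well-defined
 * because the pointee has static storage duration. */
int static_literal_sum(void) {
    return g_static_lit[0] + g_static_lit[1] + g_static_lit[2];
}

/* Compound literals are modifiable objects, not string-literal-like
 * constants, so writing through the pointer is also well-defined. */
int mutate_static_literal(int v) {
    g_static_lit[0] = v;
    return g_static_lit[0];
}

/* Block-scope compound literal: automatic storage duration. Using the
 * pointer inside the enclosing block is fine. */
int block_literal_sum(int a, int b) {
    int *p = (int[]){a, b};
    return p[0] + p[1];  /* still inside the block that owns the literal */
}

/* The incorrect variant would be `return (int[]){a, b};` from a function:
 * the returned pointer would dangle once the block ends. The safe pattern,
 * if the value must outlive the block, is to copy it out, as done here. */
int copy_of_block_literal(int a, int b, int *out, size_t n) {
    int *p = (int[]){a, b};
    size_t i;
    if (n < 2) {
        return -1;  /* caller's buffer too small */
    }
    for (i = 0; i < 2; i++) {
        out[i] = p[i];
    }
    return 0;
}

/* Pointer comparison against a known live object: true if p points into
 * the static literal. */
int points_into_static(const int *p) {
    return p >= g_static_lit && p < g_static_lit + 3;
}
```

The contrast between `static_literal_sum` and the commented-out `return (int[]){a, b};` is the distinction the post describes: an l-value for a file-scope literal can be stored in a global's value, while one for a block-scope literal must not escape the block that created it.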