[cfe-dev] Really nasty use-after-free problems surrounding StoredDeclsList

Chandler Carruth chandlerc at google.com
Sat Aug 17 22:43:29 PDT 2013


Greetings folks,

Manuel pointed me at a use-after-free issue that is really nasty. We've got
a lot of these while using preambles in libclang for code completion. The
crux of the problem seems to stem from the following:

- DeclContext::lookup(...) returns a MutableArrayRef<NamedDecl*> which
points into a particular StoredDeclsList looked up in a StoredDeclsMap.

- In some cases, the StoredDeclsList only has one element, and it stores it
internally.

- In other cases, the StoredDeclsList stores the elements in a small vector
which can grow and be re-allocated...

- Thus, things which add decls to an AST have a very real chance of
invalidating the pointer stored in the MutableArrayRef returned by
DeclContext::lookup.

=/

My question is how best to fix this long term? I can go in and add targeted
copying of the NamedDecl*s in the lookup result when there are clearly
operations that might shift the AST... I've started looking for these and
may commit a few strategic fixes that are causing crashes for us, but it
seems like a losing proposition because the results of a lookup are
sometimes rather long lived -- we store them in CXXBasePaths for example.

Is there a better long-term solution? Other ideas or suggestions? Have I
messed up my analysis somewhere?
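The invalidation described in the message, reduced to a toy model as an added example (this is not clang's code: `NamedDecl`, `StoredDeclsList`, `DeclContext` and `View` below are hypothetical stand-ins that only mimic the two storage modes the post lists, and `std::map` is assumed so that the list objects themselves never move). The first function holds the lookup view across an insertion and reports, without touching freed memory, that its buffer address has gone stale; the second shows the targeted fix the post mentions, copying the result out before mutating; the third shows that even the single-element mode returns a wrong answer once the list switches modes.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for clang's NamedDecl (assumed, not the real class).
struct NamedDecl { std::string name; };

// Mirrors the two storage modes from the post: one element stored inline,
// or a growable vector whose buffer is reallocated as it grows.
class StoredDeclsList {
  NamedDecl *single = nullptr;
  std::vector<NamedDecl *> vec;
public:
  // Non-owning view, like MutableArrayRef<NamedDecl*>: pointer + length
  // into whichever storage happens to be current at lookup time.
  struct View { NamedDecl **data; std::size_t size; };

  void add(NamedDecl *d) {
    if (!single && vec.empty()) { single = d; return; }       // inline mode
    if (single) { vec.push_back(single); single = nullptr; }    // switch modes
    vec.push_back(d);  // may reallocate: every View handed out earlier now dangles
  }
  View lookup() {
    if (single) return {&single, 1};
    return {vec.data(), vec.size()};
  }
};

// Toy DeclContext: owns the decls (stable addresses via unique_ptr) and maps
// each name to a StoredDeclsList. std::map is node-based, so the list objects
// stay put; only their internal buffers move.
class DeclContext {
  std::vector<std::unique_ptr<NamedDecl>> owned;
  std::map<std::string, StoredDeclsList> map;
public:
  NamedDecl *addDecl(const std::string &name) {
    owned.push_back(std::make_unique<NamedDecl>(NamedDecl{name}));
    NamedDecl *d = owned.back().get();
    map[name].add(d);
    return d;
  }
  StoredDeclsList::View lookup(const std::string &name) {
    auto it = map.find(name);
    if (it == map.end()) return {nullptr, 0};
    return it->second.lookup();
  }
};

// Unsafe pattern: keep the View while decls are added. Buffer addresses are
// captured as integers before any reallocation, so this function reports the
// dangling state without ever dereferencing freed memory.
struct DanglingReport { int addsUntilMove; bool viewIsStale; };

DanglingReport holdViewAcrossMutation() {
  DeclContext ctx;
  ctx.addDecl("f"); ctx.addDecl("f");               // two overloads: vector mode
  StoredDeclsList::View view = ctx.lookup("f");     // points into vec's buffer
  std::uintptr_t before = reinterpret_cast<std::uintptr_t>(view.data);
  int adds = 0;
  while (adds < 64 &&
         reinterpret_cast<std::uintptr_t>(ctx.lookup("f").data) == before) {
    ctx.addDecl("f");                               // push_back may reallocate
    ++adds;
  }
  bool stale = reinterpret_cast<std::uintptr_t>(ctx.lookup("f").data) != before;
  // Dereferencing view.data here would be a heap use-after-free.
  return {adds, stale};
}

// Safe pattern (the targeted fix the post describes): copy the NamedDecl*
// out of the lookup result before any operation that can grow the AST.
// The NamedDecl objects themselves are owned elsewhere and do not move.
std::vector<std::string> copyThenMutate() {
  DeclContext ctx;
  ctx.addDecl("g"); ctx.addDecl("g");
  StoredDeclsList::View view = ctx.lookup("g");
  std::vector<NamedDecl *> snapshot(view.data, view.data + view.size);  // owns its buffer
  for (int i = 0; i < 8; ++i) ctx.addDecl("g");   // `view` dangles, `snapshot` does not
  std::vector<std::string> names;
  for (NamedDecl *d : snapshot) names.push_back(d->name);
  return names;                                     // {"g", "g"}
}

// Alternative fix: re-run the lookup after the mutation instead of caching it.
std::size_t relookupCount() {
  DeclContext ctx;
  for (int i = 0; i < 10; ++i) ctx.addDecl("k");
  return ctx.lookup("k").size;                      // 10
}

// Inline mode is not safe either: the slot stays addressable, but its
// contents are cleared when the list switches to vector mode.
bool inlineViewGoesStale() {
  DeclContext ctx;
  ctx.addDecl("h");                                 // single-element mode
  StoredDeclsList::View view = ctx.lookup("h");     // &single
  ctx.addDecl("h");                                 // moves to vec, clears single
  return view.size == 1 && view.data[0] == nullptr; // stale: reads a null decl
}

int main() {
  DanglingReport r = holdViewAcrossMutation();
  std::cout << "adds until buffer moved: " << r.addsUntilMove
            << ", view stale: " << r.viewIsStale << '\n';
  std::cout << "snapshot size: " << copyThenMutate().size() << '\n';
  std::cout << "inline view stale: " << inlineViewGoesStale() << '\n';
  return 0;
}
```

Building with `-fsanitize=address` and adding a `view.data[0]` read after the loop in `holdViewAcrossMutation` turns the reported stale address into a heap-use-after-free diagnostic; that is the crash class the post describes. The snapshot copy is the localized fix; holders that keep a lookup result for a long time (the CXXBasePaths case in the message) need either the same copy or a representation that does not point into the list's buffer.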