[Lldb-commits] [lldb] [lldb] Fix a use-after-free in SymbolFileCTF (PR #151586)
Jonas Devlieghere via lldb-commits
lldb-commits at lists.llvm.org
Thu Jul 31 14:06:57 PDT 2025
JDevlieghere wrote:
> I think I'm missing something. Instead of removing it at the end of `ResolveTypeUID`, you remove it right _after_ the call to `ResolveTypeUID`. What's the difference?
I should've mentioned that this function is (indirectly) recursive, because that's totally fine (e.g. a struct having a pointer to itself). Here's the stack trace from ASan that illustrates this.
```
lldb_private::SymbolFileCTF::ResolveTypeUID(unsigned long long) SymbolFileCTF.cpp:1022
lldb_private::SymbolFileCTF::CreateModifier(lldb_private::CTFModifier const&) SymbolFileCTF.cpp:378
lldb_private::SymbolFileCTF::CreateType(lldb_private::CTFType*) SymbolFileCTF.cpp:583
lldb_private::SymbolFileCTF::ResolveTypeUID(unsigned long long) SymbolFileCTF.cpp:1001
lldb_private::SymbolFileCTF::CompleteType(lldb_private::CompilerType&) SymbolFileCTF.cpp:531
lldb_private::Type::ResolveCompilerType(lldb_private::Type::ResolveState) Type.cpp:733
lldb_private::Type::GetFullCompilerType() Type.cpp:773
lldb_private::SymbolFileCTF::CreateTypedef(lldb_private::CTFTypedef const&) SymbolFileCTF.cpp:421
lldb_private::SymbolFileCTF::CreateType(lldb_private::CTFType*) SymbolFileCTF.cpp:585
lldb_private::SymbolFileCTF::ResolveTypeUID(unsigned long long) SymbolFileCTF.cpp:1001
```
In the process of resolving the type, we have to create another type, which includes a type modifier of the original type.
https://github.com/llvm/llvm-project/pull/151586