[analyzer] Fix a use-after-free introduced in r168019.

In code like this:

void foo() {
     bar();
     baz();
}

...the location for the call to 'bar()' was being used as a backup location
for the call to 'baz()'. This is fine unless the call to 'bar()' is deemed
uninteresting and that part of the path deleted.

(This looks like a logic error as well, but in practice the only way 'baz()'
could have an invalid location is if the entire body of 'foo()' is
synthesized, meaning the call to 'bar()' will be using the location of the
call to 'foo()' anyway. Nevertheless, the new version better matches the
intent of the code.)

Found by Matt Beaumont-Gay using ASan. Thanks, Matt!

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@168080 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/lib/StaticAnalyzer/Core/BugReporter.cpp b/lib/StaticAnalyzer/Core/BugReporter.cpp
index 5c14eaf284781e25aee67316699645910cb00af8..bceded02de9ccfb2547ee202386695c729a93ab5 100644 (file)
--- a/lib/StaticAnalyzer/Core/BugReporter.cpp
+++ b/lib/StaticAnalyzer/Core/BugReporter.cpp
@@ -227,13 +227,14 @@ bool BugReporter::RemoveUneededCalls(PathPieces &pieces, BugReport *R,
 
         // Recursively clean out the subclass.  Keep this call around if
         // it contains any informative diagnostics.
+        PathDiagnosticLocation *ThisCallLocation;
         if (call->callEnterWithin.asLocation().isValid())
-          LastCallLocation = &call->callEnterWithin;
+          ThisCallLocation = &call->callEnterWithin;
         else
-          LastCallLocation = &call->callEnter;
+          ThisCallLocation = &call->callEnter;
 
-        assert(LastCallLocation && "Outermost call has an invalid location");
-        if (!RemoveUneededCalls(call->path, R, LastCallLocation))
+        assert(ThisCallLocation && "Outermost call has an invalid location");
+        if (!RemoveUneededCalls(call->path, R, ThisCallLocation))
           continue;
         
         containsSomethingInteresting = true;