Fix use after free. Incrementing an use_iterator after its user is erased is unsafe.

author Benjamin Kramer <benny.kra@googlemail.com>

Sat, 10 Apr 2010 11:02:40 +0000 (11:02 +0000)

committer Benjamin Kramer <benny.kra@googlemail.com>

Sat, 10 Apr 2010 11:02:40 +0000 (11:02 +0000)
author Benjamin Kramer <benny.kra@googlemail.com>
Sat, 10 Apr 2010 11:02:40 +0000 (11:02 +0000)
committer Benjamin Kramer <benny.kra@googlemail.com>
Sat, 10 Apr 2010 11:02:40 +0000 (11:02 +0000)
diff --git a/lib/CodeGen/CodeGenModule.cpp b/lib/CodeGen/CodeGenModule.cpp

index 3a59c4cf3dedd54b881e244cb2f0204ae957f88b..565f83c69081d190c69be26730af1eba694d7822 100644 (file)
--- a/lib/CodeGen/CodeGenModule.cpp
+++ b/lib/CodeGen/CodeGenModule.cpp
@@ -1203,11 +1203,12 @@ static void ReplaceUsesOfNonProtoTypeWithRealFunction(llvm::GlobalValue *Old,
    llvm::SmallVector<llvm::Value*, 4> ArgList;
  
    for (llvm::Value::use_iterator UI = OldFn->use_begin(), E = OldFn->use_end();
-       UI != E; ++UI) {
+       UI != E; ) {
      // TODO: Do invokes ever occur in C code?  If so, we should handle them too.
-    llvm::CallInst *CI = dyn_cast<llvm::CallInst>(*UI);
+    llvm::Value::use_iterator I = UI++; // Increment before the CI is erased.
+    llvm::CallInst *CI = dyn_cast<llvm::CallInst>(*I);
      llvm::CallSite CS(CI);
-    if (!CI || !CS.isCallee(UI)) continue;
+    if (!CI || !CS.isCallee(I)) continue;
  
      // If the return types don't match exactly, and if the call isn't dead, then
      // we can't transform this call.
author	Benjamin Kramer <benny.kra@googlemail.com>
	Sat, 10 Apr 2010 11:02:40 +0000 (11:02 +0000)
committer	Benjamin Kramer <benny.kra@googlemail.com>
	Sat, 10 Apr 2010 11:02:40 +0000 (11:02 +0000)