From: Erik Pilkington Date: Thu, 14 Mar 2019 18:38:02 +0000 (+0000) Subject: [Sema] Fix a use-after-free of a _Nonnull ParsedAttr X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=bcc9b7f48e0e739f34114f6776a8ae317cbe9a56;p=clang [Sema] Fix a use-after-free of a _Nonnull ParsedAttr We were allocating the implicit attribute in the declarator's attribute pool, but putting it into the declaration specifier's ParsedAttributesView. If there are multiple declarators, then we'll use the attribute from the declaration specifier after clearing out the declarator's attribute pool. Fix this by allocating the attribute in the declaration specifier's pool. rdar://48529718 Differential revision: https://reviews.llvm.org/D59327 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@356187 91177308-0d34-0410-b5e6-96231b3b80d8 --- diff --git a/lib/Sema/SemaType.cpp b/lib/Sema/SemaType.cpp index 62d9e3dc7f..7c36abfa5b 100644 --- a/lib/Sema/SemaType.cpp +++ b/lib/Sema/SemaType.cpp @@ -4221,7 +4221,7 @@ static TypeSourceInfo *GetFullTypeForDeclarator(TypeProcessingState &state, auto inferPointerNullability = [&](SimplePointerKind pointerKind, SourceLocation pointerLoc, SourceLocation pointerEndLoc, - ParsedAttributesView &attrs) -> ParsedAttr * { + ParsedAttributesView &attrs, AttributePool &Pool) -> ParsedAttr * { // We've seen a pointer. if (NumPointersRemaining > 0) --NumPointersRemaining; 
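Review bot: The new `AttributePool &Pool` parameter on the `inferPointerNullability` lambda carries an unstated lifetime contract: the attribute allocated from `Pool` is appended to `attrs`, so `Pool` must outlive every reader of `attrs` — exactly the pairing this commit repairs at one call site, and nothing in the signature stops a future caller from pairing a view with the wrong pool and reintroducing the use-after-free. A comment above the lambda would make the invariant explicit, e.g. `// Pool must be the pool whose lifetime covers attrs: the created attribute is appended to attrs but owned by Pool (decl-spec pool for decl-spec attrs, declarator pool for chunk attrs).` As a point of style, the capitalised `Pool` breaks with the lambda's other lowerCamel parameters (`pointerKind`, `pointerLoc`, `attrs`); `pool` would match. The lambda body and the enclosing `GetFullTypeForDeclarator` continue outside the hunk.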
@@ -4235,11 +4235,9 @@ static TypeSourceInfo *GetFullTypeForDeclarator(TypeProcessingState &state, ParsedAttr::Syntax syntax = inferNullabilityCS ? ParsedAttr::AS_ContextSensitiveKeyword : ParsedAttr::AS_Keyword; - ParsedAttr *nullabilityAttr = - state.getDeclarator().getAttributePool().create( - S.getNullabilityKeyword(*inferNullability), - SourceRange(pointerLoc), nullptr, SourceLocation(), nullptr, 0, - syntax); + ParsedAttr *nullabilityAttr = Pool.create( + S.getNullabilityKeyword(*inferNullability), SourceRange(pointerLoc), + nullptr, SourceLocation(), nullptr, 0, syntax); attrs.addAtEnd(nullabilityAttr); @@ -4298,7 +4296,8 @@ static TypeSourceInfo *GetFullTypeForDeclarator(TypeProcessingState &state, if (auto *attr = inferPointerNullability( pointerKind, D.getDeclSpec().getTypeSpecTypeLoc(), D.getDeclSpec().getEndLoc(), - D.getMutableDeclSpec().getAttributes())) { + D.getMutableDeclSpec().getAttributes(), + D.getMutableDeclSpec().getAttributePool())) { T = state.getAttributedType( createNullabilityAttr(Context, *attr, *inferNullability), T, T); } @@ -4338,7 +4337,8 @@ static TypeSourceInfo *GetFullTypeForDeclarator(TypeProcessingState &state, // Handle pointer nullability. inferPointerNullability(SimplePointerKind::BlockPointer, DeclType.Loc, - DeclType.EndLoc, DeclType.getAttrs()); + DeclType.EndLoc, DeclType.getAttrs(), + state.getDeclarator().getAttributePool()); T = S.BuildBlockPointerType(T, D.getIdentifierLoc(), Name); if (DeclType.Cls.TypeQuals || LangOpts.OpenCL) { @@ -4360,7 +4360,8 @@ static TypeSourceInfo *GetFullTypeForDeclarator(TypeProcessingState &state, // Handle pointer nullability inferPointerNullability(SimplePointerKind::Pointer, DeclType.Loc, - DeclType.EndLoc, DeclType.getAttrs()); + DeclType.EndLoc, DeclType.getAttrs(), + state.getDeclarator().getAttributePool()); if (LangOpts.ObjC && T->getAs()) { T = Context.getObjCObjectPointerType(T); 
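Review bot: At the decl-spec call site the new argument `D.getMutableDeclSpec().getAttributePool()` sits next to `D.getMutableDeclSpec().getAttributes()` with no explanation of why this pool differs from the `state.getDeclarator().getAttributePool()` passed by the chunk call sites below it, even though that difference is the entire fix; a later "tidy-up" that makes all four sites look alike would silently bring the bug back. A why-comment on the call would guard against that, e.g. `// The decl-spec is shared by every declarator in the declaration (per the commit message, 'intptr a, b;'), so the inferred attribute must outlive the per-declarator pool: allocate it in the decl-spec's own pool.` The enclosing `GetFullTypeForDeclarator` starts and ends outside the hunk.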
@@ -4892,7 +4893,8 @@ static TypeSourceInfo *GetFullTypeForDeclarator(TypeProcessingState &state,
 // Handle pointer nullability.
 inferPointerNullability(SimplePointerKind::MemberPointer, DeclType.Loc,
- DeclType.EndLoc, DeclType.getAttrs());
+ DeclType.EndLoc, DeclType.getAttrs(),
+ state.getDeclarator().getAttributePool());
 if (SS.isInvalid()) {
 // Avoid emitting extra errors if we already errored on the scope.
diff --git a/test/SemaObjC/nonnull.m b/test/SemaObjC/nonnull.m
index e1f31937a5..4859432719 100644
--- a/test/SemaObjC/nonnull.m
+++ b/test/SemaObjC/nonnull.m
@@ -125,3 +125,9 @@ void PR18795_helper() {
 }
 void (^PR23117)(int *) = ^(int *p1) __attribute__((nonnull(1))) {};
+
+typedef int *intptr;
+#pragma clang assume_nonnull begin
+intptr a, b;
+intptr c, (*d)();
+#pragma clang assume_nonnull end
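Review bot: The added regression test declares `intptr a, b;` and `intptr c, (*d)();` but never observes the `_Nonnull` inferred for the second declarator, so in a non-sanitized build it passes whether or not the freed attribute is read — the use-after-free this commit fixes would only surface as a crash or an ASan heap-use-after-free report. A use that turns the inferred nullability into a diagnostic would pin the behaviour in an ordinary build, for instance `intptr _Nullable n; void use_b(void) { b = n; }` with an `expected-warning` for the nullable-to-nonnull conversion, provided the file's RUN line enables `-Wnullable-to-nonnull-conversion`; the RUN line is outside the hunk, so I cannot confirm which diagnostics are on. The same applies to `d`, whose inferred nullability on the function-pointer declarator is likewise unobserved.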