From: Anna Zaks Date: Sat, 7 Jan 2012 16:49:46 +0000 (+0000) Subject: [analyzer] Fix use-after-free in HandleTranslationUnit. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c5bdc556f6a65c677e0ed73f918c3000ecad33af;p=clang [analyzer] Fix use-after-free in HandleTranslationUnit. A patch by Dmitri Gribenko! The attached patch fixes a use-after-free in AnalysisConsumer::HandleTranslationUnit. The problem is that BugReporter's destructor runs after AnalysisManager has been already deleted. The fix introduces a scope to force correct destruction order. A crash happens only when reports have been added in AnalysisConsumer::HandleTranslationUnit's BugReporter. We don't have such checkers in clang so no test. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147732 91177308-0d34-0410-b5e6-96231b3b80d8 --- diff --git a/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp b/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp index ded86b7746..049d419b4b 100644 --- a/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp +++ b/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp @@ -236,13 +236,16 @@ void AnalysisConsumer::HandleDeclContextDecl(ASTContext &C, Decl *D) { } void AnalysisConsumer::HandleTranslationUnit(ASTContext &C) { - BugReporter BR(*Mgr); - TranslationUnitDecl *TU = C.getTranslationUnitDecl(); - checkerMgr->runCheckersOnASTDecl(TU, *Mgr, BR); - HandleDeclContext(C, TU); + { + // Introduce a scope to destroy BR before Mgr. + BugReporter BR(*Mgr); + TranslationUnitDecl *TU = C.getTranslationUnitDecl(); + checkerMgr->runCheckersOnASTDecl(TU, *Mgr, BR); + HandleDeclContext(C, TU); - // After all decls handled, run checkers on the entire TranslationUnit. - checkerMgr->runCheckersOnEndOfTranslationUnit(TU, *Mgr, BR); + // After all decls handled, run checkers on the entire TranslationUnit. + checkerMgr->runCheckersOnEndOfTranslationUnit(TU, *Mgr, BR); + } // Explicitly destroy the PathDiagnosticConsumer. This will flush its output. // FIXME: This should be replaced with something that doesn't rely on