From: Benjamin Kramer <benny.kra@googlemail.com>
Date: Sat, 10 Apr 2010 11:02:40 +0000 (+0000)
Subject: Fix use after free. Incrementing an use_iterator after its user is erased is unsafe.
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=dbf02bccc9fc1115cb7dd45c84df77252d68f220;p=clang

Fix use after free. Incrementing an use_iterator after its user is erased is unsafe.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@100926 91177308-0d34-0410-b5e6-96231b3b80d8
---

diff --git a/lib/CodeGen/CodeGenModule.cpp b/lib/CodeGen/CodeGenModule.cpp
index 3a59c4cf3d..565f83c690 100644
--- a/lib/CodeGen/CodeGenModule.cpp
+++ b/lib/CodeGen/CodeGenModule.cpp
@@ -1203,11 +1203,12 @@ static void ReplaceUsesOfNonProtoTypeWithRealFunction(llvm::GlobalValue *Old,
   llvm::SmallVector<llvm::Value*, 4> ArgList;
 
   for (llvm::Value::use_iterator UI = OldFn->use_begin(), E = OldFn->use_end();
-       UI != E; ++UI) {
+       UI != E; ) {
     // TODO: Do invokes ever occur in C code?  If so, we should handle them too.
-    llvm::CallInst *CI = dyn_cast<llvm::CallInst>(*UI);
+    llvm::Value::use_iterator I = UI++; // Increment before the CI is erased.
+    llvm::CallInst *CI = dyn_cast<llvm::CallInst>(*I);
     llvm::CallSite CS(CI);
-    if (!CI || !CS.isCallee(UI)) continue;
+    if (!CI || !CS.isCallee(I)) continue;
 
     // If the return types don't match exactly, and if the call isn't dead, then
     // we can't transform this call.