From 01f276dac946c0845f6eb3449ab253cfdba841a1 Mon Sep 17 00:00:00 2001
From: Eli Friedman
Date: Wed, 25 Jan 2012 23:20:27 +0000
Subject: [PATCH] Don't stack-allocate an IntegerLiteral which can be referred to after the current method returns. PR11744, part 2.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148995 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Sema/TreeTransform.h | 9 ++++++---
 test/CodeGenCXX/c99-variable-length-array.cpp | 10 ++++++++++
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/lib/Sema/TreeTransform.h b/lib/Sema/TreeTransform.h
index 5d761d382a..240445190b 100644
--- a/lib/Sema/TreeTransform.h
+++ b/lib/Sema/TreeTransform.h
@@ -8325,9 +8325,12 @@ TreeTransform::RebuildArrayType(QualType ElementType,
 break;
 }
 
- IntegerLiteral ArraySize(SemaRef.Context, *Size, SizeType,
- /*FIXME*/BracketsRange.getBegin());
- return SemaRef.BuildArrayType(ElementType, SizeMod, &ArraySize,
+ // Note that we can return a VariableArrayType here in the case where
+ // the element type was a dependent VariableArrayType.
+ IntegerLiteral *ArraySize
+ = IntegerLiteral::Create(SemaRef.Context, *Size, SizeType,
+ /*FIXME*/BracketsRange.getBegin());
+ return SemaRef.BuildArrayType(ElementType, SizeMod, ArraySize,
 IndexTypeQuals, BracketsRange,
 getDerived().getBaseEntity());
 }
diff --git a/test/CodeGenCXX/c99-variable-length-array.cpp b/test/CodeGenCXX/c99-variable-length-array.cpp
index 76f99c7b41..d486f9b018 100644
--- a/test/CodeGenCXX/c99-variable-length-array.cpp
+++ b/test/CodeGenCXX/c99-variable-length-array.cpp
@@ -25,3 +25,13 @@ void f(int argc, const char* argv[]) {
 // CHECK: call void @_ZN1XD1Ev
 // CHECK: ret void
 }
+
+namespace PR11744 {
+ // Make sure this doesn't crash; there was a use-after-free issue
+ // for this testcase.
+ template int f(int n) {
+ T arr[3][n];
+ return 3;
+ }
+ int test = f(0);
+}
-- 
2.50.1
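Review bot: The new comment above `IntegerLiteral::Create` records that a VariableArrayType can be returned, but not the lifetime rule that makes the context allocation necessary, and that rule is the memory-safety point a later cleanup could undo. Going by the commit subject, the size expression can still be referenced after RebuildArrayType returns, so I would extend the comment with `// The returned type may keep a pointer to ArraySize, so it must be allocated in the ASTContext and never on the stack.` The enclosing function starts above the hunk, so whether SizeType is always set before this point is not visible here.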
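Review bot: The PR11744 test added at the end of the file only asserts that the compiler does not crash, and a read of a dead stack object often does not crash, so this can pass with the bug reintroduced unless the suite runs under a memory checker. Adding a `// CHECK:` line for the definition of the instantiated `f` inside the namespace would at least pin that the array type was built and emitted. The comment could also name the cause, for example `// The array-size IntegerLiteral used to be stack-allocated in TreeTransform and was read after return.`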