From ab4e0c0ad9cbb744e159f6ff6022a9b7f889147c Mon Sep 17 00:00:00 2001
From: Chandler Carruth
Date: Sun, 18 Aug 2013 07:20:52 +0000
Subject: [PATCH] Fix a use-after-free found in libclang when doing code completion.

The loop processing the candidates can cause new declerations to be added to the context, invalidating lookup_result. To avoid that, make a copy of the list of declarations to iterate over.

I don't have a way to check in a test case for this as it involves a giant pile of source code and a generated PCH file used to accelerate code completion, all of this running under ASan.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@188623 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Sema/SemaLookup.cpp | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/lib/Sema/SemaLookup.cpp b/lib/Sema/SemaLookup.cpp
index adda1b9479..07379d5100 100644
--- a/lib/Sema/SemaLookup.cpp
+++ b/lib/Sema/SemaLookup.cpp
@@ -2505,11 +2505,17 @@ Sema::SpecialMemberOverloadResult *Sema::LookupSpecialMember(CXXRecordDecl *RD,
   // will always be a (possibly implicit) declaration to shadow any others.
   OverloadCandidateSet OCS((SourceLocation()));
   DeclContext::lookup_result R = RD->lookup(Name);
-  assert(!R.empty() && "lookup for a constructor or assignment operator was empty");
-  for (DeclContext::lookup_iterator I = R.begin(), E = R.end(); I != E; ++I) {
-    Decl *Cand = *I;
+
+  // Copy the candidates as our processing of them may load new declarations
+  // from an external source and invalidate lookup_result.
+  SmallVector Candidates(R.begin(), R.end());
+
+  for (SmallVectorImpl::iterator I = Candidates.begin(),
+       E = Candidates.end();
+       I != E; ++I) {
+    NamedDecl *Cand = *I;
     if (Cand->isInvalidDecl())
       continue;
-- 
2.40.0
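Review bot: The non-emptiness check is dropped together with the old loop (the removed `assert(!R.empty() && "lookup for a constructor or assignment operator was empty");`) and neither the new code nor the commit message says why; if the invariant that a constructor or assignment-operator lookup always finds at least one declaration still holds, keeping it on the copy, `assert(!Candidates.empty() && "lookup for a constructor or assignment operator was empty");`, preserves the check without reading `R` after the point where it may be invalidated. If it was dropped deliberately, a one-line comment saying so next to the copy would stop the next reader from re-adding it. In this rendering the template arguments of `SmallVector` and `SmallVectorImpl` appear to have been stripped (the element type and inline size are missing), so the declaration as shown is presumably not the form that compiles. LookupSpecialMember continues past the end of the hunk, so whether `R` is touched again later is not visible here.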