From 17f57b0a009f15065a99df73ac85352002706ac1 Mon Sep 17 00:00:00 2001
From: Anna Zaks
Date: Sat, 7 Jan 2012 16:49:46 +0000
Subject: [PATCH] [analyzer] Fix use-after-free in HandleTranslationUnit.

A patch by Dmitri Gribenko! The attached patch fixes a use-after-free in AnalysisConsumer::HandleTranslationUnit. The problem is that BugReporter's destructor runs after AnalysisManager has been already deleted. The fix introduces a scope to force correct destruction order. A crash happens only when reports have been added in AnalysisConsumer::HandleTranslationUnit's BugReporter. We don't have such checkers in clang so no test.

llvm-svn: 147732
---
 .../StaticAnalyzer/Frontend/AnalysisConsumer.cpp | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp b/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
index ded86b7746a1..049d419b4bde 100644
--- a/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
+++ b/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
@@ -236,13 +236,16 @@ void AnalysisConsumer::HandleDeclContextDecl(ASTContext &C, Decl *D) {
 }
 
 void AnalysisConsumer::HandleTranslationUnit(ASTContext &C) {
- BugReporter BR(*Mgr);
- TranslationUnitDecl *TU = C.getTranslationUnitDecl();
- checkerMgr->runCheckersOnASTDecl(TU, *Mgr, BR);
- HandleDeclContext(C, TU);
+ {
+ // Introduce a scope to destroy BR before Mgr.
+ BugReporter BR(*Mgr);
+ TranslationUnitDecl *TU = C.getTranslationUnitDecl();
+ checkerMgr->runCheckersOnASTDecl(TU, *Mgr, BR);
+ HandleDeclContext(C, TU);
 
- // After all decls handled, run checkers on the entire TranslationUnit.
- checkerMgr->runCheckersOnEndOfTranslationUnit(TU, *Mgr, BR);
+ // After all decls handled, run checkers on the entire TranslationUnit.
+ checkerMgr->runCheckersOnEndOfTranslationUnit(TU, *Mgr, BR);
+ }
 
 // Explicitly destroy the PathDiagnosticConsumer. This will flush its output.
 // FIXME: This should be replaced with something that doesn't rely on
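Review bot: The new comment `// Introduce a scope to destroy BR before Mgr.` records the ordering but not the reason, so the extra braces in HandleTranslationUnit look removable to a later cleanup. Going by the commit message, BugReporter's destructor still works against the AnalysisManager it was constructed from, and the teardown after the scope frees that manager; I would say so directly, e.g. `// BR's destructor still uses *Mgr, so BR must be destroyed before Mgr is torn down below (otherwise use-after-free).` Because the commit ships without a test, this comment is the only thing protecting the ordering; running the analyzer tests under a memory-error detector such as AddressSanitizer would catch a regression once some checker reports through this BugReporter. The function body continues past the end of the hunk, so the Mgr teardown itself is not visible here.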