Don't stack-allocate an IntegerLiteral which can be referred to after the current method returns. PR11744, part 2.

llvm-svn: 148995

clang/lib/Sema/TreeTransform.h

@@ -8325,9 +8325,12 @@ TreeTransform<Derived>::RebuildArrayType(QualType ElementType,
       break;
     }
 
-  IntegerLiteral ArraySize(SemaRef.Context, *Size, SizeType,
+  // Note that we can return a VariableArrayType here in the case where
-                           /*FIXME*/BracketsRange.getBegin());
+  // the element type was a dependent VariableArrayType.
-  return SemaRef.BuildArrayType(ElementType, SizeMod, &ArraySize,
+  IntegerLiteral *ArraySize
+      = IntegerLiteral::Create(SemaRef.Context, *Size, SizeType,
+                               /*FIXME*/BracketsRange.getBegin());
+  return SemaRef.BuildArrayType(ElementType, SizeMod, ArraySize,
                                 IndexTypeQuals, BracketsRange,
                                 getDerived().getBaseEntity());
 }

clang/test/CodeGenCXX/c99-variable-length-array.cpp

@@ -25,3 +25,13 @@ void f(int argc, const char* argv[]) {
   // CHECK: call void @_ZN1XD1Ev
   // CHECK: ret void
 }
+
+namespace PR11744 {
+  // Make sure this doesn't crash; there was a use-after-free issue
+  // for this testcase.
+  template<typename T> int f(int n) {
+    T arr[3][n];
+    return 3;
+  }
+  int test = f<int>(0);
+}