From 19bc88c3d425a18ad1a9e16127856b88b62058fa Mon Sep 17 00:00:00 2001
From: Jordan Rose
Date: Thu, 15 Nov 2012 20:10:05 +0000
Subject: [PATCH] [analyzer] Fix a use-after-free introduced in r168019.
In code like this: void foo() { bar(); baz(); } ...the location for the call to 'bar()' was being used as a backup location for the call to 'baz()'. This is fine unless the call to 'bar()' is deemed uninteresting and that part of the path deleted. (This looks like a logic error as well, but in practice the only way 'baz()' could have an invalid location is if the entire body of 'foo()' is synthesized, meaning the call to 'bar()' will be using the location of the call to 'foo()' anyway. Nevertheless, the new version better matches the intent of the code.) Found by Matt Beaumont-Gay using ASan. Thanks, Matt! llvm-svn: 168080
---
 clang/lib/StaticAnalyzer/Core/BugReporter.cpp | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/clang/lib/StaticAnalyzer/Core/BugReporter.cpp b/clang/lib/StaticAnalyzer/Core/BugReporter.cpp
index 5c14eaf..bceded0 100644
--- a/clang/lib/StaticAnalyzer/Core/BugReporter.cpp
+++ b/clang/lib/StaticAnalyzer/Core/BugReporter.cpp
@@ -227,13 +227,14 @@ bool BugReporter::RemoveUneededCalls(PathPieces &pieces, BugReport *R,
 // Recursively clean out the subclass. Keep this call around if
 // it contains any informative diagnostics.
+ PathDiagnosticLocation *ThisCallLocation;
 if (call->callEnterWithin.asLocation().isValid())
- LastCallLocation = &call->callEnterWithin;
+ ThisCallLocation = &call->callEnterWithin;
 else
- LastCallLocation = &call->callEnter;
+ ThisCallLocation = &call->callEnter;
- assert(LastCallLocation && "Outermost call has an invalid location");
- if (!RemoveUneededCalls(call->path, R, LastCallLocation))
+ assert(ThisCallLocation && "Outermost call has an invalid location");
+ if (!RemoveUneededCalls(call->path, R, ThisCallLocation))
 continue;
 containsSomethingInteresting = true;
-- 
2.7.4
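Review bot: The assert on the new side, `assert(ThisCallLocation && "Outermost call has an invalid location");`, can no longer fire: both arms of the preceding if/else store the address of a member of `*call`, so the pointer is never null, while the message names a validity condition the check does not test. If the intended invariant is that the chosen location is valid, the check that matches the message is `assert(ThisCallLocation->asLocation().isValid() && "Outermost call has an invalid location");`; if no such invariant is meant, the assert is dead and could be dropped. As a point of style, the pointer is declared uninitialized and assigned in both arms; initializing it at the declaration, `PathDiagnosticLocation *ThisCallLocation = call->callEnterWithin.asLocation().isValid() ? &call->callEnterWithin : &call->callEnter;`, removes the window in which it could be read unassigned. Introducing a per-iteration local instead of overwriting the `LastCallLocation` parameter is what stops a later iteration from using a pointer into a call piece that the commit message says may already have been deleted; the enclosing loop and RemoveUneededCalls itself begin before and end after this hunk, so that deletion is not visible here.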