buildASTFromCodeWithArgs() accepts llvm::Twine as Code argument. However, if the argument is not a C string or std::string, the argument is being copied into a temporary buffer in order to get a null-terminated string. This lead to a potential UAF. Fixing this via calling .data() on StringRef since our Code is always null-terminated.
The issue was introduced by me in D44079 (sorry) but was not noticed.