This is an archive of the discontinued LLVM Phabricator instance.

Differential D60101

[Sema] Fix a use-after-deallocate of a ParsedAttr
ClosedPublic

Authored by erik.pilkington on Apr 1 2019, 3:26 PM.

Details

Reviewers
aaron.ballman
Commits
rGaf913156685a: [Sema] Fix a use-after-deallocate of a ParsedAttr
rL357516: [Sema] Fix a use-after-deallocate of a ParsedAttr
rC357516: [Sema] Fix a use-after-deallocate of a ParsedAttr
Summary

moveAttrFromListToList only makes sense when moving an attribute to a list with a pool that's either equivalent, or has a shorter lifetime. Therefore, using it to move a ParsedAttr from a declarator to a declaration specifier doesn't make sense, since the declaration specifier's pool outlives the declarator's. The patch adds a new function, ParsedAttributes::takeOneFrom, which transfers the attribute from one pool to another, fixing the use-after-deallocate.

rdar://49175426

Thanks for taking a look!
Erik

Diff Detail

Event Timeline

erik.pilkington created this revision.Apr 1 2019, 3:26 PM
Herald added a project: Restricted Project. · View Herald TranscriptApr 1 2019, 3:26 PM
Herald added subscribers: dexonsmith, jkorous. · View Herald Transcript
aaron.ballman accepted this revision.Apr 2 2019, 7:46 AM

LGTM aside from some minor nits. Thanks for this!

clang/include/clang/Sema/ParsedAttr.h
896

How about Attrs and PA to fit with usual naming conventions?

clang/test/SemaObjC/arc-property-decl-attrs.m
291

Can you add a comment here that explains what this test is intending to cover?

This revision is now accepted and ready to land.Apr 2 2019, 7:46 AM
Closed by commit rC357516: [Sema] Fix a use-after-deallocate of a ParsedAttr (authored by epilk). · Explain WhyApr 2 2019, 12:49 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
clang/
include/
clang/
Sema/
8 lines
lib/
Sema/
4 lines
test/
SemaObjC/
2 lines

Diff 193185

clang/include/clang/Sema/ParsedAttr.h

Show First 20 LinesShow All 492 Lines▼ Show 20 Lines
public: public:
AttributeFactory(); AttributeFactory();
~AttributeFactory(); ~AttributeFactory();
}; };
class AttributePool { class AttributePool {
friend class AttributeFactory; friend class AttributeFactory;
friend class ParsedAttributes;
AttributeFactory &Factory; AttributeFactory &Factory;
llvm::TinyPtrVector<ParsedAttr *> Attrs; llvm::TinyPtrVector<ParsedAttr *> Attrs;
void *allocate(size_t size) { void *allocate(size_t size) {
return Factory.allocate(size); return Factory.allocate(size);
} }
ParsedAttr *add(ParsedAttr *attr) { ParsedAttr *add(ParsedAttr *attr) {
▲ Show 20 LinesShow All 217 Lines▼ Show 20 Lines
AttributePool &getPool() const { return pool; } AttributePool &getPool() const { return pool; }
void takeAllFrom(ParsedAttributes &attrs) { void takeAllFrom(ParsedAttributes &attrs) {
addAll(attrs.begin(), attrs.end()); addAll(attrs.begin(), attrs.end());
attrs.clearListOnly(); attrs.clearListOnly();
pool.takeAllFrom(attrs.pool); pool.takeAllFrom(attrs.pool);
} }
void takeOneFrom(ParsedAttributes &attrs, ParsedAttr *attr) {
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

How about Attrs and PA to fit with usual naming conventions?

aaron.ballman: How about `Attrs` and `PA` to fit with usual naming conventions?
attrs.getPool().remove(attr);
attrs.remove(attr);
getPool().add(attr);
addAtEnd(attr);
}
void clear() { void clear() {
clearListOnly(); clearListOnly();
pool.clear(); pool.clear();
} }
/// Add attribute with expression arguments. /// Add attribute with expression arguments.
ParsedAttr *addNew(IdentifierInfo *attrName, SourceRange attrRange, ParsedAttr *addNew(IdentifierInfo *attrName, SourceRange attrRange,
IdentifierInfo *scopeName, SourceLocation scopeLoc, IdentifierInfo *scopeName, SourceLocation scopeLoc,
▲ Show 20 LinesShow All 136 LinesShow Last 20 Lines

clang/lib/Sema/SemaType.cpp

Show First 20 LinesShow All 492 Lines▼ Show 20 Lines
// That might actually be the decl spec if we weren't blocked by // That might actually be the decl spec if we weren't blocked by
// anything in the declarator. // anything in the declarator.
if (considerDeclSpec) { if (considerDeclSpec) {
if (handleObjCPointerTypeAttr(state, attr, declSpecType)) { if (handleObjCPointerTypeAttr(state, attr, declSpecType)) {
// Splice the attribute into the decl spec. Prevents the // Splice the attribute into the decl spec. Prevents the
// attribute from being applied multiple times and gives // attribute from being applied multiple times and gives
// the source-location-filler something to work with. // the source-location-filler something to work with.
state.saveDeclSpecAttrs(); state.saveDeclSpecAttrs();
moveAttrFromListToList(attr, declarator.getAttributes(), declarator.getMutableDeclSpec().getAttributes().takeOneFrom(
declarator.getMutableDeclSpec().getAttributes()); declarator.getAttributes(), &attr);
return; return;
} }
} }
// Otherwise, if we found an appropriate chunk, splice the attribute // Otherwise, if we found an appropriate chunk, splice the attribute
// into it. // into it.
if (innermost != -1U) { if (innermost != -1U) {
moveAttrFromListToList(attr, declarator.getAttributes(), moveAttrFromListToList(attr, declarator.getAttributes(),
▲ Show 20 LinesShow All 492 LinesShow Last 20 Lines

clang/test/SemaObjC/arc-property-decl-attrs.m

Show First 20 LinesShow All 281 Lines▼ Show 20 Lines
// no error // no error
@synthesize p = _p; @synthesize p = _p;
@synthesize p2 = _p2; @synthesize p2 = _p2;
@synthesize collision = _collision; // expected-note {{property synthesized here}} @synthesize collision = _collision; // expected-note {{property synthesized here}}
@end @end
id i1, __weak i2, i3;
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Can you add a comment here that explains what this test is intending to cover?

aaron.ballman: Can you add a comment here that explains what this test is intending to cover?