wangtao
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix use after free. Incrementing an use_iterator after its user is erased is unsafe. 

llvm-svn: 100926
This commit is contained in:
Benjamin Kramer 2010-04-10 11:02:40 +00:00
parent c72350ea9f
commit 2e8ca0b86d
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
clang/lib/CodeGen/CodeGenModule.cpp
View File

@ -1203,11 +1203,12 @@ static void ReplaceUsesOfNonProtoTypeWithRealFunction(llvm::GlobalValue *Old,
llvm::SmallVector<llvm::Value*, 4> ArgList; llvm::SmallVector<llvm::Value*, 4> ArgList;
for (llvm::Value::use_iterator UI = OldFn->use_begin(), E = OldFn->use_end(); for (llvm::Value::use_iterator UI = OldFn->use_begin(), E = OldFn->use_end();
UI != E; ++UI) { UI != E; ) {
// TODO: Do invokes ever occur in C code? If so, we should handle them too. // TODO: Do invokes ever occur in C code? If so, we should handle them too.
llvm::CallInst *CI = dyn_cast<llvm::CallInst>(*UI); llvm::Value::use_iterator I = UI++; // Increment before the CI is erased.
llvm::CallInst *CI = dyn_cast<llvm::CallInst>(*I);
llvm::CallSite CS(CI); llvm::CallSite CS(CI);
if (!CI || !CS.isCallee(UI)) continue; if (!CI || !CS.isCallee(I)) continue;
// If the return types don't match exactly, and if the call isn't dead, then // If the return types don't match exactly, and if the call isn't dead, then
// we can't transform this call. // we can't transform this call.