Author: epilk Date: Thu Mar 14 11:38:02 2019 New Revision: 356187 URL: http://llvm.org/viewvc/llvm-project?rev=356187&view=rev Log: [Sema] Fix a use-after-free of a _Nonnull ParsedAttr
We were allocating the implicit attribute in the declarator's attribute pool, but putting into the declaration specifier's ParsedAttributesView. If there are multiple declarators, then we'll use the attribute from the declaration specifier after clearing out the declarators attribute pool. Fix this by allocating the attribute in the declaration specifier's pool.
rdar://48529718
Differential revision: https://reviews.llvm.org/D59327
Modified:
cfe/trunk/lib/Sema/SemaType.cpp
cfe/trunk/test/SemaObjC/nonnull.m
Modified: cfe/trunk/lib/Sema/SemaType.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Sema/SemaType.cpp?rev=356187&r1=356186&r2=356187&view=diff
==============================================================================
--- cfe/trunk/lib/Sema/SemaType.cpp (original)
+++ cfe/trunk/lib/Sema/SemaType.cpp Thu Mar 14 11:38:02 2019
@@ -4221,7 +4221,7 @@ static TypeSourceInfo *GetFullTypeForDec
 auto inferPointerNullability = [&](SimplePointerKind pointerKind,
 SourceLocation pointerLoc,
 SourceLocation pointerEndLoc,
- ParsedAttributesView &attrs) -> ParsedAttr * {
+ ParsedAttributesView &attrs, AttributePool &Pool) -> ParsedAttr * {
 // We've seen a pointer.
 if (NumPointersRemaining > 0)
 --NumPointersRemaining;
@@ -4235,11 +4235,9 @@ static TypeSourceInfo *GetFullTypeForDec
 ParsedAttr::Syntax syntax = inferNullabilityCS
 ? ParsedAttr::AS_ContextSensitiveKeyword
 : ParsedAttr::AS_Keyword;
- ParsedAttr *nullabilityAttr =
- state.getDeclarator().getAttributePool().create(
- S.getNullabilityKeyword(*inferNullability),
- SourceRange(pointerLoc), nullptr, SourceLocation(), nullptr, 0,
- syntax);
+ ParsedAttr *nullabilityAttr = Pool.create(
+ S.getNullabilityKeyword(*inferNullability), SourceRange(pointerLoc),
+ nullptr, SourceLocation(), nullptr, 0, syntax);
 attrs.addAtEnd(nullabilityAttr);
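Review bot: The lambda's new `AttributePool &Pool` parameter is independent of `attrs`, so the ownership pairing this fix relies on — the attribute must be allocated from the pool that owns the view it is appended to — is enforced only by convention at each call site, and a later caller that passes a view from one owner with the pool of another would reintroduce the dangling `ParsedAttr*` the commit message describes. That invariant deserves a comment on the lambda, e.g. `// 'Pool' must be the AttributePool that owns the attributes in 'attrs': the` / `// attribute created here is referenced from 'attrs' and dies with its pool.`; the same note applies to the `Pool.create(...)` call in the second hunk. As a style point, `Pool` is the only UpperCamel parameter beside `pointerKind`, `pointerLoc`, `pointerEndLoc` and `attrs`; `pool` would match its neighbours. The lambda body begins in the first hunk and continues past the end of the second.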
@@ -4298,7 +4296,8 @@ static TypeSourceInfo *GetFullTypeForDec
 if (auto *attr = inferPointerNullability(
 pointerKind, D.getDeclSpec().getTypeSpecTypeLoc(),
 D.getDeclSpec().getEndLoc(),
- D.getMutableDeclSpec().getAttributes())) {
+ D.getMutableDeclSpec().getAttributes(),
+ D.getMutableDeclSpec().getAttributePool())) {
 T = state.getAttributedType(
 createNullabilityAttr(Context, *attr, *inferNullability), T, T);
 }
@@ -4338,7 +4337,8 @@ static TypeSourceInfo *GetFullTypeForDec
 // Handle pointer nullability.
 inferPointerNullability(SimplePointerKind::BlockPointer, DeclType.Loc,
- DeclType.EndLoc, DeclType.getAttrs());
+ DeclType.EndLoc, DeclType.getAttrs(),
+ state.getDeclarator().getAttributePool());
 T = S.BuildBlockPointerType(T, D.getIdentifierLoc(), Name);
 if (DeclType.Cls.TypeQuals || LangOpts.OpenCL) {
@@ -4360,7 +4360,8 @@ static TypeSourceInfo *GetFullTypeForDec
 // Handle pointer nullability
 inferPointerNullability(SimplePointerKind::Pointer, DeclType.Loc,
- DeclType.EndLoc, DeclType.getAttrs());
+ DeclType.EndLoc, DeclType.getAttrs(),
+ state.getDeclarator().getAttributePool());
 if (LangOpts.ObjC && T->getAs<ObjCObjectType>()) {
 T = Context.getObjCObjectPointerType(T);
@@ -4892,7 +4893,8 @@ static TypeSourceInfo *GetFullTypeForDec
 // Handle pointer nullability.
 inferPointerNullability(SimplePointerKind::MemberPointer, DeclType.Loc,
- DeclType.EndLoc, DeclType.getAttrs());
+ DeclType.EndLoc, DeclType.getAttrs(),
+ state.getDeclarator().getAttributePool());
 if (SS.isInvalid()) {
 // Avoid emitting extra errors if we already errored on the scope.
Modified: cfe/trunk/test/SemaObjC/nonnull.m
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/SemaObjC/nonnull.m?rev=356187&r1=356186&r2=356187&view=diff
==============================================================================
--- cfe/trunk/test/SemaObjC/nonnull.m (original)
+++ cfe/trunk/test/SemaObjC/nonnull.m Thu Mar 14 11:38:02 2019
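Review bot: This is the one call site where the view and the pool both come from the DeclSpec rather than the declarator, and nothing at the site says why; someone "harmonising" it with the three `state.getDeclarator().getAttributePool()` calls in the later hunks would silently bring the use-after-free back. A comment above the `if` would pin it down, e.g. `// The attribute goes into the DeclSpec's attribute view, which every declarator` / `// of this declaration shares, so it must come from the DeclSpec's pool rather` / `// than the (shorter-lived) declarator pool.` A minor style nit: `D.getMutableDeclSpec()` is evaluated twice in the same argument list and could be hoisted into a local. The later three hunks keep the declarator pool they already used, so they appear to be mechanical signature updates only. The enclosing function named in the hunk header starts and ends outside every hunk here.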
@@ -125,3 +125,9 @@ void PR18795_helper() {
 }
 void (^PR23117)(int *) = ^(int *p1) __attribute__((nonnull(1))) {};
+
+typedef int *intptr;
+#pragma clang assume_nonnull begin
+intptr a, b;
+intptr c, (*d)();
+#pragma clang assume_nonnull end
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
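Review bot: The added declarations carry no comment and no `expected-*` annotation, so a reader of the test cannot tell what they guard against, and the case passes as long as no diagnostic is emitted; the use-after-free it targets presumably only surfaces as a crash or under a sanitizer build, which a plain syntax-only run may not notice. A short comment would tie the case to the fix, e.g. `// Multiple declarators sharing one DeclSpec: the inferred _Nonnull is attached` / `// to the DeclSpec's attributes and must be allocated from the DeclSpec's pool,` / `// not from the first declarator's pool (rdar://48529718).` The RUN line and any sanitizer configuration are outside the hunk, so whether the regression is caught on a non-sanitized bot is not visible here.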