[analyzer] Fix use-after-free in HandleTranslationUnit.
A patch by Dmitri Gribenko!
The attached patch fixes a use-after-free in AnalysisConsumer::HandleTranslationUnit. The problem is that
BugReporter's destructor runs after AnalysisManager has been already
deleted. The fix introduces a scope to force correct destruction
order.
A crash happens only when reports have been added in AnalysisConsumer::HandleTranslationUnit's BugReporter. We don't have such checkers in clang so no test.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@147732 91177308-0d34-0410-b5e6-96231b3b80d8
diff --git a/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp b/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
index ded86b7..049d419 100644
--- a/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
+++ b/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
@@ -236,13 +236,16 @@
}
void AnalysisConsumer::HandleTranslationUnit(ASTContext &C) {
- BugReporter BR(*Mgr);
- TranslationUnitDecl *TU = C.getTranslationUnitDecl();
- checkerMgr->runCheckersOnASTDecl(TU, *Mgr, BR);
- HandleDeclContext(C, TU);
+ {
+ // Introduce a scope to destroy BR before Mgr.
+ BugReporter BR(*Mgr);
+ TranslationUnitDecl *TU = C.getTranslationUnitDecl();
+ checkerMgr->runCheckersOnASTDecl(TU, *Mgr, BR);
+ HandleDeclContext(C, TU);
- // After all decls handled, run checkers on the entire TranslationUnit.
- checkerMgr->runCheckersOnEndOfTranslationUnit(TU, *Mgr, BR);
+ // After all decls handled, run checkers on the entire TranslationUnit.
+ checkerMgr->runCheckersOnEndOfTranslationUnit(TU, *Mgr, BR);
+ }
// Explicitly destroy the PathDiagnosticConsumer. This will flush its output.
// FIXME: This should be replaced with something that doesn't rely on
