Fix use after free. Incrementing an use_iterator after its user is erased is unsafe.

llvm-svn: 100926

1 files changed, 4 insertions, 3 deletions

diff --git a/clang/lib/CodeGen/CodeGenModule.cpp b/clang/lib/CodeGen/CodeGenModule.cpp
index 3a59c4cf3de..565f83c6908 100644
--- a/clang/lib/CodeGen/CodeGenModule.cpp
+++ b/clang/lib/CodeGen/CodeGenModule.cpp
@@ -1203,11 +1203,12 @@ static void ReplaceUsesOfNonProtoTypeWithRealFunction(llvm::GlobalValue *Old,
   llvm::SmallVector<llvm::Value*, 4> ArgList;
 
   for (llvm::Value::use_iterator UI = OldFn->use_begin(), E = OldFn->use_end();
-       UI != E; ++UI) {
+       UI != E; ) {
     // TODO: Do invokes ever occur in C code?  If so, we should handle them too.
-    llvm::CallInst *CI = dyn_cast<llvm::CallInst>(*UI);
+    llvm::Value::use_iterator I = UI++; // Increment before the CI is erased.
+    llvm::CallInst *CI = dyn_cast<llvm::CallInst>(*I);
     llvm::CallSite CS(CI);
-    if (!CI || !CS.isCallee(UI)) continue;
+    if (!CI || !CS.isCallee(I)) continue;
 
     // If the return types don't match exactly, and if the call isn't dead, then
     // we can't transform this call.