diff options
| author | Ted Kremenek <kremenek@apple.com> | 2011-03-08 23:18:00 +0000 |
|---|---|---|
| committer | Ted Kremenek <kremenek@apple.com> | 2011-03-08 23:18:00 +0000 |
| commit | 4bb6c6b37ed03f47fb07e1694e51c8a81ae3b33e (patch) | |
| tree | ec44a0938fe38e4b16589b1df9a47ac15026874c /clang/lib | |
| parent | ea5ebfed15907800346d069c7fe2fe9f76ff89e8 (diff) | |
| download | bcm5719-llvm-4bb6c6b37ed03f47fb07e1694e51c8a81ae3b33e.tar.gz bcm5719-llvm-4bb6c6b37ed03f47fb07e1694e51c8a81ae3b33e.zip | |
static analyzer: Fix use-after-free bug in RegionStore involving LazyCompoundValueData not reference counting Store objects.
llvm-svn: 127288
Diffstat (limited to 'clang/lib')
| -rw-r--r-- | clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp | 7 | ||||
| -rw-r--r-- | clang/lib/StaticAnalyzer/Core/RegionStore.cpp | 7 |
2 files changed, 8 insertions, 6 deletions
diff --git a/clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp b/clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp index 6315d83d894..d29c86adcfa 100644 --- a/clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp +++ b/clang/lib/StaticAnalyzer/Core/BasicValueFactory.cpp @@ -25,8 +25,9 @@ void CompoundValData::Profile(llvm::FoldingSetNodeID& ID, QualType T, } void LazyCompoundValData::Profile(llvm::FoldingSetNodeID& ID, - const void *store,const TypedRegion *region) { - ID.AddPointer(store); + const StoreRef &store, + const TypedRegion *region) { + ID.AddPointer(store.getStore()); ID.AddPointer(region); } @@ -124,7 +125,7 @@ BasicValueFactory::getCompoundValData(QualType T, } const LazyCompoundValData* -BasicValueFactory::getLazyCompoundValData(const void *store, +BasicValueFactory::getLazyCompoundValData(const StoreRef &store, const TypedRegion *region) { llvm::FoldingSetNodeID ID; LazyCompoundValData::Profile(ID, store, region); diff --git a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp index 19e0e125721..96a9d4f5d3e 100644 --- a/clang/lib/StaticAnalyzer/Core/RegionStore.cpp +++ b/clang/lib/StaticAnalyzer/Core/RegionStore.cpp @@ -1250,12 +1250,12 @@ SVal RegionStoreManager::RetrieveLazySymbol(const TypedRegion *R) { SVal RegionStoreManager::RetrieveStruct(Store store, const TypedRegion* R) { QualType T = R->getValueType(); assert(T->isStructureOrClassType()); - return svalBuilder.makeLazyCompoundVal(store, R); + return svalBuilder.makeLazyCompoundVal(StoreRef(store, *this), R); } SVal RegionStoreManager::RetrieveArray(Store store, const TypedRegion * R) { assert(Ctx.getAsConstantArrayType(R->getValueType())); - return svalBuilder.makeLazyCompoundVal(store, R); + return svalBuilder.makeLazyCompoundVal(StoreRef(store, *this), R); } //===----------------------------------------------------------------------===// @@ -1378,7 +1378,8 @@ StoreRef RegionStoreManager::BindArray(Store store, const TypedRegion* R, // Treat the string as a lazy compound value. nonloc::LazyCompoundVal LCV = - cast<nonloc::LazyCompoundVal>(svalBuilder.makeLazyCompoundVal(store, S)); + cast<nonloc::LazyCompoundVal>(svalBuilder. + makeLazyCompoundVal(StoreRef(store, *this), S)); return CopyLazyBindings(LCV, store, R); } |
