Possible use-after-free in readConstraintSatisfaction
The following code seems to have a bug.
```cpp
if (/* IsDiagnostic */Record.readInt()) {
  SourceLocation DiagLocation = Record.readSourceLocation();
  std::string DiagMessage = Record.readString();
  Satisfaction.Details.emplace_back(
      ConstraintExpr, new (Record.getContext())
                          ConstraintSatisfaction::SubstitutionDiagnostic{
                              DiagLocation, DiagMessage});
} else
  Satisfaction.Details.emplace_back(ConstraintExpr, Record.readExpr());
```
std::string DiagMessage gets destructed when it goes out of scope at the end of the if statement, but its storage is being passed to the constructor of SubstitutionDiagnostic. SubstitutionDiagnostic is a typedef of std::pair<SourceLocation, StringRef>, so the StringRef holds a pointer to a deallocated array.
We are seeing a use-after-free crash that seems to be caused by the code above.
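The lifetime problem described above, reduced to a self-contained example that is not part of the report or of Clang. `SourceLocation`, `StringRef`, `SubstitutionDiagnostic`, `Arena` (a stand-in for the ASTContext allocator) and `FakeRecord` are all assumed stand-ins; `buildDangling` reproduces the reported shape (a view onto a local `std::string`), and `buildOwned` shows one fix shape, copying the message into context-owned memory before the view is stored. The fix shape is an assumption for illustration, not the project's actual patch.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

// Hypothetical stand-ins for the Clang/LLVM types named in the report.
using SourceLocation = unsigned;          // stand-in for clang::SourceLocation
using StringRef = std::string_view;       // non-owning view, like llvm::StringRef
using SubstitutionDiagnostic = std::pair<SourceLocation, StringRef>;

// Stand-in for the ASTContext arena: allocations live as long as the arena.
class Arena {
  struct Block {
    std::unique_ptr<char[]> ptr;
    std::size_t size;
  };
  std::vector<Block> blocks;

public:
  // Allocate n bytes whose address stays stable for the arena's lifetime.
  char *allocate(std::size_t n) {
    blocks.push_back(Block{std::make_unique<char[]>(n), n});
    return blocks.back().ptr.get();
  }

  // Copy a string into arena storage and return a view of that stable copy.
  StringRef copyString(StringRef s) {
    char *buf = allocate(s.size());
    std::memcpy(buf, s.data(), s.size());
    return StringRef(buf, s.size());
  }

  // True if p points into memory this arena handed out (pointer value only,
  // nothing is dereferenced).
  bool owns(const char *p) const {
    auto v = reinterpret_cast<std::uintptr_t>(p);
    for (const Block &b : blocks) {
      auto start = reinterpret_cast<std::uintptr_t>(b.ptr.get());
      if (v >= start && v < start + b.size)
        return true;
    }
    return false;
  }
};

// Stand-in for the record reader: readString() returns a fresh std::string
// by value, exactly the situation that makes the view dangle.
struct FakeRecord {
  std::string readString() { return std::string("constraint not satisfied"); }
  SourceLocation readSourceLocation() { return 42; }
};

// Reported shape: the StringRef points at DiagMessage's buffer, which is
// released when this function returns. The returned view must never be read;
// it is kept here only to contrast with the owned form.
SubstitutionDiagnostic buildDangling(FakeRecord &Record) {
  SourceLocation DiagLocation = Record.readSourceLocation();
  std::string DiagMessage = Record.readString();
  return SubstitutionDiagnostic{DiagLocation, StringRef(DiagMessage)};
}

// Fixed shape (assumed): copy the message into arena memory first, so the
// stored view outlives the local std::string.
SubstitutionDiagnostic buildOwned(FakeRecord &Record, Arena &Ctx) {
  SourceLocation DiagLocation = Record.readSourceLocation();
  std::string DiagMessage = Record.readString();
  return SubstitutionDiagnostic{DiagLocation, Ctx.copyString(DiagMessage)};
}

int main() {
  FakeRecord Record;
  Arena Ctx;
  SubstitutionDiagnostic D = buildOwned(Record, Ctx);
  // D.second is still readable here: its bytes live in Ctx, not in a dead local.
  return D.second == "constraint not satisfied" ? 0 : 1;
}
```

The check in `owns` is what AddressSanitizer effectively performs at runtime; in the real reader the equivalent fix is to copy the string into memory owned by the ASTContext (or any object that outlives the `ConstraintSatisfaction`) before handing a `StringRef` to `SubstitutionDiagnostic`.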