[clang] Fix a use-after-free crash in ResetObjCLayout (PR #170360)

Tue, 02 Dec 2025 12:40:38 -0800 

ahatanak wrote:

Without this fix, an ASan-enabled clang detects a use-after-free when compiling 
the following code:

```
@interface NSObject {
  int these, will, never, change, ever;
}
@end

@interface SuperClass2 : NSObject
@property int superClassProperty2;
@end

@interface C0 : SuperClass2
@end

@interface C1 : C0
@end

@interface C2 : C1
@end

@interface C3 : C2
@end

@interface C4 : C3
@end

@interface C5 : C4
@end

@interface C6 : C5
@end

@interface C7 : C6
@end

@interface C8 : C7
@end

@interface C9 : C8
@end

@interface C10 : C9
@end

@interface C11 : C10
@end

@interface C12 : C11
@end

@interface C13 : C12
@end

@interface C14 : C13
@end

@interface C15 : C14
@end

@interface C16 : C15
@end

@interface C17 : C16
@end

@interface C18 : C17
@end

@interface C19 : C18
@end

@interface C20 : C19
@end

@interface C21 : C20
@end

@interface C22 : C21
@end

@interface C23 : C22
@end

@interface C24 : C23
@end

@interface C25 : C24
@end

@interface C26 : C25
@end

@interface C27 : C26
@end

@interface C28 : C27
@end

@interface C29 : C28
@end

@interface C30 : C29
@end

@interface C31 : C30
@end

@interface C32 : C31
@end

@interface C33 : C32
@end

@interface C34 : C33
@end

@interface C35 : C34
@end

@interface C36 : C35
@end

@interface C37 : C36
@end

@interface C38 : C37
@end

@interface C39 : C38
@end

@interface C40 : C39
@end

@interface C41 : C40
@end

@interface C42 : C41
@end

@interface C43 : C42
@end

@interface C44 : C43
@end

@interface C45 : C44
@end

@interface IntermediateClass2 : SuperClass2
@property int IntermediateClass2Property;
@end

@interface IntermediateClass3 : SuperClass2
@property int IntermediateClass3Property;
@end

@interface IntermediateClass4 : SuperClass2
@end

@implementation IntermediateClass3
@end

@implementation SuperClass2
@end
```

The DenseMap grows from 64 entries to 128 entries when 
`ResetObjCLayout(IntermediateClass3)` is called recursively from 
`ResetObjCLayout(SuperClass2)`, invalidating the iterators in the caller.

https://github.com/llvm/llvm-project/pull/170360
_______________________________________________
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

Reply via email to