[Clang] Fix Undefined Behavior introduced by llvm#91199 (llvm#91718)

cor3ntin · web-flow · commit fc57f88f0074 · 2024-05-10T11:15:26.000+02:00
We stack allocated an OpaqueExpr that would be used after it was destroyed. e.g https://lab.llvm.org/buildbot/#/builders/57/builds/34909
diff --git a/clang/lib/Sema/SemaExprCXX.cpp b/clang/lib/Sema/SemaExprCXX.cpp
@@ -5627,10 +5627,9 @@ static bool EvaluateUnaryTypeTrait(Sema &Self, TypeTrait UTT,
 static bool EvaluateBinaryTypeTrait(Sema &Self, TypeTrait BTT, const TypeSourceInfo *Lhs,
                                     const TypeSourceInfo *Rhs, SourceLocation KeyLoc);
 
-static ExprResult CheckConvertibilityForTypeTraits(Sema &Self,
-                                                   const TypeSourceInfo *Lhs,
-                                                   const TypeSourceInfo *Rhs,
-                                                   SourceLocation KeyLoc) {
+static ExprResult CheckConvertibilityForTypeTraits(
+    Sema &Self, const TypeSourceInfo *Lhs, const TypeSourceInfo *Rhs,
+    SourceLocation KeyLoc, llvm::BumpPtrAllocator &OpaqueExprAllocator) {
 
   QualType LhsT = Lhs->getType();
   QualType RhsT = Rhs->getType();
@@ -5675,9 +5674,9 @@ static ExprResult CheckConvertibilityForTypeTraits(Sema &Self,
 
   // Build a fake source and destination for initialization.
   InitializedEntity To(InitializedEntity::InitializeTemporary(RhsT));
-  OpaqueValueExpr From(KeyLoc, LhsT.getNonLValueExprType(Self.Context),
-                       Expr::getValueKindForType(LhsT));
-  Expr *FromPtr = &From;
+  Expr *From = new (OpaqueExprAllocator.Allocate<OpaqueValueExpr>())
+      OpaqueValueExpr(KeyLoc, LhsT.getNonLValueExprType(Self.Context),
+                      Expr::getValueKindForType(LhsT));
   InitializationKind Kind =
       InitializationKind::CreateCopy(KeyLoc, SourceLocation());
 
@@ -5687,11 +5686,11 @@ static ExprResult CheckConvertibilityForTypeTraits(Sema &Self,
       Self, Sema::ExpressionEvaluationContext::Unevaluated);
   Sema::SFINAETrap SFINAE(Self, /*AccessCheckingSFINAE=*/true);
   Sema::ContextRAII TUContext(Self, Self.Context.getTranslationUnitDecl());
-  InitializationSequence Init(Self, To, Kind, FromPtr);
+  InitializationSequence Init(Self, To, Kind, From);
   if (Init.Failed())
     return ExprError();
 
-  ExprResult Result = Init.Perform(Self, To, Kind, FromPtr);
+  ExprResult Result = Init.Perform(Self, To, Kind, From);
   if (Result.isInvalid() || SFINAE.hasErrorOccurred())
     return ExprError();
 
@@ -5819,7 +5818,8 @@ static bool EvaluateBooleanTypeTrait(Sema &S, TypeTrait Kind,
           S.Context.getPointerType(T.getNonReferenceType()));
       TypeSourceInfo *UPtr = S.Context.CreateTypeSourceInfo(
           S.Context.getPointerType(U.getNonReferenceType()));
-      return !CheckConvertibilityForTypeTraits(S, UPtr, TPtr, RParenLoc)
+      return !CheckConvertibilityForTypeTraits(S, UPtr, TPtr, RParenLoc,
+                                               OpaqueExprAllocator)
                   .isInvalid();
     }
 
@@ -6028,9 +6028,9 @@ static bool EvaluateBinaryTypeTrait(Sema &Self, TypeTrait BTT, const TypeSourceI
   case BTT_IsNothrowConvertible: {
     if (RhsT->isVoidType())
       return LhsT->isVoidType();
-
-    ExprResult Result =
-        CheckConvertibilityForTypeTraits(Self, Lhs, Rhs, KeyLoc);
+    llvm::BumpPtrAllocator OpaqueExprAllocator;
+    ExprResult Result = CheckConvertibilityForTypeTraits(Self, Lhs, Rhs, KeyLoc,
+                                                         OpaqueExprAllocator);
     if (Result.isInvalid())
       return false;
 
