Fix use after free. Incrementing an use_iterator after its user is erased is unsafe.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@100926 91177308-0d34-0410-b5e6-96231b3b80d8
author: Benjamin Kramer <benny.kra@googlemail.com> 2010-04-10 11:02:40 +0000
committer: Benjamin Kramer <benny.kra@googlemail.com> 2010-04-10 11:02:40 +0000
commit: dbf02bccc9fc1115cb7dd45c84df77252d68f220 (patch)
tree: a9e17ccce03d7a0865171992da8118b9da848338 /lib
parent: 59fc2690e622e9db7f7a8f5036562b19d3bfb2b5 (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/CodeGen/CodeGenModule.cpp b/lib/CodeGen/CodeGenModule.cpp
index 3a59c4cf3d..565f83c690 100644
--- a/lib/CodeGen/CodeGenModule.cpp
+++ b/lib/CodeGen/CodeGenModule.cpp
@@ -1203,11 +1203,12 @@ static void ReplaceUsesOfNonProtoTypeWithRealFunction(llvm::GlobalValue *Old,
   llvm::SmallVector<llvm::Value*, 4> ArgList;
 
   for (llvm::Value::use_iterator UI = OldFn->use_begin(), E = OldFn->use_end();
-       UI != E; ++UI) {
+       UI != E; ) {
     // TODO: Do invokes ever occur in C code?  If so, we should handle them too.
-    llvm::CallInst *CI = dyn_cast<llvm::CallInst>(*UI);
+    llvm::Value::use_iterator I = UI++; // Increment before the CI is erased.
+    llvm::CallInst *CI = dyn_cast<llvm::CallInst>(*I);
     llvm::CallSite CS(CI);
-    if (!CI || !CS.isCallee(UI)) continue;
+    if (!CI || !CS.isCallee(I)) continue;
 
     // If the return types don't match exactly, and if the call isn't dead, then
     // we can't transform this call.
author	Benjamin Kramer <benny.kra@googlemail.com>	2010-04-10 11:02:40 +0000
committer	Benjamin Kramer <benny.kra@googlemail.com>	2010-04-10 11:02:40 +0000
commit	dbf02bccc9fc1115cb7dd45c84df77252d68f220 (patch)
tree	a9e17ccce03d7a0865171992da8118b9da848338 /lib
parent	59fc2690e622e9db7f7a8f5036562b19d3bfb2b5 (diff)