From 6c8adc3f30bf0dabdaaa34f2d4d433bb57a0824c Mon Sep 17 00:00:00 2001
From: reuk
Date: Fri, 14 Apr 2017 19:47:00 +0100
Subject: [PATCH 1/2] Fix memory leak in ansi-c frontend

If you swap an irep with an irep that it contains, I think it creates a circular reference which lives until the program quits.
---
 src/ansi-c/c_typecheck_type.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ansi-c/c_typecheck_type.cpp b/src/ansi-c/c_typecheck_type.cpp
index d82e81c0038..ac3fe7f2928 100644
--- a/src/ansi-c/c_typecheck_type.cpp
+++ b/src/ansi-c/c_typecheck_type.cpp
@@ -54,7 +54,7 @@ void c_typecheck_baset::typecheck_type(typet &type)
   exprt alignment=static_cast(type.find(ID_C_alignment));
   irept _typedef=type.find(ID_C_typedef);
-  type.swap(type.subtype());
+  type=type.subtype();
   c_qualifiers.write(type);
   if(packed)

From feb1108807f72b17a57b3665188e7312a07c7827 Mon Sep 17 00:00:00 2001
From: reuk
Date: Sun, 16 Apr 2017 23:12:43 +0100
Subject: [PATCH 2/2] Fix pointer-invalidation bug in ansi-c/padding.cpp

The insert on line 262 invalidates the iterators of the vector which is being iterated, which may cause the reference on line 206 to dangle. This in turn leads to undefined behaviour on line 269 when the reference is passed to a function. The fix is to take a copy instead of a reference on line 206.
---
 src/ansi-c/padding.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ansi-c/padding.cpp b/src/ansi-c/padding.cpp
index cdcc1cd802b..16391ee33a7 100644
--- a/src/ansi-c/padding.cpp
+++ b/src/ansi-c/padding.cpp
@@ -203,7 +203,7 @@ void add_padding(struct_typet &type, const namespacet &ns)
       it!=components.end();
       it++)
   {
-    const typet &it_type=it->type();
+    const typet it_type=it->type();
     mp_integer a=1;
     const bool packed=it_type.get_bool(ID_C_packed) ||
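Review bot: The new line `type=type.subtype();` assigns `type` from a reference that points into `type`'s own child node, so it is only safe if irept's copy-assignment tolerates a source owned by the destination (takes its own hold on the shared data before releasing the old one); that property is not visible in this hunk and should be confirmed against irept before relying on it. A form that does not depend on it is to take the copy explicitly first, `typet sub=type.subtype(); type.swap(sub);` — `sub` then owns the old outer node and releases it when it goes out of scope, without the self-containment that the original swap produced. The `alignment` and `_typedef` values on the two preceding lines are already copies taken before the replacement, so they are unaffected by either form. typecheck_type's body starts before and continues after the hunk.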
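Review bot: Copying into `it_type` on the new line protects that local, but the commit message says the insert further down invalidates the vector's iterators, and `it` itself is still incremented by the `it++` on the loop line after that insert; the hunk does not show whether the insert's return value is assigned back to `it`, and if it is not, the loop header remains undefined behaviour with this change applied. Worth confirming that the insert takes the form `it=components.insert(...)` (or that the loop is restructured to index the vector), and recording the reason for the copy so it is not later turned back into a reference: `// copy, not a reference: the insert below may reallocate components`. add_padding's loop begins before the hunk and the insert it refers to lies after it.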