From 8f085eb6a087242ab8c775ec4fe41ab9a194cec2 Mon Sep 17 00:00:00 2001
From: Andres Noetzli
Date: Fri, 17 Jul 2020 15:25:54 -0700
Subject: [PATCH] Add NodeManagerScopes to fix use-after-free issues (#4768)

This commit fixes our current ASan issues. Some methods in `NodeManager` were not creating a `NodeManagerScope` for `this` but were indirectly calling methods that get the `NodeManager` from the current scope, so we ended up calling methods on a `NodeManager` that had already been destroyed.
---
 src/expr/node_manager.cpp | 4 ++++
 src/expr/node_manager.h | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/src/expr/node_manager.cpp b/src/expr/node_manager.cpp
index c68b0df86..e9f56bf3f 100644
--- a/src/expr/node_manager.cpp
+++ b/src/expr/node_manager.cpp
@@ -106,6 +106,10 @@ NodeManager::NodeManager(ExprManager* exprManager)
 }
 void NodeManager::init() {
+ // `mkConst()` indirectly needs the correct NodeManager in scope because we
+ // call `NodeValue::inc()` which uses `NodeManager::curentNM()`
+ NodeManagerScope nms(this);
 poolInsert( &expr::NodeValue::null() );
 for(unsigned i = 0; i < unsigned(kind::LAST_KIND); ++i) {
diff --git a/src/expr/node_manager.h b/src/expr/node_manager.h
index 1a28a16eb..84c4b44e0 100644
--- a/src/expr/node_manager.h
+++ b/src/expr/node_manager.h
@@ -1484,6 +1484,9 @@ TypeNode NodeManager::mkTypeConst(const T& val) {
 template
 NodeClass NodeManager::mkConstInternal(const T& val) {
+ // This method indirectly calls `NodeValue::inc()`, which relies on having
+ // the correct `NodeManager` in scope.
+ NodeManagerScope nms(this);
 // typedef typename kind::metakind::constantMap::OwningTheory theory_t;
 NVStorage<1> nvStorage;
--
2.30.2
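Review bot: The comment added at the top of `NodeManager::init()` misspells the accessor it refers to — `NodeManager::curentNM()` should read `NodeManager::currentNM()` — and it names `mkConst()` as the reason for the scope although the only call visible in the hunk is `poolInsert()`, so a reader cannot see where the dependency arises. Suggested wording: `// Constants created below via mkConst() reach NodeValue::inc(), which resolves the manager through NodeManager::currentNM(); make sure that resolves to this instance.` The remainder of `init()` and the constructor that calls it (shown in the hunk header) lie outside the hunk, so whether every `mkConst()` use is covered by this one scope cannot be confirmed here. Since the description says the pre-fix behaviour was a call on an already-destroyed manager, it would be worth checking that `currentNM()` fails fast (assertion or check for a null current manager) when no scope is active, rather than handing back a stale pointer; that check is what would have turned this use-after-free into an immediate, diagnosable failure.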
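Review bot: `NodeManagerScope nms(this);` is now constructed on every call of `NodeManager::mkConstInternal`, a header template that is presumably instantiated for each constant type and called on a hot path; if `NodeManagerScope` pushes and pops state in its constructor and destructor, this adds that cost to every constant creation, which the commit does not discuss or measure. If the scope type does not already short-circuit when `this` is already the current manager, a cheap early-out in `NodeManagerScope`'s constructor would keep the fix while avoiding redundant work here and in `init()`. The added comment could also point at the same location for the underlying contract: `// NodeValue::inc() resolves the owning manager via NodeManager::currentNM(); this scope guarantees it is this instance.` The body of `mkConstInternal` continues past the end of the hunk, so later statements that may also depend on the scope are not visible.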