From 156ece7b27e45217ce9f031e078acf661cb72cc3 Mon Sep 17 00:00:00 2001
From: Nikolai Kosjar
Date: Wed, 27 Apr 2016 16:24:45 +0200
Subject: [PATCH] AutoTest: Fix heap-use-after-free

The snapshot was given as a temporary expression to findMatchingDefinition().
Upon destruction it deleted documents/controls to which the returned symbols
still had pointers to.

The prime candidate for the document to free is the one coming from the
editor - the user typed new content and thus created a new document. The
last reference to the old document was held in the temporary argument
expression.

Fix by pinning the snapshot.

Task-number: QTCREATORBUG-16062
Change-Id: I4fb3915bef8471cefef4ca27450901824416e397
Reviewed-by: Orgad Shaneh
---
 src/plugins/autotest/testvisitor.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/plugins/autotest/testvisitor.cpp b/src/plugins/autotest/testvisitor.cpp
index d9f7b37a820..4336591e3ee 100644
--- a/src/plugins/autotest/testvisitor.cpp
+++ b/src/plugins/autotest/testvisitor.cpp
@@ -63,6 +63,7 @@ bool TestVisitor::visit(CPlusPlus::Class *symbol)
 {
     const CPlusPlus::Overview o;
     CPlusPlus::LookupContext lc;
+    const CPlusPlus::Snapshot snapshot = CppTools::CppModelManager::instance()->snapshot();
 
     unsigned count = symbol->memberCount();
     for (unsigned i = 0; i < count; ++i) {
@@ -81,7 +82,7 @@ bool TestVisitor::visit(CPlusPlus::Class *symbol)
 
         TestCodeLocationAndType locationAndType;
         CPlusPlus::Function *functionDefinition = m_symbolFinder.findMatchingDefinition(
-                    func, CppTools::CppModelManager::instance()->snapshot(), true);
+                    func, snapshot, true);
         if (functionDefinition && functionDefinition->fileId()) {
             locationAndType.m_name = QString::fromUtf8(functionDefinition->fileName());
             locationAndType.m_line = functionDefinition->line();
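Review bot: The new `snapshot` local in the first hunk now carries a lifetime invariant that nothing in the code states: `findMatchingDefinition()` hands back a `CPlusPlus::Function *` owned by a document that only this pinned snapshot is guaranteed to keep alive, so the same use-after-free returns the moment someone re-inlines the `instance()->snapshot()` call or lets `functionDefinition` outlive the scope. I would put that next to the declaration: `// Pinned for the whole visit: findMatchingDefinition() returns symbols owned by documents in this snapshot; never pass a temporary here (QTCREATORBUG-16062).` The visible uses in the second hunk only copy out `fileName()` and `line()`, which is fine, but `TestVisitor::visit()` continues past both hunks, so I cannot confirm from here that the pointer is not stored anywhere beyond the loop body. The `symbol` parameter (and the members the loop iterates via `memberCount()`) is presumably owned by the caller's document rather than by this snapshot, so the pin does not cover it; a one-line note on the function stating who keeps `symbol` alive would close that gap if it is the intended contract. Any other caller in the plugin that still passes `CppModelManager::instance()->snapshot()` as a temporary to `findMatchingDefinition()` would have the same bug, though that is an inference from the pattern rather than something this diff shows.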