C++: Fix use-after-free crash when handling auto expressions

The Control of the Document "exprDoc" in ResolveExpression::visit(
SimpleNameAST*ast) owns names that are passed on further as part of the
LookupItems. However, the life time of that Document and thus the
Control ends in that function.

Fix by using the appropriate Control object.

Task-number: QTCREATORBUG-16731
Change-Id: I5a7af0a67613fff79f7e07865801585c13bb9b45
Reviewed-by: Orgad Shaneh <orgads@gmail.com>

src/libs/cplusplus/CppDocument.cpp

@@ -286,8 +286,10 @@ Document::~Document()
 {
     delete _translationUnit;
     _translationUnit = 0;
-    delete _control->diagnosticClient();
-    delete _control;
+    if (_control) {
+        delete _control->diagnosticClient();
+        delete _control;
+    }
     _control = 0;
 }
 
@@ -296,6 +298,25 @@ Control *Document::control() const
     return _control;
 }
 
+Control *Document::swapControl(Control *newControl)
+{
+    if (newControl) {
+        const StringLiteral *fileId = newControl->stringLiteral(_translationUnit->fileId()->chars(),
+                                                                _translationUnit->fileId()->size());
+        const auto newTranslationUnit = new TranslationUnit(newControl, fileId);
+        newTranslationUnit->setLanguageFeatures(_translationUnit->languageFeatures());
+        delete _translationUnit;
+        _translationUnit = newTranslationUnit;
+    } else {
+        delete _translationUnit;
+        _translationUnit = 0;
+    }
+
+    Control *oldControl = _control;
+    _control = newControl;
+    return oldControl;
+}
+
 unsigned Document::revision() const
 {
     return _revision;
@@ -696,7 +717,8 @@ void Document::releaseSourceAndAST()
     if (!_keepSourceAndASTCount.deref()) {
         _source.clear();
         _translationUnit->release();
-        _control->squeeze();
+        if (_control)
+            _control->squeeze();
     }
 }