DemangleInitRAII saves and restores NumWords but not the Words[] array
itself. When a nested demangleSymbol/demangleType call processes
identifiers, it overwrites Words[] entries with StringRefs pointing
into its own Text buffer. After ~DemangleInitRAII restores the outer
NumWords, those entries still reference the inner (now-destroyed)
buffer. The outer demangling then hits a word substitution and reads
freed memory through the stale StringRef.
In practice this is triggered by MetadataReader::demangle(): the
symbolic reference resolver calls buildContextManglingForSymbol which
calls dem.demangleSymbol() on the same Demangler. The inner symbol's
identifiers overwrite Words[] with pointers into the
ParentContextDescriptorRef's temporary string. When the resolver
returns and the PCCDR is destroyed, the outer demangleType accesses
dangling Words[] entries via word substitution identifiers.
The fix adds Words[] to DemangleInitRAII's saved/restored state.
rdar://172223904
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fred Riss