mirror of
https://github.com/apple/swift.git
synced 2026-06-20 15:42:51 +02:00
e3ae0756a1
DemangleInitRAII saves and restores NumWords but not the Words[] array itself. When a nested demangleSymbol/demangleType call processes identifiers, it overwrites Words[] entries with StringRefs pointing into its own Text buffer. After ~DemangleInitRAII restores the outer NumWords, those entries still reference the inner (now-destroyed) buffer. The outer demangling then hits a word substitution and reads freed memory through the stale StringRef.

In practice this is triggered by MetadataReader::demangle(): the symbolic reference resolver calls buildContextManglingForSymbol, which calls dem.demangleSymbol() on the same Demangler. The inner symbol's identifiers overwrite Words[] with pointers into the ParentContextDescriptorRef's temporary string. When the resolver returns and the PCCDR is destroyed, the outer demangleType accesses dangling Words[] entries via word substitution identifiers.

The fix adds Words[] to DemangleInitRAII's saved/restored state.

rdar://172223904

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
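The following is an added example, not code from the Swift repository or from this commit. It models the save/restore shape the commit message describes with a toy demangler: Words[] holds string_view entries (standing in for StringRef) into the Text buffer of whichever demangle call last ran, a guard restores the outer state on scope exit, and a nested call on the same object overwrites the outer entries. The buggy guard restores only Text and NumWords; the fixed guard also restores Words[]. All names (ToyDemangler, BuggyInitRAII, FixedInitRAII, outerWordsStayValid) and the space-separated tokenization are assumptions made for illustration; the inner string is a constructed stand-in for the temporary PCCDR string. The check deliberately compares only pointer values against the outer buffer's range rather than dereferencing, so it flags the stale view without itself reading freed memory.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <string_view>

// Toy stand-in for the demangler state described in the commit: Words[] holds
// views (StringRef-like) into whatever Text buffer the most recent demangle
// call was processing. Names are hypothetical, not the Swift demangler's.
struct ToyDemangler {
  static constexpr size_t MaxNumWords = 26;
  std::string_view Text;                           // buffer currently being demangled
  std::array<std::string_view, MaxNumWords> Words; // word substitution table
  size_t NumWords = 0;

  // Record each space-separated token of Text as a substitution word. A real
  // demangler does this for identifiers; it is what overwrites the outer
  // entries during a nested call.
  void recordWords() {
    size_t i = 0;
    while (i < Text.size() && NumWords < MaxNumWords) {
      while (i < Text.size() && Text[i] == ' ') ++i;
      size_t start = i;
      while (i < Text.size() && Text[i] != ' ') ++i;
      if (start == i) break;
      Words[NumWords++] = Text.substr(start, i - start);
    }
  }
};

// Guard with the shape the commit diagnoses: Text and NumWords are restored,
// Words[] is not, so entries written by a nested call survive the scope.
struct BuggyInitRAII {
  ToyDemangler &D;
  std::string_view SavedText;
  size_t SavedNumWords;
  BuggyInitRAII(ToyDemangler &d, std::string_view text)
      : D(d), SavedText(d.Text), SavedNumWords(d.NumWords) {
    D.Text = text;
    D.NumWords = 0;
  }
  ~BuggyInitRAII() {
    D.Text = SavedText;
    D.NumWords = SavedNumWords; // Words[] still holds the inner call's views
  }
};

// Guard with the fix applied: Words[] is snapshotted and restored as well.
struct FixedInitRAII {
  ToyDemangler &D;
  std::string_view SavedText;
  size_t SavedNumWords;
  std::array<std::string_view, ToyDemangler::MaxNumWords> SavedWords;
  FixedInitRAII(ToyDemangler &d, std::string_view text)
      : D(d), SavedText(d.Text), SavedNumWords(d.NumWords), SavedWords(d.Words) {
    D.Text = text;
    D.NumWords = 0;
  }
  ~FixedInitRAII() {
    D.Text = SavedText;
    D.NumWords = SavedNumWords;
    D.Words = SavedWords;
  }
};

// Demangle `outer`, re-enter the same demangler for a temporary inner string
// (as the symbolic-reference resolver does via demangleSymbol), then check
// whether every outer word still points inside `outer`. An entry that does
// not is the dangling view a later word substitution would read through.
template <class Guard>
bool outerWordsStayValid(std::string_view outer) {
  ToyDemangler D;
  Guard g(D, outer);
  D.recordWords(); // Words[0..n) -> outer
  {
    std::string innerText = "inner symbol names"; // constructed stand-in for the PCCDR string
    Guard nested(D, innerText);
    D.recordWords(); // Words[0..m) -> innerText, overwriting the outer entries
  } // nested guard restores NumWords (and, if fixed, Words[]); innerText is destroyed
  auto begin = reinterpret_cast<std::uintptr_t>(outer.data());
  auto end = begin + outer.size();
  for (size_t i = 0; i < D.NumWords; ++i) {
    auto p = reinterpret_cast<std::uintptr_t>(D.Words[i].data());
    if (p < begin || p >= end) return false; // stale: points outside the outer buffer
  }
  return true;
}

bool buggyGuardKeepsOuterWords() { return outerWordsStayValid<BuggyInitRAII>("alpha beta gamma"); }
bool fixedGuardKeepsOuterWords() { return outerWordsStayValid<FixedInitRAII>("alpha beta gamma"); }

int main() {
  std::printf("buggy guard: outer words valid after nested call = %s\n",
              buggyGuardKeepsOuterWords() ? "yes" : "no");
  std::printf("fixed guard: outer words valid after nested call = %s\n",
              fixedGuardKeepsOuterWords() ? "yes" : "no");
  return 0;
}
```

The outer text is a string literal here so it outlives the check; in the real trigger the inner buffer is the temporary string owned by the ParentContextDescriptorRef, and a word substitution in the outer demangleType is what finally dereferences the stale entry.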