Fix a use-after-free crash in ResetObjCLayout (#170360)

ahatanak · web-flow · commit d684cb80da7a · 2025-12-04T07:16:01.000-08:00
operator[] can potentially cause reallocation and invalidate live
iterators if it's called with a key that isn't present in the DenseMap.
Call lookup() instead to prevent the function from inserting new entries
into the DenseMap for ObjC classes that don't have any subclasses.

rdar://165448332
diff --git a/clang/lib/AST/ASTContext.cpp b/clang/lib/AST/ASTContext.cpp
@@ -12040,7 +12040,7 @@ bool ASTContext::mergeExtParameterInfo(
 void ASTContext::ResetObjCLayout(const ObjCInterfaceDecl *D) {
   if (auto It = ObjCLayouts.find(D); It != ObjCLayouts.end()) {
     It->second = nullptr;
-    for (auto *SubClass : ObjCSubClasses[D])
+    for (auto *SubClass : ObjCSubClasses.lookup(D))
       ResetObjCLayout(SubClass);
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -12040,7 +12040,7 @@ bool ASTContext::mergeExtParameterInfo(`
`12040`	`12040`	`void ASTContext::ResetObjCLayout(const ObjCInterfaceDecl *D) {`
`12041`	`12041`	`if (auto It = ObjCLayouts.find(D); It != ObjCLayouts.end()) {`
`12042`	`12042`	`It->second = nullptr;`
`12043`		`- for (auto *SubClass : ObjCSubClasses[D])`
	`12043`	`+ for (auto *SubClass : ObjCSubClasses.lookup(D))`
`12044`	`12044`	`ResetObjCLayout(SubClass);`
`12045`	`12045`	`}`
`12046`	`12046`	`}`