fix(parse): fix use-after-free after rolling back transaction

Rolling back a transaction queues memory to be rewound. This is
incorrect if the transaction object is destructed later. This leads to a
use-after-free bug with the following input:

    await (0scribeBlock => {
        switch (child.type) {
        case 'test': {
        }
        }
        async describeBlock => {
        await (x) => {
        await (0scribeBlock => {
            await (x) => {
            await (0s => {
                @ @ @;
                @ @ @;

The specific cause is the following code pattern in
parser::parse_await_expression:

    {
      parser_transaction transaction = this->begin_transaction();
      // ...
      this->roll_back_transaction(std::move(transaction));

      this->diag_reporter_->report(diag_await_followed_by_arrow_function{
          .await_operator = operator_span,
      }); // (a)

    } // (b)

Line (a) allocates memory in the to-be-unwound allocator. Line (b)
performs the rewind. After (b), reading from diag_reporter_ (which in
the buggy case is a buffering_diag_reporter) leads to a use-after-free
error.

Fix the problem by having roll_back_transaction rewind immediately,
instead of deferring rewind to an arbitrary point in the future.

Fixing this issue exposed another use-after-free bug, causing
test_lex.rolled_back_outer_transaction_discards_errors to fail in ASAN
builds. Fix this by promptly destructing the buffering_diag_reporter
when committing a transaction.

Ref: 51a2ba7

Author: strager

src/lex.cpp

@@ -1128,14 +1128,18 @@ void lexer::commit_transaction(lexer_transaction&& transaction) {
   buffered_diagnostics->move_into(transaction.old_diag_reporter);
 
   this->diag_reporter_ = transaction.old_diag_reporter;
+
+  transaction.reporter.reset();
 }
 
 void lexer::roll_back_transaction(lexer_transaction&& transaction) {
   this->last_token_ = transaction.old_last_token;
   this->last_last_token_end_ = transaction.old_last_last_token_end;
   this->input_ = transaction.old_input;
   this->diag_reporter_ = transaction.old_diag_reporter;
-  transaction.allocator_rewind.rewind_on_destruct();
+
+  transaction.reporter.reset();
+  this->transaction_allocator_.rewind(std::move(transaction.allocator_rewind));
 }
 
 bool lexer::transaction_has_lex_diagnostics(const lexer_transaction&) const

src/quick-lint-js/lex.h

@@ -14,6 +14,7 @@
 #include <quick-lint-js/location.h>
 #include <quick-lint-js/monotonic-allocator.h>
 #include <quick-lint-js/narrow-cast.h>
+#include <quick-lint-js/optional.h>
 #include <quick-lint-js/padded-string.h>
 #include <quick-lint-js/token.h>
 #include <quick-lint-js/utf-8.h>
@@ -316,27 +317,28 @@ struct lexer_transaction {
                              const char8* old_input,
                              diag_reporter** diag_reporter_pointer,
                              allocator_type* allocator)
-      : allocator_rewind(allocator),
+      : allocator_rewind(allocator->prepare_for_rewind()),
         old_last_token(old_last_token),
         old_last_last_token_end(old_last_last_token_end),
         old_input(old_input),
-        reporter(allocator),
+        reporter(std::in_place, allocator),
         old_diag_reporter(
-            std::exchange(*diag_reporter_pointer, &this->reporter)) {}
+            std::exchange(*diag_reporter_pointer, get(this->reporter))) {}
 
   // Don't allow copying a transaction. lexer::diag_reporter_ might point to
   // lexer_transaction::diag_reporter.
   lexer_transaction(const lexer_transaction&) = delete;
   lexer_transaction& operator=(const lexer_transaction&) = delete;
 
   // Rewinds memory allocated by 'reporter'. Must be constructed before
-  // 'reporter' (thus destructed after 'reporter').
-  allocator_type::conditional_rewind_guard allocator_rewind;
+  // 'reporter' is constructed. 'allocator_type::rewind' must be called before
+  // 'reporter' is destructed.
+  allocator_type::rewind_state allocator_rewind;
 
   token old_last_token;
   const char8* old_last_last_token_end;
   const char8* old_input;
-  buffering_diag_reporter reporter;
+  std::optional<buffering_diag_reporter> reporter;
   diag_reporter* old_diag_reporter;
 };
 }

src/quick-lint-js/optional.h

@@ -7,6 +7,11 @@
 #include <optional>
 
 namespace quick_lint_js {
+template <class T>
+T *get(std::optional<T> &o) noexcept {
+  return o.has_value() ? &*o : nullptr;
+}
+
 template <class T>
 const T *get(const std::optional<T> &o) noexcept {
   return o.has_value() ? &*o : nullptr;