Fix a use-after-free crash in ResetObjCLayout (llvm#170360)

ahatanak · ahatanaka · commit 9c9853e4f12d · 2025-12-05T12:51:46.000-08:00
operator[] can potentially cause reallocation and invalidate live
iterators if it's called with a key that isn't present in the DenseMap.
Call lookup() instead to prevent the function from inserting new entries
into the DenseMap for ObjC classes that don't have any subclasses.

rdar://165448332
diff --git a/clang/lib/AST/ASTContext.cpp b/clang/lib/AST/ASTContext.cpp
@@ -12846,7 +12846,7 @@ bool ASTContext::mergeExtParameterInfo(
 void ASTContext::ResetObjCLayout(const ObjCInterfaceDecl *D) {
   if (auto It = ObjCLayouts.find(D); It != ObjCLayouts.end()) {
     It->second = nullptr;
-    for (auto *SubClass : ObjCSubClasses[D])
+    for (auto *SubClass : ObjCSubClasses.lookup(D))
       ResetObjCLayout(SubClass);
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -12846,7 +12846,7 @@ bool ASTContext::mergeExtParameterInfo(`
`12846`	`12846`	`void ASTContext::ResetObjCLayout(const ObjCInterfaceDecl *D) {`
`12847`	`12847`	`if (auto It = ObjCLayouts.find(D); It != ObjCLayouts.end()) {`
`12848`	`12848`	`It->second = nullptr;`
`12849`		`- for (auto *SubClass : ObjCSubClasses[D])`
	`12849`	`+ for (auto *SubClass : ObjCSubClasses.lookup(D))`
`12850`	`12850`	`ResetObjCLayout(SubClass);`
`12851`	`12851`	`}`
`12852`	`12852`	`}`