[Completion] ~ExpectedTypeContext must be called after ~CCResultBuilder

bnbarham · bnbarham · commit 020f2b52b4a3 · 2023-08-31T09:09:42.000-07:00
There's a subtle stack UAF here - `~CodeCompletionResultBuilder` would
be called *after* `~ExpectedTypeContext` as `ExpectedTypeContext` was
defined after `CodeCompletionResultBuilder`. Fix the order they're
created to prevent this.
diff --git a/lib/IDE/CodeCompletion.cpp b/lib/IDE/CodeCompletion.cpp
@@ -896,14 +896,19 @@ static void addKeywordsAfterReturn(CodeCompletionResultSink &Sink, DeclContext *
   // using the solver-based implementation. Add the result manually.
   if (auto ctor = dyn_cast_or_null<ConstructorDecl>(DC->getAsDecl())) {
     if (ctor->isFailable()) {
+      Type resultType = ctor->getResultInterfaceType();
+
+      // Note that `TypeContext` must stay alive for the duration of
+      // `~CodeCodeCompletionResultBuilder()`.
+      ExpectedTypeContext TypeContext;
+      TypeContext.setPossibleTypes({resultType});
+
       CodeCompletionResultBuilder Builder(Sink, CodeCompletionResultKind::Literal,
                                           SemanticContextKind::None);
       Builder.setLiteralKind(CodeCompletionLiteralKind::NilLiteral);
       Builder.addKeyword("nil");
-      Builder.addTypeAnnotation(ctor->getResultInterfaceType(), {});
-      Builder.setResultTypes(ctor->getResultInterfaceType());
-      ExpectedTypeContext TypeContext;
-      TypeContext.setPossibleTypes({ctor->getResultInterfaceType()});
+      Builder.addTypeAnnotation(resultType, {});
+      Builder.setResultTypes(resultType);
       Builder.setTypeContext(TypeContext, DC);
     }
   }
