Prevent use-after-free bugs in object variants. Fixes bug #20305 (#20300) [backport]

prevent use-after-free bugs in cased objects the bug happens specifically when deleting an item in a seq. The item taking it's place might not have the same case fields. Then =sink(x[i], move x[xl]) might leave the deleted fields still in memory! If the new item switches branches again, you get a use-after-free bug. (cherry picked from commit 8dcf367e52)
2026-04-18 21:40:32 +00:00 · 2022-09-05 09:26:02 +03:00
parent 113bd34b6c
commit 8923e34d7f
1 changed files with 3 additions and 0 deletions
--- a/compiler/liftdestructors.nim
+++ b/compiler/liftdestructors.nim
@@ -162,9 +162,12 @@ proc fillBodyObj(c: var TLiftCtx; n, body, x, y: PNode; enforceDefaultOp: bool)
      # the value needs to be destroyed before we assign the selector
      # or the value is lost
      let prevKind = c.kind
+      let prevAddMemReset = c.addMemReset
      c.kind = attachedDestructor
+      c.addMemReset = true
      fillBodyObj(c, n, body, x, y, enforceDefaultOp = false)
      c.kind = prevKind
+      c.addMemReset = prevAddMemReset
      localEnforceDefaultOp = true

    if c.kind != attachedDestructor: