Is there a bug in the code that rehashes IdDict? Asan on #52496 is saying that ol[i+1] on line 23 is a use after being freed in the call to jl_alloc_memory_any (line 18).
|
JL_DLLEXPORT jl_genericmemory_t *jl_idtable_rehash(jl_genericmemory_t *a, size_t newsz) |
|
{ |
|
size_t sz = a->length; |
|
size_t i; |
|
jl_value_t **ol = (jl_value_t **) a->ptr; |
|
jl_genericmemory_t *newa = jl_alloc_memory_any(newsz); |
|
// keep the original memory in the original slot since we need `ol` |
|
// to be valid in the loop below. |
|
JL_GC_PUSH2(&newa, &a); |
|
for (i = 0; i < sz; i += 2) { |
|
if (ol[i + 1] != NULL) { |
|
jl_table_assign_bp(&newa, ol[i], ol[i + 1]); |
|
// it is however necessary here because allocation |
|
// can (and will) occur in a recursive call inside table_lookup_bp |
|
} |
|
} |
|
JL_GC_POP(); |
|
return newa; |
|
} |
Should lines 18 and 21 be changed to the following,
jl_genericmemory_t *newa = NULL;
JL_GC_PUSH2(&newa, &a);
newa = jl_alloc_memory_any(newsz);
