Fix use-after-free in return statement handling. (#4472)

Initialization can import a function and thus invalidate the reference we're holding to the enclosing function. Don't use the reference after initialization completes.
carbon-language · Nov 1, 2024 · 261fe38 · 261fe38
1 parent ac5cc33
commit 261fe38
Show file tree

Hide file tree

Showing 2 changed files with 1,394 additions and 1 deletion.
diff --git a/toolchain/check/return.cpp b/toolchain/check/return.cpp
@@ -160,8 +160,9 @@ auto BuildReturnWithExpr(Context& context, Parse::ReturnStatementId node_id,
     // convert to it.
     expr_id = SemIR::InstId::BuiltinError;
   } else if (return_info.has_return_slot()) {
-    expr_id = Initialize(context, node_id, function.return_slot_id, expr_id);
     return_slot_id = function.return_slot_id;
+    // Note that this can import a function and invalidate `function`.
+    expr_id = Initialize(context, node_id, return_slot_id, expr_id);
   } else {
     expr_id =
         ConvertToValueOfType(context, node_id, expr_id, return_info.type_id);