Prevent use-after-free bugs in object variants. Fixes bug #20305 (#20300) [backport]

prevent use-after-free bugs in cased objects the bug happens specifically when deleting an item in a seq. The item taking it's place might not have the same case fields. Then =sink(x[i], move x[xl]) might leave the deleted fields still in memory! If the new item switches branches again, you get a use-after-free bug.
author: Antonis Geralis <43617260+planetis-m@users.noreply.github.com> 2022-09-05 09:26:02 +0300
committer: GitHub <noreply@github.com> 2022-09-05 08:26:02 +0200
commit: 8dcf367e5223ae26b57c9bbfaec6e70ac14bb820 (patch)
tree: 66bb46ead56039a37fbaf312befbba59c32f8320 /compiler
parent: cde6b2aab8f67291eca5375a067f97e98b7593ee (diff)
download: Nim-8dcf367e5223ae26b57c9bbfaec6e70ac14bb820.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/compiler/liftdestructors.nim b/compiler/liftdestructors.nim
index 68c93a179..5174a908f 100644
--- a/compiler/liftdestructors.nim
+++ b/compiler/liftdestructors.nim
@@ -165,9 +165,12 @@ proc fillBodyObj(c: var TLiftCtx; n, body, x, y: PNode; enforceDefaultOp: bool)
       # the value needs to be destroyed before we assign the selector
       # or the value is lost
       let prevKind = c.kind
+      let prevAddMemReset = c.addMemReset
       c.kind = attachedDestructor
+      c.addMemReset = true
       fillBodyObj(c, n, body, x, y, enforceDefaultOp = false)
       c.kind = prevKind
+      c.addMemReset = prevAddMemReset
       localEnforceDefaultOp = true
 
     if c.kind != attachedDestructor:
author	Antonis Geralis <43617260+planetis-m@users.noreply.github.com>	2022-09-05 09:26:02 +0300
committer	GitHub <noreply@github.com>	2022-09-05 08:26:02 +0200
commit	8dcf367e5223ae26b57c9bbfaec6e70ac14bb820 (patch)
tree	66bb46ead56039a37fbaf312befbba59c32f8320 /compiler
parent	cde6b2aab8f67291eca5375a067f97e98b7593ee (diff)
download	Nim-8dcf367e5223ae26b57c9bbfaec6e70ac14bb820.tar.gz