Add 'DeclStmt::DoDestroy()' which doesn't actually recurse over its child expressions (via StmtIterator), as those expressions are owned by the Decls and Types (which are destroyed elsewhere). This fixes a crasher reported in <rdar://problem/7487294>.

llvm-svn: 91990

clang/include/clang/AST/Stmt.h

@@ -294,6 +294,9 @@ class DeclStmt : public Stmt {
   DeclGroupRef DG;
   SourceLocation StartLoc, EndLoc;
 
+protected:
+  virtual void DoDestroy(ASTContext &Ctx);
+
 public:
   DeclStmt(DeclGroupRef dg, SourceLocation startLoc,
            SourceLocation endLoc) : Stmt(DeclStmtClass), DG(dg),

clang/lib/AST/DeclGroup.cpp

@@ -32,6 +32,7 @@ DeclGroup::DeclGroup(unsigned numdecls, Decl** decls) : NumDecls(numdecls) {
 }
 
 void DeclGroup::Destroy(ASTContext& C) {
+  // Decls are destroyed by the DeclContext.
   this->~DeclGroup();
   C.Deallocate((void*) this);
 }

clang/lib/AST/Stmt.cpp

@@ -426,6 +426,14 @@ Stmt::child_iterator DeclStmt::child_end() {
   return StmtIterator(DG.end(), DG.end());
 }
 
+void DeclStmt::DoDestroy(ASTContext &C) {
+  // Don't use StmtIterator to iterate over the Decls, as that can recurse
+  // into VLA size expressions (which are owned by the VLA).  Further, Decls
+  // are owned by the DeclContext, and will be destroyed with them.
+  if (DG.isDeclGroup())
+    DG.getDeclGroup().Destroy(C);
+}
+
 // NullStmt
 Stmt::child_iterator NullStmt::child_begin() { return child_iterator(); }
 Stmt::child_iterator NullStmt::child_end() { return child_iterator(); }

clang/test/Index/c-index-crasher-rdar_7487294.c

@@ -0,0 +1,13 @@
+// RUN: c-index-test -test-load-source local %s 2>&1 | FileCheck %s
+
+// This is invalid source.  Previously a double-free caused this
+// example to crash c-index-test.
+
+int foo(int x) {
+  int y[x * 3];
+  help
+};
+
+// CHECK: 8:3: error: use of undeclared identifier 'help'
+// CHECK:  help
+// CHECK: 12:102: error: expected '}'