authorErik Verbruggen <erik.verbruggen@digia.com>2014-08-27 13:41:25 +0200
committerNikolai Kosjar <nikolai.kosjar@digia.com>2014-08-29 14:14:37 +0200
commitc8c2aaafdf6180c271cf54576e5c2d5e25281947 (patch)
tree6921b9b57b1de2784763472391e1ca8444c9bb9c /src
parent4a3cc6d2b2eb3e1090b22bb3c04f6933821afa96 (diff)
C++: Fix possible use-after-free of AST.
The CppRefactoringChanges::fileNoEditor takes a Document from the snapshot it has. Although this snapshot is a safe copy, it might have been gotten right after it was updated by indexing. Such a document will still have its AST. If this AST is used by any refactoring action without retaining it, the pointers will be dangling after a short while (specifically: after the locator has extracted all the information). The fileNoEditor method is called by the declDefLinkFinder to search the target document. The snapshot is obtained before, and contains the document for the semantic info. However, the target document will not come from the semantic info, but from the indexer. Change-Id: I212ff41dde6910e94e80552b2c3e5911fe9496ae Task-number: QTCREATORBUG-11262 Reviewed-by: Nikolai Kosjar <nikolai.kosjar@digia.com>
Diffstat (limited to 'src')
-rw-r--r--src/libs/cplusplus/CppDocument.cpp2
-rw-r--r--src/plugins/cpptools/cpprefactoringchanges.cpp4
2 files changed, 2 insertions, 4 deletions
diff --git a/src/libs/cplusplus/CppDocument.cpp b/src/libs/cplusplus/CppDocument.cpp
index 9a18343eda..389a030b55 100644
--- a/src/libs/cplusplus/CppDocument.cpp
+++ b/src/libs/cplusplus/CppDocument.cpp
@@ -297,8 +297,10 @@ Document::Document(const QString &fileName)
Document::~Document()
{
delete _translationUnit;
+ _translationUnit = 0;
delete _control->diagnosticClient();
delete _control;
+ _control = 0;
}
Control *Document::control() const
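Review bot: The stores `_translationUnit = 0;` and `_control = 0;` in `Document::~Document()` write to members of an object whose lifetime ends when the destructor returns, so an optimizing compiler may eliminate them as dead stores (GCC does this under its default `-flifetime-dse`). They cannot be relied on to turn a later access through a stale `Document` pointer into a predictable null dereference, and they do not retain the AST for anyone still holding it. If they are meant as a debugging aid, say so above the first store, e.g. `// Debug aid only: may be optimized away; does not protect against stale Document pointers.` The lifetime fix itself presumably rests on the removal in cpprefactoringchanges.cpp, so it would help to document there how callers of `fileNoEditor` obtain a document whose AST is kept alive.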
diff --git a/src/plugins/cpptools/cpprefactoringchanges.cpp b/src/plugins/cpptools/cpprefactoringchanges.cpp
index a07d7a404c..045633077b 100644
--- a/src/plugins/cpptools/cpprefactoringchanges.cpp
+++ b/src/plugins/cpptools/cpprefactoringchanges.cpp
@@ -112,10 +112,6 @@ CppRefactoringFileConstPtr CppRefactoringChanges::fileNoEditor(const QString &fi
CppRefactoringFilePtr result(new CppRefactoringFile(document, fileName));
result->m_data = m_data;
- Document::Ptr cppDocument = data()->m_snapshot.document(fileName);
- if (cppDocument)
- result->setCppDocument(cppDocument);
-
return result;
}