Fix use-after-free bug in typeCode

[davidlt]

edm::TypeWithDict::name() returns a std::string. The code was
taking a pointer to temporary string. Thus causing CutParser to
fail depending on random values in memory.

GDB output below. Memory pattern was set to 0x04, thus the name is just a sequence of 0x04.

Breakpoint 3, reco::parser::ExpressionVarSetter::push (this=0x12fda930,
    begin=0x12fd7b58 "strip < 400000 && pixel < 40000 && (strip < 50000 + 10*pixel) && (pixel < 5000 + 0.1*strip)",
    end=0x12fd7b5d " < 400000 && pixel < 40000 && (strip < 50000 + 10*pixel) && (pixel < 5000 + 0.1*strip)")
    at /build/davidlt/debug/CMSSW_7_5_0_pre4/src/CommonTools/Utils/src/ExpressionVarSetter.cc:17
17        edm::TypeWithDict type = typeStack_.back();
(gdb) n
18        method::TypeCode retType = reco::typeCode(type);
(gdb) p type
$25 = {ti_ = 0x7ffff6546b20 <typeinfo for int>, class_ = 0x0, enum_ = 0x0, dataType_ = 0x3a0fd10, arrayDimensions_ = {myP = 0x0}, property_ = 0}
(gdb) s
reco::typeCode (t=...) at /build/davidlt/debug/CMSSW_7_5_0_pre4/src/CommonTools/Utils/src/returnType.cc:46
46          const char* name = t.name().c_str();
(gdb) n
51            });
(gdb) p name
$26 = 0x12fda128 '\004' <repeats 16 times>, "\061"

----- Begin Fatal Exception 25-May-2015 10:35:59 CEST-----------------------
An exception of category 'Configuration' occurred while
   [0] Constructing the EventProcessor
   [1] Constructing module: class=SeedGeneratorFromRegionHitsEDProducer label='initialStepSeedsPreSplitting'
Exception Message:
Cut parser error:member "strip" has an invalid return type: "int" (char 0)
----- End Fatal Exception -------------------------------------------------

Signed-off-by: David Abdurachmanov David.Abdurachmanov@cern.ch

[cmsbuild]

A new Pull Request was created by @davidlt for CMSSW_7_5_X.

Fix use-after-free bug in typeCode

It involves the following packages:

CommonTools/Utils

@nclopezo, @cvuosalo, @monttj, @cmsbuild, @slava77, @vadler can you please review it and eventually sign? Thanks.
@makortel this is something you requested to watch as well.
You can sign-off by replying to this message having '+1' in the first line of your reply.
You can reject by replying to this message having '-1' in the first line of your reply.
If you are a L2 or a release manager you can ask for tests by saying 'please test' in the first line of a comment.
@nclopezo you are the release manager for this.
You can merge this pull request by typing 'merge' in the first line of your comment.

[cmsbuild]

+1
Tested at: 1ef5ad9
https://cmssdt.cern.ch/SDT/jenkins-artifacts/pull-request-integration/PR-9261/53/summary.html

[cmsbuild]

Comparison is ready
https://cmssdt.cern.ch/SDT/jenkins-artifacts/pull-request-integration/PR-9261/53/summary.html

[Dr15Jones]

Do we need the same fix in 7_4?

[Dr15Jones]

+1

[wmtan]

This bug was introduced in 7_4_X, and should be fixed there as well. The same bug occurs in the ROOT5 versions of 7_4_X and 7_5_X, so the fixes should be carried forward to the ROOT5 branches, as is normally done.

[slava77]

@davidlt David, could you please make a PR for 74X as well.
Thank you.

[slava77]

+1

for #9261 1ef5ad9

• this is a somewhat technical change
• jenkins tests pass and comparisons with the baseline show no differences

[davidlt]

This is a technical change. It extends lifetime of a std::string. It does nothing more, thus there should be no differences (unless you were unlucky and previously that string was a garbage).

[davidlt]

7_4_X: #9310