llvmorg-github-actions[bot] wrote:
<!--LLVM PR SUMMARY COMMENT--> @llvm/pr-subscribers-clang-analysis Author: Gábor Horváth (Xazax-hun) <details> <summary>Changes</summary> VisitBinaryOperator had no case for `obj.*pm` (BO_PtrMemD) / `objptr->*pm` (BO_PtrMemI), so a borrow of the accessed member (`&(obj.*pm)`) dropped the object's loan to an empty origin and a use-after-scope was missed. Flow the object operand's origin into the result, mirroring a member access: for `.*` the object is the LHS, for `->*` it is the LHS pointer's pointee. Assisted-by: Claude Opus 4.8 --- Full diff: https://github.com/llvm/llvm-project/pull/204612.diff 2 Files Affected: - (modified) clang/lib/Analysis/LifetimeSafety/FactsGenerator.cpp (+14) - (modified) clang/test/Sema/LifetimeSafety/safety.cpp (+46) ``````````diff diff --git a/clang/lib/Analysis/LifetimeSafety/FactsGenerator.cpp b/clang/lib/Analysis/LifetimeSafety/FactsGenerator.cpp index d56703a4b29c4..e2f934e0b6ad2 100644 --- a/clang/lib/Analysis/LifetimeSafety/FactsGenerator.cpp +++ b/clang/lib/Analysis/LifetimeSafety/FactsGenerator.cpp @@ -468,6 +468,20 @@ void FactsGenerator::handlePointerArithmetic(const BinaryOperator *BO) { } void FactsGenerator::VisitBinaryOperator(const BinaryOperator *BO) { + if (BO->getOpcode() == BO_PtrMemD || BO->getOpcode() == BO_PtrMemI) { + // `obj.*pm` / `objptr->*pm` names a member of the object, so a borrow of it + // borrows the object; flow the object's origin into the result. For `.*` the + // object is the LHS; for `->*` it is the LHS pointer's pointee. + OriginList *Dst = getOriginsList(*BO); + OriginList *ObjSrc = + BO->getOpcode() == BO_PtrMemD + ? getOriginsList(*BO->getLHS()) + : getRValueOrigins(BO->getLHS(), getOriginsList(*BO->getLHS())); + if (Dst && ObjSrc && Dst->getLength() == ObjSrc->getLength()) + flow(Dst, ObjSrc, /*Kill=*/true); + handleUse(BO->getLHS()); + return; + } if (BO->getOpcode() == BO_Comma) { killAndFlowOrigin(*BO, *BO->getRHS()); return; diff --git a/clang/test/Sema/LifetimeSafety/safety.cpp b/clang/test/Sema/LifetimeSafety/safety.cpp index 6fc275b51a9d0..69c1605ce9708 100644 --- a/clang/test/Sema/LifetimeSafety/safety.cpp +++ b/clang/test/Sema/LifetimeSafety/safety.cpp @@ -1962,6 +1962,52 @@ std::string_view refViewMemberReturnRefView1(RefMember a) { return a.view_ref; } std::string_view& refViewMemberReturnRefView2(RefMember a) { return a.view_ref; } } // namespace field_access +namespace pointer_to_member { +struct S { int x; void f() const; }; + +// `&(obj.*pm)` borrows the object, like `&obj.field`. +void via_dot_star() { + const int *p; + { + S s{5}; + int S::*pm = &S::x; + p = &(s.*pm); // expected-warning {{local variable 's' does not live long enough}} + } // expected-note {{destroyed here}} + (void)*p; // expected-note {{later used here}} +} + +void via_arrow_star() { + const int *p; + { + S s{5}; + int S::*pm = &S::x; + S *sp = &s; // expected-warning {{local variable 's' does not live long enough}} + p = &(sp->*pm); // expected-note {{local variable 'sp' aliases the storage of local variable 's'}} + } // expected-note {{destroyed here}} + (void)*p; // expected-note {{later used here}} +} + +// Negative: a long-lived object borrowed through `.*` stays silent. +void via_dot_star_ok() { + static S s{5}; + int S::*pm = &S::x; + const int *p = &(s.*pm); + (void)*p; // no-warning +} + +// A pointer-to-member-function result is only callable (not storable), so it +// carries no borrow -- but calling one on a dangling object is still caught. +void via_member_function_ptr() { + void (S::*pmf)() const = &S::f; + S *sp; + { + S s; + sp = &s; // expected-warning {{local variable 's' does not live long enough}} + } // expected-note {{destroyed here}} + (sp->*pmf)(); // expected-note {{later used here}} +} +} // namespace pointer_to_member + namespace attr_on_template_params { struct MyObj { ~MyObj(); `````````` </details> https://github.com/llvm/llvm-project/pull/204612 _______________________________________________ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
