https://github.com/Xazax-hun updated https://github.com/llvm/llvm-project/pull/204841
From 6951b32d0a397d17d08100b704e892e411d3e217 Mon Sep 17 00:00:00 2001 From: Gabor Horvath <[email protected]> Date: Fri, 19 Jun 2026 15:39:45 +0100 Subject: [PATCH] [LifetimeSafety] Model GNU statement expressions A statement expression `({ ...; e; })` carried none of its final expression's loans, so a borrow used through it was silently dropped. In VisitStmtExpr, flow `e`'s origins into the statement expression's origin so a borrow `e` carries reaches the value's users: a borrow of a body-local dangles, and a borrow forwarded from an outer object propagates to its consumer. Assisted-by: Claude Opus 4.8 --- .../Analyses/LifetimeSafety/FactsGenerator.h | 1 + .../LifetimeSafety/FactsGenerator.cpp | 15 ++++ clang/test/Sema/LifetimeSafety/safety.cpp | 70 +++++++++++++++++++ 3 files changed, 86 insertions(+) diff --git a/clang/include/clang/Analysis/Analyses/LifetimeSafety/FactsGenerator.h b/clang/include/clang/Analysis/Analyses/LifetimeSafety/FactsGenerator.h index 5ac67263681ac..8dc5213dd8de2 100644 --- a/clang/include/clang/Analysis/Analyses/LifetimeSafety/FactsGenerator.h +++ b/clang/include/clang/Analysis/Analyses/LifetimeSafety/FactsGenerator.h @@ -57,6 +57,7 @@ class FactsGenerator : public ConstStmtVisitor<FactsGenerator> { void VisitArraySubscriptExpr(const ArraySubscriptExpr *ASE); void VisitCXXNewExpr(const CXXNewExpr *NE); void VisitCXXDeleteExpr(const CXXDeleteExpr *DE); + void VisitStmtExpr(const StmtExpr *SE); private: OriginList *getOriginsList(const ValueDecl &D); diff --git a/clang/lib/Analysis/LifetimeSafety/FactsGenerator.cpp b/clang/lib/Analysis/LifetimeSafety/FactsGenerator.cpp index d8c5679a80b38..a2341ebc8f2ed 100644 --- a/clang/lib/Analysis/LifetimeSafety/FactsGenerator.cpp +++ b/clang/lib/Analysis/LifetimeSafety/FactsGenerator.cpp @@ -801,6 +801,21 @@ void FactsGenerator::VisitCXXDeleteExpr(const CXXDeleteExpr *DE) { FactMgr.createFact<InvalidateOriginFact>(List->getOuterOriginID(), DE)); } +void FactsGenerator::VisitStmtExpr(const StmtExpr *SE) { + // A statement expression (`({ ...; e; })`) yields the value of its final + // expression `e`. Flow `e`'s origins into the statement expression's origin + // so a borrow `e` carries reaches the value's users. + const auto *CS = SE->getSubStmt(); + if (!CS || CS->body_empty()) + return; + const auto *Last = dyn_cast<Expr>(CS->body_back()); + if (!Last) + return; + if (OriginList *Dst = getOriginsList(*SE)) + if (OriginList *Src = getRValueOrigins(Last, getOriginsList(*Last))) + flow(Dst, Src, /*Kill=*/true); +} + bool FactsGenerator::escapesViaReturn(OriginID OID) const { return llvm::any_of(EscapesInCurrentBlock, [OID](const Fact *F) { if (const auto *EF = F->getAs<ReturnEscapeFact>()) diff --git a/clang/test/Sema/LifetimeSafety/safety.cpp b/clang/test/Sema/LifetimeSafety/safety.cpp index b59fac191dcfb..bbb8fbe6fc6a9 100644 --- a/clang/test/Sema/LifetimeSafety/safety.cpp +++ b/clang/test/Sema/LifetimeSafety/safety.cpp @@ -3955,3 +3955,73 @@ struct [[gsl::Pointer()]] PtrWithInt { int x; }; PtrWithInt f() { return PtrWithInt{10}; } + +// A GNU statement expression (`({ ...; e; })`) yields the value of its final +// expression `e`. `e`'s origins flow into the statement expression's value, so +// a borrow `e` carries is tracked: a borrow of a body-local dangles, and a +// borrow forwarded from an outer object propagates to the value's users. +namespace statement_expression { +void use(int *p); + +// A borrow of a statement-expression-local escaping via the value. +void borrow_of_local() { + int *p = ({ int x = 7; &x; }); // expected-warning {{local variable 'x' does not live long enough}} expected-note {{local variable 'x' is destroyed here}} + use(p); // expected-note {{later used here}} +} + +// An outer borrow forwarded through a statement expression and returned: +// use-after-return. +int *return_borrow_of_local() { + int local = 0; + return ({ (void)0; &local; }); // expected-warning {{stack memory associated with local variable 'local' is returned}} expected-note {{returned here}} +} + +// A view bound to a temporary produced by the statement expression dangles. +void borrow_temporary() { + std::string_view view = ({ std::string x = "long enough heap string!!!!!!"; x; }); // expected-warning {{temporary object does not live long enough}} expected-note {{temporary object is destroyed here}} + (void)view; // expected-note {{later used here}} +} + +// Forwarding an outer borrow that dangles. +void forward_outer_borrow() { + int *p; + { + int local = 0; + p = ({ (void)0; &local; }); // expected-warning {{local variable 'local' does not live long enough}} + } // expected-note {{local variable 'local' is destroyed here}} + use(p); // expected-note {{later used here}} +} + +// The statement-expression result carries the borrow, so a `?:` sibling +// supplying a valid loan no longer hides it via the merge. +void masked(bool c) { + static int valid; + int *keep = &valid; + int *r; + { + int local = 0; + r = c ? keep : ({ &local; }); // expected-warning {{local variable 'local' does not live long enough}} + } // expected-note {{local variable 'local' is destroyed here}} + use(r); // expected-note {{later used here}} +} + +// Both conditional arms are statement expressions returning a borrow of a +// body-local; each is caught as a returned stack address. +int *conditional_arms(bool c) { + return c ? ({ int x = 7; &x; }) // expected-warning {{stack memory associated with local variable 'x' is returned}} expected-note 2 {{returned here}} + : ({ int y = 7; &y; }); // expected-warning {{stack memory associated with local variable 'y' is returned}} +} + +// Negative: a statement expression yielding a long-lived borrow stays silent. +void ok() { + static int s; + int *p = ({ int unused = 0; (void)unused; &s; }); + use(p); // no-warning +} + +// A discarded statement expression's value is not consumed, so a borrow of a +// body-local in it does not reach any user and is correctly not flagged. +void discarded_body_local() { + (void)({ int x = 7; &x; }); // no-warning +} +} // namespace statement_expression _______________________________________________ cfe-commits mailing list [email protected] https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
