Author: Donát Nagy
Date: 2026-06-25T15:06:27+02:00
New Revision: 0c540b9dcd041a2574f744144bb894b5862344b1

URL: 
https://github.com/llvm/llvm-project/commit/0c540b9dcd041a2574f744144bb894b5862344b1
DIFF: 
https://github.com/llvm/llvm-project/commit/0c540b9dcd041a2574f744144bb894b5862344b1.diff

LOG: [analyzer] Fix unjustified early return in processCallExit (#205656)

In `ExprEngine::processCallExit`, step 3 may theoretically split the
state because it calls `removeDead`, which activates `LiveSymbols` and
`DeadSymbols` callbacks of various checkers. (However, in practice it is
likely that these checker callbacks never actually split the state -- at
least, no such state splits happen in the LIT tests.)

The nodes produced by `removeDead` are placed in the set `CleanedNodes`;
in theory the different execution paths should be handled in parallel,
independently of each other. However, the loop `for (ExplodedNode *N :
CleanedNodes)` contained an early return statement, which meant that if
the creation of `CEENode` failed for a node `N`, then the subsequent
iterations were skipped altogether.

This commit replaces the `return` with a `continue` to ensure that the
nodes in `CleanedNodes` are handled independently (if there are several
such nodes).

This logic error has been present in the codebase since 2012 (!), when commit
7e53bd6fb01b062ece426252fb94c76bcce58941 introduced the `removeDead`
step into `processCallExit`.

Given that nobody noticed this error within the last 14 years, I very
strongly suspect that it doesn't have any observable functional effects,
i.e. this change is essentially NFC.

Added: 
    

Modified: 
    clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

Removed: 
    


################################################################################
diff  --git a/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp 
b/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
index 4cbcaa2721639..97c655c103b0a 100644
--- a/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
@@ -384,7 +384,7 @@ void ExprEngine::processCallExit(ExplodedNode *CEBNode) {
 
     ExplodedNode *CEENode = Engine.makeNode(Loc, CEEState, N);
     if (!CEENode)
-      return;
+      continue;
 
     // Step 5: Perform the post-condition check of the CallExpr and enqueue the
     // result onto the work list.


        
_______________________________________________
cfe-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits