[llvm-bugs] [Bug 176307] [LifetimeSafety] UAFs via indirect invocations are not diagnosed, as lifetimebound constraint information are lost when converted to function pointer

Thu, 15 Jan 2026 19:13:10 -0800

Issue 176307
Summary [LifetimeSafety] UAFs via indirect invocations are not diagnosed, as lifetimebound constraint information are lost when converted to function pointer
Labels new issue
Assignees
Reporter SidneyCogdill 
    https://godbolt.org/z/efbhczsaM

```cpp
#include <functional>

auto* free_max(int const* lhs [[clang::lifetimebound]], int const* rhs [[clang::lifetimebound]]) {
    return lhs > rhs ? lhs : rhs;
}

using F = int const*(int const*, int const*);

auto f1() {
 int const* max{};
    {
        int a = 0, b = 1;
        max = free_max(&a, &b); // error
    }
    auto result = *max;
}

auto f2(F* f) {
    int const* max{};
    {
        int a = 0, b = 1;
        max = f(&a, &b); // NO ERROR
    }
    auto result = *max;
}

auto f3(std::function<F> f) {
    int const* max{};
    {
        int a = 0, b = 1;
        max = f(&a, &b); // NO ERROR
    }
    auto result = *max;
}

auto f() {
    f2(free_max);
    f3(free_max);
}
```

Note that currently `lifetimebound` attribute cannot be applied to function type declarations:

```cpp
using F = int const*(int const* [[clang::lifetimebound]], int const* [[clang::lifetimebound]]);
```

```
<source>:7:35: error: 'clang::lifetimebound' attribute only applies to parameters and implicit object parameters
    7 | using F = int const*(int const* [[clang::lifetimebound]], int const* [[clang::lifetimebound]]);
      | ^
<source>:7:72: error: 'clang::lifetimebound' attribute only applies to parameters and implicit object parameters
    7 | using F = int const*(int const* [[clang::lifetimebound]], int const* [[clang::lifetimebound]]);
      | ^
2 errors generated.
Compiler returned: 1
```

Conceptually, `int const*(int const*, int const*)` should be treated as a `int const <'a>*(int const <'b>*, int const <'c>*)` "template", which then gets "instantiated" as `int const <'a>*(int const <'a>*, int const <'a>*)` at caller side, which then triggers the analysis within the instantiated function.

Related information: https://doc.rust-lang.org/reference/subtyping.html 


_______________________________________________
llvm-bugs mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs

Reply via email to