[clang] Refine the temporay object member access filtering for GSL pointer (#122088)

We currently have ad-hoc filtering logic for temporary object member
access in `VisitGSLPointerArg`. This logic

[clang] Refine the temporay object member access filtering for GSL pointer (#122088)

We currently have ad-hoc filtering logic for temporary object member
access in `VisitGSLPointerArg`. This logic filters out more cases than
it should, leading to false negatives. Furthermore, this location lacks
sufficient context to implement a more accurate solution.

This patch refines the filtering logic by moving it to the central
filtering location, `analyzePathForGSLPointer`, consolidating the logic
and avoiding scattered filtering across multiple places. As a result,
the special handling for conditional operators (#120233) is no longer
necessary.

This change also resolves #120543.

show more ...

Propagate lifetimebound from formal parameters to those in the canonical declaration and use that for analysis (#107627)

This partially fixes #62072 by making sure that re-declarations of a
function

Propagate lifetimebound from formal parameters to those in the canonical declaration and use that for analysis (#107627)

This partially fixes #62072 by making sure that re-declarations of a
function do not have the effect of removing lifetimebound from the
canonical declaration.

It doesn't handle the implicit 'this' parameter, but that can be
addressed in a separate fix.

show more ...

[clang] Don't infer lifetime_capture-by for reference of raw pointer types. (#122240)

When a vector is instantiated with a pointer type (`T` being `const
Foo*`), the inferred annotation becomes `pu

[clang] Don't infer lifetime_capture-by for reference of raw pointer types. (#122240)

When a vector is instantiated with a pointer type (`T` being `const
Foo*`), the inferred annotation becomes `push_back(const Foo*& value
[[clang::lifetime_capture_by(this)]])`.

For reference parameters, the `lifetime_capture_by` attribute treats the
lifetime as referring to the referenced object -- in this case, the
**pointer** itself, not the pointee object. In the `push_back`, we copy
the pointer's value, which does not establish a reference to the
pointer. This behavior is safe and does not capture the pointer's
lifetime.

The annotation should not be inferred for cases where `T` is a pointer
type, as the intended semantics do not align with the annotation.

Fixes #121391

show more ...

[clang] Fix dangling false positives for conditional operators. (#120233)

When analyzing a dangling gsl pointer, we currently filter out all field
access `MemberExpr` to avoid common false positive

[clang] Fix dangling false positives for conditional operators. (#120233)

When analyzing a dangling gsl pointer, we currently filter out all field
access `MemberExpr` to avoid common false positives (`string_view sv =
Temp().sv`), However, this filter only applies to direct MemberExpr
instances, leaving the conditional operator as an escaping example
(`GSLPointer pointer(Cond ? Owner().ptr : GSLPointer());`).

This patch extends the MemberExpr logic to handle the conditional
operator. The heuristic is intentionally simple, which may result in
some false negatives. However, it effectively covers common cases like
`std::string_view sv = cond ? "123" : std::string();`, which is a
reasonable trade-off.

Fixes https://github.com/llvm/llvm-project/issues/120206

show more ...

[clang] NFC, simplify the shouldLifetimeExtendThroughPath.

[clang] Fix the post-filtering heuristic for GSLPointer. (#114044)

The lifetime analyzer processes GSL pointers:

- when encountering a constructor for a `gsl::pointer`, the analyzer
continues tr

[clang] Fix the post-filtering heuristic for GSLPointer. (#114044)

The lifetime analyzer processes GSL pointers:

- when encountering a constructor for a `gsl::pointer`, the analyzer
continues traversing the constructor argument, regardless of whether the
parameter has a `lifetimebound` annotation. This aims to catch cases
where a GSL pointer is constructed from a GSL owner, either directly
(e.g., `FooPointer(FooOwner)`) or through a chain of GSL pointers (e.g.,
`FooPointer(FooPointer(FooOwner))`);
- When a temporary object is reported in the callback, the analyzer has
heuristics to exclude non-owner types, aiming to avoid false positives
(like `FooPointer(FooPointer())`).

In the problematic case (discovered in
https://github.com/llvm/llvm-project/pull/112751#issuecomment-2441055471)
of `return foo.get();`:

- When the analyzer reports the local object `foo`, the `Path` is
`[GslPointerInit, Lifetimebound]`.
- The `Path` goes through
[`pathOnlyHandlesGslPointer`](https://github.com/llvm/llvm-project/blob/main/clang/lib/Sema/CheckExprLifetime.cpp#L1136)
and isn’t filtered out by the [[heuristics]](because `foo` is an owner
type), the analyzer treats it as the `FooPointer(FooOwner())` scenario,
thus triggering a diagnostic.

Filtering out base on the object 'foo' is wrong, because the GSLPointer
is constructed from the return result of the `foo.get()`. The patch
fixes this by teaching the heuristic to use the return result (only
`const GSLOwner&` is considered) of the lifetimebound annotated
function.

show more ...

[clang] Fix -Wdangling false negative regressions caused by 117315 (#118088)

A specialization declaration can have an attribute even if the primary
template does not, particularly when the speciali

[clang] Fix -Wdangling false negative regressions caused by 117315 (#118088)

A specialization declaration can have an attribute even if the primary
template does not, particularly when the specialization is instantiated
from an annotated using-alias declaration.

Fix #118064

show more ...

[clang] Diagnose dangling references for parenthesized aggregate initialization. (#117690)

Unlike brace initialization, the parenthesized aggregate initialization
in C++20 does not extend the lifet

[clang] Diagnose dangling references for parenthesized aggregate initialization. (#117690)

Unlike brace initialization, the parenthesized aggregate initialization
in C++20 does not extend the lifetime of a temporary object bound to a
reference in an aggreate. This can lead to dangling references:

```
struct A { const int& r; };
A a1(1); // well-formed, but results in a dangling reference.
```

With this patch, clang will diagnose this common dangling issues.

Fixes #101957

show more ...

[clang] Add a common definition of isPointerLikeType for lifetime analysis (#117315)

Also checks for annotation for template specializations which sometimes
may not have the annotation attached.

[clang] Improve the lifetime_capture_by diagnostic on the constructor. (#117792)

With this change, the lifetime_capture_by code path will not handle the
constructor decl to avoid bogus diagnostics

[clang] Improve the lifetime_capture_by diagnostic on the constructor. (#117792)

With this change, the lifetime_capture_by code path will not handle the
constructor decl to avoid bogus diagnostics (see the testcase).

Instead, we reuse the lifetimebound code as the
lifetime_capture_by(this) has the same semantic as lifetimebound in
constructor. The downside is that the lifetimebound diagnostic is reused
for the capture case (I think it is not a big issue).


Fixes #117680

show more ...

[Clang] Fix handling of non-member functions in isNormalAssignmentOperator() (#115880)

This patch correctes the handling of non-member functions in the
`isNormalAssignmentOperator` function within

[Clang] Fix handling of non-member functions in isNormalAssignmentOperator() (#115880)

This patch correctes the handling of non-member functions in the
`isNormalAssignmentOperator` function within `CheckExprLifetime.cpp`.

The previous implementation incorrectly assumed that `FunctionDecl` is
always a `CXXMethodDecl`, leading to potential null pointer
dereferencing.

Change: - Correctly handle the case where `FD` is not a `CXXMethodDecl`
by using `FD->getParamDecl(0)->getType()`.

This fix ensures that the function correctly handles non-member
assignment operators, such as:

`struct S {}; void operator|=(S, S) {}`

This change improves the robustness of the `isNormalAssignmentOperator`
function by correctly identifying and handling different types of
function declarations.

show more ...

[clang][APINotes] Do not add duplicate lifetimebound annotations (#117194)

In case a method already is lifetimebound annotated we should not add a
second annotation to the type.

[clang] Implement lifetime analysis for lifetime_capture_by(X) (#115921)

This PR uses the existing lifetime analysis for the `capture_by`
attribute.

The analysis is behind `-Wdangling-capture` warn

[clang] Implement lifetime analysis for lifetime_capture_by(X) (#115921)

This PR uses the existing lifetime analysis for the `capture_by`
attribute.

The analysis is behind `-Wdangling-capture` warning and is disabled by
default for now. Once it is found to be stable, it will be default
enabled.

Planned followup:
- add implicit inference of this attribute on STL container methods like
`std::vector::push_back`.
- (consider) warning if capturing `X` cannot capture anything. It should
be a reference, pointer or a view type.
- refactoring temporary visitors and other related handlers.
- start discussing `__global` vs `global` in the annotation in a
separate PR.

---------

Co-authored-by: Boaz Brickner <brickner@google.com>

show more ...

[clang] [NFC] Merge conditions (#116612)

[clang][NFC] Use const reference for IndirectLocalPath if possible.

[clang][NFC] Remove an unnecessary variable in CheckExprLifetime.cpp

[clang] Suppress a dangling false positive when owner is moved in member initializer. (#114213)

This patch extends the filtering heuristic to apply for the
Lifetimebound code path.

This will sup

[clang] Suppress a dangling false positive when owner is moved in member initializer. (#114213)

This patch extends the filtering heuristic to apply for the
Lifetimebound code path.

This will suppress a common false positive:

```
namespace std {
template<typename T>
struct unique_ptr {
T &operator*();
T *get() const [[clang::lifetimebound]];
};
} // namespace std

struct X {
X(std::unique_ptr<int> up) :
pointer(up.get()), owner(std::move(up)) {}

int *pointer;
std::unique_ptr<int> owner;
};
```

See #114201.

show more ...

[clang] [NFC] Fix a couple of typos: assuments and assingment

[clang] Lifetimebound in assignment operator should work for non-gsl annotated types. (#113180)

This issue is identified during the discussion of [this
comment](https://github.com/llvm/llvm-project

[clang] Lifetimebound in assignment operator should work for non-gsl annotated types. (#113180)

This issue is identified during the discussion of [this
comment](https://github.com/llvm/llvm-project/issues/112234#issuecomment-2426102198).

There will be no release note for this fix as it is a follow-up to
[#106997](https://github.com/llvm/llvm-project/pull/106997).

show more ...

Make [[clang::lifetimebound]] work for expressions coming from default arguments (#112047)

Fixes #68596.

[Clang] Diagnose dangling references in std::vector. (#111753)

This is a follow-up to https://github.com/llvm/llvm-project/pull/108344.

The original bailout check was overly strict, causing it to

[Clang] Diagnose dangling references in std::vector. (#111753)

This is a follow-up to https://github.com/llvm/llvm-project/pull/108344.

The original bailout check was overly strict, causing it to miss cases
like the vector(initializer_list, allocator) constructor. This patch
relaxes the check to address that issue.

Fix #111680

show more ...

Reland: [clang] Diagnose dangling issues for the "Container<GSLPointer>" case. #107213 (#108344)

This relands #107213, with with fixes to address false positives
(`make_optional(nullptr)`).

[clang] Lifetime of locals must end before musttail call (#109255)

The lifetimes of local variables and function parameters must end before
the call to a [[clang::musttail]] function, instead of be

[clang] Lifetime of locals must end before musttail call (#109255)

The lifetimes of local variables and function parameters must end before
the call to a [[clang::musttail]] function, instead of before the
return, because we will not have a stack frame to hold them when doing
the call.

This documents this limitation, and adds diagnostics to warn about some
code which is invalid because of it.

show more ...

[clang] Don't emit bogus dangling diagnostics when `[[gsl::Owner]]` and `[[clang::lifetimebound]]` are used together. (#108280)

In the GSL analysis, we don't track the `this` object if the conversio

[clang] Don't emit bogus dangling diagnostics when `[[gsl::Owner]]` and `[[clang::lifetimebound]]` are used together. (#108280)

In the GSL analysis, we don't track the `this` object if the conversion
is not from gsl::owner to gsl pointer, we want to be conservative here
to avoid triggering false positives.

Fixes #108272

show more ...

Revert "[clang] Diagnose dangling issues for the "Container<GSLPointer>" case. (#107213)"

This reverts commit e50131aa068f74daa70d4135c92020aadae3af33.

It introduces a new false positive, see comme

Revert "[clang] Diagnose dangling issues for the "Container<GSLPointer>" case. (#107213)"

This reverts commit e50131aa068f74daa70d4135c92020aadae3af33.

It introduces a new false positive, see comment https://github.com/llvm/llvm-project/pull/107213#issuecomment-2345465256

show more ...